Workspace authentication problem

  • 26 September 2010

Hello,


I'm new to K2. I just finished installing a new K2 Blackpearl standalone server v 4.5 (latest) in the following environment:


- Windows Server 2008 K2, which has IIS 7.5


- SQL Server 2005 with SP1


I have followed the installation instructions down to the smallest detail, and everything installed successfully. The server (service) is running fine, we can connect to it remotely, and the report at the end of the installation had everything green.


I have used a domain admin account for the installation (we ran the installer as a different user and set domain admin credentials) and the service is run with a local admin domain user.


But now, when I try to open the Workspace, I get the following errors:


If I open it from the machine itself:


HTTP Error 401.2 - Unauthorized


You are not authorized to view this page due to invalid authentication
headers.


And if I open it from a remote machine:


401 - Unauthorized: Access is denied due to invalid credentials.


You do not have permission to view this directory or page using the
credentials that you supplied.


It appears to be a Kerberos problem, but I tried setting it to use NTLM and nothing happened.


The SPNs should be set successfully from the installer, but I assumed they weren't and tried running the tool:


http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887


It told me that I have some wrong SPNs set and recommended that I fix them with SetSPN.exe, and I did, but that also did not solve the problem.


For the record, there is nothing in the Event Viewer. We tried to enable Kerberos logging by changing a value in the registry, and now I'm getting errors that look like this:


A Kerberos Error Message was received:
 on logon session esensesoftwareK2Service
 Client Time:
 Server Time: 12:32:8.0000 9/26/2010 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED


Not sure if that's relevant.


Please help, I'm totally out of ideas now.


Ahmad


 


9 replies

Badge +14

For the Pre-Authentication you can try and disable this on the WS Application pool account in AD Users and Computers. Go to Properties of the service account > Account tab > Account options and enable the “Do not require Kerberos preauthentication” option. You can try this on both the Workspace application pool ID and K2 Service account. Other things to check will be the SPNs for Workspace, the authentication providers, etc.


HTH


Vernon

Badge +3

Good day Ahmad,


I'd like to know if your K2 Workspace is installed on the same server as the K2 server service? If so, then can you please check the following:


Make sure that you have set the delegation for the Workspace Service account and the K2 Service account to use Constrained Delegation with protocol transition. Reason I'm saying this is that there seems to be a need for the authentication method to switch over from Kerberos (Negotiate) to NTLM in order for K2 to communicate with the Workspace.


To do this, please do the following:


Open up the Service account's properties in Active Directory Users and Computers


Go to the Delegation Tab


Select the Radio Box for "Trust this user for delegation to specified services only"


Then add the other Service account --> If you opened the properties of the K2 service account, then please add the Workspace account.


Please select the checkbox "Expanded", which is located in the bottom left corner. Once this is selected, you should see two entries in the list, one for the NetBIOS SPN you have set, and one for the FQDN that you have set. Please do the same for the other account as well.


Hope this Helps,


Regards,


Coenie


 

Badge +2

Thank you Vernon and Jacobok for your replies,


Vernon, I have tried that and it didn't work either. Everyone is telling me to check the SPNs, but to be honest I do not know how to do that. The K2 documentation says that I must tick the option for the installer to configure the SPNs, and I have done that, but it does not say anything about how to check them manually yourself, understand when they're set wrong and how to correct them.


Another question about SPNs: do you have to set the SPNs on the computer account or the user account of the connection pool?


 


Jacobok, yes, the Workspace and the service are installed on the same machine, and they both use the same domain account.


I have tried what you told me; I selected "Trust this user for delegation to specified services only" then I clicked expanded, clicked the button to add the service, I chose both the computer account and the user account there in the popup, and then I saw lots of services, I selected and added all of them, that still did not solve the problem.


I'm starting to get a feeling that the problem is actually in IIS configuration, remember I'm using Windows Server 2008 R2 which is equipped with IIS 7.5.
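
The SPNs, the preauthentication checkbox and the delegation list discussed in the posts above can all be read back from the directory without changing anything. This is an added example, not part of the original posts or of K2's documentation; the account name `svc-k2` is a hypothetical placeholder, and the script assumes it is run by a domain user on a domain-joined machine.

```powershell
# Added example: read-only look at the Kerberos settings this thread discusses.
# 'svc-k2' is a hypothetical placeholder for the K2 / Workspace service account.
param([string]$SamAccountName = 'svc-k2')

# userAccountControl bits behind the AD Users and Computers checkboxes
$UacFlags = @{
    DONT_REQ_PREAUTH               = 0x400000   # "Do not require Kerberos preauthentication"
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
}

function Get-KerberosAccountSettings {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]('userAccountControl', 'servicePrincipalName', 'msDS-AllowedToDelegateTo'))
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Account '$SamAccountName' not found in the current domain." }

    # ResultPropertyCollection keys are lower-case
    $uac = [int]$entry.Properties['useraccountcontrol'][0]
    $set = @($UacFlags.GetEnumerator() | Where-Object { $uac -band $_.Value } |
             ForEach-Object { $_.Key } | Sort-Object)

    New-Object PSObject -Property @{
        Account           = $SamAccountName
        UacFlagsSet       = $set
        SPNs              = @($entry.Properties['serviceprincipalname'] | Where-Object { $_ })
        DelegationTargets = @($entry.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })
    }
}

$settings = Get-KerberosAccountSettings -SamAccountName $SamAccountName
$settings | Format-List Account, UacFlagsSet, SPNs, DelegationTargets

# The same SPNs as setspn.exe lists them, then a domain-wide duplicate check.
# The same HTTP/<host> SPN registered on two accounts breaks Kerberos for that host.
setspn.exe -L $SamAccountName
setspn.exe -X
```

Once troubleshooting is over, `UacFlagsSet` shows whether "Do not require Kerberos preauthentication" is still ticked on the account, and `DelegationTargets` lists exactly which services were added on the Delegation tab.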

Badge +3

Hi Ahmad,


I've attached a zip folder containing two Word documents. The one will guide you through the SPNs and how to manage them and the other doc will focus on the IIS 7 and how to ensure that the authentication is set correctly for the K2 Site.


Hope this helps,


Coenie


 

Badge +5

Hi Ahmad,


I agree that it is IIS configuration at the moment rather than Kerberos, as Kerberos would only fail from a client or remotely, not on the server itself.


Please advise if you have Integrated Windows Authentication as an Authentication module installed for IIS - http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx


After this there might still be some Kerberos configuration out of place but you should be able to access Workspace on the local server.


Please find attached a document in order to guide you on Kerberos configuration and Windows 2008.


Regards,
Frikkie


 

Badge +5

Also see this: http://support.microsoft.com/kb/942043/

Badge +2

 


Woohoo! Finally the Workspace is up and running, thank you all for your help.


Indeed, Windows Authentication as a module was not installed on the server. I had set all Windows configurations correctly and manually, but the module itself is not installed by default on Windows 2008 R2, which is why it did not work.


And it seems that we have set the Kerberos configuration and SPNs correctly too, because the website also works when connecting from remote computers.


Cheers,


Ahmad
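
The fix reported above, checked from PowerShell on Windows Server 2008 R2 with IIS 7.5. This is an added example, not code from the thread or from K2; the site path `Default Web Site/Workspace` is an assumption, and `Web-Windows-Auth` is the Server Manager name of the IIS Windows Authentication role service.

```powershell
# Added example: confirm the Windows Authentication role service and site settings.
# $SitePath is a hypothetical placeholder for wherever Workspace is hosted.
param(
    [string]$SitePath = 'Default Web Site/Workspace',
    [switch]$Install
)

Import-Module ServerManager
$feature = Get-WindowsFeature -Name Web-Windows-Auth
if (-not $feature.Installed) {
    if (-not $Install) {
        Write-Warning 'Windows Authentication role service is not installed; re-run with -Install.'
        return
    }
    Add-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

Import-Module WebAdministration
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$authRoot = 'system.webServer/security/authentication'

function Get-AuthAttribute {
    param([string]$Section, [string]$Name)
    (Get-WebConfigurationProperty -PSPath $apphost -Location $SitePath `
        -Filter "$authRoot/$Section" -Name $Name).Value
}

# Provider list in negotiation order (typically Negotiate, then NTLM)
$providers = (Get-WebConfigurationProperty -PSPath $apphost -Location $SitePath `
    -Filter "$authRoot/windowsAuthentication/providers" -Name '.').Collection |
    ForEach-Object { $_.Value }

# With kernel mode on and useAppPoolCredentials off, HTTP tickets are decrypted
# with the machine account rather than the application pool account.
New-Object PSObject -Property @{
    Site                  = $SitePath
    AnonymousEnabled      = Get-AuthAttribute 'anonymousAuthentication' 'enabled'
    WindowsAuthEnabled    = Get-AuthAttribute 'windowsAuthentication' 'enabled'
    UseKernelMode         = Get-AuthAttribute 'windowsAuthentication' 'useKernelMode'
    UseAppPoolCredentials = Get-AuthAttribute 'windowsAuthentication' 'useAppPoolCredentials'
    Providers             = @($providers)
} | Format-List
```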

Badge +6

First, disable the PreAuth requirement from "AD Computers and Users" on the esensesoftwareK2Service account. Report what the next error is. Have you installed IIS 6 compatibility mode and tools? Did the Configuration Analysis tool report any errors? I am guessing that the authentication providers are not installed properly on IIS.

Badge +2

Enabling the Windows Authentication feature under IIS -> Security can fix this problem.
