Intermittent authentication problems using Kerberos

  • 21 August 2014

Badge +1

I am completely new to the world of K2, and have recently taken on support of a suite of applications that use K2 blackpearl to create and manage workflow items.

My first problem to get to the bottom of is that a user can at one point in time start a process and create an instance on the workflow, and then, for no obvious reason, not be able to later on that day.

The error message reads:

The exception was: ClientException: 24408 K2:SWELBdboy from 10.310.156.133:585751 does not have rights to Start Process CarInsurance.K2ClaimApproval

The user is (as far as I know) making successful and unsuccessful attempts from the same PC and the same web browser.

Has anyone come across this before (I'm sure someone has), and if so, any solutions or pointers to other discussions would be very much appreciated.


4 replies

Badge +6

Hi cthulhu,

Please would you check in Workspace that the user does indeed have Process "start" rights. This can be found under Management Console>blackpearl:5555>Workflow Server>Processes>CarInsurance.K2ClaimApproval>Process Rights.

HTH

Kind regards,

Yannick

Badge +1

Thanks for the reply Yannick.

I have checked the process rights and they are fine - the group that the user is in has Admin rights for the process, and as I say, sometimes the workflow item gets created, occasionally it doesn't.

If anybody has any other ideas on this I would like to hear them.

Thanks in advance.

Badge +10

I remember having this issue on 4.6.7. Are you on the latest version of blackpearl? This usually happens when the identity cache in the K2 database goes out of sync.

There is a stored procedure you can run to change the expiry date of the cache to force it to refresh the identity cache. There is a patch I believe that will solve this issue for you. To test if this is the issue, you can go to the Identity table in the K2 database (the schema depends on what version of blackpearl you are using) and then just update the expireon field to now, which should automatically make the K2 service refresh the cache.

Badge +10

Hi cthulhu,

To add to what s0m3one said, there are other ways to accomplish this without "poking" at the DB quite as much.

There is an identity cache refresh tool that can be used on a specific user who needs to be updated, available here:

http://community.k2.com/t5/General-K2-Utilities/Force-Identity-Service-Refresh/ba-p/74061

For changing the settings of the identity cache, which by default refreshes in 8-hour intervals, this documentation may be helpful:

http://help.k2.com/onlinehelp/k2blackpearl/icg/current/webframe.html#tweaking_identity_cache_performance_for_the_k2_server.html

Keep in mind, use the settings provided within reason as they can have a performance impact. Hitting LDAP to rebuild the identity cache every 30 seconds is probably not a good idea. Depending on the size of your Active Directory, you also run the risk of impacting SQL performance with a rebuild of the identity cache every 30 seconds as well.

Regards,

Mike
