Impersonation Issue


Badge +1

Dear all,


I have a web application on the same server as my K2 server. I have set "<identity impersonate="true"/>" in the web.config, and "ASP.NET impersonation" is set to "enabled" under "Authentication" in IIS. From the web application I use the following code to start a process:


    Dim oConn As SourceCode.Workflow.Client.Connection = New SourceCode.Workflow.Client.Connection()
    Dim oProcInst As SourceCode.Workflow.Client.ProcessInstance

    oConn.Open(ConfigurationManager.AppSettings("K2Server").ToString())
    oConn.ImpersonateUser(oRequest.Properties("VAID").Value)
    oProcInst = oConn.CreateProcessInstance("K2ProcessProcessA")

    oProcInst.Folio = oRequest.Properties("RequestNo").Value
    oConn.StartProcessInstance(oProcInst)


It returns an error of "NT AUTHORITY\IUSR does not have permissions to impersonate user " at "oConn.ImpersonateUser(oRequest.Properties("VAID").Value)"


Can anyone advise on this? Thanks.

3 replies

Badge +8

Without knowing the exact requirements for your scenario, it might be tough to give you the proper resolution. I can however try to explain why this happens.


Chances are you have enabled anonymous access and disabled integrated security on the site along with the identity tag in the web.config. So what happens is, when the connection is opened, it gets authenticated as the NT AUTHORITY\IUSR account (anonymous), which is not a real account and can't be managed. As a security measure, all accounts that need to do impersonation must be granted access in K2, not possible with this account.


Here's what I would do:


Since you don't seem to need Integrated Security, set <identity impersonate="false" /> and assign an account for the application pool you are using. That way, when the connection is opened, the app pool user is authenticated against K2 and you can assign this account Impersonate permissions. If you can use the K2 Workspace app pool account, that should already have been done for you as part of the install.

Badge +8

Also make sure you don't have anonymous authentication enabled along with integrated security.  Browsers and IIS will take the easiest route and not authenticate in that scenario.
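
The checks described in the two replies above can be scripted on the IIS server. This is an added example, not code from the thread or from K2: it reads the IIS settings the replies mention and reports which Windows identity the application will present when it opens the K2 connection. The site name, application name and function name are hypothetical placeholders, and it assumes the WebAdministration module is installed.

```powershell
# Added example: 'Default Web Site' and 'MyK2App' are hypothetical names.
Import-Module WebAdministration

function Get-K2CallerAudit {
    param(
        [string]$Site = 'Default Web Site',   # assumed site name
        [string]$App  = 'MyK2App'             # assumed application name
    )
    # Get-WebConfigurationProperty may return an attribute object or a raw value.
    function Read-Prop($PSPath, $Filter, $Name, $Location) {
        $a = @{ PSPath = $PSPath; Filter = $Filter; Name = $Name }
        if ($Location) { $a.Location = $Location }
        $p = Get-WebConfigurationProperty @a
        if ($null -ne $p.Value) { $p.Value } else { $p }
    }

    $host_ = 'MACHINE/WEBROOT/APPHOST'
    $auth  = 'system.webServer/security/authentication'
    $loc   = "$Site/$App"

    $anon     = [bool](Read-Prop $host_ "$auth/anonymousAuthentication" 'enabled'  $loc)
    $anonUser =        Read-Prop $host_ "$auth/anonymousAuthentication" 'userName' $loc
    $win      = [bool](Read-Prop $host_ "$auth/windowsAuthentication"   'enabled'  $loc)
    $imp      = [bool](Read-Prop "IIS:\Sites\$Site\$App" 'system.web/identity' 'impersonate')

    # Identity of the worker process (used when impersonation is off).
    $poolName = (Get-Item "IIS:\Sites\$Site\$App").applicationPool
    $pm       = (Get-Item "IIS:\AppPools\$poolName").processModel
    $poolId   = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }

    # Which account the application runs as when it opens the K2 connection.
    $caller = if (-not $imp) { "app pool account: $poolId" }
              elseif ($anon)  { "anonymous user: $anonUser" }
              else            { 'the authenticated browser user' }

    $findings = @()
    if ($imp -and $anon) {
        $findings += 'Impersonation with anonymous access: K2 sees the anonymous account, which cannot be granted Impersonate rights.'
    }
    if ($anon -and $win) {
        $findings += 'Anonymous and integrated authentication are both enabled: requests will not be authenticated.'
    }
    if (-not $imp -and $pm.identityType -ne 'SpecificUser') {
        $findings += 'App pool runs under a built-in identity: assign an account that can be given Impersonate rights in K2.'
    }

    [pscustomobject]@{
        Anonymous = $anon; Windows = $win; Impersonate = $imp
        AppPool = $poolName; K2Caller = $caller; Findings = $findings
    }
}
```

Run `Get-K2CallerAudit -Site '<site>' -App '<app>'` from an elevated PowerShell session; an empty `Findings` list means the K2 connection is opened as an account that can be managed.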

Badge +1

Hi dc & sbrown,


Thank you very much for your advice.
