4409 error after setting up Kerberos

  • 5 January 2007
  • 2 replies
  • 1 view

We started receiving this error after switching from SP3 in single server configuration to SP4 in distributed simple configuration with Kerberos authentication when we try to update process instance data fields from our web page through K2ROM.

First version of our system had NTLM authentication, and users on the process had all the rights granted with the K2.NET Service Manager except Admin rights.

After moving to Kerberos authentication, a user with the same rights is no longer allowed to write data to the process instance.
K2.NET authenticates the user and the user can read data, but when the processInstance.Update() method is invoked, K2.NET returns the following error message:

4409 - DOMAINUserName from AAA.BBB.CCC.DDD does not have rights to Open Process PROCESSNAME(ID)

If we grant this user Admin rights through K2.NET Service Manager he is able to do the update.

I read in your manual about different levels of rights that can be granted, but I don't think I really understand it well.

Now my questions...

What does the Admin right for a user really stand for in the context of a specific process?
How can it be that the same user could do the update without Admin rights before switching to Kerberos, and later the user needs Admin rights?
Is there any place where all error codes are listed with some kind of explanation?
If not, what does this specific error code mean?

And finally, should I grant all my users on a process Admin rights or is there something else I should do to fix this issue?

Thank you in advance for all your suggestions or explanations...

2 replies

The issue you are seeing does not have anything to do with Kerberos; it is actually a problem that was fixed in SP4. Previously, non-admins could run the ProcessInstance.update method and potentially update data that is out of the scope of what they should be allowed to update. In SP4 it is required that you have Admin permissions in order to update an entire process instance. To update data associated with a worklist item (Activity Instance Data), rather use the WorklistItem.Update method.

As for a document that describes all the errors, I don't think there currently is one, but you could make that request on the portal site using the feedback form.

I hope this helps.

-Eric

Thank you very much for your quick response. :D

That info is very helpful.
