K2 Kerberos Question

  • 18 June 2010
  • 5 replies
  • 4 views

Badge +1

I have a K2 Blackpearl environment integrated with SharePoint 2007.  Kerberos is installed, I have gone through the Security_and_Kerberos_Authentication_with_K2_Servers.pdf and can't seem to solve the problem that I am having.  The environment consists of two load balanced WFE's, a shared app server running blackpearl, and a single database server.


I have debugged the problem and found that when the following code is executed, in some instances the user associated with an open connection is Anonymous.


Connection c = new Connection();
c.Open();


The user is anonymous when accessed from a PC other than any of the servers. If the user is executing the website from any of the servers then everything works as expected.


I originally thought that the SPNs were out of order; according to the doc they are correct. Then I thought that delegation might be disabled; according to the doc and other sources it is correct.


Any suggestions or ideas?


To make things more interesting, I have a test environment that is similar where I don't have the problem.


5 replies

Badge +5

Hi,


Have you checked the IE settings of the client machine, i.e. Internet Options > Security > Trusted Sites > Sites? Make sure both the K2 sites and the MOSS sites are added here. Then for Trusted Sites > Custom Level: User Authentication, make sure 'Automatic Logon with current Username and Password' has been selected.


Also, have you checked the NTAuthenticationProviders of all the sites? It should be set to "Negotiate,NTLM".


What exactly are you accessing when getting the auth errors?


More information on your environment will also help a great deal: server names, host headers (if any), list of SPNs, delegation (full or constrained?), service accounts, etc., OS version (2003/2008).


Let us know.


Regards,


Frikkie

Badge +1

Frikkie,


Thank you for the reply. 


I have gone through the K2 Kerberos Guide available through this site. The problem occurs in a custom program using the K2 Framework. I have the symbol files available and was able to successfully debug the source. When the program arrives at the Connection.Open() line in the program, the line executes and appropriately opens a connection to our K2 server. When I review the information associated with the connection I noticed that the User object associated with the connection is Anonymous when connecting to my stage environment. I am using my Windows Server 2008 development machine. I have the exact same source code available in my test environment, which functions as expected. The expected result is that the currently logged-in domain user is associated with the connection, so Connection.User is corp\testeruser instead of AnonymousUser.


Aside from adding the sites to the trusted group in IE, as the document suggested, I ruled out any client-side issues because my development machine correctly works with at least one of my environments, i.e. test works, stage does not.


I have compared the web.config files for the two web applications and they are identical. They both contain the line Impersonate = true. I have compared the k2hostserver.config file on the server and they are identical, less the different machine names. The browser has the appropriate sites trusted. The SharePoint web applications are set to Negotiate (Kerberos). The SPNs for the K2 service account and the SharePoint service account contain the appropriate SPNs.


The configuration for the stage environment is as follows:



  • crppwws01 -- Load Balanced WFE
  • crppwws02 -- Load Balanced WFE
  • crppass01 -- Application server also running K2 Blackpearl
  • crppdbs01 -- DB server

The name of the Web Application host header is ajgdmsstage. 


From what I can tell there are three accounts necessary for the setup: the K2 Service account, the SharePoint Service account, and the SQL Server service account. All three accounts are running in full delegation mode. The server farm is a MOSS 2007 environment running on Windows Server 2003. SharePoint and the operating system are fully patched. I am not sure which version of K2 Blackpearl I am running; how do I check the version? All the servers, including my development machine, are joined to and part of the same domain. The application pools for the web application and K2 server are running using the corresponding service accounts as the identity. The K2 Service is running under the K2 Service account.


All the service accounts are in the administrators group of each server and have full rights to the registry. The SPNs for the accounts are:


SharePoint Service Account:



  • HTTP/CRPPWWS01.corp.ajgco.com
  • HTTP/CRPPWWS01
  • HTTP/CRPPASS01.corp.ajgco.com:26700
  • HTTP/CRPPASS01:26700
  • HTTP/CRPPASS01.corp.ajgco.com:26699
  • HTTP/CRPPASS01:26699
  • HTTP/CRPPWWS02
  • HTTP/CRPPWWS02.corp.ajgco.com
  • HTTP/AJGDMSSTAGE.corp.ajgco.com
  • HTTP/AJGDMSSTAGE

K2 Service Account



  • HTTP/CRPPASS01.CORP.AJGCO.COM
  • HTTP/CRPPASS01
  • K2Server/CRPPASS01.corp.ajgco.com:5252
  • K2Server/CRPPASS01:5252
  • K2HostServer/CRPPASS01.corp.ajgco.com:5555
  • K2HostServer/CRPPASS01:5555

SQL Service Account



  • MSSQLSvc/CRPPDBS01.corp.ajgco.com:1433
  • MSSQLSvc/CRPPDBS01:1433



One weird situation is when I run the program from one of the WFE machines it correctly opens a connection using the logged-in user in the stage environment.


CORP\Domain Users are permissioned as Admins for the process that I am using in K2.


Any ideas what I can try next? I did notice that the SPNs need to be different before and after SP1 for blackpearl. Truthfully, I don't know how to check the version of K2. I looked around in the K2 Workspace with no luck.


Thank you very much,


Mark


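The SPN inventory posted above can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from K2: it parses the text that `setspn -L <account>` prints for each service account and flags the conditions this thread turns on: an SPN host name that does not resolve in DNS, the same SPN held by more than one account (SPN comparison is case-insensitive), an HTTP host name spread across accounts, HTTP SPNs that carry a port, and a short-name SPN without its FQDN twin. The account DNs in the sample are assumptions; the SPN strings are the ones listed above. The DNS lookup is injected so the sample can run offline.

```python
"""Check a Kerberos SPN inventory as printed by `setspn -L` (added example)."""
import re
import socket
from collections import defaultdict

# Constructed sample in setspn -L format. Account DNs are made up; the SPNs are
# the ones posted in the thread for the SharePoint, K2 and SQL service accounts.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc_sharepoint,OU=Service Accounts,DC=corp,DC=ajgco,DC=com:
        HTTP/CRPPWWS01.corp.ajgco.com
        HTTP/CRPPWWS01
        HTTP/CRPPASS01.corp.ajgco.com:26700
        HTTP/CRPPASS01:26700
        HTTP/CRPPWWS02
        HTTP/CRPPWWS02.corp.ajgco.com
        HTTP/AJGDMSSTAGE.corp.ajgco.com
        HTTP/AJGDMSSTAGE
Registered ServicePrincipalNames for CN=svc_k2,OU=Service Accounts,DC=corp,DC=ajgco,DC=com:
        HTTP/CRPPASS01.CORP.AJGCO.COM
        HTTP/CRPPASS01
        K2HostServer/CRPPASS01.corp.ajgco.com:5555
        K2HostServer/CRPPASS01:5555
Registered ServicePrincipalNames for CN=svc_sql,OU=Service Accounts,DC=corp,DC=ajgco,DC=com:
        MSSQLSvc/CRPPDBS01.corp.ajgco.com:1433
        MSSQLSvc/CRPPDBS01:1433
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")
# SPN syntax is service/host[:port][/instance]; the host part may not contain ':' or '/'.
SPN = re.compile(r"^(?P<svc>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/.*)?$")


def parse_setspn(text):
    """Return {account_dn: [spn, ...]} from one or more concatenated `setspn -L` outputs."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts


def resolver_from_hosts(known):
    """Offline stand-in for socket.gethostbyname: only the given names (any case) resolve."""
    known = {h.lower() for h in known}

    def resolve(host):
        if host.lower() not in known:
            raise OSError(f"no such host: {host}")
        return "0.0.0.0"
    return resolve


def check_spns(accounts, resolve=socket.gethostbyname):
    """Return sorted 'error: ...' / 'warn: ...' findings; an empty list means nothing was flagged."""
    findings = set()
    owners = defaultdict(set)       # lower-cased SPN -> accounts holding it
    http_owners = defaultdict(set)  # HTTP short host -> accounts, ports ignored
    forms = defaultdict(set)        # (svc, short host, port) -> {'short', 'fqdn'} seen
    resolved = {}                   # lower-cased host -> bool, each name looked up once

    for account, spns in accounts.items():
        for spn in spns:
            m = SPN.match(spn)
            if not m:
                findings.add(f"error: {account}: unparseable SPN {spn!r}")
                continue
            svc, host, port = m["svc"].lower(), m["host"], m["port"]
            short = host.split(".")[0].lower()
            owners[spn.lower()].add(account)
            forms[(svc, short, port)].add("fqdn" if "." in host else "short")
            if svc == "http":
                http_owners[short].add(account)
                if port:
                    # Browsers request HTTP/<host> with no port, so a port-qualified
                    # HTTP SPN is not the name the client's ticket request carries.
                    findings.add(f"warn: {account}: {spn} carries a port; clients request HTTP/{host}")
            # Every host named in an SPN must resolve; a non-resolving FQDN was the
            # root cause reported in this thread.
            if host.lower() not in resolved:
                try:
                    resolve(host)
                    resolved[host.lower()] = True
                except OSError:
                    resolved[host.lower()] = False
            if not resolved[host.lower()]:
                findings.add(f"error: {account}: host {host} in {spn} does not resolve")

    for spn, accts in owners.items():
        if len(accts) > 1:
            findings.add(f"error: duplicate SPN {spn} on {sorted(accts)}")
    for short, accts in http_owners.items():
        if len(accts) > 1:
            findings.add(f"warn: HTTP/{short} is split across {sorted(accts)}; only one account can own it")
    for (svc, short, port), seen in forms.items():
        if seen != {"short", "fqdn"}:
            missing = "short" if "short" not in seen else "fqdn"
            findings.add(f"warn: {svc}/{short}{':' + port if port else ''} lacks its {missing} twin")
    return sorted(findings)


if __name__ == "__main__":
    # Live run: resolve through the machine's own DNS and print what is flagged.
    for line in check_spns(parse_setspn(SETSPN_OUTPUT)):
        print(line)
```

To use it on a real farm, run `setspn -L <account>` for each service account, concatenate the output into one file, and feed that text to `parse_setspn`; the default resolver then performs the same per-host lookup Mark added to his troubleshooting battery, and the duplicate and port checks cover the points raised in the replies.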

Badge +5

Hi Mark,


The version can be seen via Add/remove programs and having the "Show Updates" checkbox checked.  I doubt however that you have an old enough version to be using the older SPNs.


Secondly, some things I would have done differently:



  • HTTP SPNs I never set with the port; there was some MS bug, if I remember correctly, which I think has never been properly resolved.
  • Above said, I would remove all HTTP SPNs registered for the CRPPASS01 server and only create one pair (HTTP/CRPPASS01.CORP.AJGCO.COM and HTTP/CRPPASS01) against the SharePoint service account. Then have the K2 RuntimeServices/Workspace application pool identity be the same as the SharePoint service account. This is to prevent duplicates.
  • I'd also opt for Constrained delegation with Protocol Transition for each of the accounts, as I've seen this resolve Kerberos issues frequently in the not so distant past. 
  • Is the custom app running under this host header(AJGDMSSTAGE) also using the SharePoint service account as app pool identity?

Let me know what your thoughts are on my comments.




Regards,


Frikkie

Badge +1

Frikkie,


Thank you for your response. I am working with the team to get the changes made and will let you know if any of the above resolved our issues.




/Xark

Badge +1

Frikkie,


Thank you very much for all the support. It turns out that one of the SPNs was incorrect. The FQN was not resolving. I have added a test to try to ping each of the SPNs to my battery of troubleshooting techniques.


Thanks again,


/Xark
