K2 blackpearl Product Documentation: Installation and Configuration Guide
Installation and Configuration Settings

Installation

The local group policy for each K2 Server Machine must be updated as per the following topic: Local Security Policy

SharePoint Requirements

If the Client User's service call requires access to a specific database where K2 Pass Through Authentication would be used, then the following user must be added to the database NT AUTHORITY\ANONYMOUS LOGON .
 

Configuration Settings

The required updates to K2 blackpearl to support K2 Pass-Through Authentication will install with K2 blackpearl 1290 for all distributed installations. The updates are intended for distributed installations and this is assumed by the installer when the Custom Option is selected. If a simple full installation is chosen, K2 Pass Through is not needed so the User configuration page will not display.

The K2 Pass-Through Authentication installation screen is only visible when installing K2 Server in a distributed configuration.

Along with the UI based configuration that is made while installing the system, settings are also located within the K2HostServer.Config file using the DelegationContext node. The selection implemented using these settings will determine how the system responds and handles authentication errors.

Once these settings have been implemented they are global for the K2 components, especially when K2 Servers for example are load balanced. All nodes MUST have the same configuration to avoid inconsistent behavior.

The manner in which K2 Pass-Through Authentication works can be configured using the DelegationContext node in the AppSettings section of K2HostServer.Config. This setting is global for all server connections, regardless of the source. If a network load balancer (NLB) is in place, all K2 Server nodes should have the same setting to prevent inconsistent behavior.

ClientKerberos

Client Kerberos is the default setting and the system will assume such if no change is made. With this option set, the K2 Server will behave as per normal before K2 Pass-Through Authentication was introduced. This means that normal delegation will take place using NTLM and assume that Kerberos has been configured.

If Kerberos was not configured, the error message will be logged in the K2 Server Log. When a connection is made that requested K2 Pass-Through Authentication, and delegation failed an error message will be logged in the K2 Log Files to identify the problem. When Kerberos Delegation or NTLM authentication takes place, the assumption is that the system is working as expected and no error messages will be recorded since there is no need.


Client Kerberos is the recommended option for enabling maximum security which implies that the system administrator has decided not to use K2 Pass Through Authentication.  This is the recommended option owing to the benefits of using Kerberos, however this does introduce the requirement for good planning and a higher degree of expertise to install.  Resources are available from the K2 Customer portal to assist in configuring Kerberos, and it is strongly recommended that these be used.

ClientWindows

ClientWindows constrains K2 Pass-Through Authentication to only occur if the client credentials are of WindowsIdentity type i.e. a valid windows token. This implementation will prevent less secure User Clients such as Forms and Claims identities from passing credentials. If Kerberos (or NTLM) is working, it uses those credentials. This is the recommended option for environments containing only Windows users and who need to maximize functionality and security, and this does not require Kerberos to be configured.

Recommendation: When the K2 Server is run in console mode make sure to be logged in as the correct user and make use of the “Run as Administrator” option to ensure that the correct elevated privileges are utilized.

 

 


K2 blackpearl Product Documentation: Installation and Configuration Guide 4.6.11