K2 blackpearl Product Documentation: Installation and Configuration Guide
Information and Error Messages

Troubleshooting the Log Messages

The list of error messages below are some of the error messages that may occur if or when Kerberos failure takes place. This topic is not intended to cover all aspects but is intended solely to indicate the most likely errors. The types of error messages that will be encountered are divided into two categories namely Information Messages and Error Messages.

See the following topic for more information on the K2 Logging framework : K2 Auditing and Logging

Information Log Messages

Copy Code
Switching Security Context from <anonymous user> to <pass-through user> for Session <id>.

This message displays  when a successful K2 Pass-Through Authentication event has occurred. Namely, the client API requested K2 Pass-Through Authentication and the K2 Server confirmed that it meets the requirements of the configuration settings.

Copy Code
No delegated or cached credentials are available to impersonate [pass-through user] for Session [session id]. External calls will be made in the context of the Service Account.

If the K2 Host Server needs to contact another hosted server (e.g. the SmartObject Server) and K2 Pass-Through Authentication occurred successfully on the original client connection, K2 Host Server will attempt to use SSO credentials so that the K2 Service Account isn’t used. If the current K2 Pass-Through Authentication user has no cached credentials, you’ll see this message.

Error Log Messages

Copy Code
K2 Pass-Through Authentication failed. Current Host Server configuration prevents pass-through to non-Windows identities.

The message above displays if K2 Pass-Through Authentication is attempted, you have the configuration setting of ClientWindows and the K2 Client API either found a non-Windows token (e.g. Forms) or it wasn’t able to verify  that the Windows token is authenticated.

Copy Code
Windows (Kerberos/NTLM) Identity Required. The end-user's identity is not being 
passed correctly between your client and server, perhaps due to incorrect 
Kerberos configuration. Either correctly configure Kerberos or utilize K2 
Pass-Through Authentication by setting the DelegationContext in 
K2HostServer.Config to ClientAny or ClientWindows mode instead of <current 
setting>.

This message  will display if you have ClientKerberos configured (or no setting) and K2 Pass-Through Authentication was attempted, meaning that your Kerberos configuration isn’t working. K2 Pass-Through Authentication would fail in this circumstance, so this is a warning that someone should resolve this by either enabling K2 Pass-Through Authentication or fixing Kerberos.

Mismatch Error

The following error: "A mismatch between the end user and the connection credentials has been detected. This may be intentional and will only require action if specific problems are currently being encountered. Refer to Kerberos and K2 Pass-Through Authentication settings…" occurs whenever a client (SourceCode.Workflow.Client) wants to use pass-through, but it is not allowed. This occurs when a user is logged in with the same account as the Workspace AppPool account, PTA-ClientWindows is enabled, and a connection needs to be made to another server such as a domain controller.It should not occur for Kerberos failures. However, there could be a non-related Kerberos failure at the same time depending on the connection being made.

 

 


K2 blackpearl Product Documentation: Installation and Configuration Guide 4.6.11