Troubleshooting the Log Messages
The list of error messages below are some of the error messages that may occur if or when Kerberos failure takes place. This topic is not intended to cover all aspects but is intended solely to indicate the most likely errors. The types of error messages that will be encountered are divided into two categories namely Information Messages and Error Messages.
 |
See the following topic for more information on the K2 Logging framework : K2 Auditing and Logging |
Information Log Messages
|
Copy Code
|
|
|---|---|
Switching Security Context from <anonymous user> to <pass-through user> for Session <id>. |
|
This message displays when a successful K2 Pass-Through Authentication event has occurred. Namely, the client API requested K2 Pass-Through Authentication and the K2 Server confirmed that it meets the requirements of the configuration settings.
|
Copy Code
|
|
|---|---|
No delegated or cached credentials are available to impersonate [pass-through user] for Session [session id]. External calls will be made in the context of the Service Account. |
|
If the K2 Host Server needs to contact another hosted server (e.g. the SmartObject Server) and K2 Pass-Through Authentication occurred successfully on the original client connection, K2 Host Server will attempt to use SSO credentials so that the K2 Service Account isn’t used. If the current K2 Pass-Through Authentication user has no cached credentials, you’ll see this message.
Error Log Messages
|
Copy Code
|
|
|---|---|
K2 Pass-Through Authentication failed. Current Host Server configuration prevents pass-through to non-Windows identities. |
|
The message above displays if K2 Pass-Through Authentication is attempted, you have the configuration setting of ClientWindows and the K2 Client API either found a non-Windows token (e.g. Forms) or it wasn’t able to verify that the Windows token is authenticated.
|
Copy Code
|
|
|---|---|
Windows (Kerberos/NTLM) Identity Required. The end-user's identity is not being passed correctly between your client and server, perhaps due to incorrect Kerberos configuration. Either correctly configure Kerberos or utilize K2 Pass-Through Authentication by setting the DelegationContext in K2HostServer.Config to ClientAny or ClientWindows mode instead of <current setting>. |
|
This message will display if you have ClientKerberos configured (or no setting) and K2 Pass-Through Authentication was attempted, meaning that your Kerberos configuration isn’t working. K2 Pass-Through Authentication would fail in this circumstance, so this is a warning that someone should resolve this by either enabling K2 Pass-Through Authentication or fixing Kerberos.
Mismatch Error
The following error: "A mismatch between the end user and the connection credentials has been detected. This may be intentional and will only require action if specific problems are currently being encountered. Refer to Kerberos and K2 Pass-Through Authentication settings…" occurs whenever a client (SourceCode.Workflow.Client) wants to use pass-through, but it is not allowed. This occurs when a user is logged in with the same account as the Workspace AppPool account, PTA-ClientWindows is enabled, and a connection needs to be made to another server such as a domain controller.It should not occur for Kerberos failures. However, there could be a non-related Kerberos failure at the same time depending on the connection being made.
