Note: This documentation gets updated only when necessary, as the product is in sustained mode. For product updates see the Release Notes.

Kerberos

When components are installed on separate servers, credentials must be passed between the services. This can be accomplished by setting up Kerberos, which must be configured prior to installing K2. Although changes can be made after K2 is installed, you should attempt to configure Kerberos requirements prior to installing K2. Any time where two or more hops are required for user authentication, Kerberos must be configured unless you have decided to use K2 Pass-Through Authentication.

Kerberos is recommended for all configurations, machines and services in a distributed environment except for those that use OAuth (SharePoint 2013 and Azure Active Directory SmartObjects).

What is Kerberos?

Which authentication model should be implemented depends on whether user credentials must be passed from one system to another. When user credentials are passed, the system that is attempting to pass the credentials must be trusted for delegation. For this step to take place successfully, Kerberos delegation must be configured.

Basically, if a system needs to impersonate a user or if there are two or more hops between servers (commonly known as the 'double-hop issue'), Kerberos is required.

How can I tell if Kerberos is not configured properly?

Configuring Kerberos is an advanced task and should only be performed by an appropriately-trained person. The steps and configurations given in this help file are to be used as a guide. Your system may require additional configuration due to different hardware and software compatibilities.

The need for Kerberos configuration may only become evident once the following errors are detected. These errors appear as soon as one of the servers attempts to pass credentials.

NT AUTHORITY/ANONYMOUS LOGON
401 - Access Denied

Kerberos is configured as part of the installation, some configuration happens once the components are installed.

Neither Microsoft nor K2 developed the Kerberos standard. The MIT standard has been implemented in the Windows platform and K2 relies on the implementation to successfully pass credentials between servers.

A detailed guide on Security and Kerberos Authentication with K2 Servers can be found athttps://community.nintex.com/t5/K2-Archived-Articles/Configuring-Kerberos-for-K2-environment/ta-p/201873. This whitepaper contains useful information but some aspects are out of date. Current information on Kerberos authentication and K2 servers is available in this Help collection and via K2 KB articles.

Additional Resources for Kerberos

Kerberos Protocol Transition and Constrained Delegation:
https://technet.microsoft.com/en-us/library/cc739587(v=ws.10).aspx

Knowledge Base Articles on Kerberos:
https://community.nintex.com/t5/K2-blackpearl/ct-p/K2-blackpearl?q=Kerberos

Information on the Double-Hop Issue:
http://support.microsoft.com/kb/329986

While infrastructure changes are required by K2, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes prior to installing K2.