Changing the Default User Manager
Changing the default user manager after installing K2 involves multiple steps, mainly to change the connection strings throughout the platform but also to register the default user manager in the database. This topic details what needs to change for switching the default user manager, and uses changing from AD to SQL as the example, but the steps would be similar for changing from AD to a Custom UM.
Existing, deployed processes rely on string tables and not Environment Library variables. Ensure that you update these string tables, as appropriate, with the same connection information used for updating the Environment Library variables.
Ensure you complete all the steps below and then restart the K2 server. It is recommended that before changing to a new default provider, at least one user from that provider has been granted administration rights on the K2 server.
Follow the steps below to change the default user manager.
The default user manager is the user manager that has a value of 1 in the DefaultLabel column of the SecurityLabels table. User managers that have a Null or 0 are non-default. To switch from AD to SQL follow these steps:
- Stop the K2 blackpearl Server.
- Open Microsoft SQL Server Management Studio.
- Connect to the server where the K2 database is installed.
- Open the K2 database.
- Browse to the SecurityLabel table (HostServer.SecurityLabel).
- Right-click and select Script Table as > SELECT To > New Query Editor Window.
- Execute the following two scripts:

```sql
UPDATE SecurityLabels SET DefaultLabel = 0 WHERE SecurityLabelName = 'K2'
UPDATE SecurityLabels SET DefaultLabel = 1 WHERE SecurityLabelName = 'K2SQL'
```
- The example uses AD to SQL and you must change these values if you are switching from or to a different user manager.
- If you are using a custom user manager, replace K2SQL in the scripts with your custom security label.
- Restart K2 blackpearl Server service.
K2 Workspace includes a configuration file located in the K2 blackpearl root directory (<install drive>:\Program Files (x86)\K2 blackpearl\WorkSpace\Site\web.config). You must modify this to enable SQL user manager-based logins to K2 Workspace. Follow the steps below:
When running in single authentication mode (SQL or Custom) only, you will need to enable Anonymous Authentication and disable Windows Authentication access for the Workspace site. The site also needs to run under an ApplicationPool identity of Local System or Network Service.
However, when running in mixed mode (Active Directory and any other user manager), only Windows Authentication should be enabled for the K2 Workspace site. In this scenario, the Workspace site should run under an Active Directory ApplicationPool Identity which has Administrative permissions within K2.
Perform the following edits in the web.config file:
- Edit the lines shown in the table below; the original line is on the left and the new value on the right.

Original line in web.config | New value | Note |
---|---|---|
`<add key="authenticationMode" value="Windows" />` | `<add key="authenticationMode" value="Forms" />` | |
`<add key="DefaultSecurityLabel" value="K2" />` | `<add key="DefaultSecurityLabel" value="K2SQL" />` | |
`<membership defaultProvider="AspNetActiveDirectoryMembershipProvider" userIsOnlineTimeWindow="1600">` `<!--<membership defaultProvider="MembershipProvider" userIsOnlineTimeWindow="1600">-->` | `<!--<membership defaultProvider="AspNetActiveDirectoryMembershipProvider" userIsOnlineTimeWindow="1600">-->` `<membership defaultProvider="MembershipProvider" userIsOnlineTimeWindow="1600">` | Change which line is commented out |
`<authentication mode="Windows">` | `<authentication mode="Forms">` | |
`<add connectionStringName="ADConnectionString" connectionProtection="Secure" enablePasswordReset="false" enableSearchMethods="true" requiresQuestionAndAnswer="false" applicationName="/" description="Default AD connection" requiresUniqueEmail="false" clientSearchTimeout="30" serverSearchTimeout="30" attributeMapUsername="sAMAccountName" name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />` | `<!--<add connectionStringName="ADConnectionString" connectionProtection="Secure" enablePasswordReset="false" enableSearchMethods="true" requiresQuestionAndAnswer="false" applicationName="/" description="Default AD connection" requiresUniqueEmail="false" clientSearchTimeout="30" serverSearchTimeout="30" attributeMapUsername="sAMAccountName" name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />-->` | Comment out the line |
- Ensure that the following key is present: <add key="ExtraAuthData" value="1" />
- Save and close the web.config file.
- Perform an IIS reset.
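The web.config edits listed above can be verified before the IIS reset rather than by trial login. The following is an added example and not K2's own tooling: a small Python script that parses a Workspace web.config and reports which of the single-mode edits are still missing. The two sample fragments are constructed (a real web.config is far larger, and `PLACEHOLDER-provider-type` stands in for the real provider type); the checker looks for the `<add key>` entries anywhere in the file, so it does not depend on which section holds them. It covers single authentication mode only; in mixed mode Windows Authentication stays enabled, as described above.

```python
"""Check a K2 Workspace web.config for the single-mode (SQL or Custom) login edits.
Added example, not part of K2; the sample configs below are constructed."""
import xml.etree.ElementTree as ET


def _setting(root, key):
    """Value of the first <add key="..." value="..."/> anywhere in the file, or None."""
    node = root.find(f".//add[@key='{key}']")
    return None if node is None else node.get("value")


def check_workspace_config(xml_text, new_label):
    """Return a list of findings; an empty list means every expected edit is present.

    ElementTree drops XML comments while parsing, so a provider line that was
    commented out correctly simply vanishes from the tree, which is what we test.
    """
    root = ET.fromstring(xml_text)
    findings = []

    if _setting(root, "authenticationMode") != "Forms":
        findings.append("authenticationMode key is not 'Forms'")
    label = _setting(root, "DefaultSecurityLabel")
    if label != new_label:
        findings.append(f"DefaultSecurityLabel is {label!r}, expected {new_label!r}")
    if _setting(root, "ExtraAuthData") != "1":
        findings.append("ExtraAuthData key is missing or not '1'")

    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        findings.append("<authentication mode> is not 'Forms'")

    membership = next(root.iter("membership"), None)
    if membership is None or membership.get("defaultProvider") != "MembershipProvider":
        findings.append("membership defaultProvider is not 'MembershipProvider'")
    if membership is not None and any(
            p.get("name") == "AspNetActiveDirectoryMembershipProvider"
            for p in membership.iter("add")):
        findings.append("AspNetActiveDirectoryMembershipProvider is still active (not commented out)")

    return findings


# Constructed "before" (AD) fragment: none of the edits applied yet.
BEFORE_AD = """<configuration>
  <appSettings>
    <add key="authenticationMode" value="Windows" />
    <add key="DefaultSecurityLabel" value="K2" />
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider" userIsOnlineTimeWindow="1600">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Constructed "after" (SQL) fragment: every edit from the table applied.
AFTER_SQL = """<configuration>
  <appSettings>
    <add key="authenticationMode" value="Forms" />
    <add key="DefaultSecurityLabel" value="K2SQL" />
    <add key="ExtraAuthData" value="1" />
  </appSettings>
  <system.web>
    <authentication mode="Forms" />
    <!--<membership defaultProvider="AspNetActiveDirectoryMembershipProvider" userIsOnlineTimeWindow="1600">-->
    <membership defaultProvider="MembershipProvider" userIsOnlineTimeWindow="1600">
      <providers>
        <!--<add name="AspNetActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web" />-->
        <add name="MembershipProvider" type="PLACEHOLDER-provider-type" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_AD), ("after", AFTER_SQL)):
        print(name, check_workspace_config(text, "K2SQL") or "OK")
```

Run it against the real file with `check_workspace_config(open(path).read(), "K2SQL")`, substituting your custom label when you are not using K2SQL.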
Verify Changes
A default user is added on install when the SQL user manager is used (Username: k2, Password: k2).
- Open a browser and navigate to K2 Workspace where a login page will be displayed.
- Enter the user name, password and security label.
- Log in.
Follow the steps below to change the connection string for the Workflow Server:
- Open K2 Workspace.
- Click Management > Management Console.
- Right click on the Workflow Server Node and select Edit Settings.
- Select the User Settings tab.
- Change the connection string in the data field to:
Integrated=False;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL];AuthData=1
The SecurityLabelName in the connection string is the SQL user manager name. Substitute the placeholder value [K2SQL] with the correct value for your system, for example DenallixPartners.
Update the environment library connection strings for all fields except Mail Server and Web Service URL. You can update these in K2 Workspace or from K2 Studio, K2 for Visual Studio or the K2 Management Site. The methods for Workspace and the two designers are shown as examples below.
Method 1: Using K2 Workspace
Follow the steps below to change the connection string for the Environment Library:
- Open K2 Workspace.
- Select Management > Management Console.
- Browse to Environment Library > Templates > Default Template > Environments > [Development, Production or other environment] > Environment Fields.
- Select the Category Server and click Edit.
- Change the connection string in the Field Value to:
Integrated=False;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL];AuthData=1
- Repeat steps 4 and 5 for each of the following environment fields:
- Category Server.
- Service Object Server.
- SmartObject Server.
- Workflow Management Server.
- Workflow Server (note the port number is 5252 by default, not 5555 like the other fields).
The SecurityLabelName in the connection string is the SQL user manager name. Substitute the placeholder value [K2SQL] with the correct value for your system, for example DenallixPartners.
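The same connection string is pasted into several fields above (and into the Workflow Server, User Role Manager and designer settings elsewhere on this page), with two easy mistakes: leaving the `[K2SQL]` placeholder in place, and using port 5555 for the Workflow Server field, which expects 5252. The following is an added example, not part of K2: a Python checker that parses a connection string and reports those errors, and also warns that the password is carried in clear text (`EncryptedPassword=False`). The split on `;` and `=` and the lower-casing of key names are this script's own handling, not a statement about K2's parser; the sample strings are constructed from the template above.

```python
"""Validate a K2 host-server connection string before it goes into a configuration field.
Added example, not part of K2; the sample strings below are constructed."""


def parse_connection_string(text):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased key names."""
    pairs = {}
    for segment in text.split(";"):
        if not segment.strip():          # tolerate a trailing ';'
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {segment!r}")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def check_connection_string(text, expected_port):
    """Return (errors, warnings). Errors should block the change; warnings are for the record.

    expected_port is 5555 for every field on this page except Workflow Server (5252).
    """
    errors, warnings = [], []
    pairs = parse_connection_string(text)

    # A value still wrapped in [ ] is an unsubstituted placeholder such as [K2SQL].
    for key, value in pairs.items():
        if value.startswith("[") and value.endswith("]"):
            errors.append(f"{key}: placeholder {value} has not been substituted")

    # Non-integrated logins need explicit credentials and the label they belong to.
    if pairs.get("integrated", "").lower() == "false":
        for required in ("userid", "password", "securitylabelname"):
            if not pairs.get(required):
                errors.append(f"Integrated=False but {required} is missing")

    if pairs.get("port") != str(expected_port):
        errors.append(f"port is {pairs.get('port')!r}, expected {expected_port}")

    # The strings on this page carry the password in clear text; flag it so the reader
    # knows where credentials end up (the web.config copy can be encrypted, see the
    # "Encrypt the Connection String" section of this page).
    if pairs.get("password") and pairs.get("encryptedpassword", "").lower() == "false":
        warnings.append("password is stored in clear text (EncryptedPassword=False)")

    return errors, warnings


# Constructed samples: the page's template, the substituted form, and the Workflow Server form.
TEMPLATE = ("Integrated=False;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;"
            "Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL];AuthData=1")
SUBSTITUTED = TEMPLATE.replace("[K2SQL]", "DenallixPartners")
WORKFLOW_SERVER = SUBSTITUTED.replace("Port=5555", "Port=5252")

if __name__ == "__main__":
    for label, text, port in (("template", TEMPLATE, 5555),
                              ("category server", SUBSTITUTED, 5555),
                              ("workflow server", WORKFLOW_SERVER, 5252)):
        print(label, check_connection_string(text, port))
```

Pass 5252 as `expected_port` only for the Workflow Server field; every other field on this page uses 5555.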
Follow the steps below to change the connection string for the User Role Manager Service Instance:
- Open K2 Workspace.
- Select Management > Management Console.
- Browse to SmartObjects > Services.
- Select the User Role Manager Service on the left, then select URM Service on the right, and then click Edit to modify the connection string.
- Change the connection string in the HostServerConnectionString to:
Integrated=False;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL];AuthData=1
The SecurityLabelName in the connection string is the SQL user manager name. Substitute the placeholder value [K2SQL] with the correct value for your system, for example DenallixPartners.
If the K2SQL node is not present in the K2 Object Browser of K2 Studio and K2 for Visual Studio, you must update the configuration files and the connection to the Environment Library from K2 Studio and K2 for Visual Studio in order to see them.
Update Configuration Files
Change a line in the configurationmanager.config file (location: <install drive>:\Program Files (x86)\K2 blackpearl\Configuration) so that the user browser renders.

Change (substitute 'Host=DEMO' with your Host name):

```xml
<settings>
  <add key="UserBrowserServer" value="Integrated=True;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=DEMO;Port=5555" />
</settings>
```

To (substitute 'Host=DEMO' with your Host name):

```xml
<settings>
  <add key="UserBrowserServer" value="Integrated=False;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=DEMO;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL]" />
</settings>
```
The K2SQL node is now displayed in the Object and Context Browsers under the User Browser with the following fields:
Field | Description |
---|---|
| | User's email address. |
FQN | User's fully qualified name. |
Manager | User's manager. |
Name | User's name. |
Object SID | The security ID of the user. |
Update Environment Library Connection
You must update the connection to the Environment Library from K2 Studio and K2 for Visual Studio in order to see items in the context browser. This is done by clicking on the upper right corner of the Object Browser > Environment tab, and clicking Change Server.
In the Change Environment Server Connection dialog that appears, type the connection string to the server using the security label and user information.
Integrated=False;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL];AuthData=1
The SecurityLabelName in the connection string is the SQL user manager name. Substitute the placeholder value [K2SQL] with the correct value for your system, for example DenallixPartners.
Each user should type in their username and password to connect to the Environment Library.
When configured for AD, the Out of Office service performs its required method calls using the Application Pool identity, which gives the system the elevated user rights to perform the Management API call for OOF. When a non-AD user manager is configured, the resources that are available when Active Directory is used are no longer available: the Application Pool account is not a user in the default label, so no administration credentials are available to the service and they must be embedded in the connection string.
Enter a New Connection String
A new connection string must be added to the Workspace web.config file. Once the entry has been updated, the connection string can be encrypted for security purposes.
Updated connection string:
```xml
<add name="WorkflowManagementAdminConnectionString" connectionString="IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Integrated=False;Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=[K2SQL]" />
```
The SecurityLabelName in the connection string is the SQL user manager name. Substitute the placeholder value [K2SQL] with the correct value for your system, for example DenallixPartners.
Encrypt the Connection String
The following command is run from the command prompt and is used to encrypt the connection string that was updated in the section above. It will update the web.config file with encrypted information.
```cmd
"%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -pe "connectionStrings" -app "[WorkspaceVirtualDirectoryPath]" -site "[WorkspaceSiteNameOrID]"
```
Tagged Definitions | |
---|---|
[WorkspaceVirtualDirectoryPath] | The virtual directory path you specified on installation, for example "\Workspace" |
[WorkspaceSiteNameOrID] | The virtual directory path you specified on installation, for example "K2" |
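After running the command above, it is worth confirming that the section was actually encrypted and that no entry still carries a password in clear text. The following is an added example, not part of K2 or of aspnet_regiis: a Python function that reports the state of the `<connectionStrings>` section. The encrypted sample is constructed, with placeholder cipher text, in the shape aspnet_regiis -pe produces (a `configProtectionProvider` attribute on the section and an xmlenc `EncryptedData` child); the plaintext sample uses the WorkflowManagementAdminConnectionString from the section above with a constructed second entry.

```python
"""Report whether the <connectionStrings> section of a web.config is encrypted.
Added example, not part of K2; the sample configs below are constructed."""
import xml.etree.ElementTree as ET

# aspnet_regiis -pe replaces the section's children with a single xmlenc EncryptedData element.
ENCRYPTED_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"


def connection_strings_state(xml_text):
    """Return (state, exposed_names) where state is 'encrypted', 'plaintext' or 'missing'.

    exposed_names lists <add name=...> entries whose connectionString still contains a
    Password= token; it is empty when the section is encrypted or absent.
    """
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return "missing", []
    if section.get("configProtectionProvider") and section.find(ENCRYPTED_DATA) is not None:
        return "encrypted", []
    exposed = [entry.get("name") for entry in section.findall("add")
               if "password=" in (entry.get("connectionString") or "").lower()]
    return "plaintext", exposed


# Constructed: the section as it looks before aspnet_regiis -pe is run.
PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="WorkflowManagementAdminConnectionString"
         connectionString="IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Integrated=False;Host=localhost;Port=5555;UserID=k2;Password=k2;SecurityLabelName=DenallixPartners" />
    <add name="ADConnectionString" connectionString="LDAP://PLACEHOLDER-domain-controller" />
  </connectionStrings>
</configuration>"""

# Constructed: the same section after encryption (cipher text is a placeholder).
ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <CipherData>
        <CipherValue>BASE64-CIPHERTEXT-PLACEHOLDER</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    print("before:", connection_strings_state(PLAINTEXT))
    print("after: ", connection_strings_state(ENCRYPTED))
```

A result of `('plaintext', [...])` after the command means the `-app` or `-site` value did not match the Workspace site and a different web.config was encrypted, or none was.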
Decrypt the Connection String
If settings need to be changed and the Workspace web.config file must be amended, use the following command to decrypt the connection string. It is the encryption command with -pe replaced by -pd.

```cmd
"%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -pd "connectionStrings" -app "[WorkspaceVirtualDirectoryPath]" -site "[WorkspaceSiteNameOrID]"
```
Additional Information
For further information on encrypting and decrypting connection strings, see the following resource http://msdn.microsoft.com/en-us/library/ms998283.aspx
Any change in the configuration of user managers requires the existing user cache to be expired. Execute the following SQL command against the K2 database:

```sql
UPDATE [K2].[Identity].[Identity]
SET [ExpireOn] = GETDATE()
   ,[Resolved] = 0
   ,[ContainersResolved] = 0
   ,[ContainersExpireOn] = GETDATE()
   ,[MembersResolved] = 0
   ,[MembersExpireOn] = GETDATE()
GO
```