Example of K2 Pass-Through Implementation
K2 Pass-Through Authentication is useful in a variety of runtime and management scenarios involving K2 components, for example the K2 Worklist Web Part, K2 Workspace, K2 Process Portal and custom task pages.
The scenario described in this section illustrates how K2 Pass-Through Authentication can be implemented in an environment where Kerberos has not been configured correctly. The environment consists of:
- SharePoint, with a Site containing an Announcements List
- K2 Server
- K2 Workspace
- Thick-client InfoPath Form we’ll use as our client
Run Time Scenario
In this scenario, the InfoPath form connects in real time to the SharePoint list via a K2 SmartObject. Without K2 Pass-Through Authentication, in an environment where Kerberos is configured incorrectly this scenario would fail with refused connections and Kerberos (double-hop delegation) errors. At each stage, the description explains how K2 Pass-Through Authentication is used to resolve the Kerberos issue.
SmartObject Creation
From within SharePoint, use K2 SmartObject Configuration to add a SmartObject to the Announcements list – ensuring that you check the integrated check box.
Potential Kerberos-Related Problems | How K2 Pass-Through Authentication Will Help |
---|---|
Without K2 Pass-Through Authentication, the user would not be able to connect from the K2 SharePoint components to the K2 Server to create the SmartObject, as this is a double hop (Kerberos delegation failure). | Connection will be made. |
K2 Pass-Through Authentication provides the following functionality:
- K2’s SharePoint components use SourceCode.HostClientAPI to contact the K2 Server. If Kerberos is not configured for this step, the connection arrives at the K2 Server as anonymous.
- With K2 Pass-Through Authentication the logon attempt succeeds, as the user creating the SmartObject.
- K2 Host Server will then call the K2 SmartObject Server.
- The K2 SmartObject Server verifies that the K2 Pass-Through User has rights to create SmartObjects and Service Instances.
- The K2 SmartObject Server will execute the relevant methods of K2’s SharePoint ServiceObject.
- K2 Server will then contact SharePoint to retrieve the metadata for the Announcement List. This facilitates the creation of the correct SmartObject structure. This is performed as the K2 Service Account context (SharePoint already validated the end-user’s permissions so there’s no need to do it twice), meaning no other K2 Pass-Through Authentication functionality is used here.
- The SmartObject and related Service Instance are created, using the structure retrieved from SharePoint.
InfoPath Form Configuration
This step configures the InfoPath form and integrates it with the SmartObject created in the previous step.
- Right click the InfoPath form template and choose “Integrate with SmartObject”.
- Select the SmartObject previously created for the Announcements list and choose to link the “Create” method with your form.
- Add the metadata for the “Create” method to your form and then link this SmartObject method to a button so that you can create an Announcement from the InfoPath form.
- Publish this InfoPath form so that you can execute it.
Potential Kerberos-Related Problems | How K2 Pass-Through Authentication Will Help |
---|---|
Unable to connect to K2 via the K2 Runtime Services (on the K2 Workspace or SharePoint server) as this is a double hop. | Will allow connection to be made. |
What happens here with K2 Pass-Through Authentication is as follows:
- The K2 Runtime services (which may be hosted on the K2 Workspace or SharePoint server) will be contacted by the wizard on the client used to add the SmartObject.
- These will in turn call K2 via SourceCode.HostClientAPI, performing K2 Pass-Through Authentication in order to log in to K2 as the end-user (if the end user credentials were lost on the hop via the K2 Runtime Services).
- K2 Host Server will then contact the K2 SmartObject Server in order to retrieve the SmartObject details, via the K2 SharePoint ServiceObject. No connection to SharePoint is required here, so no further K2 Pass-Through Authentication functionality is used.
Executing the InfoPath form – using SharePoint Impersonation
Open the InfoPath form and add an announcement. Once this is complete, verify in SharePoint that the creator of the announcement list item was the end-user and not the K2 Service Account. This has been achieved without any delegation, using K2 Pass-Through Authentication’s SharePoint impersonation feature.
Potential Kerberos-Related Problems | How K2 Pass-Through Authentication Will Help |
---|---|
Can’t connect to K2 via the K2 Runtime Services (on the K2 Workspace or SharePoint server) as this is a double hop. | Will allow connection to be made. |
Don’t have user credentials to call SharePoint, only the K2 Service Account. | Will use SharePoint impersonation in order to make the updates in SharePoint as the end user. |
Events taking place using K2 Pass-Through Authentication are as follows:
- The K2 Runtime services (which may be hosted on the K2 Workspace or SharePoint server) will be contacted by the InfoPath form (running on the client).
- The K2 Runtime Services will in turn call K2 via SourceCode.HostClientAPI, performing K2 Pass-Through Authentication in order to log in to K2 as the end-user (if the end user credentials were lost on the hop via the K2 Runtime Services).
- K2 Host Server will then contact the K2 SmartObject Server - this will be done as the K2 Service Account.
- The request will be passed to the K2 SharePoint ServiceObject in order to execute the relevant method.
- The K2 SharePoint ServiceObject will pass the K2 Pass-Through user identity to the K2 SharePoint web services (connecting in the K2 Service Account’s context) on the SharePoint server. These will perform an impersonation on SharePoint prior to performing the desired functionality – in this case adding the Announcement.
Executing the InfoPath form – Enforce Impersonation
The Enforce Impersonation option is redundant for SharePoint, because SharePoint impersonation already ensures that the update is made as the end user, so there is no security issue to solve here. It is still worth illustrating in this scenario, because K2 contacts SharePoint as the K2 Service Account before impersonation is performed, which is exactly the condition that Enforce Impersonation blocks.
For this step, before opening the InfoPath form and adding the Announcement, do the following:
- Use the K2 SmartObject Service Tester to locate the Service Instance for the Announcements list.
- Set the Enforce Impersonation property to True, ensuring that Impersonate is also still True. Creation of the Announcement should now fail, because the SmartObject Server was contacted as the K2 Service Account instead of the end-user, which is blocked by this property.
Potential Kerberos-Related Problems | How K2 Pass-Through Authentication Will Help |
---|---|
Can’t connect to K2 via the K2 Runtime Services (on the K2 Workspace or SharePoint server) as this is a double hop. | Will allow connection to be made. |
Don’t have user credentials to call SharePoint, only the K2 Service Account. | Will block the Service Account from using a SmartObject marked as integrated. |
Events that take place with K2 Pass-Through Authentication are as follows:
- The K2 Runtime services (which may be hosted on the K2 Workspace or SharePoint server) will be contacted by the InfoPath form (running on the client).
- These will in turn call K2 via SourceCode.HostClientAPI, performing K2 Pass-Through Authentication in order to log in to K2 as the end-user (if the end user credentials were lost on the hop via the K2 Runtime Services).
- K2 Host Server will then contact the K2 SmartObject Server. This will be done as the K2 Service Account.
- The K2 SmartObject Server identifies that the Enforce Impersonation and Impersonate properties are both True. It then compares the current user in the K2 Host Server (the pass-through end-user) with the user actually executing the code. Because they differ (the code is executing as the Service Account), an exception is thrown and execution of the SmartObject method stops.
Executing the InfoPath form – using Single Sign-On
In this instance Single Sign-On (SSO) is used to contact SharePoint as the correct user instead of using the native impersonation functionality of the K2 SharePoint ServiceObject. Since the call now runs as the actual end user, it succeeds even if the Enforce Impersonation property is True.
To cache SSO credentials for the end user, either use the K2 Workspace to cache the credentials, or connect to the K2 Host Server via any API (e.g. the Workflow Management API) as that user, with a non-integrated connection string that resembles the following (UserID is the end user’s account in domain\user form, not the K2 Service Account):
Integrated=False; IsPrimaryLogin=True; SecurityLabelName=K2; UserID=[domain\user]; Password=[password]; Host=[k2 server]; Port=[port]
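The following is an added example of the API route for caching the credentials; it is not code from the K2 documentation. It builds the connection string above with SCConnectionStringBuilder (SourceCode.HostClientAPI) and opens a Workflow Management connection as the end user. The host name, port and account are placeholders, and the example assumes SourceCode.HostClientAPI.dll and SourceCode.Workflow.Management.dll are referenced.

```csharp
// Added example (not from the K2 documentation): log on to the K2 Host Server
// once with the END USER's explicit credentials so that K2 caches them for SSO.
using System;
using System.Text;
using SourceCode.Hosting.Client.BaseAPI;   // SCConnectionStringBuilder
using SourceCode.Workflow.Management;      // WorkflowManagementServer

class CacheSsoCredentials
{
    static void Main()
    {
        // Placeholders (assumptions): replace with the real K2 server and the
        // end user's domain account. This must NOT be the K2 Service Account.
        string k2Host = "k2server.example.local";
        uint k2Port = 5555;                       // default K2 Host Server port
        string domainUser = @"DOMAIN\alice";      // domain\user form
        string password = ReadPassword();         // prompt; never hard-code it

        var csb = new SCConnectionStringBuilder
        {
            Host = k2Host,
            Port = k2Port,
            Integrated = false,       // explicit credentials, so K2 can cache them
            IsPrimaryLogin = true,
            Authenticate = true,
            EncryptedPassword = false,
            SecurityLabelName = "K2", // Windows/AD security label, as on this page
            UserID = domainUser,
            Password = password
        };

        var wms = new WorkflowManagementServer();
        try
        {
            wms.CreateConnection();
            wms.Connection.Open(csb.ConnectionString);
            Console.WriteLine("Logged on to {0} as {1}; credentials are now cached for SSO.",
                              k2Host, domainUser);
        }
        finally
        {
            if (wms.Connection != null) wms.Connection.Close();
        }
    }

    // Read the password from the console without echoing it.
    static string ReadPassword()
    {
        Console.Write("Password for end user: ");
        var sb = new StringBuilder();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(key.KeyChar)) sb.Append(key.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }
}
```

Run this once per end user (or have the user run it) before opening the InfoPath form. Note that the password is carried to the K2 Host Server inside the connection string and is then held in the K2 SSO cache, so only run this from a trusted workstation and treat the SSO store with the same care as any other credential store.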
Once this is done, open the InfoPath form and create an Announcement. Again, it should be created as the end user and not the K2 Service Account.
Potential Kerberos-Related Problems | How K2 Pass-Through Authentication Will Help |
---|---|
Can’t connect to K2 via the K2 Runtime Services (on the K2 Workspace or SharePoint server) as this is a double hop. | Will allow connection to be made. |
Don’t have user credentials to call SharePoint, only the K2 Service Account. | Uses SSO to store and retrieve the end user’s credentials, logging on as and impersonating that user so that those credentials are used to call SharePoint, just as if Kerberos were working. |
What happens here with K2 Pass-Through Authentication is as follows:
- The K2 Runtime services (which may be hosted on the K2 Workspace or SharePoint server) will be contacted by the InfoPath form (running on the client).
- These will in turn call K2 via SourceCode.HostClientAPI, performing K2 Pass-Through Authentication in order to log in to K2 as the end-user (if the end user credentials were lost on the hop via the K2 Runtime Services).
- K2 Host Server will note that it needs to call a hosted server (the K2 SmartObject Server) and that it is doing K2 Pass-Through Authentication. It will then retrieve the SSO credentials for that user which are now present.
- The K2 Host Server will logon and impersonate the end-user by using the SSO credentials, before calling the K2 SmartObject Server as the impersonated SSO user (end user).
- The request running under the SSO credentials will be passed to the K2 SharePoint ServiceObject in order to execute the relevant method to add the Announcement.
- Once this is complete, the K2 Host Server will revert to the Service Account.