Note: This documentation gets updated only when necessary, as the product is in sustained mode. For product updates see the Release Notes.
Troubleshooting the Log Messages
The list of error messages below are some of the error messages that may occur if or when a delegation failure takes place. This topic is not intended to cover all aspects but is intended solely to indicate more common errors. The types of error messages that will be encountered are divided into two categories -- Information Messages and Error Messages.
Information Log Messages
Message |
Meaning |
Switching Security Context from <anonymous user> to <pass-through user> for Session <id>. |
This message displays when a successful K2 Pass-Through Authentication event has occurred. Namely, the client API requested K2 Pass-Through
Authentication and the K2 Server confirmed that it meets the requirements of the configuration settings. |
No delegated or cached credentials are available to impersonate [pass-through user] for Session [session id]. External calls will be made in the context of the Service Account. |
If the K2 server needs to contact another hosted server (e.g. the SmartObject Server) and K2 Pass-Through Authentication occurred successfully on the original client connection, K2 Host Server will attempt to use SSO credentials so that the K2 Service Account isn’t used. If the current K2 Pass-Through Authentication user has no cached credentials, you’ll see this message. |
Error Log Messages
Error |
Meaning |
K2 Pass-Through Authentication failed. Current Host Server configuration prevents pass-through to non-Windows identities. |
This message displays if K2 Pass-Through Authentication is attempted, and you have the configuration setting of ClientWindows and the K2 Client API either found a non-Windows token (e.g. Forms) or it wasn’t able to verify that the Windows token is authenticated. |
Windows (Kerberos/NTLM) Identity Required. The end-user's identity is not being
passed correctly between your client and server, perhaps due to incorrect
Kerberos configuration. Either correctly configure Kerberos or utilize K2
Pass-Through Authentication by setting the DelegationContext in
K2HostServer.exe.config to ClientAny or ClientWindows mode instead of <current
setting>. |
This message will display if you have ClientKerberos configured (or no setting) and K2 Pass-Through Authentication was attempted, meaning that your Kerberos configuration isn’t working. K2 Pass-Through Authentication would fail in this circumstance, so this is a warning that someone should resolve this by either enabling K2 Pass-Through Authentication or fixing Kerberos. |
Mismatch Error
Error |
Meaning |
A mismatch between the end user and the connection credentials has been detected. This may be intentional and will only require action if specific problems are currently being encountered. Refer to Kerberos and K2 Pass-Through Authentication settings. |
This message occurs whenever a client (SourceCode.Workflow.Client) wants to use pass-through, but it is not allowed. This occurs when a user is logged in with the same account as the Workspace AppPool account, PTA-ClientWindows is enabled, and a connection needs to be made to another server such as a domain controller .It should not occur for Kerberos failures. However, there could be a non-related Kerberos failure at the same time depending on the connection being made. |