K2 Site Configuration
You can do the following on the K2 Site Configuration page:
- Create the K2 Site.
- Select an existing site if one exists.
- Select a binding if multiple IIS bindings are used.
If you create a new site with the installer, a K2 Self Signed Certificate will be automatically generated and used. If you choose an existing site, that site must already have a certificate.
On a simple full installation (single server) the Setup Manager uses the K2 User Account seen in the image below for the Application Pool, the K2 Service Account and the K2 Administrator account.
When doing a custom installation, you will see a slightly different screen where you can enter three different accounts (App Pool, Service, and Admin).
When generating the XML file for an unattended install, you will see the "create a new website" and "use an existing website" section.
Feature | Description |
---|---|
Create a New Web Site | If you want to create a new site, type the name in the Web Site Name field, and K2 will create it automatically. |
Use an Existing Web Site Name | The name of the site created under IIS. Use the Bindings button to select which binding to use. Note: You can create the site without closing the K2 Setup Manager. Click Refresh to reload the list of available web site options. |
Test the User Account credentials | To test the username / password combination, click the Test button. |
The Setup Manager takes care of bindings configuration in the background; the bindings page is not shown unless you click the Bindings button. The Setup Manager hides the bindings page except under the following conditions:
- The Setup Manager shows the bindings page if you have a binding on your website set up in IIS with a wildcard certificate and with no host name entry. In this case the bindings page will show a binding in this format:
  https://[MachineName].[domain].com:443
  You're free to use this if you do not want to set up a Host Header. If you want to use a Host Header, see the following points:
  - If you select this binding and are using IIS 7.5 (legacy), you will need to resolve the binding by following the steps shown in this article: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html
  - If you are using IIS 8, simply edit the binding in IIS and enter a host header.
K2 recommends that you use SSL (HTTPS protocol) when configuring K2 sites (Viewflow, K2 Designer, and SmartForms Runtime sites). If you don't use SSL, you run the risk of unencrypted site traffic being intercepted.
If you configure all K2 sites to use SSL (HTTPS protocol), K2 recommends setting cookies as secure (described below). Using secure cookies prevents sending authentication and other cookies over unencrypted HTTP. Enabling secure cookies applies to the following cookies sent by K2 sites:
- .K2Auth
- FedAuth
- XSRFCookie
- AspxAutoDetectCookieSupport
Possible errors in mixed-protocol environments
In environments using both SSL and non-SSL bindings, cookies may be incorrectly set to secure. For example, the Designer site is set to HTTP but the runtime site is set to HTTPS. If accessing the site over HTTP when cookies are set to secure, the following issues will occur.
- If you open the runtime site (configured for HTTPS) first and then open the Designer site, you get redirected to the login page. If you are using Windows STS you see a blank page that is stuck in a loop trying to authenticate you. If you are using Forms STS, you are redirected to the login page where you can enter credentials but you are returned to this page even if you submit valid credentials.
If you do encounter these issues you must disable secure cookies.
Enable or disable secure cookies
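To enable or disable secure cookies, you must change the web.config file of each site, in the sections shown below. Set the requireSsl and requireSSL attributes to "true" to enable secure cookies or to "false" to disable them: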
- Viewflow: [K2 installation folder]\WebServices\Viewflow\
- K2 Designer: [K2 installation folder]\K2 SmartForms Designer\
- SmartForms Runtime site: [K2 installation folder]\K2 SmartForms Runtime\

    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" path="/" />
      </federationConfiguration>
    </system.identityModel.services>

    <authentication mode="Forms">
      <forms defaultUrl="Default.aspx" loginUrl="_trust/Login.aspx" requireSSL="true" enableCrossAppRedirects="true" cookieless="AutoDetect" timeout="9000" />
    </authentication>

Add or edit the following setting under the <system.web> element:

    <system.web>
      <httpCookies requireSSL="true"/>
    </system.web>

Save the web.config file, clear your browser cache and open the site again. Cookies are now secure.
Strict-Transport-Security (HSTS)
K2 recommends enabling HSTS if your K2 sites and web endpoints make use of SSL (HTTPS). In short, enabling HSTS tells the client browser to force the use of HTTPS for the domain.
See the HTTP Strict Transport Security Cheat Sheet for information on HSTS.
If HSTS is enabled by mistake and you run into issues due to a mixed protocol configuration, you can disable it by completely removing the following entry from the ViewFlow, K2 Designer, and SmartForms Runtime web.config files:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Strict-Transport-Security" value="max-age=5184000;" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

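To confirm that a site's web.config carries every secure-cookie setting and the HSTS header described above, the following PowerShell function reports each one. It is an added example, not K2 code: the function name Get-K2CookieSecurity and the sample web.config are constructed for illustration, and it assumes the standard <configuration> root element.

```powershell
# Added example, not K2 tooling. Function name and sample content are constructed.
function Get-K2CookieSecurity {
    param([Parameter(Mandatory)][xml]$Config, [string]$Site = 'web.config')

    # Element XPath and the attribute to read. Attribute casing follows the page:
    # cookieHandler uses requireSsl; forms and httpCookies use requireSSL.
    $checks = @(
        @{ Path = '/configuration/system.identityModel.services/federationConfiguration/cookieHandler'; Attr = 'requireSsl' },
        @{ Path = '/configuration/system.web/authentication/forms'; Attr = 'requireSSL' },
        @{ Path = '/configuration/system.web/httpCookies'; Attr = 'requireSSL' },
        @{ Path = "/configuration/system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']"; Attr = 'value' }
    )
    foreach ($c in $checks) {
        $node = $Config.SelectSingleNode($c.Path)
        if ($null -eq $node) {
            $value = '(element missing)'; $ok = $false
        } elseif ($c.Attr -eq 'value') {
            # HSTS counts as enabled only with a non-zero max-age
            $value = $node.GetAttribute('value'); $ok = $value -match 'max-age=[1-9]'
        } else {
            # XML attribute names are case-sensitive: a wrongly cased name reads as empty
            $value = $node.GetAttribute($c.Attr); $ok = $value -eq 'true'
        }
        [pscustomobject]@{
            Site = $Site; Element = ($c.Path -split '/')[-1]
            Attribute = $c.Attr; Value = $value; Secure = $ok
        }
    }
}

# Constructed sample: cookieHandler is secure, forms is not, httpCookies is absent.
$sample = @'
<configuration>
  <system.identityModel.services>
    <federationConfiguration><cookieHandler requireSsl="true" path="/" /></federationConfiguration>
  </system.identityModel.services>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="_trust/Login.aspx" requireSSL="false" /></authentication>
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders>
      <add name="Strict-Transport-Security" value="max-age=5184000;" />
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>
'@
Get-K2CookieSecurity -Config $sample -Site 'constructed sample' | Format-Table -AutoSize
# Real file: Get-K2CookieSecurity -Config (Get-Content '<site folder>\web.config' -Raw)
```

Run it against the web.config of each of the three sites and compare the rows. A site that reports Secure = False while the others report True is the mixed state behind the login loop described earlier.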
What to do on this page
Enter the load balanced URL here if installing the K2 Site over a load balanced environment. Also, if choosing HTTPS for the web site, you need to have already set up the binding and certificate.
To configure the K2 Site:
Option 1 - Create a new web site:
- Enter the name for the New web site or keep the default name, K2.
- Click Next to proceed.
- The Setup Manager will create the new web site.
Option 2 - Use an existing Web site:
- Select the web site to use from the Web Site drop down menu.
- Click Next to proceed.