Troubleshooting Authentication Issues
This section covers a common issue you may encounter with authentication, as well as the recommended resolution.
If your environment has multiple AD domains, or had multiple domains in the past, you may receive an authentication blocking error when trying to install K2. To troubleshoot the issue, check the following:
- Open the product.config file in the Setup Manager's Installation folder and search for this key: <setting key="domainusercheck" value="true" />. Make sure it is not set to false. This setting only needs to be set to false for a multi-domain setup where the computer domain is different to the user account domain used for the setup.
- Make sure that no accounts used for installing K2 have the following two local policies set:
- Deny log on locally
- Deny log on through Remote Desktop Services
If neither of these are the problem, log a case for support to assist further troubleshooting.
When restricting permissions for domain users on the default containers for Users and Computers in Active Directory, the following errors can occur.
Error in the K2 installer during Exchange integration:
Error when attempting to browse to the K2 Workspace (Deskop) site after installation:
Error when attempting to browse to the K2 Designer site after installation:
The errors above may not always be the same, but they will always reference to an error with the DirectoryServices.
Resolution:
In order for K2 to function properly, service accounts require the List contents and Read all properties permissions to be granted on the root of the domain. Follow these steps to achieve this:
- Open Active Directory Users and Computers
- Click View
- Click Advanced Features (if it is not already selected)
- Select the domain root, Properties
- Select the Security tab
- Click Advanced
- Select Authenticated Users (or add a new set of permissions for a group containing the service account if you don't want to edit an existing set)
- Click Edit
This should apply to This object and all descendent objects to ensure permissions are allowed for all containers in the domain.