K2 Site Configuration

You can do the following on the K2 Site Configuration page:

  1. Create the K2 Site.
  2. Select an existing site if one exists.
  3. Select a binding if multiple IIS bindings are used.

If you create a new site with the installer, a K2 Self Signed Certificate will be automatically generated and used. If you choose an existing site, that site must already have a certificate and must be a secure site (HTTPS). HTTPS is required to ensure communication between a user's browser and the K2 site is secure, for more info see K2 relies on HTTPS to secure communication between browsers and the server.

When selecting Use an existing Web Site, this site must already exist.
Depending on your environment, you may see a slightly different screen to the one shown here. You will at least see the Create a new Web site option.
On a simple full installation (single server) the Setup Manager uses the K2 User Account seen in the image below for the Application Pool, the K2 Service Account and the K2 Administrator account.
When doing a custom installation, you will see a slightly different screen where you can enter three different accounts (App Pool, Service, and Admin).
When generating the XML file for an unattended install, you will see the create a new website and use an existing website section.

Feature Description

Create a New Web Site

If you want to create a new site, type the name in the Web Site Name field, and K2 will create it automatically.

Use an Existing Web Site Name

The name of the site created under IIS. Use the Bindings button to select which binding to use.

Note: You can create the site without closing the K2 Setup Manager. Click Refresh to reload the list of available web site options.

Test the User Account credentials

To test the username / password combination, click the Test button.
If the Web site drop down does not list a site, you may need to create one. Type in the name of the web site you want to create, and K2 will do the rest. If a site was recently created and does not display, you may need to perform an IIS reset. Then, click the Refresh button on this page.

Bindings refers to the bindings for the website as set up in IIS.

The Setup Manager takes care of bindings configuration in the background, the bindings page is not shown unless you click the Bindings button. The Setup Manager hides the bindings page except under the following conditions:

  • The Setup Manager shows the bindings page if you have a binding on your website set up in IIS with a wildcard certificate and with no host name entry. In this case the bindings page will show a binding in this format:
    https://[MachineName].[domain].com:443
    You're free to use this if you do not want to set up a Host Header. If you want to use a Host Header, see the following points:

  • The Setup Manager shows the Resolve STS Issuers page if, during an Upgrade or Reconfigure, the selected bindings don't match the STS Issuers in the database. See the Resolve Security Token Service Issuers topic for more information.
  • K2 sites configured as HTTP will display as disabled and will not be used as HTTPS is required.

The product uses SSL (HTTPS) when configuring K2 sites (Viewflow, Designer, and SmartForms Runtime sites). If you don't use SSL you run the risk of unencrypted site traffic being intercepted.

If you configure all K2 sites to use SSL (HTTPS), we recommend setting cookies as secure. Using secure cookies prevents sending authentication and other cookies over unencrypted HTTP connections. Enabling secure cookies applies to the following cookies set by K2 sites:

  • .K2Auth
  • FedAuth
  • XSRFCookie
  • AspxAutoDetectCookieSupport

Possible errors in mixed-protocol environments

In environments that use both SSL and non-SSL bindings, cookies may be incorrectly set to secure.

For example, suppose that the Designer site is set to HTTP, but the Runtime site is set to HTTPS. Now suppose that you open the runtime site (configured for HTTPS) first and then open the Designer site (configured for HTTP), and you get redirected to the login page. If you are using Windows STS you see a blank page that is stuck in a loop trying to authenticate you. If you are using Forms STS, you are redirected to the login page where you can enter credentials, but you are returned to this page even if you submit valid credentials

If you do encounter these issues you must disable secure cookies.

Enable or disable secure cookies

To enable or disable secure cookies, you must change the web.config file in the sections mentioned below, for each K2 site listed below:

  • Viewflow: [K2 installation folder]\WebServices\Viewflow\
  • Designer: [K2 installation folder]\K2 SmartForms Designer\
  • SmartForms Runtime site: [K2 installation folder]\K2 SmartForms Runtime\

Copy

Set the requireSSL value to true to enable secure cookies, or set the requireSSL value to false to disable secure cookies:

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" path="/" />

<authentication mode="Forms">
  <forms defaultUrl="Default.aspx" loginUrl="_trust/Login.aspx" requireSSL="true" enableCrossAppRedirects="true" cookieless="AutoDetect" timeout="9000" />


Add or edit the following setting under the <system.web> element:
<system.web>
    <httpCookies requireSSL="true"/>

Save the web.config file, clear your browser cache and open the site again. Cookie security should be set according to the configuration you used.

Strict-Transport-Security (HSTS)

K2 recommends enabling HSTS if your K2 sites and web endpoints make use of SSL (HTTPS). In short, enabling HSTS tells the client browser to force the use of HTTPS for the domain.

See the HTTP Strict Transport Security Cheat Sheet for information on HSTS.

If you have non-K2 related sites and web services that use HTTP and the same host header, but run on different ports, these services could start failing if HSTS is enabled.
If HSTS is enabled by mistake and you run into issues due to a mixed protocol configuration, you can disable it by completely removing the following entry under the ViewFlow, K2 Designer, and SmartForms Runtime web.config files:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=5184000;" />

What to do on this page

Enter the load balanced URL here if installing the K2 Site over a load balanced environment. Also, if choosing HTTPS for the web site, you need to have already set up the binding and certificate.

To configure the K2 Site:

Option 1- Create a new web site:

  1. Enter the name for the New web site or keep the default name, K2.
  2. Click Next to proceed.
  3. The Setup Manager will create the new web site.

The Setup Manager creates two bindings with the default set to HTTP. The Setup Manager does not show the bindings page unless you click on the Binding button, and this is the only time a security certificate gets created (K2 self sign cert).

Option 2 - Use an existing Web site:

  1. Select the web site to use from the Web Site drop down menu.
  2. Click Next to proceed.

The Setup Manager shows the bindings page next and a default selected. If you select HTTPS, you must use your own security certificate. You can only chose 2 binding, 1 of each type.