Category Archives: How-to

Unable to logon to K2 using AAD credentials: “WIF10201: No valid key mapping found for securityToken”

Problem: You unable to log on to K2 sites (Designer/Runtime/Management) using AAD credentials (AAD integration configured without SharePoint online as described here) and receiving the following error:

Resolution steps:

1) Open your K2 AAD app Federation Metadata Document using the following URL: 

https://login.microsoftonline.com/{YOUR_DIRECTORY ID}/federationmetadata/2007-06/federationmetadata.xml

2) Inside metadata XML document you need to search for a certificate value within <X509Certificate></X509Certificate> tags and copy it.

3) Open online Calculate Fingerprint tool and paste this value into X.509 cert field of this page, make sure sha1 selected as algorithm and click on Calculate Fingerprint button:

4) Navigate to K2 Management > Authentication > Claims > Issuers. Select your AAD issuer, click edit and paste unformatted FingerPrint value into Thumbprint field of Edit Claim Issuer dialog:

5) Try AAD logon again, clearing browser cache if necessary.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

How to quickly grab K2 HTTPS certificate thumbprint using PowerShell

I’ve already mentioned this in my old blog post (along with GUI way for this task), but just posting this separately for better visibility/searcheability 🙂

In case you need to obtain thumbprint value of your K2 site HTTPS certificate (or any other certificate) you can use this PowerShell script:

If necessary you can put it into variable and reuse in other commands/script, just replace “Write-Host” with “$thumbprint = ” to store certificate thumbprint value in $thumbprint variable. Just don’t forget to change filter argument  “K2.domain.com” to something that is relevant for your certificate.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Configure K2 SmartForms for AAD Authentication

My post “Configure K2 SmartForms for AAD Authentication” has been just recently published on AcloudA Blog. But in addition to that I’ve already managed to revisit exactly the same process to see how it works in K2 Five Public RC which is already available to K2 clients upon request.

This article assumes that you have K2 Five Public RC installed and configured in your environment with on-premise AD or K2 SQL authentication and we now just want to add an AAD integration.

Beyond installed and configured K2 blackpearl and K2 SmarForms our prerequisites are AAD subscription (this has been covered in my previous article) and SSL configuration of K2 web sites (as usual for test purposes you can get away with self-signed certificate, and this is also covered in K2 Installation and Configuration Guide).

There are two big parts in setting up K2 and AAD integration: registering K2 SmartForms app in AAD and K2 side configuration of OAuth Resource and AAD label.

First part is fully covered in my previous article so I only going to go through K2 side configuration steps.

To begin configuration process, we need to open K2 Management site. As our first step here, we need to Register an OAuth Resource in K2. To do that we navigate to Authentication > OAuth > Resources and click on New button:

As you can see overall UI theme changed a bit in K2 Five from black to silver/gray and in New OAuth Resource form we now have two extra fields “Refresh Token Endpoint” and “Metadata Endpoint”. We now need to to type in resource name, select Microsoft Online as a resource type and enter Authorization and Token Endpoint values we recorded during AAD app registration, i.e. they should look as follows:

Token Endpoint value:

https://login.microsoftonline.com/{AAD_DIRECTORY_ID}/oauth2/token

Authorization Endpoint URL value:

https://login.microsoftonline.com/{AAD_DIRECTORY_ID}/oauth2/authorize

We leave Use Host Server Authorization Endpoint checkbox unchecked, and two new fields unfilled and click on OK button (see screenshot below):

Our next step is to edit client_id resource parameter of newly created OAuth resource. For that make sure that your “AAD” resource is selected in resource list and select client_id from the lest of Resource Parameters below and click on Edit button as shown below:

Once client_id edit dialog has been opened we just need to paste APPLICATION ID we saved during AAD app registration in all three fields of this box, i.e. we use it as a value for Authorization, Token and Refresh:

We next need to edit number of other parameters in the same fashion. We edit api_version resource parameter entering “1.0” for all values:

Next, we edit scope resource parameter entering reader as Authorization Value as shown below:

For all values of client_secret enter KEY we saved during AAD app registration:

We specify https://graph.windows.net for all values of resource parameter:

For redirect_uri we enter https://{YourK2Server}/identity/token/oauth/2 as Authorization and Token value:

For entity_id parameter we enter DIRECTORY ID of your AAD instance as a token value:

After all these edits you Resource Parameters for AAD resource should look like this:

We are now ready to add AAD security label in K2 (you can use something other than “AAD” as label name). For this we need to execute this SQL script or use sample script from K2 Installation and Configuration guide adjusting values for @OAuthProviderName and @SecurityLabelName variables. Be sure to back up your K2 database as you supposed to do before any direct modification of K2 database (I hope this is already your habit? If not try to form it 😊).

Once script has been executed, we need to restart K2 service to get this new label initialized/picked up by K2.

Our next step is to add new claim issuer from K2 Management site, for that navigate to Authentication > Claims > Issuers, click New and fill in New Claim Issuer form as shown below:

You need to specify the following values there:

For Issuer value you specify https://sts.windows.net/{DIRECTORY_ID}/, for URI value you specify https://login.windows.net/{DIRECTORY_ID}/wsfed. As a Thumbprint value you need to paste your FINGERPRINT VALUE. Pay attention to trailing slash in Issuer URL – do not omit it.

Next step is configuration of the Claim Mappings in K2. Claim mappings are used to identify the incoming claims and map them to the appropriate K2 security label. To do that we navigate to Authentication > Claims > Claims and click New:

In the New Claim Mapping form, we then select label and issuer we created earlier and fill in the form. We need to type in User and Group token identifiers and fill in all values under Identity Provider along with Original Issuer and Claim Type values under Identity section (see screenshot below).

Next, we need to configure the Realms and Audience URIs linking them with new issuer. For that, we navigate to K2 Management > Authentication > Claims > Realms and for every realm enable our AAD issuer, by means of selecting realm entry, clicking Edit and checking newly created issuer in Linked Issuers list:

Hooray! We can now navigate to our SmartForms URL and select our AAD and logon with AAD credentials:

Once label is selected you are redireted to Microsoft login page (https://login.microsoft.online.com) where you need to type in your AAD credentials and click Sign in:

 

What you going to see next obviously depends on which K2 site you were trying to access. And here things are a bit different in K2 Five – you actually won’t be able to access anything until rights will be granted. Both K2 Management and K2 Workspace are now essentially SmartForms based forms and you going to get related error messages when you don’t have access to them:

As for designer it seems it is also locked for AAD user, which was not the case in K2 4.7:

It looks like even designer is locked out by default, but bad thing that error messages not too user friendly to say the least.

This nudges us to perform our final configuration step. As we don’t have K2 Management rights we need to go and grant them, right? No changes between 4.7 and K2 Five here, before we will be able to read AAD data we need to obtain and cache AAD OAuth token for K2 service account and until that we only going to get this error message:

Error message tells us that OAuth token requires authorization and comes from K2 URM Service.

It means that we need to obtain OAuth token for K2 service account (URM Service runs in the context of this account). To do that perform the following steps (no changes here if we compare with K2 4.7):

1) Run SmartObject Services Tester (“C:\Program Files (x86)\K2 blackpearl\Bin\SmartObject Service Tester.exe”) in the context of your K2 service account using standard Windows “Run as different user” option.

2) Now the tricky part. Unfortunately, now, in K2 4.7 SmartObject Services Tester only allows you to perform authorization redirect only when you are creating new instance (this possibly will be addressed in upcoming K2 Five release). Thus, to get our K2 Service account token instead of touching URMService we will simply register new Azure Active Directory service instance (and you may want to have it anyway):

 

In Add Service Instance dialog we just switching Authentication Mode to OAuth, selecting our OAuth Resource (“AAD”) and typing https://graph.windows.net as OAuth Resource Audience value. We do not touch any other settings leaving them on default values as illustrated below.

Once you click on Next, you will get this message (once again this message appears only when you are adding new instance, not editing existing one!):

Once you hit OK browser window will be opened where you need to type in your AAD credentials. Important: you need an AAD user with Global administrator directory role for this action, otherwise you are going to see the following error:

If you remember one of the rights we granted to our app is “Read directory data” and as it is a directory wide access only global admin AAD user can grant consent to this right:

Once you type in your AAD global admin user credentials you just need to confirm that we are granting permissions mentioned above to the app:

Once you click on accept you should be redirected on your K2 Identity site (you may get Windows credentials prompt at this stage – type in your K2 service account credentials) and see “Authorization Successful” message:

This means that K2 service account token has been created and cached on your K2 server and you can see it in K2 Management > Authentication > OAuth > Tokens:

3) You can now get back to SmartObject Services Tester and click on Next, Add to finish creation of AAD Service Instance:

We now completed all the configuration steps and can grant rights to AAD users and use them in all K2 user pickers:

If we now trying to login to K2 sites using our AAD account prior to granting any rights both K2 Designer and K2 Workspace going to be available to him in default configuration (so Designer is still not locked out by default), but K2 Management is not accessible until you grant your user appropriate rights:

Of course, K2 Designer we see in K2 Five is completely different beast than it used to be, but discussing it is out of scope for this article, so I’ll just put only one screenshot of it below:

So, after repeating AAD integration configuration steps I can say that at least in K2 Five Public RC we don’t see any drastic changes when it comes to configuring AAD integration (though we can see couple of tiny changes but they don’t impact the overall process) – depending on your preference you can either refer to my old article to go through the entire process or use an old article only for AAD app set up part and this one for K2 configuration part.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Convert Server 2016 Evaluation to Licensed – “This edition cannot be upgraded”

The other day it was necessary to me to convert from activated Windows Server 2016 Evaluation to Licensed. As I had a key I thought it would be matter of clicking Change product key in GUI ant entering a new key. So you either wade through GUI till you find this Change product key link:

Or directly run “slui” command. Both actions will open up this window for you:

But if you try to type license 100% correct and valid product key on activated Evaluation machine you will get this error:

“This edition cannot be upgraded?” And it might be confusing, especially if you did a quick check on edition installed and prepared appropriate product key… But check again, for Evaluation versions, edition value contains word “Evaluation”, so it is not “Datacenter”, but “Datacenter Evaluation”:

Now it is clear what is complaining about. But how to make it to accept full product key? You can use DISM for this:

This will require reboot and some waiting but will convert your Evaluation license to full, provided that you entered correct product key.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

“Method not found error” when attempting to add a new item into K2 Studio project

The other day I was about to build some tiny K2 test project using old-fashioned thick designer UI K2 Studio which I still prefer to use whenever I need to build some little K2 process. Unfortunately I bumped into this error:

Error message politely informs us about this:

Method not found: ‘Microsoft. Build. BuildEngine

BuildItem SourceCode. ProjectSystem. ProjectBuildItem

get_BuildItem()’.

That’s not very obvious, right? But, trust me it just complains that some DLL is not properly added to GAC, or there is a mismatch between DLL version in GAC and in some other location.

Solution? If you run K2 environment without coldfixes just run a Repair from installation media. But most likely you’ve applied some coldfix recently. Verify if files which supposed to go to GAC were added to that location correctly. Remember that some files go to K2 installation directory, while some others may go to “[Program Files]Reference Assemblies\SourceCode\v4.0\” and into GAC v4, i.e. into “C:\Windows\Microsoft.NET\assembly\GAC_MSIL\”. In my case the error was caused by the fact that SourceCode.Workflow.Authoring.dll assembly was not updated in GACv4.

When something wrong with aforementioned DLL you will also see the same error when trying to deploy something with PnD:

So in case you getting this type of error you know what to check now.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

SQL Server: new instance installation frozen on “SqlEngineConfigAction_install_startup_Cpu64” step

I was installing additional new instance of SQL Server 2012 on a machine where other instance was installed earlier. In the process I run into the problem where Setup wuzard just frozen on about 99% on SqlEngineConfigAction_install_startup_Cpu64 step without flagging any errors and making no progress for hours, so that Setup window looks like that all the time:

I realized that I’ve seen it before but not made any efforts to fix it beyond starting process from scratch. This time I did some googling and found that there may be quite a few reasons for this problem, for example see this blog post: “Your SQL Server Setup may hang forever when it’s almost at the 99 %!” on MSDN Blogs. I tried a few suggestion with no luck but in the process I’ve noticed that Windows service for my new named instance has been already created but frozen in “Starting” state, so killing and restarting it manually revived SQL Setup Manager and it completed installation process with flying colors in a minute after this. So it seems SQL Setup Manager just endlessly waits for service started confirmation or something like this without any time out in place… Anyhow I’m just taking a note of my fix in case somebody else or myself run into this again.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Configuring SQL instance firewall rules via PowerShell

Doing distributed environments setups rather frequently these days I realized that I really don’t want wasting my time setting up SQL Server firewall rules via GUI (I described the process here) and luckily enough Ryan Mangan already created such script. All I had to do is try it (confirm that it works), save it on GitHub and share on my blog for the benefit of wider community:

Original blog post by Ryan/source of this script: PowerShell Script for SQL Firewall rules

Facebooktwittergoogle_plusredditpinterestlinkedinmail

K2 MSMQ thread & MSMQ abort exception

There is one interesting fix included into K2 4.7 May CU which, as far as I know, is not mentioned in related KBs for some reason (KB001888 and  FP KBs). I just wanted to share some information about it as it may be useful for those who run older versions of K2 preceding to 4.7 May CU and additionally mention how to take K2 process memory dump conveniently.
First things first – the issue and related background information. Within K2 process there is a single thread which checks message queue, it is single thread and it process messages one by one (this is by design, as doing in a multi thread fashion is not necessarily best idea). Exception may occur in the process of message bus message processing and this dedicated K2 thread tries to abort this transaction to perform a retry which normally works just fine, but in rare scenarios MSMQ can throw another exception which causes K2 MSMQ processing thread to stop completely.
On the surface symptoms of this issue: suddenly your K2 users no longer receive any K2 task notifications at all, despite the fact that all relevant settings had not been changed and absolutely correct. Brand new test process confirms that task notifications do not work indeed for all usres while Email Events keep working fine. Quick fix/corrective action: restart K2 service – and all delayed task notifications should be gradually dispatched (depending on how long time ago MSMQ thread stopped, your delay for processing the piled queue may be quite big). Service restart resolves this because K2 starts MSMQ thread on service start up.
Good news is that 4.7 May CU has fix for this built in and when transaction abort is necessary MSMQ thread first checks if transaction in question is not already rollback/committed or completed status and only if this is not the case attempts to abort it. If even then K2 receives an exception then message moved into error queue.
I can imagine that when you run K2 version without this fix in production you may be reluctant to restart K2 service not being 99% sure that you deal with this specific issue, and there is a way to do that. To verify that your MSMQ thread within K2 process is still running you may follow these steps:
1) Take full memory dump of K2 process – for quick check on K2 threads either dump taken from Task Manager or procdump.exe will suffice.

In task manager you just have to locate K2HostSerever.exe from the list of processes, right click on it and select “Create dump file”, like that:

It will show you pop up indicated where dump file has been created once done, something like that:

Things gets more tricky with procdump.exe as you now need to obtain process PID, but it is way more configurable and allows you do more things when it comes to taking process memory dumps. As I work in support I really don’t like to repeat explanations on how to use it and where do I find PID and why PID is not displayed in my Task Manager and so on. So I created this tiny script for that (get it on GitHub):

2) Once dump is taken open it using DebugDiag and search for MSMQ, if MSMQ thread is running you should be able to find something like this:

If you unable to find this in memory dump of your running K2 process it most likely means that MSMQ thread had been stopped due to exception, and if you look under the Previous .NET Exceptions Report (Exceptions in all .NET Heaps) section, you most likely may see the aborted exception with MSMQ stack there.

On a side note DebugDiag also allows you to see if call which failed was made from K2 WorfkflowServer namespace or from something custom/external – that is also very useful to check in the very beginning of troubleshooting process.

I hope you may find this information useful and interesting for one reason or another 🙂 Stay tuned for new posts.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

SharePoint 2010: Unable to edit user properties

The other day I received a support case where customer complained that they “suddenly” lost ability to edit user properties in SharePoint 2010. As usual picture worth thousand works so the problem was that if you navigate to Site Actions > Site Permissions, locate some user and click on your user name you will be presented with user information page and if you click edit you will see this:

Sort of interesting Edit Personal Settings dialog where it is not possible to edit anything…

But it used to look like that:

You see more properties listed and they are editable. Now having that description you have to be really skillful with art of googling to get to the bottom of this in the form of some blog post similar to this one. Because to do a proper Google search (one which yields a solution) you have to employ the right terms/know the nature of this issue. But if you noticed word suddenly in quotes in the very beginning I had a background information on preceding changes which caused this “sudden” issue hence was able to fix it. I will go into detailed explanation below for the sake of knowledge sharing.

First of all 1st screenshot is normal for environments where UPS is up and running – as soon as you configure it, SharePoint assumes that all property modifications are being performed on AD DS side and synced from there on a regular basis by UPS. Once UPS is provisioned SP 2010 hides/modifies default forms (layouts/userdisp.aspx – the one where you may click Edit Item to change your properties on the _layouts/useredit.aspx form) and instead of them for users whose profiles are synced you supposed to see specific user profile page instead, which will look approximately like this:

If it does not shown and you see the same uneditable edit form as on the first screenshot, then it either means that UPA is not configured completely or user profile is not synced yet (are you sure that user in question is in right OU?)

So essentially first screenshot/problem shows us that UPS was partially configured/profile(s) not synced (as we still not getting user profile page) but default forms already modified in the process of UPS installation, because when you provision a UPA it will set the fields in hidden site user info list to read only and hidden. With this knowledge about the nature of the problem you may google for the right scripts/information.

In my case we worked on environment where UPS was failing to start/work properly (one of these cases where you need delve deeper into configuration of UPS and peruse something like this blog post) hence it was just mandatory to restore ability to edit user properties. And for that you just need to use the script below against your SP web app (grab this script on GitHub).

Once this script completes you will get your editable user properties back. Two potential problems you may have with this:
1) If Get-SPWeb part of the script complains about incompatibility saying something like “Microsoft SharePoint is not supported with version 4.0.30319.34014” just run new PS instance using -version 2.0 switch;
2) If script completes successfully but you getting user profile page instead of your old beloved form – delete user profile and try again (in case you are not keen or fully removing UPA).

And one last note with regards how we run into this in my specific support case. Client was using K2 and they lived quite happily without UPS provisioned in their SharePoint environment which is a bit strange as a UPS is a requirement for K2. But after upgrading to 4.6.11 the very strange issue crop up which had a bit obscure symptoms on the surface, but in the end was isolated to the fact that each time GetUserGroups URM call was performed to the SharePoint provider no SharePoint groups of which this user is direct member were returned. On the surface it looked like random losing of user’s group membership information and randomly failed K2 tasks which were assigned to SharePoint groups. Randomness stemmed from the fact that GetGroupUsers URM call returned all users for the same group just fine.

And knowing that sometimes it is difficult to find where it was told that XYZ is requirement for K2, I’ll clarify this for UPS specifically: you can find it in K2 blackpearl Installation and Configuration Guide > Prerequisites > Environment Configuration > SharePoint Server 2010 User Profile Service set up

“The SharePoint User Profile Service on any non SharePoint Foundation version must be set up correctly for the Identity Services Group Providers to function correctly with regards to User, Group and Membership resolution. It must be correctly populated with the user’s information and the service must be started.”

Posting rather a lot about SharePoint 2010 at the time of 2016 and cloud stuff I rather feel like author of The Old New Thing blog who at some point decided to blog about old stuff as there is less competition there – everybody busy blogging about new and shiny things (though I should admit I don’t go into really low level details as that blog does) 🙂 But I hope these posts may still be useful for someone.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

How to: configure K2 NLB port rules with PowerShell

Long time ago I did a video and blog post on configuring Windows NLB K2 cluster. I know that those materials are not perfect, but thanks to blogging you not only can be subject of mockeries for mistakes and naivety in your old posts, but also you can review and improve on them over time 🙂

Anyhow my old blog post on creating K2 NLB cluster contained this neat picture of required port rules:

As I tread my test K2 environments as “wipe and load”-ready and subject them to all sort of experiments leading to wipe and load and rebuilds I grow tired of creating this rules via GUI. Thanks to PowerShell and Microsoft Community it is not a problem to find a sample script to create Windows NLB cluster. I actually wanted to rewrite it with minor improvements and K2 specifics to spin off K2 NLB cluster quicker but due to endless lack of time this idea moved on the back-burner. What I did instead though is prepared PS script to create port rules:

That’s help a bit when I rebuilding my test environment. You can grab this script from GitHub too.

Facebooktwittergoogle_plusredditpinterestlinkedinmail