Category Archives: Uncategorized

K2 and AAD manual integration configuration – errors and solutions

Even after doing 3-5 installations which leverage manual integration between K2 and active directory I keep bumping into errors which at times take disproportionally large amount of time to decipher them and pin point that tiny/silly error in configuration settings which prevents your setup from working. So I decided to collate them all into the “symptom-solution list” and keep in one place – i.e. in this blog post.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application


AADSTS50011

That most likely means that Token Endpoint Reply URL is not specified in your AAD app properties. That URL should look as follows https://{K2SiteURL}/identity/token/oauth/2 and you need to make sure that it is added in your app Settings.  You do that in Azure Portal > Azure Active Directory > App Registrations > %Your_K2_App_Name% > Settings > Reply URLs. 

Add required URL and be sure to wait something like 30 seconds at least after applying this change and try logging in again.

AADSTS700016: Application with identifier ‘%APP_URL%’ was not found in the directory ‘%AZURE_DIRECTORY_ID%’.

AADSTS700016

dThis error message means either mismatch between identifierUris listed in your app manifest file and URL reported in error message or absence of these URLs in app manifest. Your K2 AAD app manifest file should contain your Runtime and Designer URLs, as shown on the screenshot below:

One thing to remember here is that when you edit App ID URI from AAD app properties and put updated value there it overwrites your identifierUris list in app manifest values – it removes your Designer and Runtime URLs from there (and anything else listed there) and puts updated App ID URI value there, which will give you  AADSTS700016 error.

Claim mapping configuration cannot be found for this claim. Claim information: Name=”

This was the one I wasted hours of troubleshooting time triple-checking all my configuration and asking each and everyone to help me spot what is wrong with my set up, only to discover that I tried to perform logon with my Azure tenant admin account which was listed in AAD users list as account with “Microsoft Account” source whereas it is necessary to create a user in AAD (all of those listed in AAD Users list with “Azure Active Directory” specified in Source column). I’m not 100% sure if this problem can be better handled on K2 side to present more actionable/clear error message – one we have here nudge you into direction of checking identity claim mapping while in this scenario problem is completely different.

I will be extending this list with other error messages as I encounter them.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

How to: Join Windows Server 2012 Core to domain

Since Windows Server 2012 allowed add/remove of GUI “on the fly” via Uninstall-WindowsFeature/Ininstall-WindowsFeature and their aliases amount of questions “How do I do X in Server Core” decreased drastically as there is now universal lazy man response to this – temporarily add GUI do thing X and remove GUI again. Not always time efficient but effective 🙂

Anyhow almost everything can be done without GUI. Here is your option to perform domain join operation for server core box:

1) Old-school crutch sconfig 🙂 Option (1):

sconfig

You may see that it actually uses in netdom.exe in the background when it asks for password:

sconfig domain join

It even suggest you to change computer name in case you forgot do it in advance:

sconfig domain join - computer name change prompt

Assuming you entered correct password and DNS/IP settings allow you to locate and reach out domain controller you will receive reboot prompt in the end of this process:

sconfig domain join - restart prompt

Once restart is performed you can verify the results either via WMIC or PowerShell:

sconfig domain join - verify via WMIC or PS

2) Add-Computer commandlet.

3) djoin command. This one allows to perform offline domain join.

djoin

There is also related dsadd command but this can only be used to pre-create computer account in domain. This utility will create a computer account in the domain, but will not join the local computer from a workgroup to a domain.

 

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Latest K2 versions and IE8 support

For customers using K2 smatforms it is not a revelation that IE8 is not something fully supported. In fact IE8 support has been imited to end-user runtime execution only – K2 smartforms runtime, K2 workspace (Home Page, Reports Runtime, Worklist and Single Sign-On) and K2 web parts since K2 smartforms 1.0. And IE8 support was dropped entirely starting from K2 smartforms 4.6.9. It seems to be that it was high time to do so as investments in maintaining compatibility with a piece of software originally released back in March 2009 does not seem to be justified.

IE8 About

Those shops where for one or another reason IE8 is still being used would be interested in freshly published K2 KB entitled “Known issues when running Forms or the Forms Viewer web part in Internet Explorer 8 or IE8 Compatibility mode” which gives detailed overview of issues you may encounter when using latest versions of K2 smartforms (4.6.9, 4.6.10) and IE8.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Garbage in garbage out

Found this nice quotation in “Governance of IT: An executive guide to ISO / IEC 38500” by A. L. Holt:

\n\n

On two occasions I have been  asked [by members of Parliament], Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?’ I am not able to comprehend the kind of confusion of ideas that could provoke such a question.

\n(Babbage 1864)

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Number of connections for full mesh topology

In full mesh topology the number of connections required per given number of nodes grows as a power of 2. General function for the number of connection in full mesh:

f(x)=(x^2-x)/2

x – number of nodes in the network, f(x) – number of connections

So for 2 nodes you need 1 line, for 3 – 3, for 4 – 6, for 5 – 10 etc.  

Facebooktwittergoogle_plusredditpinterestlinkedinmail

DNS: Resource Records

Resourse Records (RRs) used to identify objects within DNS hierarchy / basic lookups within specified domain. Key RRs types are following (7):\n\nSOA (Start of Authority) Records – indicate which server is authoritative for that particular zone. Indicate authoritative server for zone which also in charge for processing zone updates. Also contains some critical zone information like TTL interval, contact responsible for DNS etc. Created automatically when DNS is installed for AD DS.\n\nHost (A) Records – most widely used RR type, simply contains name of the host & its IP address. Used to identify IP address of objects.\n\nName Server (NS) Records – identify which computers are name servers for a particular zone (i.e. DNS servers). There can be only one SOA record for a zone but multiple NS records indicating computers against which you may run DNS queries. NS RRs don’t contain IP but simply point to a server A record.\n\nService (SRV) Records – indicate which resources perform particular service. E.g. DCs referenced by SRV records which define specific services like GC, LDAP, Kerberos. SRV records did not exist in original DNS standard, so don’t supported by some old DNS implementations (like UNIX BIND 4.1.x or NT 4.0 DNS). BIND 8.1.2+ supports SRV records.\n\nMail Exchanger (MX) records – indicates resources available for SMTP reception, so that mail send to particular domain forwarded to server/servers indicated by the MX record.\n\nPointer (PTR) RRs – for reverse queries (i.e. lookup for names by IP), stored in reverse lookup zones.\n\nCanonical name (CNAME) Records – server alias, to refer server by multiple names. E.g. friendly name for mail server in addition to its complex name following some naming convention.\n\nLess commonly used RRs:\n\nAAAA – IPv6 A record\n\nISDN – maps DNS name to ISDN phone number\n\nKEY – stores public key used for encryption in particular domain\n\nRP – specifies responsible person for domain\n\nWKS – designates a particular Well-Known Service\n\nMB – indicates host which contains a specific mailbox

Facebooktwittergoogle_plusredditpinterestlinkedinmail

AD DS: Tombstone Lifetime

What is it?\n\nThombstone interval is a preconfigured period for AD objects since their last validation of being active. Default value in Windows Server 2008 R2 – 60 days.\n\nFull list of default values:\n\nWindows Version Default TSL\n—————————————-\nWindows Server 2000 – 60 days\nWindows Server 2003 – 60 days\nWindows Server 2003 SP1 – 180 days\nWindows Server 2003 R2 – 60 days\nWindows Server 2003 R2 SP2 – 180 days\nWindows Server 2008 – 180 days\nWindows Server 2008 R2 – 180 days\nWindows Server 2012 – 180 days\nWindows Server 2012 R2 – 180 days (not confirmed)\n\n(thanks for this data goes to Mathias R. Jessen, see his answer to this question on servefault.com)\n\nHow to check current setting?\n\nYou can do it with dsquery command:\n\ndsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=" –scope base –attr tombstonelifetime\n\nHow to change?\n\nUse ADSI edit and change tombstoneLifetime value of Directory Service object. Directory Service object reside in configuration partition of AD forest (CN=Configuration,CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=domain, DC=com).\n\nWhy shoud I care?\n\nThis interval is used to prevent introduction of lingering objects into your AD DS when you perfroming restore. If you need to restore global catalog then time of your backup should not exceed tombstone interval for successful restore. So if you need to do a restore of AD objects older than 60 days, you should change your tombstone interval setting accordingly.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Windows Server Backup 2008 vs 2008 R2

Just a quick note on differences / improvements in Windows Server Backup in Windows Server 2008 R2. Following are new in R2:

– Ability to back up/exclude individual files and to include/exclude file types and paths from a volume (instead of just full volumes before).

– Improved performance and use of incremental backups

You can now store backups created using a scheduled backup on a remote shared folder or volume. If you store backups on a remote shared folder, only one version of your backup will be maintained. You can also store backups on virtual hard disks.

– Improved options and performance for system state backups and recoveries. Server Backup MMC can be used to perform system state recoveries. Single backup can be used both for system state & data.

– Expanded CLI (wbadmin command) & PowerShell support.

Related TN article: What’s New in Windows Server Backup

Facebooktwittergoogle_plusredditpinterestlinkedinmail

How to remove unused software from user machines with SCCM 2012

The other day I came across a question on stackowerflow.com which was about possibilty to “Automatically uninstall unused applications in SCCM 2012”, which in turn lead me to nice series of blog posts which describe how to accomplish uninstall of unused applications based on SCCM software metering data with use of Orchestrator Runbooks and allowing users opt out from uninstall process. While this is perfectly suitable blueprint which may be adopted as is it may also give you an idea on other ways to acomplish uninstallation of unused apps in your environment.

\nLinks to blogposts:\n\n1) Software Metering Deep Dive and Automation Part 1: Use It Or Lose It – The Basics\n\n2) Software Metering Deep Dive and Automation Part 2: Use It Or Lose It – The Collections\n\n3) Software Metering Deep Dive and Automation Part 3: Use It Or Lose It – The Orchestrator Runbook Automation

And you may also want to download System Center 2012 – Configuration Manager Component Add-ons and Extensions which apart many other useful things contains  runmetersumm.exe utility which can be executed on the SQL instance hosting the Configuration Manager database to trigger the summarization process for software metering data.

Facebooktwittergoogle_plusredditpinterestlinkedinmail