Tag Archives: K2

GA of K2 5.2 – time to try new version

Today 17.10.2018 K2 5.2 went into GA stage meaning news about release were sent to all clients and partners and starting from now we can download this new and shiny version from K2 portal. So it is a perfect time to do a little review. Without further ado let me start with this.

You can download 5.2 installer from K2 portal. And providing you have test VM with current version of K2, update manager will get you to new version  withing 30 minutes or so. Once installer completes extraction of files you presented with splash screen:

Splash screen provides you with essential information (.NET 4.6.1 requirement, where to run an so on) and allows you to kick off installation process (conservative people like me can still locate Setup.exe and run it from Installation folder).

In case of existing installation detected K2 Update manager detects that and gets you upgraded just in few steps:

In case you run with multiple security labels you will immediately notice improved label selection UI which is no longer looks like something from the past and fully aligned with modern K2 UI design:

Additionally you will notice increased number of available OAuth resource types:

My favorite under the hood improvement, which is really huge thing, is completely rebuilt identity cache and sync architecture which was brought into on-prem product from its cloud version (if I employ Microsoft-speak “battle-tested in the cloud” and so on). At this stage all the internal infrastructure of new Sync Engine is already here in 5.2 RTM, yet it is disabled – stay tuned for official news for when this feature will go live for all customers. At initial stage K2 will work with selected customers to assist them to enable and transition to the new Sync Engine. But like I said, you already can see that underlying infrastructure for New Sync engine is already here in 5.2 release. In case you familiar with back end/underlying tables you can tell that number of Identity tables has increased:

And Identity.Identity table has been expanded too:

Long story short with all these changes and new sync engine enabled your Identity cache sync speed will be greatly improved and, for example, even your URM Get Users SmO call against Azure AD label can be served from cache without doing query to AAD.

There is more improvements and new features and I will try to cover them in greater details a bit later.

Additional resources / next steps:

Download K2 5.2

5.2 Release Notes

5.2 User Guide

5.2 Installation and Configuration Guide aka ICG

K2 5.2 Developer Reference aka DevRef

K2 Five (5.2) Fix Packs

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Simple walkthrough: Using K2 Database Consolidation Tool

Purpose of this blog post is to outline K2 databases consolidation process using K2 Database Consolidation Tool.

When you may need it? For older K2 deployments when initial installer used to create 14 separate databases instead of one “K2” database we expect to see with current K2 versions. Such environments even after upgrades to newer versions carry on to have these 14 databases and only starting from K2 4.7 databases consolidation is enforced and you cannot upgrade till you consolidate your databases into one. So you can still see non-consolidated K2 database en environments which run any version of K2 up to 4.6.11 including.

To perform consolidation of these 14 K2 databases into one you need to obtain appropriate version of K2 Database Consolidation Tool from K2 support. Below you can see basic steps you need to perform while performing K2 databases consolidation using this tool.

1) First we need to check collation of your existing K2 databases, this is necessary because consolidation tool won’t handle conversions from one locale to another and consolidation will fail. You can run this script to see collation of your non-consolidated K2 DBs:

As you can see on the screenshot below output of this script shows that my non-consolidated databases have Ukrainian_100_CI_AS collation:

2) Make sure that your target SQL Server service instance has the same collation as your databases either via GUI:

or script:

and copy your non-consolidated databases to the target server which will be hosting consolidated database (unless it is not the same server which was hosting them initially).

2) Obtain K2 Database Consolidation Tool from K2 support, extract it on your SQL server which hosts your K2 databases and launch SourceCode.Database.Consolidator.exe, once you start it you will be presented with the following UI:

3) It will detect your non-consolidated K2 DBs (<No Instance> in the Instance drop down means that you are connecting to default, not named SQL Server instance) and here you need to select your target DB – just select <New Database>, specify “Create Database Name” (I’m using default name used by K2 installer which is K2) and click Create:

4) Once you click Create, database K2 will be created in the same collation as your SQL Server instance (your target DB will contain all the required tables and structure but no data) and Start button become available to you so that you can start consolidation process:

5) Before clicking on Start make sure  your K2 service is stopped. Despite we just created our target “K2” database we still getting warning that all data in target DB will be truncated and we have to click Yes to start consolidation process:

Once you clicked on next you will have to wait for a while till consolidation completes (in the bottom of the tool window in its “status line” you will see current operations which are being performed during databases consolidation process. Time which is necessary to complete this process is heavily depends on your server performance and volume of data in your source databases.

In some scenarios (e.g. source and destination collations have different locale IDs or you moved source databases to another SQL server without re-creating their master key) consolidation process may fail leaving your non-consolidated databases databases in read-only state:

In such scenario you need to review consolidation log to identify and address errors and once done. Switch your source databases back to RW mode (as explained here), delete your target database and start again from step (2). When consolidation completes successfully source non-consolidated databases also stay in read-only mode.

If consolidation completes without errors you will get a message confirming this and also informing you that ReconfigureServer.ps1 script has been created:

You can also click on Log Directory link which will open consolidation log file location – as usual you can open it and make sure than neither ‘Logged Warning’ or ‘Logged Error’ can be found anywhere in this log beyond Legend section in the beginning.

6) In the directory which contains K2 Database Consolidation Tool you will need to take ReconfigureServer.ps1 script and copy it over to your K2 server. This script fires off K2 blackpearl Setup Manager while instructing it to connect to your new consolidated DB:

Here is this script code which you can copy/paste:

Once you run this script on K2 server it will start K2 Setup Manager where you need to go through all pages of “Configure K2 blackpearl” process:

You will see on the database configuration step of the wizard that thanks to PS script we already targeting our new consolidated DB:

Once reconfiguration process is completes (without errors and warnings) you can start testing how your K2 environments behaves after K2 consolidation process.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

SQL script to attach detached non-consolidated K2 DBs

I keep playing with SQL and non-consolidated K2 DBs and in previous post I covered bringing “these 14” back online, now I realized that other case where SSMS requires way too many click is attaching “these 14” back (let’s say after you rebuild your SQL instance system DBs to change instance collation).

Quick google allowed me to find relevant question on dba.stackexchange.com where I took script which generates CREATE DATABASE FOR ATTACH for all existing user databases. Next having my 14 non consolidated K2 DBs I generated the following script to attach them back in bulk:

You can either use this CREATE DATABASE FOR ATTACH for all existing user databases script while your K2 databases are still attached, of it they are not just replace paths in script listed above and execute modified script to attach them quickly.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

SQL Script to switch all currently RO databases to RW mode

I was doing some testing of K2 databases consolidation process which required me to re-run database consolidation process more than once to re-try it. Unfortunately K2 Database Consolidation Tool leaves all databases in read-only mode if something fails during consolidation process. If you remember K2 used to have 14 separate data bases prior to consolidated DB was introduced (see picture below).

Typing 14 statements manually to bring all these database to read-write mode is a bit time consuming so I came up with the following script:

Essentially it will select all databases currently in RO state and will output bunch of statements to bring all of them to RW state as an output:

Just copy-paste this script output into new query window of SSMS and press F5 🙂

It may be useful for you once in a while (and if not for this specific use case, then as an example of generating some repetitive statements which contain select statement results inside).

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Reading list: K2 Authentication and Authorization

This is a list of links to K2 documentation which covers K2 Authentication and Authorization topics. In case you have some time to read something for fun 🙂

Authentication

Authentication and Authorization in K2

Claims-based Authentication in K2

Outbound Authorization and OAuth in K2

About K2Trust

Troubleshooting Claims-based Authentication Issues

Identity and Data Security in K2 Cloud for SharePoint

SharePoint Hybrid, Multiple Identity Providers & K2

AAD Multi-Factor Authentication Considerations

Enabling AAD Multi-Factor Authentication Requires Changes in K2 4.7

Authentication Modes

Authentication (in Management)

Integrating with Salesforce

Azure Active Directory Management (Read/Write to AAD)

Claims and OAuth Configuration for SharePoint 2013

Standard SmartForms Authentication

Multi-Authentication Providers

Consolidation to Multi-Auth

IIS Authentication

Authorization

Authorization Framework Overview

Outbound Authorization and OAuth in K2

REST Broker

Resources for Working with the REST Service Broker

REST Swagger File Reference Format

REST Broker and Swagger Descriptor Overview (video)

Endpoints REST Service Type

OData Broker

Using the OData Service Broker (including Serialization and Deserialization)

Endpoints OData Service Type

Workflow and SmartObject APIs

APIs (in Management)

Configuring the Workflow REST API

Configuring the SmartObject OData API

How to Use the K2 Workflow REST Feed with Microsoft Flow to Redirect a K2 Task

How to Use the K2 Workflow REST Feed with Microsoft Flow to Start a Workflow

How to: Use the K2 OData Feed with Microsoft Excel

How to: Use the K2 OData Feed with Microsoft Power BI

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Configure K2 and SharePoint Online integration

Some time ago I posted an article “Configure K2 and SharePoint Online integration” on StarWind Software blog which outlines details about getting your SharePoint online instance up and running and adding K2 for SharePoint app to your app catalog, so if you are interested to know more read on at StarWind Software blog.

One thing I was not 100% clear on while writing that article is “Enable auto-activation on sites where the app is deployed” option, which is enabled by default (K2 for SharePoint app > Settings > Manage App Activations).

Based on the setting name wording I was not very clear whether “Enable auto-activation on sites where the app is deployed” setting works for SharePoint online newly created site collections? Especially as I’ve noticed that if I run activation manually there is a step “we need to create a token of your behalf” which, I assume, requires user input… So I had a question whether auto activation is possible for SharePoint Online newly created site collections where K2 app was only deployed?

It was also not very clear what drives/triggers automatic activation and with which frequency it happens.

Luckily enough there are some colleagues who always help 🙂 Below some extra details I’ve learnt only after writing that article.

The function of the Auto-Activation Setting on the Manage App Activation Page designed for strict activation on Site Collection Level (permission wise) and only allow Site Collections to be activated via the App Catalog Level.

When the setting is set to False the below Warning will be presented when the user tries to activate on the Site Collection Level:

This setting will not Auto Activate any new Site Collections created in SharePoint Online. When it set to True/Enabled you can perform activation from site collection level. So the wording “Enable auto-activation on sites where the app is deployed” is really a bit confusing though description above this setting is quite clear (but who reads notes and descriptions? 😉

Essentially this option allows Site Collection Owners activate K2 app on a site collection level manually and when it disabled they won’t be able to do that from the site collection level and it will be possible only via app catalog level from K2 app management page.

But, true auto activation does happen for sub-sites of already activated site collections. But this functionality works only with K2 Five. This functionality was introduced in K2 4.7 but did not work as expected. More information on this can be found in the following KB http://help.k2.com/kb001755

But this subsites auto-activation requires Event Receiver sub-site of the K2 site to be exposed to internet when you use SharePoint Online. When using SharePoint on premise there is no need for any exposure of the K2 site to the internet.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

K2 Five collation requirement changes

In the past I’ve wrote some blog post promoting documented K2 collation requirement. With release K2 Five this requirement changed and I guess I have to mention it on my blog as essentially it makes my old blog posts about required K2 database collation incorrect.

So recently (with release of K2 Five) all K2 documentation was updated and states that our requited collation now is “SQL_Latin1_General_CP1_CI_AS“. Where to find this information?

In K2 Installation and Configuration Guide you can find “SQL and Reporting Services Operational Requirements” section which says that:

– Case-sensitive databases are NOT supported.

– The following collation setting is required for the K2 database: SQL_Latin1_General_CP1_CI_AS

And as usually you can find the same information in K2 Product Compatibility, Integration and Support matrix:

What is good about this change is that SQL_Latin1_General_CP1_CI_AS will be default collation if you installing SQL Server on top of Windows Server which has been installed with US location/language settings – so at least some people will meet this requirement by accident.

What is bad is that collation requirement was just silently changed in documentation with release of K2 Five without any explanations. According to my current knowledge collation which was mentioned in documentation before was a requirement only for pre-4.6.11 versions of K2. So in case you are doing new installation of K2 4.6.11 or newer make sure that your SQL Server instance provisioned with SQL_Latin1_General_CP1_CI_AS collation.

Somewhat mixed blessing is change which was made to K2 Five installer to enforce this collation: what it does at the moment is just enforces this collation on K2 DB level while ignoring SQL Server instance level collation. So in case you not provisioned SQL Server instance with the right collation you will get an errors post installation and will be forced to change SQL Server instance level collation to fix this. That’s something that I hope will be corrected in K2 installer in the future so that it warns you about wrong instance level collation issues before you start your installation.

Conclusion: read vendor documentation carefully before doing your installation even if you did it many times before 🙂

Update (Feb 2018): Current guidelines are:

– For upgrade installations be sure to make SQL server instance and K2 DB collation are the same (in case you moving K2 DB onto new server)

– For clean installs I would suggest stick to Latin1_General_CP1_CI_AS (especially if you do 4.7 install). I will probably write more detailed post to explain this position later

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Unable to logon to K2 using AAD credentials: “WIF10201: No valid key mapping found for securityToken”

Problem: You unable to log on to K2 sites (Designer/Runtime/Management) using AAD credentials (AAD integration configured without SharePoint online as described here) and receiving the following error:

Resolution steps:

1) Open your K2 AAD app Federation Metadata Document using the following URL: 

https://login.microsoftonline.com/{YOUR_DIRECTORY ID}/federationmetadata/2007-06/federationmetadata.xml

2) Inside metadata XML document you need to search for a certificate value within <X509Certificate></X509Certificate> tags and copy it. You need very first value from <Signature> section. It looks like it gets changed from time to time causing this issue.

3) Open online Calculate Fingerprint tool and paste this value into X.509 cert field of this page, make sure sha1 selected as algorithm and click on Calculate Fingerprint button:

4) Navigate to K2 Management > Authentication > Claims > Issuers. Select your AAD issuer, click Edit and paste unformatted FingerPrint value into Thumbprint field of Edit Claim Issuer dialog:

This completes required changes, no K2 service restart required after this, and you can proceed to step (5) immediately.

5) Try AAD logon again, clearing browser cache if necessary.

And the most important part (if you use K2 4.7): You may see this error with a regular intervals of around 2 months or something if you run K2 4.7 without November 2017. Be sure to apply November 2017 CU to get support for rollover of the Azure Active Directory certificate thumbprints. You can see that this has been added in November 2017 CU as per CU release notes, K2 Five support this in its RTM version.

 

Facebooktwittergoogle_plusredditpinterestlinkedinmail

How to quickly grab K2 HTTPS certificate thumbprint using PowerShell

I’ve already mentioned this in my old blog post (along with GUI way for this task), but just posting this separately for better visibility/searcheability 🙂

In case you need to obtain thumbprint value of your K2 site HTTPS certificate (or any other certificate) you can use this PowerShell script:

If necessary you can put it into variable and reuse in other commands/script, just replace “Write-Host” with “$thumbprint = ” to store certificate thumbprint value in $thumbprint variable. Just don’t forget to change filter argument  “K2.domain.com” to something that is relevant for your certificate.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Configure K2 SmartForms for AAD Authentication

My post “Configure K2 SmartForms for AAD Authentication” has been just recently published on AcloudA Blog. But in addition to that I’ve already managed to revisit exactly the same process to see how it works in K2 Five Public RC which is already available to K2 clients upon request.

This article assumes that you have K2 Five Public RC installed and configured in your environment with on-premise AD or K2 SQL authentication and we now just want to add an AAD integration.

Beyond installed and configured K2 blackpearl and K2 SmarForms our prerequisites are AAD subscription (this has been covered in my previous article) and SSL configuration of K2 web sites (as usual for test purposes you can get away with self-signed certificate, and this is also covered in K2 Installation and Configuration Guide).

There are two big parts in setting up K2 and AAD integration: registering K2 SmartForms app in AAD and K2 side configuration of OAuth Resource and AAD label.

First part is fully covered in my previous article so I only going to go through K2 side configuration steps.

To begin configuration process, we need to open K2 Management site. As our first step here, we need to Register an OAuth Resource in K2. To do that we navigate to Authentication > OAuth > Resources and click on New button:

As you can see overall UI theme changed a bit in K2 Five from black to silver/gray and in New OAuth Resource form we now have two extra fields “Refresh Token Endpoint” and “Metadata Endpoint”. We now need to to type in resource name, select Microsoft Online as a resource type and enter Authorization and Token Endpoint values we recorded during AAD app registration, i.e. they should look as follows:

Token Endpoint value:

https://login.microsoftonline.com/{AAD_DIRECTORY_ID}/oauth2/token

Authorization Endpoint URL value:

https://login.microsoftonline.com/{AAD_DIRECTORY_ID}/oauth2/authorize

We leave Use Host Server Authorization Endpoint checkbox unchecked, and two new fields unfilled and click on OK button (see screenshot below):

Our next step is to edit client_id resource parameter of newly created OAuth resource. For that make sure that your “AAD” resource is selected in resource list and select client_id from the lest of Resource Parameters below and click on Edit button as shown below:

Once client_id edit dialog has been opened we just need to paste APPLICATION ID we saved during AAD app registration in all three fields of this box, i.e. we use it as a value for Authorization, Token and Refresh:

We next need to edit number of other parameters in the same fashion. We edit api_version resource parameter entering “1.0” for all values:

Next, we edit scope resource parameter entering reader as Authorization Value as shown below:

For all values of client_secret enter KEY we saved during AAD app registration:

We specify https://graph.windows.net for all values of resource parameter:

For redirect_uri we enter https://{YourK2Server}/identity/token/oauth/2 as Authorization and Token value:

For entity_id parameter we enter DIRECTORY ID of your AAD instance as a token value:

After all these edits you Resource Parameters for AAD resource should look like this:

We are now ready to add AAD security label in K2 (you can use something other than “AAD” as label name). For this we need to execute this SQL script or use sample script from K2 Installation and Configuration guide adjusting values for @OAuthProviderName and @SecurityLabelName variables. Be sure to back up your K2 database as you supposed to do before any direct modification of K2 database (I hope this is already your habit? If not try to form it ?).

Once script has been executed, we need to restart K2 service to get this new label initialized/picked up by K2.

Our next step is to add new claim issuer from K2 Management site, for that navigate to Authentication > Claims > Issuers, click New and fill in New Claim Issuer form as shown below:

You need to specify the following values there:

For Issuer value you specify https://sts.windows.net/{DIRECTORY_ID}/, for URI value you specify https://login.windows.net/{DIRECTORY_ID}/wsfed. As a Thumbprint value you need to paste your FINGERPRINT VALUE. Pay attention to trailing slash in Issuer URL – do not omit it.

Next step is configuration of the Claim Mappings in K2. Claim mappings are used to identify the incoming claims and map them to the appropriate K2 security label. To do that we navigate to Authentication > Claims > Claims and click New:

In the New Claim Mapping form, we then select label and issuer we created earlier and fill in the form. We need to type in User and Group token identifiers and fill in all values under Identity Provider along with Original Issuer and Claim Type values under Identity section (see screenshot below).

Next, we need to configure the Realms and Audience URIs linking them with new issuer. For that, we navigate to K2 Management > Authentication > Claims > Realms and for every realm enable our AAD issuer, by means of selecting realm entry, clicking Edit and checking newly created issuer in Linked Issuers list:

Hooray! We can now navigate to our SmartForms URL and select our AAD and logon with AAD credentials:

Once label is selected you are redireted to Microsoft login page (https://login.microsoft.online.com) where you need to type in your AAD credentials and click Sign in:

What you going to see next obviously depends on which K2 site you were trying to access. And here things are a bit different in K2 Five – you actually won’t be able to access anything until rights will be granted. Both K2 Management and K2 Workspace are now essentially SmartForms based forms and you going to get related error messages when you don’t have access to them:

As for designer it seems it is also locked for AAD user, which was not the case in K2 4.7:

It looks like even designer is locked out by default, but bad thing that error messages not too user friendly to say the least.

This nudges us to perform our final configuration step. As we don’t have K2 Management rights we need to go and grant them, right? No changes between 4.7 and K2 Five here, before we will be able to read AAD data we need to obtain and cache AAD OAuth token for K2 service account and until that we only going to get this error message:

Error message tells us that OAuth token requires authorization and comes from K2 URM Service.

It means that we need to obtain OAuth token for K2 service account (URM Service runs in the context of this account). To do that perform the following steps (no changes here if we compare with K2 4.7):

1) Run SmartObject Services Tester (“C:\Program Files (x86)\K2 blackpearl\Bin\SmartObject Service Tester.exe”) in the context of your K2 service account using standard Windows “Run as different user” option.

2) Now the tricky part. Unfortunately, now, in K2 4.7 SmartObject Services Tester only allows you to perform authorization redirect only when you are creating new instance (this possibly will be addressed in upcoming K2 Five release). Thus, to get our K2 Service account token instead of touching URMService we will simply register new Azure Active Directory service instance (and you may want to have it anyway):

In Add Service Instance dialog we just switching Authentication Mode to OAuth, selecting our OAuth Resource (“AAD”) and typing https://graph.windows.net as OAuth Resource Audience value. We do not touch any other settings leaving them on default values as illustrated below.

Once you click on Next, you will get this message (once again this message appears only when you are adding new instance, not editing existing one!):

Once you hit OK browser window will be opened where you need to type in your AAD credentials. Important: you need an AAD user with Global administrator directory role for this action, otherwise you are going to see the following error:

If you remember one of the rights we granted to our app is “Read directory data” and as it is a directory wide access only global admin AAD user can grant consent to this right:

Once you type in your AAD global admin user credentials you just need to confirm that we are granting permissions mentioned above to the app:

Once you click on accept you should be redirected on your K2 Identity site (you may get Windows credentials prompt at this stage – type in your K2 service account credentials) and see “Authorization Successful” message:

This means that K2 service account token has been created and cached on your K2 server and you can see it in K2 Management > Authentication > OAuth > Tokens:

3) You can now get back to SmartObject Services Tester and click on Next, Add to finish creation of AAD Service Instance:

We now completed all the configuration steps and can grant rights to AAD users and use them in all K2 user pickers:

If we now trying to login to K2 sites using our AAD account prior to granting any rights both K2 Designer and K2 Workspace going to be available to him in default configuration (so Designer is still not locked out by default), but K2 Management is not accessible until you grant your user appropriate rights:

Of course, K2 Designer we see in K2 Five is completely different beast than it used to be, but discussing it is out of scope for this article, so I’ll just put only one screenshot of it below:

So, after repeating AAD integration configuration steps I can say that at least in K2 Five Public RC we don’t see any drastic changes when it comes to configuring AAD integration (though we can see couple of tiny changes but they don’t impact the overall process) – depending on your preference you can either refer to my old article to go through the entire process or use an old article only for AAD app set up part and this one for K2 configuration part.

Update 09.2018: Since this post has been written official K2 documentation has been updated to cover this scenario. Below you can find direct links to relevant section of K2 ICG:

Manually Configure K2 for Azure Active Directory (AAD) K2 4.7

Manually Configure K2 for Azure Active Directory (AAD) K2 5.0

Manually Configure K2 for Azure Active Directory (AAD) K2 5.1

Facebooktwittergoogle_plusredditpinterestlinkedinmail