Channel: K2 – Mike's Blog

Using K2 management APIs within process solutions

I’m currently reading a splendid piece of writing entitled “K2 blackpearl Best Practices”, which, despite being published a very long time ago, still has not lost its relevance. I just wanted to note one of the points contained in this document:

Refrain from using K2 management APIs within process solutions as the use of these requires that the identity of the user executing the code has administration rights. In particular this includes the management APIs contained within the SourceCode.Workflow.Management, SourceCode.ManagementAPI, SourceCode.SmartObjects.Services.Management, and SourceCode.SmartObjects.Services.SmartBox.Management assemblies, but any assembly with ‘Management’ in the name typically requires permissions on the server that a typical user will not have. Occasionally use of these APIs is required but it should be kept to a minimum.

I am highlighting this as an important point because I saw cases where K2 clients tried to use these APIs and expected them to work without administrative rights. Just jotting this down along with the primary source which mentions this caveat.

K2 4.6.10 released

So yesterday (24/06/2015) the K2 4.6.10 release was made available to the general public, and it is now available to all K2 clients in the K2 blackpearl downloads section at portal.k2.com. You may familiarize yourself with the product release notes (KB001700), which contain consolidated information about all parts of the K2 product suite, in contrast with the former practice of having separate release notes for individual components (blackpearl, smartforms, control pack etc.). The K2 blackpearl 4.6 Compatibility Matrix is updated too.

This is the second release which uses unified versioning for all components, and I still think that this change has a tremendous impact in simplifying life both for clients and for K2 support. The former versioning system was a bit messy and was not only less consumer friendly, but also a source of frequent confusion and of cases when incompatible or poorly compatible components were mixed in one environment. Now it’s plain and simple: you have to have version 4.6.10 for all of your components. Period. I really like this – nice and simple, how it should be. :)

K2 4.6.10 Prerequisites

SMS Messaging with K2

This is a really interesting project :)

Originally posted on GreenEggs on K2:

Introduction

The SMS Service allows the K2 Server to send SMS messages and to also receive text messages. The service also allows for K2 to act upon the content received in the message from simply storing the message, starting a specific workflow by texting a specific hash tag and lastly being able to action a task by sms message.

See it in Action

What Do You Need

For this service to work correctly you need to have a subscription to Esendex sms service (www.esendex.com) . You can register for a trial account to start off with. They will give you some sms messaging credits and a mobile number. You will need to make a note of the following information.

  1. Account Number
  2. Username
  3. Password
  4. Mobile Number

What is in the Service

The zip file contains the following components

  1. SQL scripts to create the database
  2. GUID for SQL db. Service Object
  3. Package…

How to check if the UPA is populated correctly for specific user

Certain SharePoint 2013 features as well as K2 for SharePoint need to have User Profile Application (UPA) working and its database populated with correct data.

Sometimes it is difficult to confirm whether or not the UPA is correctly configured, as the SharePoint UI does not show you all the properties for the users. Moreover, even if the UPA is not configured properly, users can still log in to SharePoint and successfully get an OAuth token, and this fact complicates troubleshooting.

As a quick way to confirm that the UPA is populated correctly for a particular user, you may ask the user to log in to SharePoint and navigate to the following page:

https://<siteurl>/_api/SP.UserProfiles.PeopleManager/GetMyProperties

It will return all UPA properties for the user. For OAuth tokens to work correctly, the following properties should be populated: SPS-ClaimID, SPS-ClaimProviderID, SPS-ClaimProviderType, and SPS-UserPrincipalName.
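
The same check can be scripted instead of read by eye. The PowerShell below is an added example, not code from the original post: it parses the JSON form of the GetMyProperties response and reports which of the four claim properties are empty. The helper name Test-UpaClaimProperties and the sample response are constructed for illustration, and the layout assumed is the `odata=verbose` JSON shape with the properties under d.UserProfileProperties.results.

```powershell
# Added example: check the four claim-related UPA properties named in the post.
# Test-UpaClaimProperties is a hypothetical helper name, not a SharePoint or K2 cmdlet.

$RequiredUpaProperties = @(
    'SPS-ClaimID',
    'SPS-ClaimProviderID',
    'SPS-ClaimProviderType',
    'SPS-UserPrincipalName'
)

function Test-UpaClaimProperties {
    param(
        # JSON text returned by /_api/SP.UserProfiles.PeopleManager/GetMyProperties
        # when requested with "Accept: application/json;odata=verbose" (assumed layout).
        [Parameter(Mandatory)] [string]   $Json,
        [string[]] $Required = $RequiredUpaProperties
    )

    $response = $Json | ConvertFrom-Json
    $results  = $response.d.UserProfileProperties.results
    if (-not $results) {
        throw 'Response contains no d.UserProfileProperties.results collection.'
    }

    # Key/Value pairs -> lookup table (PowerShell hashtable keys are case-insensitive).
    $lookup = @{}
    foreach ($entry in $results) { $lookup[$entry.Key] = $entry.Value }

    foreach ($name in $Required) {
        $value = $lookup[$name]
        [pscustomobject]@{
            Property  = $name
            Populated = -not [string]::IsNullOrWhiteSpace($value)
            Value     = $value
        }
    }
}

# Constructed sample response (all values are made up); one property is left empty
# to show what an incompletely populated profile looks like.
$sampleJson = @'
{ "d": {
    "AccountName": "i:0#.w|denallix\\bob",
    "UserProfileProperties": { "results": [
      { "Key": "SPS-ClaimID",           "Value": "bob@denallix.com", "ValueType": "Edm.String" },
      { "Key": "SPS-ClaimProviderID",   "Value": "Windows",          "ValueType": "Edm.String" },
      { "Key": "SPS-ClaimProviderType", "Value": "Windows",          "ValueType": "Edm.String" },
      { "Key": "SPS-UserPrincipalName", "Value": "",                 "ValueType": "Edm.String" }
    ] }
} }
'@

$report = Test-UpaClaimProperties -Json $sampleJson
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Populated }
if ($missing) {
    Write-Warning ('UPA properties not populated: ' + ($missing.Property -join ', '))
}

# Against a live site (assumes on-premises SharePoint with Windows authentication).
# Run it as the user being checked: GetMyProperties returns the caller's own profile.
# $uri  = 'https://<siteurl>/_api/SP.UserProfiles.PeopleManager/GetMyProperties'
# $json = (Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing `
#            -Headers @{ Accept = 'application/json;odata=verbose' }).Content
# Test-UpaClaimProperties -Json $json
```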

Configuring HTTPS for K2 SmartObject Services

There is quite a good section at help.k2.com which describes what you have to do in order to enable HTTPS for K2 SmartObject Services – “Windows Authentication with SSL for K2 SmartObject Services”. This post is a sort of recap of that section with a few extra bits of information.

So first you have to edit the K2HostServer.exe.config file (default location – Program Files (x86)\K2 blackpearl\Host Server\Bin) as follows:

  1. Change enableEndpoints="false" to enableEndpoints="true"
  2. Change scheme="http" to scheme="https"
  3. Change port="8888" to port="8443"
  4. Change wcf binding="wsHttpBinding" bindingConfiguration="wsHttpBinding+Windows" to wcf binding="wsHttpBinding" bindingConfiguration="wsHttpBinding+HTTPS"
  5. Change rest binding="webHttpBinding" bindingConfiguration="webHttpBinding+Windows" to rest binding="webHttpBinding" bindingConfiguration="webHttpBinding+Windows+HTTPS"
  6. Change excluded all="true" to excluded all="false"

As usual, changes made to this config file will be picked up on K2 service restart, but it is better to complete the additional configuration tasks before restarting it.

  1. Configure the URL Access Control List so that the service account can use the HTTPS URL by issuing the following command:

netsh http add urlacl url=https://[server]:8443/ user=[domain\ServiceAccountUsername]

  2. Next you need to configure SSL for the port by issuing the following command:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=[CertificateThumbprint] appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

Some comments may be necessary here. For the certhash value you have to specify the Thumbprint value of the certificate which is being used for the HTTPS binding of your K2 site:

IIS Bindings View Certificate Properties 01

IIS Bindings View Certificate Properties 02

You need to copy the Thumbprint value from the certificate properties and specify it as the value of the certhash parameter of the aforementioned command (no spaces). As for the appid parameter, you may use the GUID suggested in the K2 help article, {4dc3e181-e14b-4a21-b022-59fc669b0914}, though according to some sources a random GUID can be specified (you can use any valid GUID, as it is only used to allow you to identify the binding later).

So in the end the command should look similar to this:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=e202039fac0b424d624d14b18102973cc7e7889c appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

There is an alternative way to get your K2 site SSL certificate thumbprint with the use of PowerShell:

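Import-Module WebAdministration
# Find the certificate by subject (dots escaped so that they match literally)
$cert = Get-ChildItem cert:\LocalMachine\My | where { $_.Subject -match "CN\=\*\.denallix\.com" } | select -First 1
# Print only the thumbprint, which is the value certhash expects
Write-Host $cert.Thumbprint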

  3. Once all that has been done, you can restart the K2 service and validate the results by accessing the following URL (adjust the URL accordingly):

https://[server]:8443/SmartObjectServices/endpoints/endpoints.xml

If you see a page similar to the one in the screenshot below, then you have successfully configured HTTPS for K2 SmartObject Services.

HTTPS endpoints.xml
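
The two netsh steps above, as an added PowerShell example that is not part of the original post or of K2's documentation: it cleans a thumbprint copied from the certificate dialog (which can carry spaces and an invisible leading character that netsh rejects), confirms that the certificate is in LocalMachine\My with a private key and inside its validity period, and builds both commands. The helper names, server name and service account are assumptions made for illustration; the port and appid GUID are the ones quoted in the post.

```powershell
# Added example: build the netsh commands from the post with a validated thumbprint.
# ConvertTo-CleanThumbprint and New-K2SslBindingCommands are hypothetical helper names.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    # Drop everything that is not a hex digit: spaces, and invisible characters such as
    # U+200E that can come along when the value is copied from the certificate dialog.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function New-K2SslBindingCommands {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $ServiceAccount,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int]    $Port  = 8443,
        [string] $AppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}',
        [switch] $SkipStoreCheck   # only for dry runs on a machine without the certificate
    )

    $hash = ConvertTo-CleanThumbprint -Thumbprint $Thumbprint

    if (-not $SkipStoreCheck) {
        # http.sys can only bind a certificate that is in the machine store with its key.
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
        if (-not $cert)               { throw "Certificate $hash not found in LocalMachine\My." }
        if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key." }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            throw "Certificate $hash is outside its validity period."
        }
    }

    # Returned as strings so they can be reviewed and then run from an elevated cmd.exe.
    # If they are run from PowerShell instead, quote the appid value: bare braces are
    # parsed as a script block there.
    "netsh http add urlacl url=https://${Server}:$Port/ user=$ServiceAccount"
    "netsh http add sslcert ipport=0.0.0.0:$Port certhash=$hash appid=$AppId"
}

# Constructed input: the thumbprint from the post as it may look when pasted from the
# certificate dialog (leading U+200E mark plus spaces). Server and account names are
# made up. -SkipStoreCheck is used because this sample certificate is not installed here.
$pasted = "$([char]0x200E)e2 02 03 9f ac 0b 42 4d 62 4d 14 b1 81 02 97 3c c7 e7 88 9c"
New-K2SslBindingCommands -Server 'k2.denallix.com' -ServiceAccount 'DENALLIX\K2Service' `
    -Thumbprint $pasted -SkipStoreCheck

# After running the generated commands, the resulting state can be inspected with:
#   netsh http show urlacl url=https://k2.denallix.com:8443/
#   netsh http show sslcert ipport=0.0.0.0:8443
```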

Unable to start K2 host service: Data at the root level is invalid

Just a note on one issue, to pin down the exact error cause. You may see a situation where the K2 host service is unable to start, failing on the Initializing Role Provider step for the provider with label “K2” with the following error:

Error 2001 Error Starting Host Server: Data at the root level is invalid. Line 1, position 1.
;Error Invoking 'StartHostServer' : SourceCode.HostServerLib: Data at the root level is invalid. Line 1, position 1.

Here is a screenshot:

Unable to Start K2 service - K2 label issue

So if you read a few lines above the error itself, it should give you a clue – as we see, it fails while attempting to initialize the Role Provider with label “K2”… Already guessed what is wrong here?

So it seems that something is wrong with the security label K2, likely with the RoleInit XML field. Tried to enable ADUM logging maybe? If yes, just review the SQL query you used to do this; likely it has some minor error causing the above-mentioned issue. Correct it, re-run the SQL script, and your K2 service is back up and running again :)

SmartObject Server Exception: Unable to load one or more of the requested types

Recently I ran into an interesting case where an attempt to register the K2 for SharePoint app failed with quite a strange error: “SmartObject Server Exception: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information”.

K2 for SP 4.6.10 app registration error

What is more interesting, it was a clean installation of a K2 4.6.10 environment using the latest installer available from the K2 portal. After the environment was reinstalled three times (you know that “reboot three times” approach I guess? 😉 ) and all conceivable prerequisites were double checked, I decided to do what you never ever should do, namely to register a SharePoint 2013 service instance using the SmartObjects Services Tester Tool. Note (for the sake of redundancy): you should never use this tool to add or edit your SharePoint 2013 service instances; all of those should be created from the SharePoint interface by means of the so-called “appify” operation.

As I saw that the registration wizard throws this error on the SharePoint Service broker registration step, I decided to just try to create a SharePoint 2013 service instance with the tester tool, just to see if I would get some error message there. And I was able to see this:

K2 for SP 4.6.10 tester tool error

So this was a clear indicator that our K2 server was missing some dependencies. Long story short, thanks to input from some colleagues (which is omitted here to prettify the narrative :) ), a solution to this was found.

So in case you were an early adopter of K2 4.6.10 or downloaded the 4.6.10 installer early enough, you may have noticed that there were a couple of minor versions of it which were superseded by the one currently available in the downloads section of the K2 portal (it has .2 at the very end of all component versions). So the .0 and .1 4.6.10 installers were available for a while but are now replaced with .2, which addressed a number of issues identified in its predecessors:

http://help.k2.com/kb001708 (Item References coldfix for K2 4.6.10)

http://help.k2.com/kb001709 (Known Issue: Developer license coldfix for K2 4.6.10 )

http://help.k2.com/kb001710 (Known Issue: Delete workflow coldfix for K2 4.6.10)

So check your installation files and make sure that you have the .2 installer so that you don’t have to mess with coldfixes later. But there is a minor issue with the .2 installer of K2 for SharePoint 4.6.10, namely it contains the “wrong” version of the SharePoint client components (sharepointclientcomponents_x64.msi) – 16.0.4002.1211 (1,8 MB) – and installs it on the K2 server, and when only this version is installed you are going to see the errors I mentioned above. The 4.6.9 installer and presumably the 4.6.10 .0/.1 installers contained version 15.0.4481.1505 of the SharePoint Client Components, and once you install it onto your K2 server the above-mentioned issues are solved.

K2 for SP 4.6.10 app registration error - solution

So it seems that we should not expect a .3 installer for 4.6.10, but no worries, this will be “fixed” in the 4.6.11 installer, which we will be able to see soon. For now just take note that if you are doing a clean install of K2 for SharePoint 4.6.10 (a separate installer which you need to use in case you have SharePoint 2013 in your environment) using the installation package currently available on the K2 downloads portal, make sure that you additionally install K2 for SharePoint Client Components 15.0.4481.1505, which you can grab from the 4.6.9 installer, for example.

.NET 4.6 & K2 blackpearl Setup Manager

So with the new wave of releases from Microsoft we now have Visual Studio 2015 and Windows 10 amongst other things, and depending on what you do you may be more excited about one or the other of these two. But what VS 2015 and Windows 10 have in common is that they both come with .NET 4.6. There is much more in these new versions, but for Windows 10, for example, two salient features you will notice are built-in .NET 4.6 and the Edge browser.

Now to K2. The upcoming 4.6.11 release promises us full support of Windows 10 (excluding the Edge browser), but there is an interesting thing with old versions of K2 and .NET 4.6. In case you are doing development for older versions of the K2 platform, you may want to use Windows 10 and/or Visual Studio 2015 on your development workstation, and this may pose a small issue.

Here is a screenshot from a clean Windows 8.1 Enterprise machine on which Visual Studio 2015 is installed. This is what we have in terms of .NET on this machine:

Unable to detect .NET 4.6 - appwiz.cpl

As you can see, we have .NET 4.5 as well as .NET 4.6 installed. But here is what K2 Setup Manager 4.6.8 thinks about this:

Unable to detect .NET 4.6 - 4.6.8 Setup Manager

So you don’t have .NET Framework 4.5 :) Some other applications may have issues with detecting your .NET version with the advent of 4.6, but as Microsoft says in such cases, “if app was written accordingly to our recommendations you won’t have any issues.” You may read up a bit about this in the related blog post at Aaron Stebner’s WebLog.

No worries – you will see this only with 4.6.8 and earlier versions; from 4.6.9 onwards .NET detection works OK whether you have .NET 4.6 or not. You may also contact K2 support to obtain a coldfix for K2 Setup Manager 4.6.8 which will solve this issue.

K2 Mobile – configuring & troubleshooting

Recently I had a support case where the problem was connectivity from mobile devices using the K2 Mobile app. In retrospect the case was very easy, but there is one interesting observation which to some extent was a cause of confusion and slow progress towards resolution.

As I don’t do a lot of K2 Mobile configuration, because I have ready-made environments at my disposal where everything is already up and running, I felt that I needed to look through the available K2 documentation. What I found confusing or lacking is that the documentation is heavily focused on K2 mobile client app usage and on troubleshooting connectivity from the client side, and there is no documentation section or document dedicated to the server-side setup of K2 Mobile functionality, which I expected to see. The closest thing to server-side settings/requirements documentation for K2 Mobile which it is possible to find is probably the “Troubleshooting the K2 Mobile Apps for iOS and Windows Phone (K2 WebAPI)” document. Which is again written from the mobile app/client POV :)

Any ideas why I had such expectations and why there is no such documentation?

So the answer, I think, is that I, as well as many other folks burdened with IT experience which harks back to the early days of mobility, still have that outdated idea that if you need mobile device access to your enterprise application you inevitably need a dedicated application server for this role, configured separately, quite often placed in a DMZ, and all this configured as a big extra feature. Well, things have moved forward since those early days of mobility, and now apps are written with pervasive mobile devices in mind, or rather, I would say, web standards and application development standards imply the ability to access applications from different types of devices and over the Internet. So we still need to configure firewalls (though even this is mitigated by the tendency to use the standard port 443 instead of obscure ports requiring extra changes on the firewall side), but given the situation with development standards and the maturity of the devices themselves (they are much closer to real PCs in terms of their hardware horsepower, the features supported by their browsers and the bandwidth available to them), access from mobile apps is just an extra feature and not a big separate product or application role anymore. Consequently there is no huge configuration guide for the server-side configuration required for K2 Mobile. Really, K2 Mobile is going to work for you (almost :) ) without any additional server-side configuration OOB, and these days it is more a matter of allowing network connectivity.

So you obviously need some public URL as a way of accessing your K2 site (in particular the mobile app needs access to the K2API and designer URLs) – in essence your URL should be bound properly to the K2 site in your IIS – pay attention to host headers – your binding should either be set as “All unassigned” or set to use your public URL.

Another important thing is that any real-world production deployment is going to require HTTPS, and it means that you need to have a certificate. And what you should know is that, for now, the K2 Mobile for iOS app will allow you to connect even if you use a non-trusted certificate, whereas the K2 Mobile apps for Android or Windows Mobile will fail to connect, giving you an obscure error message, when you are using a non-trusted certificate.

So a really quick troubleshooting guide:

1. The mobile app gives you a “Server not found” error. Make sure that the firewall allows access from the mobile device to the K2 server, i.e. your URL is being resolved properly by clients and your mobile devices are able to reach the K2 server IP.

2. The mobile app gives you a “Mobile services not found” error. It seems that you are reaching the web server but there is a difficulty accessing the required K2 subsites. Check your K2 site bindings – your IIS server should be configured to serve requests coming to the public URL you use for K2 Mobile access.

3. Your K2 Mobile app works on iOS, but on Android devices you are receiving “Request Time Out” and on Windows Mobile “WININET_E_CANNOT_CONNECT” errors. These obscure error messages are trying to tell you that the certificate you are using for your public K2 URL is not trusted on the devices. At the moment the K2 Mobile app for iOS allows connecting with a non-trusted certificate (this is subject to change in next versions), but the Windows Mobile and Android apps won’t connect until you have a trusted certificate. It means that you have to install the root certificate of the certificate authority which issued your K2 URL certificate on your mobile devices.

K2 4.6.11 release is available

So K2 released version 4.6.11 today, and you may find all six components of the platform available in the respective downloads section of portal.k2.com. The mysterious component number six is K2 Language Pack 4.6.11 (Preview) :)

So for all keen on trying the latest and greatest, the time has come. And since recently you have the option to take the Update Manager route, which is available to you if you run version 4.6.9 or later of K2. There are certain caveats to using Update Manager, especially in how you need to do modify operations for updated environments (see “K2 blackpearl 4.6.11 Installation and Configuration – Update Manager PDF” for details).

K2 4.6.11 Update Manager

This release adds some new wizards to create dynamic item references and loop through them using the “For Each” wizard. There is also a new License Report for managing K2 environment user licenses. This release fully supports Visual Studio 2015 and Windows 10 (caveat: no Edge browser support, but this is normal – just try to remember the situation with x64 IE support at the time when IE9 was released). Enhancements have been made to the K2 Designer and to the file and image attachment controls.

K2 4.6.11 Windows 10 Support

K2 4.6.11 Windows 10 Support

List of fixes and new features in each component can be found in the Release Notes:
K2 4.6.11 Release Notes (KB001735)
And the same for K2 connect can be found in separate release notes document:
K2 Connect 4.6.11 Release Notes (KB000860)

Once you are done with installing 4.6.11 RTM, your list of installed K2 components is going to look something like this:

K2 4.6.11 installed components

And below is the new K2 Designer start page, which has a clean and neat look, doesn’t it? At least I like it better than what we had before.

K2 4.6.11 designer start page

Looking forward to seeing early adopters leveraging the new features and how real adoption of this release will play out (given the nature of my work I can expect to see some first-hand accounts :) ).

K2 blackpearl Workspace security management

Sooner or later after you are done with your initial implementation of K2, the question of restricting access to K2 Workspace is brought up by somebody, and though your configuration options are not very flexible here, there is a way to do it (KB000291). The thing is that you should not rush into making changes in this area without reading the documentation first (don’t tell me that it is what you normally do all the time).

What quite often happens here is that as soon as the person charged with this task finds the “how” part of it, he/she rushes to configure it without reading into any details, like those mentioned in the “Other Considerations” section of KB000291. I believe that the “try first, read manual later” mindset, which is very popular in IT, is somewhat difficult to resist, as it is largely instilled in you by technology itself (both hardware and software), which is and always was built with “fool-proof” design patterns in mind, trying to be forgiving and to allow for rollbacks and easy correction and handling of errors. Anyhow, people often configure something first, and then comes that moment of “now what/how do I fix this”?

When it comes to K2 blackpearl Workspace security management, you should know the following beforehand about the way that the tabs in Workspace function:
1. With a new installation, no one has explicit permissions, and Workspace will function in optimistic security mode, meaning everyone can see the tab.
2. As soon as a user has been assigned explicit permissions on a tab, it will switch to pessimistic security mode, meaning that a user will need explicit rights to see the tab. If a user is not on the list, they will not be allowed to see it, and this is what is occurring in your environment.

So a typical error when customizing K2 Workspace security is granting rights to only one user (you should never leave your admin account without these rights), who may leave the company, for example; or, what we can deem a “double-mistake” here, granting these rights to only one user who in addition doesn’t have admin-level rights on the K2 server, thus leaving yourself with no opportunity for subsequent corrections via the normal GUI way.

In case you haven’t made the double-mistake mentioned above, you can easily correct this situation. To fix this, you just need to log in as a user who has been granted permissions and then assign permissions to those you want to grant access to (please grant them to your dedicated K2 admin account), using the Workspace Permissions option in the Security tab.

In case you are not sure which user has permissions, have a look at the ActionPermissions table in the K2 database:

SELECT UserName FROM ActionPermissions
WHERE actionid =
(SELECT ID FROM [action] WHERE [name] = 'Management Console')
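
The optimistic/pessimistic rule and the “double-mistake” described above can be checked before anyone gets locked out. The PowerShell below is an added example, not part of the original post or of K2: it is a simplified model of the rule as the post states it, applied to permission rows such as the query above would return. The helper name Get-WorkspaceTabAccess, the ActionName/UserName row shape, the 'Reports' tab and all account names are assumptions constructed for illustration.

```powershell
# Added example: model of the Workspace tab rule from the post, used to spot lockout risk.
# Get-WorkspaceTabAccess is a hypothetical helper; the rows mimic the output of a query
# joining ActionPermissions to [action] (property names ActionName/UserName are assumed).

function Get-WorkspaceTabAccess {
    param(
        [Parameter(Mandatory)] [string[]] $Tabs,           # Workspace tabs to evaluate
        [object[]] $Permissions = @(),                      # explicit permission rows
        [Parameter(Mandatory)] [string[]] $ServerAdmins    # accounts with K2 server admin rights
    )

    foreach ($tab in $Tabs) {
        # Users holding an explicit permission on this tab.
        $holders = @($Permissions |
            Where-Object { $_.ActionName -eq $tab } |
            ForEach-Object { $_.UserName } |
            Sort-Object -Unique)
        # Holders who could also fix permissions later because they are server admins.
        $adminHolders = @($holders | Where-Object { $ServerAdmins -contains $_ })

        if ($holders.Count -eq 0) {
            # No explicit permissions: optimistic mode, everyone sees the tab.
            $mode = 'Optimistic';  $risk = 'None: everyone can see the tab'
        } elseif ($adminHolders.Count -eq 0) {
            # Explicit permissions exist, but nobody holding them is a server admin.
            $mode = 'Pessimistic'; $risk = 'High: no holder has K2 server admin rights (double-mistake)'
        } elseif ($holders.Count -eq 1) {
            $mode = 'Pessimistic'; $risk = 'Medium: single holder, access depends on one account'
        } else {
            $mode = 'Pessimistic'; $risk = 'Low'
        }

        [pscustomobject]@{
            Tab     = $tab
            Mode    = $mode
            Holders = $holders -join ', '
            Risk    = $risk
        }
    }
}

# Constructed sample rows; in practice they would come from the K2 database.
$rows = @(
    [pscustomobject]@{ ActionName = 'Management Console'; UserName = 'DENALLIX\bob' }
    [pscustomobject]@{ ActionName = 'Reports';            UserName = 'DENALLIX\k2admin' }
    [pscustomobject]@{ ActionName = 'Reports';            UserName = 'DENALLIX\bob' }
)

Get-WorkspaceTabAccess -Tabs 'Management Console', 'Reports', 'Security' `
    -Permissions $rows -ServerAdmins 'DENALLIX\k2admin' |
    Format-Table -AutoSize
```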

Made an epic “double-mistake”? I.e. granted rights to one user without server-level administrative rights in K2, and are now not able to edit permissions even though this user can access the required tabs? This means that you have reached the section of KB000291 entitled “Error Resolution”, which you were supposed to read before playing around with Workspace security settings. And I quote this section:

If this happens, it will be necessary to manually modify the SQL databases to reset all Workspace permissions. It will then be necessary to specify all the permissions again. Please contact K2 Support prior to modifying any of the K2 databases or data stored in them.

So you have to reset your permissions to their defaults (no explicit permissions, optimistic security mode). This requires direct edits in your K2 DB, which is considered a thing to avoid whenever possible and should only be performed in case you know what you are doing and, more importantly, you know how to roll back your change if anything goes wrong. So you should do it with a full understanding of the risks involved.

It will suffice to issue the following SQL Server statement against your K2 DB:

TRUNCATE TABLE Workspace.ActionPermission

But you never do this without doing a K2 DB backup first and reading the preceding couple of paragraphs, right? I really hope so.

Another frequently asked question around K2 Workspace permissions revolves around the fact that you may find them not fine-grained enough and not fully in line with the RBAC ideology/approach. To these questions there is no easy answer with the current implementation of K2 Workspace, but things should become way better with the complete overhaul of this part of K2 which is planned to be released at some point, but the real particulars of this change and what we get with it are under NDA at this point.

facebooktwittergoogle_plusredditpinterestlinkedinmail

SMS Messaging with K2

$
0
0

This is a really interesting project :)

Originally posted on GreenEggs on K2:

Introduction

The SMS Service allows the K2 Server to send SMS messages and to also receive text messages. The service also allows for K2 to act upon the content received in the message from simply storing the message, starting a specific workflow by texting a specific hash tag and lastly being able to action a task by sms message.

See it in Action

What Do You Need

For this service to work correctly you need to have a subscription to Esendex sms service (www.esendex.com) . You can register for a trial account to start off with. They will give you some sms messaging credits and a mobile number. You will need to make a note of the following information.

  1. Account Number
  2. Username
  3. Password
  4. Mobile Number

What is in the Service

The zip file contains the following components

  1. SQL scripts to create the database
  2. GUID for SQL db. Service Object
  3. Package…

View original 1,298 more words

facebooktwittergoogle_plusredditpinterestlinkedinmail

How to check if the UPA is populated correctly for specific user

$
0
0

Certain SharePoint 2013 features as well as K2 for SharePoint need to have User Profile Application (UPA) working and its database populated with correct data.

Sometimes it is difficult to confirm whether or not UPA is correctly configured as SharePoint UI does not show you all the properties for the users. Moreover, even if UPA is not configured properly users still can login to SharePoint and successfully get OAuth tokern, and this fact complicates troubleshooting.

As a quick way to confirm that UPA is populated correctly for a particular user you may ask him to login to SharePoint and navigate to the following page:

https://<siteurl>/_api/SP.UserProfiles.PeopleManager/GetMyProperties

It will return all UPA propeerties for the user. For OAuth tokens to work correctly following properties should be popluated: SPS-ClaimID, SPS-ClaimProviderID, SPS-ClaimProviderType, and SPS-UserPrincipalName.

facebooktwittergoogle_plusredditpinterestlinkedinmail

Configuring HTTPS for K2 SmartObject Services

$
0
0

There is a quite good section at help.k2.com which describes what you have to do in order to enable HTTPS for K2 SmartObject Services – “Windows Authentication with SSL for K2 SmartObject Services”. This post is sort of recap of that section with few extra bits of information.

So first you have to edit K2HostServer.exe.config file (default location – Program Files(x86)\K2 blackpearl\Host Server\Bin) as follows:

  1. Change enableEndpoints=”false” to enableEndpoints=”true”
  2. Change scheme=”http” to scheme=”https”
  3. Change port=”8888″ to port=”8443″
  4. Change wcf binding=“wsHttpBinding” bindingConfiguration= “wsHttpBinding+Windows” to wcf binding=“wsHttpBinding” bindingConfiguration= “wsHttpBinding+HTTPS”
  5. Change rest binding=“webHttpBinding” bindingConfiguration= “webHttpBinding+Windows” to rest binding=“webHttpBinding” bindingConfiguration= “webHttpBinding+Windows+HTTPS”
  6. Change excluded all=”true” to excluded all=”false”

As usual changes made to this config file will be picked up with K2 service restart, but it is bettor to done additional configuration task before restarting it.

  1. Configure the URL Access Control List so that the service account can use the https url by issuing following command:

netsh http add urlacl url=https://[server]:8443/ user=[domain\ServiceAccountUsername]

  1. Next you need configure the SSL for the port by issuing the following command:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=[CertificateThumbprint] appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

Here some comments may be necessary. For certhash value you have specify value of CertificateThumbrint property of a certificate which is being used for HTTPS binding of your K2 site:

IIS Bindings View Certificate Properties 01

IIS Bindings View Certificate Properties 02

You need to copy Thumbprint value from certificate properties and specify it as a value of certhash property of aforementioned command (no spaces). As for appid property you may use GUID suggesten in K2 help article {4dc3e181-e14b-4a21-b022-59fc669b0914} though according to some sources random GUID can be specified (you can use any valid GUID, as it is only used to allow you to identify the binding later).

So in the end command should look similar to this:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=‎e202039fac0b424d624d14b18102973cc7e7889c appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

There is an alternative way to get your K2 site SSL certificate thumbrpint with use of PowerShell:

Import-module WebAdministration
$cert = Get-ChildItem cert:\LocalMachine\My | where { $_.Subject -match "CN\=\*.denallix.com" } | select -First 1
Write-Host $cert

  1. Once all that has been done you can restart K2 service and validate the results by accessing the following url (adjust URL accordingly):

https://[server]:8443/SmartObjectServices/endpoints/endpoints.xml

If you see a page similar to one on the screenshot below then you successfully configured HTTPS for K2 SmartObject Services.

HTTPS endpoints.xml

facebooktwittergoogle_plusredditpinterestlinkedinmail

Unable to start K2 host service: Data at the root level is invalid

$
0
0

Just a note on one issue to pin down exact error cause. You may see the situation when K2 host service is unable to start failing on Initializing Role Provider step for provider with label “K2″ with the following error:

Error 2001 Error Starting Host Server: Data at the root level is invalid. Line 1, position 1.
;Error Invoking 'StartHostServer' : SourceCode.HostServerLib: Data at the root level is invalid. Line 1, position 1.

Here is screenshot:

Unable to Start K2 service - K2 label issue

So if you read a few line above the error itself it should give you a clue – as we see that it fails attempting to initialize Role Provider with label “K2″… Already guessed what is wrong here?

So it seems that something wrong with security label K2, likely with RoleInit XML field. Tried to enable ADUM logging maybe? If yes just review SQL query you used to do this, likely it has some minor error causing above mentioned issue. Correct it & re-run SQL script and your K2 service is back up and running again :)


SmartObject Server Exception: Unable to load one or more of the requested types


Recently I ran into an interesting case where an attempt to register the K2 for SharePoint app failed with quite a strange error: “SmartObject Server Exception: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information”.

K2 for SP 4.6.10 app registration error

What is more interesting, it was a clean installation of a K2 4.6.10 environment using the latest installer available from the K2 portal. After the environment was reinstalled three times (you know that “reboot three times” approach, I guess? 😉 ) and all conceivable prerequisites were double-checked, I decided to do what you never ever should do, namely to register a SharePoint 2013 service instance using the SmartObjects Services Tester Tool. Note (for the sake of redundancy): you should never use this tool to add or edit your SharePoint 2013 service instances; all of those should be created from the SharePoint interface by means of the so-called “appify” operation.

As I saw that the registration wizard throws this error on the SharePoint Service broker registration step, I decided to try to create a SharePoint 2013 service instance with the tester tool, just to see if I would get some error message there. And I was able to see this:

K2 for SP 4.6.10 tester tool error

So this was a clear indicator that our K2 server was missing some dependencies. Long story short, thanks to input from some colleagues (which is omitted here to prettify the narrative :) ), a solution to this was found.

So in case you were an early adopter of K2 4.6.10 or downloaded the 4.6.10 installer early enough, you may have noticed that there were a couple of minor versions of it which were superseded by the one currently available in the downloads section of the K2 portal (it has .2 at the very end of all component versions). So the .0 and .1 4.6.10 installers were available for a while but are now replaced with .2, which addressed a number of issues identified in its predecessors:

http://help.k2.com/kb001708 (Item References coldfix for K2 4.6.10)

http://help.k2.com/kb001709 (Known Issue: Developer license coldfix for K2 4.6.10 )

http://help.k2.com/kb001710 (Known Issue: Delete workflow coldfix for K2 4.6.10)

So check your installation files and make sure that you have the .2 installer so that you don’t have to mess with coldfixes later. But there is a minor issue with the .2 installer of K2 for SharePoint 4.6.10: it contains the “wrong” version of the SharePoint client components (sharepointclientcomponents_x64.msi), 16.0.4002.1211 (1,8 MB), and installs it on the K2 server, and when only this version is installed you are going to see the errors I mentioned above. The 4.6.9 installer and presumably the 4.6.10 .0/.1 installers contained version 15.0.4481.1505 of the SharePoint Client Components, and once you install it onto your K2 server the above-mentioned issues are solved.

K2 for SP 4.6.10 app registration error - solution

So it seems that we should not expect a .3 installer for 4.6.10, but no worries, this will be “fixed” in the 4.6.11 installer, which we will be able to see soon. For now just take note that if you are doing a clean install of K2 for SharePoint 4.6.10 (a separate installer which you need to use in case you have SharePoint 2013 in your environment) using the installation package currently available on the K2 downloads portal, make sure that you additionally install K2 for SharePoint Client Components 15.0.4481.1505, which you can grab from the 4.6.9 installer, for example.


.NET 4.6 & K2 blackpearl Setup Manager


So with the new wave of releases from Microsoft we now have Visual Studio 2015 and Windows 10 amongst other things, and depending on what you do you may be more excited about one or the other of these two. But what VS 2015 and Windows 10 have in common is that they both come with .NET 4.6. There is much more in these new versions, but for Windows 10, for example, two salient features you will notice are built-in .NET 4.6 and the Edge browser.

Now to K2. The upcoming 4.6.11 release promises us full support of Windows 10 (excluding the Edge browser), but there is an interesting thing with old versions of K2 and .NET 4.6. In case you are doing development for older versions of the K2 platform, you may want to use Windows 10 and/or Visual Studio 2015 on your development workstation, and this may pose a small issue.

Here is a screenshot from a clean Windows 8.1 Enterprise machine on which Visual Studio 2015 is installed. This is what we have in terms of .NET on this machine:

Unable to detect .NET 4.6 - appwiz.cpl

As you can see we have .NET 4.5 as well as .NET 4.6 installed. But here is what K2 Setup Manager 4.6.8 thinks about this:

Unable to detect .NET 4.6 - 4.6.8 Setup Manager

So you don’t have .NET Framework 4.5 :) Some other applications may have issues detecting your .NET version with the advent of 4.6, but as Microsoft says in such cases, “if app was written accordingly to our recommendations you won’t have any issues.” You may read up a bit about this in the related blog post at Aaron Stebner’s WebLog.

No worries: you will see this only with 4.6.8 and earlier versions; starting from 4.6.9 onwards, .NET detection works OK whether you have .NET 4.6 or not. You may also contact K2 support to obtain a coldfix for K2 Setup Manager 4.6.8 which will solve this issue.


K2 Mobile – configuring & troubleshooting


Recently I had a support case where the problem was connectivity from mobile devices using the K2 Mobile app. In retrospect the case was very easy, but there is one interesting observation which to some extent was the cause of confusion and slow progress towards resolution.

As I don't do a lot of K2 Mobile configuration (I have ready-made environments at my disposal where everything is already up and running), I felt that I needed to look through the available K2 documentation. What I found confusing or lacking is that the documentation is heavily focused on K2 Mobile client app usage and on troubleshooting connectivity from the client side, and there is no documentation section or document dedicated to server-side setup of K2 Mobile functionality, which I expected to see. The closest thing to server-side settings/requirements documentation for K2 Mobile which it is possible to find is probably the “Troubleshooting the K2 Mobile Apps for iOS and Windows Phone (K2 WebAPI)” document, which is again written from the mobile app/client POV :)

Any ideas why I had such expectations and why there is no such documentation?

So the answer, I think, is that I, as well as many other folks burdened with IT experience which harks back to the early days of mobility, still have that outdated idea that if you need mobile device access to your enterprise application, you inevitably need a dedicated application server for this role, configured separately, quite often placed in a DMZ, and all this set up as a big extra feature. Well, things have moved forward since those early days of mobility, and now apps are being written with pervasive mobile devices in mind, or rather, I would say, web standards and application development standards imply the ability to access an application from different types of devices and over the Internet. So we still need to configure firewalls (though even this is mitigated by the tendency to use the standard port 443 instead of obscure ports requiring extra changes on the firewall side), but given the situation with development standards and the maturity of the devices themselves (they are much closer to real PCs in terms of their hardware horsepower, the features supported by their browsers and the bandwidth available to them), access from mobile apps is just an extra feature and not a big separate product or application role anymore. Consequently there is no huge configuration guide for the server-side configuration required for K2 Mobile. Really, K2 Mobile is going to work for you (almost :) ) without any additional server-side configuration OOB, and these days it is more a matter of allowing network connectivity.

So you obviously need some public URL as a way of accessing your K2 site (in particular, the mobile app needs access to the K2API and designer URLs). In essence your URL should be bound properly to the K2 site in your IIS. Pay attention to host headers: your binding should either be set as “All unassigned” or set to use your public URL.

Another important thing is that any real-world production deployment is going to require HTTPS, which means that you need to have a certificate. And what you should know is that for now the K2 Mobile for iOS app will allow you to connect even if you use a non-trusted certificate, whereas the K2 Mobile apps for Android or Windows Mobile will fail to connect, giving you an obscure error message, when you are using a non-trusted certificate.

So really quick troubleshooting guide:

1. Mobile app gives you a “Server not found” error. Make sure that the firewall allows access from the mobile device to the K2 server, i.e. your URL is being resolved properly by clients and your mobile devices are able to reach the K2 server IP.

2. Mobile app gives you a “Mobile services not found” error. It seems that you are reaching the web server but there is a difficulty accessing the required K2 subsites. Check your K2 site bindings: your IIS server should be configured to serve requests coming to the public URL you use for K2 Mobile access.

3. Your K2 Mobile app works on iOS, but on Android devices you are receiving “Request Time Out” and on Windows Mobile “WININET_E_CANNOT_CONNECT” errors. These obscure error messages are trying to tell you that the certificate you are using for your public K2 URL is not trusted on the devices. At the moment the K2 Mobile app for iOS allows connecting with a non-trusted certificate (this is subject to change in future versions), but the Windows Mobile and Android apps won’t connect until you have a trusted certificate. It means that you have to install the root certificate of the certificate authority which issued your K2 URL certificate on your mobile devices.
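For item 3, the following added example (not from the original post) retrieves the certificate served on the public K2 URL and shows the chain as a Windows machine builds it, so you can see whether it is self-signed and which certificate sits at the top of the chain. Test-PublicCertificateChain is a hypothetical helper and k2.example.com is a placeholder host; the trust verdict reflects the trust store of the machine running the script, not that of the mobile devices.

```powershell
# Added example, not from the original post. Test-PublicCertificateChain is a
# hypothetical helper; k2.example.com is a placeholder for your public K2 host.
function Test-PublicCertificateChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate for this inspection only, so that a
        # non-trusted one can still be retrieved and examined.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain against this machine's trust store (revocation not checked).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trustedHere = $chain.Build($cert)

    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top = $elements[-1]   # last element is the highest certificate the chain reached

    [pscustomobject]@{
        Host          = $HostName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        TrustedHere   = $trustedHere
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ChainLength   = $elements.Count
        TopOfChain    = $top.Subject
        TopIsRoot     = ($top.Subject -eq $top.Issuer)   # self-issued, i.e. a root
        TopThumbprint = $top.Thumbprint
    }
}

# Test-PublicCertificateChain -HostName 'k2.example.com' | Format-List
```

When TopIsRoot is true, TopOfChain names the root certificate that, per item 3, has to be trusted on the Android and Windows Mobile devices.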


K2 4.6.11 release is available


So K2 released version 4.6.11 today, and you may find all six components of the platform available in the respective downloads section of portal.k2.com. The mysterious component number six is K2 Language Pack 4.6.11 (Preview) :)

So for all those keen on trying the latest and greatest, the time has come. And since recently you have the option to take the Update Manager route, which is available to you if you run version 4.6.9 or later of K2. There are certain caveats to using Update Manager, especially in how you need to do modify operations for updated environments (see “K2 blackpearl 4.6.11 Installation and Configuration – Update Manager PDF” for details).

K2 4.6.11 Update Manager

Another interesting thing is that even if you are using the combined installer or the separate installers (meaning those which can be used to perform a clean install) to update an existing environment, the same Update Manager type of install is run (though on a per-component basis). What is also new here is that once you are done updating one of the components, Update Manager reminds you about the availability of an update for another related component:

K2 4.6.11 Update Manager Reminders

This possibly doesn’t look like a big thing to you, but as I normally see quite a few support cases that come down to the simple fact that people started their upgrade but did not upgrade all of the components in their environment, I really appreciate this. People can plainly forget to update some component and discover this only after a while, when strange errors crop up, and after placing a support ticket and doing a bit of investigation work. So these reminders are really going to save some time for all.

This release adds some new wizards to create dynamic item references and loop through them using the “For Each” wizard. There is also a new License Report for managing K2 environment user licenses. This release fully supports Visual Studio 2015 and Windows 10 (caveat: no Edge browser support, but this is normal; just try to remember the situation with x64 IE support at the time when IE9 was released). Enhancements have been made to the K2 Designer and to the file and image attachment controls.

K2 4.6.11 Windows 10 Support


List of fixes and new features in each component can be found in the Release Notes:
K2 4.6.11 Release Notes (KB001735)
And the same for K2 connect can be found in separate release notes document:
K2 Connect 4.6.11 Release Notes (KB000860)

Once you are done installing 4.6.11 RTM, your list of installed K2 components is going to look something like this:

K2 4.6.11 installed components

And below is the new K2 Designer start page, which has a clean and neat look, doesn’t it? At least I like it better than what we had before.

K2 4.6.11 designer start page

Looking forward to seeing early adopters leveraging the new features and how real adoption of this release will play out (given the nature of my work I can expect to see some first-hand accounts :) ).


K2 blackpearl Workspace security management


Sooner or later after you are done with your initial implementation of K2, the question of restricting access to K2 Workspace is brought up by somebody, and though your configuration options are not very flexible here, there is a way to do it (KB000291). The thing is that you should not rush into making changes in this area without reading the documentation first (don’t tell me that it is what you normally do all the time).

What quite often happens here is that as soon as the person charged with this task finds the “how” part of it, he/she rushes to configure it without reading into any details, like those mentioned in the “Other Considerations” section of KB000291. I believe that the “try first, read manual later” mindset, which is very popular in IT, is somewhat difficult to resist, as it is largely instilled into you by technology itself (both hardware and software), which is and always was built with “fool-proof” design patterns in mind, trying to be forgiving and to allow for rollbacks and easy correction and handling of errors. Anyhow, people often configure something first, and then comes that moment of “now what/how do I fix this”?

When it comes to K2 blackpearl Workspace security management, you should know the following beforehand about the way that the tabs in Workspace function:
1. With a new installation, no one has explicit permissions and Workspace will function in optimistic security mode, meaning everyone can see the tab.
2. As soon as a user has been assigned explicit permissions on a tab, it will switch to pessimistic security mode, meaning that a user will need explicit rights to see the tab. If a user is not on the list, they will not be allowed to see it and this is what is occurring in your environment.

So a typical error when customizing K2 Workspace security is granting rights to only one user (you should never leave your admin account without these rights), who may leave the company, for example. What we can deem a “double-mistake” here is granting these rights to only one user who in addition doesn’t have admin-level rights on the K2 server, thus leaving yourself with no opportunity for subsequent corrections via the normal GUI way.

In case you haven’t made the double-mistake mentioned above, you can easily correct this situation. To fix this, you just need to log in as a user who has been granted permissions and then assign permissions to those to whom you want to grant access (please grant those to your dedicated K2 admin account), using the Workspace Permissions option in the Security tab.

In case you are not sure which user has permissions, have a look at the ActionPermissions table in the K2 database:

SELECT UserName FROM ActionPermissions
WHERE actionid =
(SELECT ID FROM [action] WHERE [name] = 'Management Console')

Made an epic “double-mistake”? I.e. granted rights to one user without server-level administrative rights in K2, and now you are not able to edit permissions even though this user can access the required tabs? This means that you have reached the section of KB000291 entitled “Error Resolution”, which you were supposed to read before playing around with Workspace security settings. And I quote this section:

If this happens, it will be necessary to manually modify the SQL databases to reset all Workspace permissions. It will then be necessary to specify all the permissions again. Please contact K2 Support prior to modifying any of the K2 databases or data stored in them.

So you have to reset your permissions to their defaults (no explicit permissions, optimistic security mode). It requires direct edits in your K2 DB, which is considered a thing to avoid whenever possible and should only be performed if you know what you are doing and, more importantly, you know how to roll back your change if anything goes wrong. So you should do it with full understanding of the risks involved.

It will suffice to issue the following SQL Server statement against your K2 DB:

TRUNCATE TABLE Workspace.ActionPermission

But you never do this without doing a K2 DB backup first and reading the preceding couple of paragraphs, right? I really hope so.

Another frequently asked question about K2 Workspace permissions revolves around the fact that you may find them not fine-grained enough and not fully in line with the RBAC ideology/approach. To these questions there is no easy answer with the current implementation of K2 Workspace, but things should become way better with the complete overhaul of this part of K2 which is planned to be released at some point; the real particulars of this change and what we get with it are under NDA at this point.
