Channel: K2 – Mike's Blog

Considerations when deploying packages


Just a short list of things to be aware of when deploying K2 packages (those who took the K2 blackpearl course should recognize the list below):

  • Target elements will be created, reused, or overwritten. If something already exists in the target environment, the tool will let you decide whether to use the existing item or replace it with the version from the package.
  • Make sure the necessary dependencies are included, or exist in the target environment.
  • Provide values for the variables that the package creator specified.
  • Workflow definitions are versioned, everything else is not. In other words, applications will always use the latest version of a SmartForm or a SmartObject, but existing workflow instances will not be upgraded. Therefore, be careful when deploying updated SmartForms and SmartObjects since this can break existing workflow instances.
  • You should run the Package and Deployment tool on a physical K2 server in the environment you wish to deploy to.
  • You only need to run the deployment package once in a distributed or multi-server farm environment. K2 application elements are stored centrally in the K2 database and can be accessed by any K2 server in the environment.

 


System.IO.IOException : The requested operation could not be completed due to a file system limitation


I recently had a support case thanks to which I discovered a rather cool way of checking for big files in a specific directory, which I will describe later here.

Under certain conditions you may see the following issue in K2: very high CPU usage and, by extension, overall sluggishness of K2 applications, accompanied by “System.IO.IOException : The requested operation could not be completed due to a file system limitation.”

As in most cases, the error message itself indicates what is wrong here, and “The requested operation could not be completed due to a file system limitation” should ring a bell for you that some file or files ran amok and grew beyond file system limits, or something along these lines. If you read your logs even more closely, they may even give away the specific culprit by indicating the name of the log file responsible for this.

K2 has broad logging capabilities for monitoring and troubleshooting purposes (quite a good overview of K2 logging can be found here), but in terms of logging volume the main suspects are: SmO logging (the only logging which can’t be capped in terms of file size), ADUM logs (very voluminous, especially on the debug logging level; file size can be limited by adjusting configurable settings, meaning that you have to go the extra mile if you want to allow an unhealthily big file) and lastly debug assemblies you may receive from K2 support. Debug assemblies are usually quickly built ad-hoc troubleshooting tools to investigate a specific issue, and may well not have a log file limit and write super detailed logging (= voluminous log files). As such, they are supposed to be removed upon completion of your troubleshooting effort, but in reality can be left applied for a while, which gradually evolves into forever…

Anyhow, the exception “System.IO.IOException : The requested operation could not be completed due to a file system limitation.” in the K2 host server log is in most cases caused by an abnormally large log file, which becomes so big that it exceeds RAM size, which makes it difficult to open it and append to it for writing. Then you have that slippery slope situation with degraded performance and high CPU, and after that the “aha, I forgot to disable/remove unneeded logging” moment.

Now my takeaway from this case (though what is said above is also worth noting): how to quickly check for huge files in a specific directory. Just use this PS script:

Get-ChildItem -Path 'C:\Program Files (x86)\K2 blackpearl' -Recurse -Force -File | Select-Object -Property FullName,@{Name='SizeGB';Expression={$_.Length / 1GB}},@{Name='SizeMB';Expression={$_.Length / 1MB}} | Sort-Object { $_.SizeGB } -Descending | Out-GridView

You may add the “-First 10” parameter right after Select-Object in the script above to minimize output, which is especially useful when you are primarily interested in identifying the largest file or files.

Here is what the result for a healthy K2 folder looks like (by healthy I mean one without strangely big log files):

[Screenshot: Large files search]

As you can see, normally you should not have anything with a size of 1 gigabyte or more, but the above-mentioned exception is usually caused by a 10-20 GB log file, which will be featured prominently at the top of the output.
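A variant of the check above, added here as an example (not the author's script): it sorts by size before taking the top entries, so the result is always the N largest files, and it flags anything at or above the 1 GB mark mentioned above. The function name `Get-LargestFile` and its parameters are hypothetical.

```powershell
# Added example, not part of the original post. Get-LargestFile and its
# parameter names are made up for this illustration.
function Get-LargestFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,

        # How many of the largest files to return.
        [int] $Top = 10,

        # Size in GB at or above which a file is flagged
        # (the post treats 1 GB or more as unusual for a K2 folder).
        [double] $WarnAtGB = 1
    )

    $warnBytes = $WarnAtGB * 1GB

    # Folders that cannot be read are skipped instead of aborting the scan.
    # Sorting happens before -First, so the cut keeps the largest files.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Sort-Object -Property Length -Descending |
        Select-Object -First $Top -Property FullName, LastWriteTime,
            @{ Name = 'SizeGB';    Expression = { [math]::Round($_.Length / 1GB, 2) } },
            @{ Name = 'Oversized'; Expression = { $_.Length -ge $warnBytes } }
}

# Plain console output, so it also works where Out-GridView is not installed.
Get-LargestFile -Path 'C:\Program Files (x86)\K2 blackpearl' -Top 10 |
    Format-Table -AutoSize
```

`LastWriteTime` shows whether an oversized log is still being written to, which tells you whether the logging that produced it is still switched on.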

See also the related K2 community KB: Exception – The requested operation could not be completed due to a file system limitation.


24411 User is not allowed to open worklist item


I recently saw quite an interesting issue which was a bit confusing for the author of the workflow and took a bit of time to fix (I guess because the error message is a bit misleading).

Assume you just deployed a K2 process with a Default Client Event inside, which is assigned to Process Originator as the destination user. What could be simpler? But when the process originator tries to open this task using the SmartForm Task List (open SmartForm action), he gets an error:

Worklist item could not be opened. 24411 K2:DOMAIN\K2_Service_Account is not allowed to open the worklist item with SN=X_YZ

That’s a bit unexpected, right? Especially when you see the K2 service account mentioned in the error message instead of the real user who tries to open this task. You can guess that somehow the user credentials were dropped/lost and the K2 service account is being used to access the task for some reason. The question is why?

The cause of this turned out to be the following setting in the web.config file of the K2 SmartForms runtime site:

<add key="ConnectAsAppPool" value="true" />

Once you change the above-mentioned setting to “false”, things are back to normal and you see the expected behaviour without the 24411 error upon the SmartForm open action.


Updated K2 4.7 build is available on portal.k2.com


The .3 build of K2 4.7 has just become available on the K2 portal in the software downloads section. If you are about to upgrade to 4.7, make sure that you have the latest installer bits so that you can benefit from the included fixes (OK, in this case this is only one fix, but nonetheless). This specific .3 build resolves the issue where, after running the K2 smartforms Setup Manager to re-configure or repair your K2 environment, the associations of SharePoint integrated workflows with their respective SharePoint lists are broken. That issue has a solution/fix, but using the latest installer build you won’t even notice it – so please do have the latest installer build before starting your upgrade. Refer to the official K2 KB for details: “Upgrading to K2 4.7 breaks the association between K2 workflows and SharePoint Lists and Libraries”

By the way, unlike with some earlier minor installer build updates, K2 made big strides in documenting this publicly – great to see improved transparency and documentation around minor installer builds.

So in case you are planning your 4.7 upgrade today, your build number is supposed to be 4.16060.2000.3. But in case you are going to do it later, make sure you are using the latest bits (in case your server has internet connectivity, the installer will also report the presence of a newer version to you – even if it is a minor build update, please do not ignore it).


Uninstalling assembly from .NET v2 GAC – Assembly Cache Viewer “Access Denied”


The most annoying and confusing part of installing K2 coldfixes (those which involve manual steps) is adding/removing assemblies from the GAC – I keep seeing people utterly confused by this process, and despite doing this regularly myself I keep bumping into different hurdles from time to time. And judging by the number of questions on the Internet, a lot of people experience issues with adding/removing libraries to the GAC too.

There are a couple of issues with the .NET v2 GAC, which has the so-called “Assembly Cache Viewer” representation that you get when browsing to the “C:\Windows\assembly” folder. As with anything designed with good intentions, it is a mixed blessing, and especially so when it meets UAC 🙂 On the one hand it allows for easy uninstall/registration by means of drag and drop; on the other, sometimes you can’t uninstall items without cleaning up a registry key first, and sometimes you have a hard time thanks to UAC and the Explorer process always being run without elevation.

On my test boxes UAC is normally disabled completely, making it easy to work with Assembly Cache Viewer, and in some other cases just disabling UAC by moving the respective slider in Control Panel + reboot solves this, or, for those avoiding reboots, killing Explorer and then running it in elevated mode does the trick. But recently I bumped into an especially annoying scenario where the previous battle-tested workaround didn’t work for me. Symptoms: you are trying to uninstall an assembly from the .NET v2 GAC in Assembly Cache Viewer and getting “Access Denied”, like that:

Running Explorer in elevated mode doesn’t help, and if you look at the UAC slider in Control Panel, it is already moved to the lowest position, pretending to be disabled. Welcome to the world of corporate GPO-managed IT environments. This means that the User Account Control: run all administrators in Admin Approval Mode policy is Enabled. Solution? gpedit.msc > Security Settings > Local Policies > Security Options > User Account Control: run all administrators in Admin Approval Mode, set this policy to disabled and reboot your machine. Yes, a reboot is required. This is a really good example of how GPOs sometimes just silently block stuff on the user side/GUI with no clear indication of this; consequently even for IT pros it takes some time to figure out that things are failing thanks to those things (think of UAC or IE Enterprise Mode), and unfortunately quickly solving these tiny hiccups largely depends on whether you have seen this before or not 🙂
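A read-only check for this situation, added here as an example (not from the original post): it reads the registry values that back the UAC policies, so you can see that Admin Approval Mode is still on even though the slider sits at the lowest position. The function name is hypothetical; `EnableLUA` and `ConsentPromptBehaviorAdmin` are the standard value names behind these policies, not something the post itself lists.

```powershell
# Added example, not part of the original post. Reads settings only, changes nothing.
function Get-UacPolicyState {
    # Registry key where the UAC security options are stored.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $values = Get-ItemProperty -Path $key

    # Is the current PowerShell session running with an elevated token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        # "User Account Control: Run all administrators in Admin Approval Mode"
        AdminApprovalModeEnabled = ($values.EnableLUA -eq 1)
        # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
        # (0 = elevate without prompting, which is what the lowest slider position sets)
        ConsentPromptBehaviorAdmin = $values.ConsentPromptBehaviorAdmin
        ElevationPromptDisabled    = ($values.ConsentPromptBehaviorAdmin -eq 0)
        CurrentSessionElevated     = $elevated
    }
}

$state = Get-UacPolicyState
$state | Format-List

if ($state.AdminApprovalModeEnabled -and $state.ElevationPromptDisabled) {
    # The combination described in the post: the slider looks "off",
    # but the Admin Approval Mode policy is still in force.
    Write-Warning 'Elevation prompts are off, but Admin Approval Mode is still enabled.'
}
```

Running the same check after the coldfix is installed shows whether the policy has been put back to its previous value.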


Unable to activate/uninstall K2 App: RemoveApp does not exist as a method of this SmartObject Instance


Sometimes when trying to activate or uninstall the K2 4.7 App from the App Catalog level or from the Site Collection level you can get the following error:

If you enable SmO logging you can trace that the error actually happens on the SmO level, more specifically with the SharePoint Integration Helper Methods SmO and its Activate Site Collection method:

 System > SharePoint 2013 Integration > SharePoint Integration Helper Methods

*NOTE: The issue happens with the Activate Site Collection method, not with the Activate Site Collections one.

Sometimes clearing your browser’s cookies and cache, or starting your browser using another user account or incognito / InPrivate mode, helps to resolve this issue. But when those methods do not work, you may try to execute this method manually in the SmO Tester tool using the K2 service account. The only required input property is the SiteURL; the rest of the fields can be blank. This action should result in an output message “Success”. Once that’s done, you can go back to your SharePoint AppCatalog and Activate or Uninstall the K2 App from there – this time it should not give you any errors.


Curious case of stubborn Workgroup flag


I’ve just recently got a support case from a client where, no matter what we tried, MSMQ wouldn’t work in Directory Service Integration mode, resulting in the following warning from K2 blackpearl Setup Manager:

The MSMQ component is a prerequisite for K2, and it seems that all you need to do is covered in the K2 documentation: Installation and Configuration Guide > Prepare > Supporting Components Configuration > Message Queuing (MSMQ). As an example of functionality which will be impacted by this issue I can mention task notification emails, as those have to be queued in MSMQ before being picked up by the Eventbus.

Yet the information there was not sufficient, and required me to do some prolonged troubleshooting and googling. But the thing is that the MSFT documentation does not highlight the root cause which I found either, and only some old obscure blog post led me in the right direction.

So according to the K2 documentation we have at the moment, we are supposed to set permissions, and instead of outlining what permissions to set and where, the KB strangely starts from where to set them, omitting the WHAT & WHY parts 🙂 Moreover, it suggests setting permissions on what it calls the “root object”, which according to the KB documentation means the MSMQ container itself:

But this is not possible at all – this Root Object does not exist before you have installed the MSMQ Directory Integration Service, and if it was installed correctly there is no need for you to go and set any permissions. But if it was installed but not in Directory Integration mode, it won’t have its properties exposed in AD:

For the WHAT & WHY parts, the K2 documentation elegantly refers you to MSFT TechNet. There you have to navigate and do a bit of careful reading to find out that setting permissions in AD DS is required before installing the Directory Service Integration features of Message Queuing (why not start with this in the K2 documentation?).

The MSFT KB says that special permissions have to be set IF you are installing the Directory Service Integration feature of Message Queuing on a domain controller (we can safely ignore this as we need to install the feature on a K2 server and we won’t be installing K2 on a domain controller, except for the “all-in-one” test box scenario). Next, the MSFT KB says that you have to grant the Network Service account the Create MSMQ Configuration Objects permission on the computer object in AD DS before installing the Directory Services Integration feature on a computer that is a domain controller. So all in all, according to the MSFT KB, you only need to set permissions in case you are installing MSMQ Directory integration on a DC. So no need for extra permissions, right? There are some required permissions, but normally they are in place by default.

To save you the pain of making sense of all this documentation: you have to mess with permissions only when installing MSMQ on a domain controller, period. But recently I had a support case where this just did not want to work, and after unsuccessful troubleshooting attempts with the client I reverted to my test lab and ran into the same issue there. The fact that I ran into it only on one server tells me that it only happens if your computer ACL was somehow customized or locked down, either intentionally or not. If that pesky Workgroup flag keeps reverting to 1 despite you having installed the Directory Service Integration feature, please make sure that the SELF identity has the following rights on your K2/MSMQ server in AD:

So in short, the K2 KB should be structured like this:

1. K2 requires MSMQ Server and MSMQ Directory Service Integration components to be installed. DS integration improves security as it enables publishing queue properties to AD, authentication and encryption of messages using certificates registered in the directory.
2. Before installing MSMQ on a domain controller machine you may need to grant additional permissions as described in Microsoft documentation: https://technet.microsoft.com/en-us/library/cc730960(v=ws.11).aspx

NOTE: this is only applicable for “all-in-one” test servers where you may want K2 to coexist on the same machine with DC. This is not applicable for production deployments where K2 runs on the dedicated AD DS member server.

3. In case you are doing a normal installation on an AD DS member server, you usually do not have to grant any special permissions, except if the security ACL for your K2 server is customized. If you installed MSMQ Directory Service integration on a domain member server and the Workgroup flag keeps reverting to 1 all the time, then check that the SELF identity has the Create MSMQ Configuration objects and Delete MSMQ Configuration objects rights granted over your K2 server computer object:

NOTE: (1) My tests show me that it is sufficient to apply these permissions to “This object only”, but you should understand that enabling/disabling the Directory Service Integration feature requires a restart of the machine, so it seems it is all about rights at the point of installation and the first reboot after it to create MSMQ objects correctly – I noticed that if I delete the MSMQ objects, revoke rights and even reboot the machine, the Workgroup flag keeps staying set to 0, but reinstalling the MSMQ feature reveals this problem again. Granting rights sometimes works on the fly without reinstalling MSMQ – just restart the service.

(2) These advanced permissions may become messy way too quickly, as you inherit them from your domain and then each time you click on the Add button a separate ACL entry is created for your computer object, so watch out for explicit Deny settings overriding your Allow grants.

4. For installing K2 on standalone servers (not joined to a domain), or in cases when you are unable to make Directory Service Integration work, you can consider using workgroup mode and private queues. Though if the latter is the case, it is much better to investigate and resolve your Directory Service Integration issue.
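A read-only check for point 3 and note (2), added here as an example (not from the original post or from K2/Microsoft documentation): it reads the local Workgroup flag and lists the ACL entries that the SELF identity holds for MSMQ Configuration child objects on the server's computer object, including Deny entries. It assumes the ActiveDirectory PowerShell module is installed, that the flag is the `Workgroup` value under `HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters`, and that the object class is `mSMQConfiguration`; the function names are hypothetical.

```powershell
# Added example, not part of the original post. Run it on the K2/MSMQ server
# with an account that can read the computer object's ACL. Nothing is modified.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-MsmqWorkgroupFlag {
    # Assumption: 1 = workgroup mode, 0 = Directory Service Integration mode.
    $key  = 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters'
    $item = Get-ItemProperty -Path $key -Name Workgroup -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # MSMQ not installed or value absent
    return $item.Workgroup
}

function Get-MsmqSelfAce {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $computer = Get-ADComputer -Identity $ComputerName

    # Look up the schema GUID of the mSMQConfiguration class instead of hard-coding it.
    $schemaNc  = (Get-ADRootDSE).schemaNamingContext
    $class     = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=mSMQConfiguration)' -Properties schemaIDGUID
    $classGuid = [guid] $class.schemaIDGUID

    $childRights = [System.DirectoryServices.ActiveDirectoryRights] 'CreateChild, DeleteChild'
    $selfSid     = 'S-1-5-10'   # well-known SID of NT AUTHORITY\SELF

    # Explicit and inherited entries, with identities returned as SIDs so the
    # comparison does not depend on the display language of the OS.
    $acl   = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])

    $rules | Where-Object {
        $_.IdentityReference.Value -eq $selfSid -and
        ($_.ActiveDirectoryRights -band $childRights) -and
        # Entry scoped to mSMQConfiguration objects, or to child objects of any class.
        ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty)
    }
}

function Test-MsmqSelfRights {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $aces  = @(Get-MsmqSelfAce -ComputerName $ComputerName)
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $delete = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

    [pscustomobject]@{
        Computer      = $ComputerName
        WorkgroupFlag = (Get-MsmqWorkgroupFlag)
        AllowCreate   = [bool]($allow | Where-Object { $_.ActiveDirectoryRights -band $create })
        AllowDelete   = [bool]($allow | Where-Object { $_.ActiveDirectoryRights -band $delete })
        # Only Deny entries for SELF are counted; Deny entries for other
        # principals are outside the scope of this check.
        DenyEntries   = $deny.Count
    }
}

Test-MsmqSelfRights | Format-List
Get-MsmqSelfAce |
    Format-Table AccessControlType, ActiveDirectoryRights, IsInherited, ObjectType -AutoSize
```

`WorkgroupFlag = 1` together with `AllowCreate = False`, or with `DenyEntries` greater than zero, matches the locked-down ACL case described in point 3.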

Apart from the possibility of better structuring the related information in the K2 documentation, I’m wondering why MSFT does not have the full set of permissions required for Directory Service Integration mode published somewhere. It seems this issue with lacking rights for the SELF identity does not happen normally, as by default in a Windows Server 2012 R2 domain the ACL entry of a newly provisioned server looks as follows:

Hope this article will save someone some time which might otherwise be wasted on troubleshooting this.


How to: enable Document Set in Document Library


I just recently bumped into this thing – you have to enable Document Sets on the library level before you can actually use them. This little point baffled me a bit when I tried to use the Create Document Set SmartWizard in K2 Studio:

It took me a while to switch over to my SharePoint document library and realize that I just can’t create a document set there:

Normally the same New Document menu contains an option to create a Document Set. Well, now it’s clear that the “Required field is empty” error is just a clumsy way employed by K2 Studio to tell you that Document Sets are disabled for your library.

To enable them you just go to Library Settings > Advanced Settings > Allow management of content types, as on the screenshots below.

Click on Library Settings button on ribbon:

Click on Advanced Settings:

In advanced settings select Yes for Allow management of content types and hit OK:

Now you also need to add the Document Set content type using the Add from existing site content types link in library settings:

At this point you should be able to create document sets in SharePoint just fine:

Yet you are still going to have a problem with the K2 SmartWizard I mentioned initially. Why? Just go to K2 App settings for your library to see the answer:

Just click on Regenerate SmartObjects, go back to K2 Studio and Create Document Set SmartWizard to see things working there:

Voila, we can now see our Document Set enabled library and use SmartWizard to create document sets in it.

Just to recap: to be able to create document sets within SharePoint libraries you have to Allow management of content types in Advanced Settings of this library and add the Document Set content type using the “Add from existing site content types” link in library settings.


How to: Install SharePoint 2010 August 2015 CU


On a day-to-day basis I keep telling people to always check the K2 compatibility matrix before installing or upgrading their K2 environments. Very frequently people try to mix K2 with too-new Microsoft components which weren’t tested with their version of K2. But there is an opposite issue, when Microsoft infrastructure components lag behind in terms of patches/versions fully supported by their release of K2. I know quite a few people still using SharePoint 2010 with K2 4.6.11. So with SharePoint 2010 being an old thing in itself, people often skip CUs for this product for some reason which is unknown to me. In this article I want to discuss what the latest CU for SP 2010 supported by K2 4.6.11 is (note that with 4.7 K2 dropped support for SP 2010) and how to install it.

What is the latest CU for SP 2010 supported by K2 4.6.11? As usual you have to check the compatibility matrix, but you have to find an old one, which will show you this:

And this:

Does it mean that newer CUs will break something/won’t work with K2? Not necessarily; it only means that they won’t be supported because they have not been tested. At the time of the release of 4.6.11 the latest SP 2010 CU available was August 2015 CU, and hence all testing and QA was performed against this CU – K2 cannot guarantee that all will work with newer CUs.

With that knowledge, if you are still on SP 2010 it makes sense to make sure you are running the “newest” supported CU for it. The easiest way to do that is to fire off SharePoint Management Shell on your SharePoint server and execute the following command:

(Get-SPFarm).BuildVersion

This will give you your current build:

Having this information, look it up in the SP builds list @ Todd Klindt’s SharePoint Admin Blog to translate it into CU and SP levels; for example 15.0.7106.5000 translates into August 2013 CU:

Note that there may be minor last-digit discrepancies depending on how you look up the build number. So now I know that my SP 2010 is August 2013 CU and for K2 4.6.11 I can go up to August 2015 CU (download link) from that – let’s try to do it.

First things first – back up your SharePoint environment. Navigate to Central Administration > Backup and Restore and click Perform a backup – just go through the wizard and create a full farm backup. It can be a good idea to test that your backup can be restored.

Once the backup is done and the CU file is downloaded, launch it, accept the license terms and hit “Continue”:

The CU installer will check for installed updates and then proceed with extracting files and installing the update:

Once done it will ask for a reboot:

The most frequent mistake in this whole process is assuming that after the reboot of your SharePoint server you will be running the updated SharePoint version. A quick check with (Get-SPFarm).BuildVersion will show you the same build as before you started the CU installation process. So the update is not finished just yet, and to complete it you have to locate SharePoint 2010 Products Configuration Wizard in the Start Menu:

and run it. Next you just go through the wizard’s steps to complete upgrade:

The warning you get at the very beginning should be taken seriously if you do this on a server used by other people, where an IIS reset may have undesired impact:

Once all configuration tasks are completed you should get confirmation of successful configuration and can click the Finish button:

After clicking on Finish it will take you to CA main page automatically. In CA you can navigate to Upgrade and Migration > Upgrade Status where you can see confirmation of successful upgrade:

And now it is time to issue (Get-SPFarm).BuildVersion command once again:

The first execution of the command on the screenshot was made before running SharePoint 2010 Products Configuration Wizard and the second after wizard completion – now we run build 14.0.7155.5000, which is the latest SharePoint 2010 build officially supported by K2 4.6.11.


How to: configure K2 NLB port rules with PowerShell


A long time ago I did a video and blog post on configuring a Windows NLB K2 cluster. I know that those materials are not perfect, but thanks to blogging you not only can be the subject of mockery for mistakes and naivety in your old posts, but can also review and improve on them over time 🙂

Anyhow my old blog post on creating K2 NLB cluster contained this neat picture of required port rules:

As I treat my test K2 environments as “wipe and load”-ready and subject them to all sorts of experiments leading to wipe and load and rebuilds, I grew tired of creating these rules via the GUI. Thanks to PowerShell and the Microsoft community it is not a problem to find a sample script to create a Windows NLB cluster. I actually wanted to rewrite it with minor improvements and K2 specifics to spin up a K2 NLB cluster quicker, but due to an endless lack of time this idea moved to the back burner. What I did instead, though, is prepare a PS script to create port rules:

$InterfaceName = "Ethernet"
$ClusterPrimaryIP = "192.168.100.116"

# Removing default port rule for the NLB Cluster
Write-Host "Removing default port rule..." -ForegroundColor yellow
Get-NlbClusterPortRule -HostName . | Remove-NlbClusterPortRule -Force -ErrorAction SilentlyContinue
# Adding SmartForms/Workspace rule for port 80 HTTP
# (the backtick must be the last character on a line to continue the command)
Write-Host "Adding port rule for HTTP (TCP 80)" -ForegroundColor yellow
Add-NlbClusterPortRule -Protocol Tcp -Mode Multiple -Affinity Single -StartPort 80 -EndPort 80 `
    -Timeout 1 -InterfaceName $InterfaceName -IP $ClusterPrimaryIP | Out-Null
# Adding SmartForms/Workspace rule for port 443
Write-Host "Adding port rule for HTTPS (TCP 443)" -ForegroundColor yellow
Add-NlbClusterPortRule -Protocol Tcp -Mode Multiple -Affinity Single -StartPort 443 -EndPort 443 `
    -Timeout 1 -InterfaceName $InterfaceName -IP $ClusterPrimaryIP | Out-Null
# Adding blackpearl rule for port 5252 - K2 workflow client connections
Write-Host "Adding blackpearl port rule for port 5252" -ForegroundColor yellow
Add-NlbClusterPortRule -Protocol Tcp -Mode Multiple -Affinity None -StartPort 5252 -EndPort 5252 `
    -InterfaceName $InterfaceName -IP $ClusterPrimaryIP | Out-Null
# Adding blackpearl rule for port 5555 - K2 Host Server connections from client assemblies
Write-Host "Adding blackpearl port rule for port 5555" -ForegroundColor yellow
Add-NlbClusterPortRule -Protocol Tcp -Mode Multiple -Affinity None -StartPort 5555 -EndPort 5555 `
    -InterfaceName $InterfaceName -IP $ClusterPrimaryIP | Out-Null
Write-Host "Rules configuration completed" -ForegroundColor green

That helps a bit when I am rebuilding my test environment. You can grab this script from GitHub too.


SharePoint 2010: Unable to edit user properties


The other day I received a support case where a customer complained that they “suddenly” lost the ability to edit user properties in SharePoint 2010. As usual, a picture is worth a thousand words, so the problem was that if you navigate to Site Actions > Site Permissions, locate some user and click on your user name, you will be presented with the user information page, and if you click edit you will see this:

Sort of interesting Edit Personal Settings dialog where it is not possible to edit anything…

But it used to look like this:

You see more properties listed and they are editable. Now, having that description, you have to be really skillful in the art of googling to get to the bottom of this in the form of some blog post similar to this one, because to do a proper Google search (one which yields a solution) you have to employ the right terms/know the nature of the issue. But if you noticed the word suddenly in quotes at the very beginning: I had background information on the preceding changes which caused this “sudden” issue, hence was able to fix it. I will go into a detailed explanation below for the sake of knowledge sharing.

First of all, the 1st screenshot is normal for environments where UPS is up and running – as soon as you configure it, SharePoint assumes that all property modifications are performed on the AD DS side and synced from there on a regular basis by UPS. Once UPS is provisioned, SP 2010 hides/modifies the default forms (_layouts/userdisp.aspx – the one where you may click Edit Item to change your properties on the _layouts/useredit.aspx form), and instead of them, for users whose profiles are synced, you are supposed to see a specific user profile page, which will look approximately like this:

If it is not shown and you see the same uneditable edit form as on the first screenshot, then it means that either UPA is not configured completely or the user profile is not synced yet (are you sure that the user in question is in the right OU?).

So essentially the first screenshot/problem shows us that UPS was partially configured/profile(s) not synced (as we are still not getting the user profile page) but the default forms were already modified in the process of UPS installation, because when you provision a UPA it will set the fields in the hidden site user info list to read-only and hidden. With this knowledge about the nature of the problem you may google for the right scripts/information.

In my case we worked on an environment where UPS was failing to start/work properly (one of those cases where you need to delve deeper into the configuration of UPS and peruse something like this blog post), hence it was just mandatory to restore the ability to edit user properties. And for that you just need to use the script below against your SP web app (grab this script on GitHub).

# Load SharePoint PS Module (if not already loaded)
# You only need this section if you want to run this script from PS ISE / outside of SP Management Shell
$ver = $host | select version
if ($ver.Version.Major -gt 1) { $host.Runspace.ThreadOptions = "ReuseThread" }
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

# Tested with SharePoint 2010
# Restores editable user fields after UPA provisioning
$web = Get-SPWeb http://intranet.contoso.com/
$names = "Title", "EMail", "MobilePhone", "Notes", "SipAddress", "Picture", "Department", "JobTitle"
foreach ($name in $names)
{
    # Make each field in the hidden site user info list visible and writable again
    $f = $web.SiteUserInfoList.Fields.GetFieldByInternalName($name)
    $f.Hidden = $false
    $f.ReadOnlyField = $false
    $f.Update()
}
# Release the SPWeb object once the fields are updated
$web.Dispose()

Once this script completes you will get your editable user properties back. Two potential problems you may have with this:
1) If the Get-SPWeb part of the script complains about incompatibility, saying something like “Microsoft SharePoint is not supported with version 4.0.30319.34014”, just run a new PS instance using the -version 2.0 switch;
2) If the script completes successfully but you are getting the user profile page instead of your old beloved form – delete the user profile and try again (in case you are not keen on fully removing UPA).

And one last note with regard to how we ran into this in my specific support case. The client was using K2 and they lived quite happily without UPS provisioned in their SharePoint environment, which is a bit strange as UPS is a requirement for K2. But after upgrading to 4.6.11 a very strange issue cropped up which had somewhat obscure symptoms on the surface, but in the end was isolated to the fact that each time a GetUserGroups URM call was made to the SharePoint provider, no SharePoint groups of which the user is a direct member were returned. On the surface it looked like random loss of users’ group membership information and randomly failed K2 tasks which were assigned to SharePoint groups. The randomness stemmed from the fact that the GetGroupUsers URM call returned all users for the same group just fine.

And knowing that sometimes it is difficult to find where it is stated that XYZ is a requirement for K2, I’ll clarify this for UPS specifically: you can find it in K2 blackpearl Installation and Configuration Guide > Prerequisites > Environment Configuration > SharePoint Server 2010 User Profile Service set up

“The SharePoint User Profile Service on any non SharePoint Foundation version must be set up correctly for the Identity Services Group Providers to function correctly with regards to User, Group and Membership resolution. It must be correctly populated with the user’s information and the service must be started.”

Posting rather a lot about SharePoint 2010 in 2016, the time of cloud stuff, I rather feel like the author of The Old New Thing blog, who at some point decided to blog about old stuff as there is less competition there: everybody is busy blogging about new and shiny things (though I should admit I don’t go into really low-level details as that blog does) 🙂 But I hope these posts may still be useful for someone.

K2 MSMQ thread & MSMQ abort exception

There is one interesting fix included in K2 4.7 May CU which, as far as I know, is not mentioned in the related KBs for some reason. I just wanted to share some information about it, as it may be useful for those who run older versions of K2 preceding 4.7 May CU, and additionally mention how to take a K2 process memory dump conveniently.
First things first – the issue and related background information. Within the K2 process there is a single thread which checks the message queue, and it processes messages one by one (this is by design, as doing this in a multi-threaded fashion is not necessarily the best idea). An exception may occur while a message bus message is being processed, and this dedicated K2 thread then tries to abort the transaction in order to perform a retry. This normally works just fine, but in rare scenarios MSMQ can throw another exception, which causes the K2 MSMQ processing thread to stop completely.
On the surface, the symptom of this issue is that suddenly your K2 users no longer receive any K2 task notifications at all, even though the relevant settings have not been changed and are correct. A brand new test process confirms that task notification indeed does not work. Quick fix/corrective action: restart the K2 service, and all delayed task notifications should be gradually dispatched (depending on how long ago the MSMQ thread stopped, the delay for processing the piled-up queue may be quite big). A service restart resolves this because K2 starts the MSMQ thread on service start-up.
The good news is that 4.7 May CU has a fix for this built in: when a transaction abort is necessary, the MSMQ thread first checks that the transaction in question is not already in rolled back/committed or completed status, and only if this is not the case attempts to abort it. If K2 receives an exception even then, the message is moved into the error queue.
I can imagine that when you run a K2 version without this fix in production, you may be reluctant to restart the K2 service without being 99% sure that you are dealing with this specific issue, and there is a way to check that. To verify that the MSMQ thread within your K2 process is still running, you may follow these steps:
1) Take a full memory dump of the K2 process – for a quick check on K2 threads, a dump taken either from Task Manager or with procdump.exe will suffice.

In Task Manager you just have to locate K2HostServer.exe in the list of processes, right-click on it and select “Create dump file”, like this:

Once done, it will show you a pop-up indicating where the dump file has been created, something like this:

Things get trickier with procdump.exe as you now need to obtain the process PID, but it is way more configurable and allows you to do more things when it comes to taking process memory dumps. As I work in support, I really don’t like repeating explanations on how to use it, where to find the PID, why the PID is not displayed in Task Manager and so on. So I created this tiny script for that (get it on GitHub):

# Obtain the K2 service PID
$procid = Get-Process "K2HostServer" | Select-Object -ExpandProperty Id
# -ma    - write a full dump file which includes all the image, mapped and private memory;
#          on its own it just takes a full dump immediately from the running process
# -e -ma - takes a full dump file on unhandled exception, aka crash dump
C:\procdump\procdump.exe -accepteula -ma $procid C:\procdump\k2hostserver.dmp

2) Once the dump is taken, open it using DebugDiag and search for MSMQ. If the MSMQ thread is running, you should be able to find something like this:

If you are unable to find this in the memory dump of your running K2 process, it most likely means that the MSMQ thread has been stopped due to an exception, and if you look under the Previous .NET Exceptions Report (Exceptions in all .NET Heaps) section, you will most likely see the aborted exception with an MSMQ stack there.

On a side note, DebugDiag also allows you to see whether the call which failed was made from the K2 WorkflowServer namespace or from something custom/external – that is also very useful to check at the very beginning of the troubleshooting process.

I hope you may find this information useful and interesting for one reason or another 🙂 Stay tuned for new posts.

Scripts for taking K2 service memory dumps

I’ve spent some time today improving the “create K2 service memory dump” script (the one I already mentioned in the “K2 MSMQ thread & MSMQ abort exception” blog post) and creating a “collect dump support files” script. The next step will be merging them into one and adding some nice-to-have things I have no time for right now.

Collect dump support files script (GitHub link):

$DumpPath = 'C:\Dumps'
$WindowsPath = 'C:\Windows'

# .NET Framework directories (v2 and v4, x86 and x64) that hold the debugger support files
$FrameworkDirs = @(
    'Microsoft.NET\Framework\v2.0.50727',
    'Microsoft.NET\Framework64\v2.0.50727',
    'Microsoft.NET\Framework\v4.0.30319',
    'Microsoft.NET\Framework64\v4.0.30319'
)

# Files needed next to the dump so that it can be analyzed on another machine
$SupportFiles = @('mscordacwks.dll', 'sos.dll')

If (!(Test-Path $DumpPath))
{
    Write-Host 'Creating folder'
    New-Item $DumpPath -ItemType Directory | Out-Null
}
Else
{
    Write-Host 'Folder already exist'
}

ForEach ($Dir in $FrameworkDirs)
{
    $Source = "$WindowsPath\$Dir"
    # The same relative folder structure is recreated under the dump folder
    $Target = "$DumpPath\$Dir"

    ForEach ($File in $SupportFiles)
    {
        Write-Host "Attempting to copy $Source\$File" -ForegroundColor Green
        If (!(Test-Path "$Source\$File"))
        {
            Write-Host "$Source\$File - File not found, skipping" -ForegroundColor Red
        }
        Else
        {
            If (!(Test-Path $Target)) { New-Item $Target -Type Directory | Out-Null }
            Copy-Item "$Source\$File" -Destination "$Target\$File"
            Write-Host "Done!" -ForegroundColor Green
        }
    }
}

Take K2 service process dump (GitHub link):

# Obtain K2 service PID
$procid = Get-Process "K2HostServer" | Select-Object -ExpandProperty Id
# Create target folder if it does not exist:
$DumpPath = "C:\dumps"
If (!(Test-Path $DumpPath))
{
    Write-Host 'Creating folder'
    New-Item $DumpPath -ItemType Directory | Out-Null
}
Else
{
    Write-Host 'Folder already exist'
}
# -ma    - write a full dump file which includes all the image, mapped and private memory;
#          on its own it just takes a full dump immediately from the running process
# -e -ma - takes a full dump file on unhandled exception, aka crash dump
C:\procdump\procdump.exe -accepteula -ma $procid $DumpPath\k2hostserver.dmp

Be sure to check out the GitHub links, as I keep editing/updating these scripts there.

“Method not found error” when attempting to add a new item into K2 Studio project

The other day I was about to build some tiny K2 test project using the old-fashioned thick designer UI, K2 Studio, which I still prefer to use whenever I need to build some little K2 process. Unfortunately, I bumped into this error:

Error message politely informs us about this:

Method not found: ‘Microsoft.Build.BuildEngine.BuildItem SourceCode.ProjectSystem.ProjectBuildItem.get_BuildItem()’.

That’s not very obvious, right? But trust me, it just complains that some DLL is not properly added to the GAC, or that there is a mismatch between the DLL version in the GAC and in some other location.

Solution? If you run a K2 environment without coldfixes, just run a Repair from the installation media. But most likely you’ve applied some coldfix recently. Verify that the files which are supposed to go to the GAC were added to that location correctly. Remember that some files go to the K2 installation directory, while some others may go to “[Program Files]Reference Assemblies\SourceCode\v4.0\” and into GAC v4, i.e. into “C:\Windows\Microsoft.NET\assembly\GAC_MSIL\”. In my case the error was caused by the fact that the SourceCode.Workflow.Authoring.dll assembly was not updated in GACv4.

When something is wrong with the aforementioned DLL, you will also see the same error when trying to deploy something with PnD:

So in case you are getting this type of error, you now know what to check.

Configure K2 SmartForms for AAD Authentication

My post “Configure K2 SmartForms for AAD Authentication” has just recently been published on the AcloudA Blog. In addition to that, I’ve already managed to revisit exactly the same process to see how it works in K2 Five Public RC, which is already available to K2 clients upon request.

This article assumes that you have K2 Five Public RC installed and configured in your environment with on-premises AD or K2 SQL authentication, and that we now just want to add AAD integration.

Beyond an installed and configured K2 blackpearl and K2 SmartForms, our prerequisites are an AAD subscription (this has been covered in my previous article) and SSL configuration of the K2 web sites (as usual, for test purposes you can get away with a self-signed certificate, and this is also covered in the K2 Installation and Configuration Guide).

There are two big parts in setting up K2 and AAD integration: registering the K2 SmartForms app in AAD, and K2-side configuration of the OAuth Resource and AAD label.

The first part is fully covered in my previous article, so I am only going to go through the K2-side configuration steps.

To begin the configuration process, we need to open the K2 Management site. As our first step here, we need to register an OAuth Resource in K2. To do that, we navigate to Authentication > OAuth > Resources and click on the New button:

As you can see, the overall UI theme changed a bit in K2 Five from black to silver/gray, and in the New OAuth Resource form we now have two extra fields, “Refresh Token Endpoint” and “Metadata Endpoint”. We now need to type in a resource name, select Microsoft Online as the resource type and enter the Authorization and Token Endpoint values we recorded during AAD app registration, i.e. they should look as follows:

Token Endpoint value:

https://login.microsoftonline.com/{AAD_DIRECTORY_ID}/oauth2/token

Authorization Endpoint URL value:

https://login.microsoftonline.com/{AAD_DIRECTORY_ID}/oauth2/authorize

We leave the Use Host Server Authorization Endpoint checkbox unchecked and the two new fields unfilled, and click on the OK button (see screenshot below):

Our next step is to edit the client_id resource parameter of the newly created OAuth resource. For that, make sure that your “AAD” resource is selected in the resource list, select client_id from the list of Resource Parameters below and click on the Edit button as shown below:

Once the client_id edit dialog has opened, we just need to paste the APPLICATION ID we saved during AAD app registration into all three fields of this box, i.e. we use it as the value for Authorization, Token and Refresh:

Next we need to edit a number of other parameters in the same fashion. We edit the api_version resource parameter, entering “1.0” for all values:

Next, we edit the scope resource parameter, entering reader as the Authorization Value as shown below:

For all values of client_secret, enter the KEY we saved during AAD app registration:

We specify https://graph.windows.net for all values of the resource parameter:

For redirect_uri we enter https://{YourK2Server}/identity/token/oauth/2 as the Authorization and Token value:

For the entity_id parameter we enter the DIRECTORY ID of your AAD instance as the Token value:

After all these edits, your Resource Parameters for the AAD resource should look like this:

We are now ready to add the AAD security label in K2 (you can use something other than “AAD” as the label name). For this we need to execute this SQL script or use the sample script from the K2 Installation and Configuration Guide, adjusting the values of the @OAuthProviderName and @SecurityLabelName variables. Be sure to back up your K2 database, as you are supposed to do before any direct modification of the K2 database (I hope this is already your habit? If not, try to form it 😊).

Once the script has been executed, we need to restart the K2 service to get this new label initialized/picked up by K2.

Our next step is to add a new claim issuer from the K2 Management site. For that, navigate to Authentication > Claims > Issuers, click New and fill in the New Claim Issuer form as shown below:

You need to specify the following values there:

For the Issuer value you specify https://sts.windows.net/{DIRECTORY_ID}/, and for the URI value you specify https://login.windows.net/{DIRECTORY_ID}/wsfed. As the Thumbprint value you need to paste your FINGERPRINT VALUE. Pay attention to the trailing slash in the Issuer URL – do not omit it.

The next step is configuration of the Claim Mappings in K2. Claim mappings are used to identify the incoming claims and map them to the appropriate K2 security label. To do that, we navigate to Authentication > Claims > Claims and click New:

In the New Claim Mapping form, we then select the label and issuer we created earlier and fill in the form. We need to type in the User and Group token identifiers and fill in all values under Identity Provider, along with the Original Issuer and Claim Type values under the Identity section (see screenshot below).

Next, we need to configure the Realms and Audience URIs, linking them with the new issuer. For that, we navigate to K2 Management > Authentication > Claims > Realms and enable our AAD issuer for every realm by selecting the realm entry, clicking Edit and checking the newly created issuer in the Linked Issuers list:

Hooray! We can now navigate to our SmartForms URL, select our AAD label and log on with AAD credentials:

Once the label is selected, you are redirected to the Microsoft login page (https://login.microsoftonline.com), where you need to type in your AAD credentials and click Sign in:

 

What you are going to see next obviously depends on which K2 site you were trying to access. And here things are a bit different in K2 Five – you actually won’t be able to access anything until rights are granted. Both K2 Management and K2 Workspace are now essentially SmartForms-based forms, and you are going to get related error messages when you don’t have access to them:

As for Designer, it seems it is also locked for an AAD user, which was not the case in K2 4.7:

It looks like even Designer is locked out by default, but the bad thing is that the error messages are not too user friendly, to say the least.

This nudges us to perform our final configuration step. As we don’t have K2 Management rights, we need to go and grant them, right? There are no changes between 4.7 and K2 Five here: before we are able to read AAD data, we need to obtain and cache an AAD OAuth token for the K2 service account, and until then we are only going to get this error message:

The error message tells us that the OAuth token requires authorization, and it comes from the K2 URM Service.

It means that we need to obtain an OAuth token for the K2 service account (URM Service runs in the context of this account). To do that, perform the following steps (no changes here compared with K2 4.7):

1) Run SmartObject Services Tester (“C:\Program Files (x86)\K2 blackpearl\Bin\SmartObject Service Tester.exe”) in the context of your K2 service account using the standard Windows “Run as different user” option.

2) Now the tricky part. Unfortunately, for now, in K2 4.7 SmartObject Services Tester allows you to perform the authorization redirect only when you are creating a new instance (this will possibly be addressed in the upcoming K2 Five release). Thus, to get our K2 service account token, instead of touching URMService we will simply register a new Azure Active Directory service instance (and you may want to have it anyway):

 

In the Add Service Instance dialog we just switch Authentication Mode to OAuth, select our OAuth Resource (“AAD”) and type https://graph.windows.net as the OAuth Resource Audience value. We do not touch any other settings, leaving them at their default values as illustrated below.

Once you click on Next, you will get this message (once again, this message appears only when you are adding a new instance, not editing an existing one!):

Once you hit OK, a browser window will open where you need to type in your AAD credentials. Important: you need an AAD user with the Global administrator directory role for this action, otherwise you are going to see the following error:

If you remember, one of the rights we granted to our app is “Read directory data”, and as it is directory-wide access, only a global admin AAD user can grant consent to this right:

Once you type in your AAD global admin user credentials, you just need to confirm that we are granting the permissions mentioned above to the app:

Once you click on Accept, you should be redirected to your K2 Identity site (you may get a Windows credentials prompt at this stage – type in your K2 service account credentials) and see the “Authorization Successful” message:

This means that the K2 service account token has been created and cached on your K2 server, and you can see it in K2 Management > Authentication > OAuth > Tokens:

3) You can now get back to SmartObject Services Tester and click on Next, then Add, to finish creation of the AAD Service Instance:

We have now completed all the configuration steps and can grant rights to AAD users and use them in all K2 user pickers:

If we now try to log in to K2 sites using our AAD account prior to granting any rights, both K2 Designer and K2 Workspace are going to be available to it in the default configuration (so Designer is still not locked out by default), but K2 Management is not accessible until you grant your user the appropriate rights:

Of course, the K2 Designer we see in K2 Five is a completely different beast than it used to be, but discussing it is out of scope for this article, so I’ll just put one screenshot of it below:

So, after repeating the AAD integration configuration steps, I can say that at least in K2 Five Public RC we don’t see any drastic changes when it comes to configuring AAD integration (though we can see a couple of tiny changes, they don’t impact the overall process) – depending on your preference, you can either refer to my old article to go through the entire process, or use the old article only for the AAD app set-up part and this one for the K2 configuration part.

How to quickly grab K2 HTTPS certificate thumbprint using PowerShell

I’ve already mentioned this in my old blog post (along with the GUI way of doing this task), but I am just posting it separately for better visibility/searchability 🙂

In case you need to obtain the thumbprint value of your K2 site HTTPS certificate (or any other certificate), you can use this PowerShell script:

Write-Host (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "K2.domain.com"}).Thumbprint;

If necessary, you can put it into a variable and reuse it in other commands/scripts: just replace “Write-Host” with “$thumbprint = ” to store the certificate thumbprint value in the $thumbprint variable. Just don’t forget to change the filter argument “K2.domain.com” to something that is relevant for your certificate.

Unable to logon to K2 using AAD credentials: “WIF10201: No valid key mapping found for securityToken”

Problem: You are unable to log on to K2 sites (Designer/Runtime/Management) using AAD credentials (AAD integration configured without SharePoint Online as described here) and receive the following error:

WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/{YOUR_AAD_ID}/'.

Resolution steps:

1) Open your K2 AAD app Federation Metadata Document using the following URL: 

https://login.microsoftonline.com/{YOUR_DIRECTORY ID}/federationmetadata/2007-06/federationmetadata.xml

2) Inside the metadata XML document, search for a certificate value within <X509Certificate></X509Certificate> tags and copy it.

3) Open the online Calculate Fingerprint tool and paste this value into the X.509 cert field of that page, make sure sha1 is selected as the algorithm and click on the Calculate Fingerprint button:

4) Navigate to K2 Management > Authentication > Claims > Issuers. Select your AAD issuer, click Edit and paste the unformatted FingerPrint value into the Thumbprint field of the Edit Claim Issuer dialog:

5) Try the AAD logon again, clearing the browser cache if necessary.
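
The fingerprint calculation in steps 2 and 3, and the Thumbprint value pasted when the claim issuer was first created in the AAD configuration post above, can also be checked locally in PowerShell. This is an added example, not one of the author's scripts: the function names, the sample certificate and the sample metadata are constructed here, and it assumes PowerShell 5+ on .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
# Added example: compare the thumbprint configured on a K2 claim issuer with the
# certificate(s) published in a federation metadata document. All names are hypothetical.

function Get-MetadataSigningThumbprint {
    # Returns one object per distinct certificate found in <X509Certificate> elements.
    param([Parameter(Mandatory)][string]$MetadataXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null              # do not resolve external DTDs or entities
    $doc.LoadXml($MetadataXml)

    $seen = @{}
    foreach ($node in $doc.SelectNodes("//*[local-name()='X509Certificate']")) {
        # The base64 text may be line-wrapped; strip whitespace before decoding
        $b64  = $node.InnerText -replace '\s', ''
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($b64))
        # The same certificate is usually repeated under several descriptors
        if (-not $seen.ContainsKey($cert.Thumbprint)) {
            $seen[$cert.Thumbprint] = $true
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint   # SHA-1 over the DER bytes, upper-case hex
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

function ConvertTo-PlainThumbprint {
    # Keeps hex digits only: removes spaces, colons and any invisible characters
    # picked up when the value was copied from a dialog or a web page.
    param([Parameter(Mandatory)][string]$Value)
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-IssuerThumbprint {
    param(
        [Parameter(Mandatory)][string]$MetadataXml,
        [Parameter(Mandatory)][string]$ConfiguredThumbprint
    )
    $configured = ConvertTo-PlainThumbprint $ConfiguredThumbprint
    if ($configured.Length -ne 40) {
        throw "Configured value has $($configured.Length) hex digits; a SHA-1 thumbprint has 40."
    }
    $published = @(Get-MetadataSigningThumbprint -MetadataXml $MetadataXml)
    [pscustomobject]@{
        Configured = $configured
        Published  = $published.Thumbprint
        Match      = $published.Thumbprint -contains $configured
    }
}

# --- Constructed sample input: a throwaway self-signed certificate placed in a
# --- minimal metadata-shaped document (a stand-in for the real federationmetadata.xml).
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            'CN=constructed-signing-cert', $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1),
                              [DateTimeOffset]::UtcNow.AddDays(30))
$b64  = [Convert]::ToBase64String($cert.RawData)

$sampleXml = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>$b64</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>$b64</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

# A value as it might have been pasted into the Thumbprint field: lower case, colon-separated
$pasted = ($cert.Thumbprint -replace '(..)(?!$)', '$1:').ToLowerInvariant()
Test-IssuerThumbprint -MetadataXml $sampleXml -ConfiguredThumbprint $pasted

# A stale value, as left behind when the published signing certificate has changed
Test-IssuerThumbprint -MetadataXml $sampleXml -ConfiguredThumbprint ('0' * 40)

# Against the real document, pass the downloaded XML instead of $sampleXml, e.g. the
# .Content of Invoke-WebRequest -UseBasicParsing on the metadata URL from step 1.
```

A Match of False for the value currently stored on the claim issuer is the condition behind the WIF10201 error described in this post; the Published column then lists the thumbprint(s) to enter in step 4.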

K2 Five collation requirement changes

In the past I’ve written some blog posts promoting the documented K2 collation requirement. With the release of K2 Five this requirement changed, and I guess I have to mention it on my blog, as it essentially makes my old blog posts about the required K2 database collation incorrect.

So recently (with the release of K2 Five) all K2 documentation was updated, and it states that our required collation is now “SQL_Latin1_General_CP1_CI_AS“. Where to find this information?

In the K2 Installation and Configuration Guide you can find the “SQL and Reporting Services Operational Requirements” section, which says that:

– Case-sensitive databases are NOT supported.

– The following collation setting is required for the K2 database: SQL_Latin1_General_CP1_CI_AS

And as usual, you can find the same information in the K2 Product Compatibility, Integration and Support matrix:

What is good about this change is that SQL_Latin1_General_CP1_CI_AS will be the default collation if you are installing SQL Server on top of a Windows Server which has been installed with US location/language settings – so at least some people will meet this requirement by accident.

What is bad is that the collation requirement was just silently changed in the documentation with the release of K2 Five, without any explanation. According to my current knowledge, the collation which was mentioned in the documentation before was a requirement only for pre-4.6.11 versions of K2. So in case you are doing a new installation of K2 4.6.11 or newer, make sure that your SQL Server instance is provisioned with the SQL_Latin1_General_CP1_CI_AS collation.

A somewhat mixed blessing is the change which was made to the K2 Five installer to enforce this collation: what it does at the moment is just enforce this collation at the K2 DB level while ignoring the SQL Server instance-level collation. So in case you have not provisioned the SQL Server instance with the right collation, you will get errors post installation and will be forced to change the SQL Server instance-level collation to fix this. That’s something that I hope will be corrected in the K2 installer in the future, so that it warns you about a wrong instance-level collation before you start your installation.

Conclusion: read vendor documentation carefully before doing your installation, even if you did it many times before 🙂

Configure K2 and SharePoint Online integration

Some time ago I posted an article, “Configure K2 and SharePoint Online integration”, on the StarWind Software blog. It outlines the details of getting your SharePoint Online instance up and running and adding the K2 for SharePoint app to your app catalog, so if you are interested to know more, read on at the StarWind Software blog.

One thing I was not 100% clear on while writing that article is the “Enable auto-activation on sites where the app is deployed” option, which is enabled by default (K2 for SharePoint app > Settings > Manage App Activations).

Based on the wording of the setting name, I was not very clear on whether the “Enable auto-activation on sites where the app is deployed” setting works for newly created SharePoint Online site collections. Especially as I’ve noticed that if I run activation manually there is a step “we need to create a token of your behalf” which, I assume, requires user input… So I had a question: is auto-activation possible for newly created SharePoint Online site collections where the K2 app was only deployed?

It was also not very clear what drives/triggers automatic activation and how frequently it happens.

Luckily enough, there are some colleagues who always help 🙂 Below are some extra details I’ve learnt only after writing that article.

The Auto-Activation setting on the Manage App Activation page is designed to restrict activation at the site collection level (permission-wise) and to only allow site collections to be activated via the app catalog level.

When the setting is set to False, the warning below will be presented when the user tries to activate at the site collection level:

This setting will not auto-activate any new site collections created in SharePoint Online. When it is set to True/Enabled, you can perform activation from the site collection level. So the wording “Enable auto-activation on sites where the app is deployed” is really a bit confusing, though the description above this setting is quite clear (but who reads notes and descriptions? 😉)

Essentially, this option allows Site Collection Owners to activate the K2 app at the site collection level manually. When it is disabled, they won’t be able to do that from the site collection level, and activation will be possible only at the app catalog level from the K2 app management page.

But true auto-activation does happen for sub-sites of already activated site collections. This functionality works only with K2 Five: it was introduced in K2 4.7 but did not work as expected. More information on this can be found in the following KB: http://help.k2.com/kb001755

But this sub-site auto-activation requires the Event Receiver sub-site of the K2 site to be exposed to the internet when you use SharePoint Online. When using SharePoint on premises, there is no need for any exposure of the K2 site to the internet.

Reading list: K2 Authentication and Authorization

This is a list of links to K2 documentation which covers K2 Authentication and Authorization topics. In case you have some time to read something for fun 🙂

Authentication

Authentication and Authorization in K2

Claims-based Authentication in K2

Outbound Authorization and OAuth in K2

About K2Trust

Troubleshooting Claims-based Authentication Issues

Identity and Data Security in K2 Cloud for SharePoint

SharePoint Hybrid, Multiple Identity Providers & K2

AAD Multi-Factor Authentication Considerations

Enabling AAD Multi-Factor Authentication Requires Changes in K2 4.7

Authentication Modes

Authentication (in Management)

Integrating with Salesforce

Azure Active Directory Management (Read/Write to AAD)

Claims and OAuth Configuration for SharePoint 2013

Standard SmartForms Authentication

Multi-Authentication Providers

Consolidation to Multi-Auth

IIS Authentication

Authorization

Authorization Framework Overview

Outbound Authorization and OAuth in K2

REST Broker

Resources for Working with the REST Service Broker

REST Swagger File Reference Format

REST Broker and Swagger Descriptor Overview (video)

Endpoints REST Service Type

OData Broker

Using the OData Service Broker (including Serialization and Deserialization)

Endpoints OData Service Type

Workflow and SmartObject APIs

APIs (in Management)

Configuring the Workflow REST API

Configuring the SmartObject OData API

How to Use the K2 Workflow REST Feed with Microsoft Flow to Redirect a K2 Task

How to Use the K2 Workflow REST Feed with Microsoft Flow to Start a Workflow

How to: Use the K2 OData Feed with Microsoft Excel

How to: Use the K2 OData Feed with Microsoft Power BI
