I was working with a customer recently who was having authentication problems on their development environment.  All K2 Components and MOSS were installed on the same server.  However, whenever they went to K2 Workspace or opened an InfoPath form that used SmartObjects they would always get prompted for credentials.  Since everything was installed on the same server except SQL (which is a blog for a different day) there shouldn’t be any need for configuring Kerberos.  I could see when they browsed to K2 Workspace the browser was showing it was in the Internet security zone.  Internet Explorer will only pass your windows credentials to a server that is in your Local Intranet or Trusted Sites security zone.  Therefore, the solution was obvious:  add the K2 Workspace to the local intranet or trusted site zone.  This would also fix the prompting in InfoPath as it invokes web services in the K2 site to integrate with SmartObjects.

Except that didn’t work. 

When they entered the URL to the K2 Workspace in the local intranet zone, I noticed they were entering it like this:  http://k2dev.domain.com:81.  Ah ha!  A clue!  They had installed MOSS first and put it on port 80.  Later when they installed K2 workspace, they set up a new web site on port 81.  This was enough information to figure out why they were getting prompted for credentials.  There is a little known (ah-hem) undocumented feature (cough) in Internet Explorer which prevents adding URLs with a port number to the local intranet zone or trusted sites zone.  See this article for additional information:  http://support.microsoft.com/kb/296287.

The solution in this case is easy.  The K2 Workspace site needs to be put on port 80 so it can then be a local intranet or trusted site.   But MOSS is already on port 80, you object!  No problem.  The answer lies with Host Headers.

Open up the IIS console.  Right-click the properties of the website (not virtual directory) containing K2 Workspace.  On the Web Site tab, click the Advanced button to the right of the IP Address field.  On the following Advanced Web Site Identification tab, click the Add button.  Give a name for your web site, specify port 80, and the IP address of the server hosting it in the dialog:

But wait, there’s more! 

We’re only one third done.  We’ve given a name to this site, but no one else knows about it yet.  We need to tell DNS about the new name so when someone types it in the browser address bar, it knows where to send it.

You’ll need to have enough rights to perform the next step.  If you don't, make friends with a domain administrator.  You need to configure the DNS entry for this host header.  On the Start Menu, open Administrator Tools then click DNS.  In the DNS console, find your domain controller, expand Forward Lookup Zones, then right-click on your domain suffix (in this example domain.com).  Right-click and add New Host A record.  C Records won’t work, it must be an A record.  Enter the same name and IP Address you put on the host header and check the Create associated pointer (PTR) checkbox.

Hold on there partner, we’re still not done yet. 

We need to re-run the K2 Configuration Manager to tell it where K2 Workspace is now located:  http://k2workspace.domain.com.  If we don’t do this, it still thinks it is at http://k2dev.domain.com:81.  Re-run the configuration manager on the K2 host server and on the K2 Workspace server (in this customer’s case, they were the same machine), update the URL, and finish the configuration change by rebooting when prompted.  After the reboot, open up K2 Workspace in the browser.  Hey, it doesn’t prompt for credentials anymore!  If it does, make sure it is in your local intranet zone or trusted sites.   In the Workspace Management Console, drill down into the environment variables for your site in the current (development) environment.  Edit the “Web Service URL” environment variable to reflect the new K2 Workspace URL:

Now, re-deploy your InfoPath process that was prompting for credentials.  You have to do this to make sure that environment variable is updated in the appropriate spots.  After it is deployed you should be able to access both K2 Workspace and your InfoPath form without getting prompted for credentials.

If you think you need to use host headers in a distributed environment, make sure you set them up before you begin the install (as recommended in the blackpearl Getting Started Guide).   In a distributed environment you will need to use the host headers in your Kerberos settings.