K2 [blackpearl] HF2.01 Distributed Installations (and also SP1)

I have done quite a few distributed deployments for customers in the APAC region and thought it would be nice to share my experience and tips with the community, as there are several challenges when the Reporting Services web server is on a separate machine from the K2 server.  The tips below assume that:

  • Visual Studio is not installed (which is normally the case for secure environments)
  • K2 Workspace is installed with the K2 server.
  • Installations are all done to the default Program Files paths.  If you use other drive letters, there might be some additional configuration for HF2.01, i.e. some assemblies need to be copied to the C: drive.  I have tested this with SP1 and it is not needed there.

Note some of the steps might not be needed when K2 [blackpearl] SP1 is out.

Quickstart Guide for Distributed Installs

  1. Make sure the base pre-requisites are set up correctly first on the Windows Server 2003 machines.
    • Windows Installer 3.0 Redistributable
    • Microsoft Report Viewer Redistributable 2005 SP1 - make sure it's SP1!  It's pretty hard to tell, as MS gives no indication other than the difference in size of the setup files.
    • Windows 2003 SP2 
    • .NET Framework 2.0
    • .NET Framework 3.0
  2. Create your K2 service account and also the K2 Workspace app pool account in your domain.  Give the K2 service account local admin rights on the server and the "Log on as a service" right in the Local Security Policy console.  Add the K2 Workspace app pool account to the IIS_WPG group.
  3. Using the Component Services Management console, configure the MSDTC security configuration of both the SQL Server and the K2 Server nodes to use the following settings:
    • Check "Network DTC Access"
    • Check "Allow Remote Clients"
    • "Allow Remote Administration" was not needed so I left it as unchecked.
    • Check "Allow Inbound" and "Allow Outbound"
    • For a cluster, set the authentication to use "Incoming Caller Authentication Required".  Mutual Authentication is not supported in a cluster configuration.
    • "Enable TIP Transactions" and "Enable XA Transactions" were left unchecked, as we were not using internet transactions or transactions to Oracle or DB2.
    • DTC Logon Account *must* be left as NetworkService.  This is recommended by MS.
  4. If you have plans to set up a cluster, make sure to set it up as a Farm configuration from the start.  This is true even if you only have one node at the moment.  If you set it up as a stand-alone server, you might face issues later when migrating.  For the pre-requisites this means:
    • You need to configure the virtual DNS entry for the cluster first.
    • If you are setting up two or more K2 server nodes, make sure NLB is configured correctly first.  If NLB is not configured first, the K2 Host Server service will not start properly.
    • Kerberos configuration is mandatory.  This is true even if K2 Workspace is installed together with the K2 Host Server service.  This differs from K2.net 2003 because of the Farm mechanism used, i.e. you have to specify the farm's fully qualified domain name (FQDN) up front in the K2 Configuration Manager.  See below for the actual Kerberos configuration details.  NTLM can be used only in a stand-alone server configuration.
  5. Install the first server node first, following the setup guide for details.  Just make sure you specify the virtual cluster name correctly, as the default value is left as the domain path only, e.g. contoso.com instead of k2cluster.contoso.com.  Specify the database details.  Note you will need your license key here.  Reboot as needed.
  6. Run the HF2.01 update.  This will change with SP1 as it is a full install.
  7. Install the second server node next and select the "Add server to farm" option.  Point it to the correct database.  Note you will need your license key here.  Update with HF2.01 next.  Reboot as needed.
  8. At this point, your server will not start correctly.  If you launch it in console mode, you will see that the workflow server is waiting for the SmartObject server thread to start.  This is normal, as Kerberos has not been configured yet.  I'll leave the Kerberos configuration to the end, so let's do the Reports setup next.
  9. One thing I noted: try not to change the default virtual folder names of the Reporting Services web sites, as this can cause the K2 overview reports not to install properly.  In SP1, the ability to specify the path of the Reporting Services web service virtual folder is being introduced.
  10. Before running the installer, warm up the RS web site by navigating to http://<rs_server_name>/reports.  This helps prevent timeout errors during the installation.
  11. On your reporting services web server, run the K2 installer and configuration manager.  This will detect the RS installation and install the K2 Reports component.  Update with HF2.01 as needed.  Reboot as needed.
  12. Some post-configuration is needed at this point with HF2.01.  Copy the following assemblies to the GAC (copy them from another machine or VPC as needed).  Note that this is fixed in SP1 and this step is not needed if you are using SP1.
    • SourceCode.Data.SmartObjects.Client
    • SourceCode.SmartObjects.Client.dll
    • SourceCode.SmartObjects.Management.dll
    • SourceCode.Categories.Client.dll
    • SourceCode.HostClientAPI.dll
  13. Copy the following DLLs to the RS bin folder, C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin.  Note you do not need to do this for SP1.
    • SourceCode.Data.SmartObjects.Client
    • SourceCode.SmartObjects.Management.dll
  14. Check that the following lines are in RSReportDesigner.config.  They were already there in my setup, but somebody said they weren't in theirs for other installations.  Note this is not needed for SP1.
    • <Configuration> 
        <Extensions>  
          <Data>
              <Extension Name="SOURCECODE" Type="SourceCode.Data.SmartObjectsClient.SOConnection,SourceCode.Data.SmartObjectsClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16A2C5AAAA1B130D"/>
          </Data>
          <Designer>
              <Extension Name="SOURCECODE" Type="Microsoft.ReportingServices.QueryDesigners.GenericQueryDesigner,Microsoft.ReportingServices.QueryDesigners"/>
          </Designer>
        </Extensions>
      </Configuration>
  15. Also check rsreportserver.config.  Note I didn't have to add this (it was also not needed for SP1).
    • <Configuration>
        <Extensions>
          <Data>
              <Extension Name="SOURCECODE" Type="SourceCode.Data.SmartObjectsClient.SOConnection,SourceCode.Data.SmartObjectsClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d"/>
          </Data>
        </Extensions>
      </Configuration>
  16. Also check rssrvpolicy.config.  Note I didn't have to add this (it was also not needed for SP1).  The code group should look like this, with the attributes inside the opening tags (as pasted in the original post some of them had ended up outside the tags, which is not valid XML):
    • <CodeGroup
          class="UnionCodeGroup"
          version="1"
          PermissionSetName="FullTrust"
          Name="CustomDataExtensionCodeGroup"
          Description="Code group for the Custom Data Extension">
        <IMembershipCondition
            class="UrlMembershipCondition"
            version="1"
            Url="C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportServer\bin\SourceCode.Data.SmartObjectsClient.dll"/>
      </CodeGroup>
  17. Note the Reporting Services web server has two virtual folders that run under the Network Service account.  To get Kerberos working, create an RS app pool account and add it to the IIS_WPG group on the RS web server, then set both application pools of the RS web application to use this account.
  18. Give the K2 Workspace app pool account Content Manager rights in Reporting Services.
  19. Now comes the interesting part: the Kerberos configuration.  Here's my setup for a Win2K domain or a mixed-mode Win2K3 domain (i.e. unconstrained delegation):
    1. SPN setup.  Note the last two (i.e. SCHostServer) were not needed in my setup, but another person mentioned that they were needed; I would leave them out unless you hit issues.  Also note that the K2Server SPN is set both with and without the port number.  I discovered this was needed, otherwise you get Kerberos errors.  The port number on the BlackPearlServer SPN is also required, otherwise your K2 Host Server service will not start.  SPNs use the service/host form, so the separator is a forward slash:
      • setspn -a K2Server/<K2 Server cluster FQDN Name> <Domain>\<K2 Service Account Name>
      • setspn -a K2Server/<K2 Server cluster NetBIOS Name> <Domain>\<K2 Service Account Name>
      • setspn -a K2Server/<K2 Server cluster FQDN Name>:5252 <Domain>\<K2 Service Account Name>
      • setspn -a K2Server/<K2 Server cluster NetBIOS Name>:5252 <Domain>\<K2 Service Account Name>
      • setspn -a BlackPearlServer/<K2 Server cluster FQDN Name>:5555 <Domain>\<K2 Service Account Name>
      • setspn -a BlackPearlServer/<K2 Server cluster NetBIOS Name>:5555 <Domain>\<K2 Service Account Name>
      • setspn -a HTTP/<K2 Workspace cluster FQDN Name> <Domain>\<K2 Workspace App Pool Account Name>
      • setspn -a HTTP/<K2 Workspace cluster NetBIOS Name> <Domain>\<K2 Workspace App Pool Account Name>
      • setspn -a HTTP/<Reporting Services FQDN Name> <Domain>\<RS Web App Pool Account Name>
      • setspn -a HTTP/<Reporting Services Host Name> <Domain>\<RS Web App Pool Account Name>
      • setspn -a SCHostServer/<K2 Server cluster FQDN Name> <Domain>\<K2 Service Account Name>
      • setspn -a SCHostServer/<K2 Server cluster NetBIOS Name> <Domain>\<K2 Service Account Name>
        1. Note that with K2 [blackpearl] SP1, the SPN service name for BlackPearlServer (and SCHostServer) changes to K2HostServer.
    2. Configure the accounts to be trusted for delegation using the AD Users and Computers management console.  It is a checkbox in the account properties when the AD is in Win2K mode or Win2K3 mixed mode.  Set it on the following accounts:
      1. K2 Workspace App Pool Account.  If you are using Win2K3 native mode, you can use constrained delegation; set the following trusts on this account:
        • Trust the HTTP/<Reporting Services Name> SPN on the RS Web App Pool Account
        • Trust the BlackPearlServer/<K2 Server Name>:5555 SPN on the K2 Service Account
        • Trust the K2Server/<K2 Server Name> SPN on <K2 Service Account Name>
        • Trust the K2Server/<K2 Server Name>:5252 SPN on <K2 Service Account Name>
        • Trust the SCHostServer SPN on <K2 Service Account Name> - note this last one was added by another person; I did not have to do this in my own setup.
        • Note in SP1, SCHostServer and BlackPearlServer should be replaced by K2HostServer.
      2. RS Web App Pool Account.  If you are using Win2K3 native mode, you can use constrained delegation; set the following trust on this account:
        • Trust the BlackPearlServer/<K2 Server Name>:5555 SPN on the K2 Service Account
        • Note in SP1, BlackPearlServer should be replaced by K2HostServer.
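As an added example (not part of the original post or a K2 tool), the script below registers the SPN set from step 19.1 with setspn.exe and then checks the result, which is also the question raised in the comments: each SPN must end up on exactly one account, because a missing or duplicated SPN makes Kerberos fail and clients silently fall back to NTLM.  All account and host names are constructed placeholders, SCHostServer is omitted as in the post, and it assumes the older Support Tools setspn.exe whose -a option does not refuse an SPN already held by another account.

```powershell
# Added example, not from the original post. Registers the step 19.1 SPN set and verifies it.
# All names below are constructed placeholders; replace them with your own.
$domain   = 'CONTOSO'
$k2Svc    = "$domain\svc-k2server"     # K2 Service Account
$wsPool   = "$domain\svc-k2workspace"  # K2 Workspace app pool account
$rsPool   = "$domain\svc-rsweb"        # RS web app pool account
$farmFqdn = 'k2cluster.contoso.com';   $farmNb = 'k2cluster'
$wsFqdn   = 'k2workspace.contoso.com'; $wsNb   = 'k2workspace'
$rsFqdn   = 'rsserver.contoso.com';    $rsNb   = 'rsserver'
$hostSvc  = 'BlackPearlServer'         # on SP1 use 'K2HostServer' instead

# Account -> SPNs that must map to exactly that account (service/host form, port where required)
$wanted = @{
    $k2Svc  = @("K2Server/$farmFqdn", "K2Server/$farmNb",
                "K2Server/${farmFqdn}:5252", "K2Server/${farmNb}:5252",
                "$hostSvc/${farmFqdn}:5555", "$hostSvc/${farmNb}:5555")
    $wsPool = @("HTTP/$wsFqdn", "HTTP/$wsNb")
    $rsPool = @("HTTP/$rsFqdn", "HTTP/$rsNb")
}

$problems = @()
foreach ($account in $wanted.Keys) {
    $sam = $account.Split('\')[1]
    foreach ($spn in $wanted[$account]) {
        # Older setspn -a does not check for duplicates, so query AD first: an SPN held by
        # two objects breaks Kerberos for that service and clients fall back to NTLM.
        $hits = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
        if ($hits.Count -eq 0) {
            & setspn.exe -a $spn $account | Out-Null
        } elseif ($hits.Count -eq 1) {
            $holder = $hits[0].Properties['samaccountname'][0]
            if ($holder -ne $sam) { $problems += "$spn is held by $holder, not $account" }
        } else {
            $problems += "$spn is held by $($hits.Count) objects; remove the extras first"
        }
    }
    # Verify with "setspn -l", which prints one indented SPN per line for the account
    $registered = & setspn.exe -l $account |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
    foreach ($spn in $wanted[$account]) {
        if ($registered -notcontains $spn) { $problems += "$spn is not registered on $account" }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All SPNs are registered once, on the intended accounts.' }
```

Run it once from a domain-joined machine as an account that may write servicePrincipalName; any warning it prints points at the exact SPN to fix before turning on delegation.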

That's it.  If everything is done right, you can start up the K2 services (or reboot the K2 servers) and they should now run fine.  If they don't, I would normally start troubleshooting by turning on Kerberos logging (http://support.microsoft.com/kb/262177) and checking the event log for errors.  They will give you clues if you missed a step.

Also note that if your Kerberos configuration is done correctly, you will see a standard Reports node in the K2 public folders tree in K2 Workspace.  Test by opening the Process Overview reports and checking that they run fine.  If you do not see them, I would first check the K2 configuration log files for errors.  This might give some clues about installation issues.

Hope you all find this article useful.  Cheers!


Posted Fri, Dec 7 2007 1:12 PM by johnny

Comments

Krapansky wrote re: K2 [blackpearl] HF2.01 Distributed Installations
on Fri, Dec 21 2007 9:48 AM

Great post, especially the reporting parts!

Thanks

kenlin wrote re: K2 [blackpearl] HF2.01 Distributed Installations (and also SP1)
on Thu, Nov 6 2008 2:03 AM

I have one question: how do I check to see if the SetSPN was successful and the account is there?

johnny wrote re: K2 [blackpearl] HF2.01 Distributed Installations (and also SP1)
on Thu, Nov 6 2008 7:26 AM

You can run the setspn with a "-l" option to list the SPNs set on the account.

e.g. setspn -l <my domain>\<my service account>

Cobusve wrote re: K2 [blackpearl] HF2.01 Distributed Installations (and also SP1)
on Mon, Dec 8 2008 9:32 AM

Hi Johnny,

OK, I am trying to set up constrained delegation and I am tired of banging my head against this brick wall.

I am using FORMS authentication on a web server from where we are doing protocol transition to Kerberos. (We have domain users logging in from the internet as well as non-domain users using just forms auth).

This all seems fine and I get an impersonation capable token for the user from the S4U2 subsystem.

I can follow this happening in the event log with Kerberos logging on.

Everything seems to be set up correctly, but looking at the event log on the K2 server I can see that an Anonymous logon is done using NTLM.

If I do not do the protocol transition, but use the Windows API to call LogonUser to get a token, everything works fine and the logon is done using Kerberos as expected.

In both cases the event log entry for the Logon Success audit has identical privileges on the token.

Since I do not have the password for all users I HAVE to use the transition password-less so the LogonUser option is not solving my problem.

How can I get the client to connect using the Kerberos ticket it has received instead of Anonymous NTLM?

johnny wrote re: K2 [blackpearl] HF2.01 Distributed Installations (and also SP1)
on Tue, Dec 9 2008 2:25 AM

It's been a while since I have done protocol transitioning, but I kind of recall from K2.net 2003 days that you had to turn on the option "trusted for impersonation" for the computer account.  I assume the same would apply for the K2 blackpearl setup.  You can give that a try and see if that works.