IIS7 K2 Workspace - multiple prompts for credentials!

hyankov posted on Mon, Mar 1 2010 9:05 AM

Hi, I would really appreciate prompt assistance with the following question. I am installing K2 blackpearl (latest and greatest) on a client environment.

K2 workspace and K2 server are on the same dedicated box (win 2008, IIS7). SQL server is on another. No SharePoint or Reporting integration yet.

I am configuring the authentication to be Kerberos. Following the documentation, I have set SPNs for K2 Workspace and K2 Service Account. Delegation and everything is set.

Ok, so I have installed the workspace on port 80. The workspace authentication mode is Windows Integrated. I didn't set the 'Enable Direct Metabase Edit' or the adsutil.vbs, because it doesn't seem to be applicable.

So I am trying to validate the Kerberos setup and K2 Workspace...

On localhost, the workspace opens successfully with the K2 service (or any other domain) account. When we open the workspace in IE8 on another machine (in the same, and only, domain) we are prompted multiple times for credentials, before it errors out.

Yes, the site is added to the Trusted, always pass credentials, etc. In Firefox it kind of works (navigation is messed up, but the site opens).

On the Workspace/K2 server I now see a bunch of Kerberos errors.

Please help? It must be something related to the authentication mode and the Kerberos setup. I am 100% sure the SPNs are set correctly, I did it myself and triple-checked everything.

 

To summarize - when opening the workspace from another computer, I am being prompted 4 or 5 times for the same credentials, then errors out.

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-01T16:26:08.888Z" />
    <EventRecordID>13014</EventRecordID>
    <Correlation />
    <Execution ProcessID="596" ThreadID="716" />
    <Channel>Security</Channel>
    <Computer>SPTESTBP1.some.domain</Computer>
    <Security />
  </System>

  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>

    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.1.XXX</Data>
    <Data Name="IpPort">64086</Data>
  </EventData>
</Event>
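For triage of events like the one posted above, the following added example (not part of the original post) parses a 4625 record, decodes its `Status`/`SubStatus` NTSTATUS codes, and counts repeated failures per client. The function names `summarize_4625` and `failures_by_client` are hypothetical, and the sample is a trimmed copy of the posted event.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Subset of NTSTATUS codes that appear in 4625 Status/SubStatus fields.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}

# Constructed sample: the event from the post, trimmed to the fields used here.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID>
    <TimeCreated SystemTime="2010-03-01T16:26:08.888Z" /></System>
  <EventData>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">192.168.1.XXX</Data>
  </EventData>
</Event>"""

def summarize_4625(xml_text):
    """Return the fields that matter for triage of one failed-logon event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 logon-failure event")
    # EventData is a flat list of <Data Name="...">value</Data> pairs.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    def code(name):
        value = int(data[name], 16)
        return NTSTATUS.get(value, hex(value))
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "status": code("Status"), "substatus": code("SubStatus"),
        "logon_type": LOGON_TYPES.get(int(data["LogonType"]), data["LogonType"]),
        "package": data["AuthenticationPackageName"],
        "client_ip": data["IpAddress"],
        "target_user": data["TargetUserName"] or None,  # blank in the posted event
    }

def failures_by_client(xml_events):
    """Count failures per (client IP, package, substatus) to spot repeated prompts."""
    rows = (summarize_4625(x) for x in xml_events)
    return Counter((r["client_ip"], r["package"], r["substatus"]) for r in rows)
```
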

All Replies


Actually I may have figured it out. In the K2 documentation there is a whole chapter about Windows 2008 configuration which I missed. I will keep you posted.


The following blogs should help as well:

http://www.k2underground.com/blogs/infrastructure_spotlight/archive/2009/07/06/windows-server-2008.aspx

http://www.k2underground.com/blogs/johnny/archive/2009/08/19/some-differences-when-configuring-kerberos-with-host-headers-on-a-ssrs-2008-setup-with-0807v3-0-on-windows-2008.aspx

http://www.k2distillery.com/2009/10/iis-7-kerberos-configuration.html

Check the IE settings: Make sure the site is added under 'Trusted Sites' on your remote machine and set the Security levels for this zone to LOW. Open Custom level and go right down to the bottom; under User Authentication make sure the radio button is in the “Automatically logon with current user..”. Also, under Advanced Internet Options, make sure 'Enable Integrated Windows Authentication (requires restart)' is checked.

Vernon

The statements and opinions made in my postings are my own, and do not reflect the opinions of SourceCode Technology Holdings, Inc. or its subsidiaries. All information is provided as is with no warranties, express or implied, and grants no rights or licenses.
