+44(0)1908 545 770
YOUR EXPERT RPA PARTNER

Team up with our RPA strategy and tech specialists for maximum automation impact

Find out more
Harness the power of UiPath in your business.
WATCH NOW

Save money and spend more time on priority work.

Book consultation
READY, SET, AUTOMATE

Let's choose, design and deploy a process automation solution for your business.

Find out more
TRANSFORM YOUR BUSINESS

Let's analyse your business to discover opportunities for innovation and automation.

Find out more

Begin your business transformation journey

Book consultation
AUTOMATE EVERY FUNCTION

Automate where it matters most. Scale to solve challenges in every area

Find out more
GIVE EVERY TEAM THE TOOLS FOR SUCCESS

Equip people with user-friendly solutions that save time and make work easier

Find out more

Which business problem
can we solve first?

Book consultation
10 September 2015

How to: Kerberos Authentication for K2 Smartforms Applications

Kerberos authentication for K2 Smartforms

  1. What is Kerberos

Kerberos authentication is a security protocol that allows delegation of users’ credentials across multiple servers, allowing a server to impersonate the user to another server or service. In contrast, NTLM the default enabled IIS security protocol, does not support delegation of identity across servers.

K2 Automated Testing Software

BenchQA allows full test automation of K2, including fully automated K2 SmartForms and K2 Workflow testing. It promotes test driven development for K2 and ensures continued quality assurance for K2 solutions. Easily apply changes to test cases to accommodate changes to K2 apps and ensure all apps are regression tested to avoid defects and assure continuous quality.

 

Free K2 Five Upgrade Review

 https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx

  1. When do we need Kerberos for K2 applications

In a previous blog post (http://blog.velocity-it.com/2015/05/18/sql-user-impersonation-with-k2/) we discussed how to setup the K2 server to impersonate a user in SQL server. This allows us to prevent a user from accessing data to which the user doesn’t have the rightful permissions to. In most small-scale K2 environments the web server (IIS), application server (K2 blackpearl) and database server sit on the same physical (or virtual) machine. The user logs into the application, the application delegates the users’s credentials to the K2 Server, which in turn delegates the credentials to SQL server. This is more commonly known as a single hop situation, illustrated below.

Kerberos authentication for k2

1 – Single hop authentication

When we start scaling K2 out, we however often configure the K2 server and SQL Server to be hosted on separate machines..Within these solutions there is the requirement to impersonate a user from the K2 Server to the SQL servers, also commonly known as a double hop (See below diagram). The default NTLM authentication protocol as stated above does not provide the impersonation functionality required to support these solutions, and we need to revert to alternative means of Authentication.

2 - Multi hop authentication

2 – Multi hop authentication

One option for authentication is to make use of K2 Pass-Through Authentication, which is discussed here: http://help.k2.com/onlinehelp/k2blackpearl/icg/4.6.4/webframe.html#K2PA_-_Introduction.html.

Another option is to make use of the Kerberos security protocol which does provide the impersonation/delegation functionality needed to support such solutions.

  1. Setting up Kerberos for authentication

To set up Kerberos for authentication the following requirements need to be met:

  1. The SQL Server Service Account, as well as the IIS service accounts and K2 Blackpearl service accounts need to share a domain.
  2. Service principal names (SPNs) need to be setup for all the above mentioned service accounts
  3. Delegation needs to be enabled.
  1. Setting up the required SPN’s

For Kerberos authentication to work the following SPNS need to be setup:

SQL SERVER:

setspn -s MSSqlSvc/HOSTNAME:PORTNUMBER  DOMAINSQLSERVICEACCOUNT

setspn -s MSSqlSvc/FQDN:PORTNUMBER  DOMAINSQLSERVICEACCOUNT

K2 SERVER:

setspn -s K2Server/HOSTNAME:5252  DOMAINK2SERVICEACCOUNT

setspn -s K2Server/FQDN:5252 DOMAINK2SERVICEACCOUNT

setspn -s K2HostServer/HOSTNAME:5555 DOMAINK2SERVICEACCOUNT

setspn -s K2HostServer/FQDN:5555 DOMAINK2SERVICEACCOUNT

IIS:

And the following spns need to be setup for all of the different application pool accounts under which the different K2 modules is hosted:
setspn -s HTTP/HOSTNAME  DOMAINIISSERVICEACCOUNT

setspn -s HTTP/FQDN DOMAINIISSERVICEACCOUNT

More information on SPNs can be found at https://msdn.microsoft.com/en-us/library/ms677949%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396.

  1. Enabling delegation

The final step is to enable delegation on the service accounts.

3 - Account Delegation

3 – Account Delegation

More information on delegation can be found at: https://technet.microsoft.com/en-us/library/cc756906(v=ws.10).aspx

About Velocity IT

Velocity IT is a K2 partner that specialises in the design and development of K2 workflow, K2 SmartForms and K2 BPM solutions.  Click here for more information…

Kerberos authentication for K2

Need further technical advice or support?