Enabling AAD Multi-Factor Authentication Requires Changes in K2 4.7
KB002303
When you enable or disable Multi-Factor Authentication (MFA) in Microsoft Azure Active Directory (AAD), Azure invalidates every refresh token issued before the change. The refresh tokens K2 has cached are therefore no longer accepted and must be reissued by Azure; this applies both to cached user tokens and to the token cached for the K2 service account. Until those tokens are replaced, K2 cannot authenticate to Azure on behalf of the affected identities, so K2 must be reconfigured after the MFA change.
Resolution
To reconfigure K2 blackpearl 4.7 so that the service account holds a valid OAuth refresh token, follow these steps:
- Open K2 Management
- Browse to Authentication > OAuth > Tokens
- Delete the Microsoft Online token associated with the identity of the K2 service account and, if a different account was used to run the Registration Wizard, the token associated with that account as well
- Browse to the SharePoint app catalog's Site Contents page and click K2 blackpearl for SharePoint
- In the Administration section of the app settings page, click the Registration Wizard link and run the configuration again
Advanced Troubleshooting
If the resolution above does not work, you can delete the service account's token directly with the following SQL script. Copy the script below, replace DENALLIX\K2Service with the fully qualified name (DOMAIN\username) of your K2 service account, and run the script against the K2 database. Back up the K2 database before running it, and run the Registration Wizard again afterwards so that a fresh token is issued.
DELETE [K2].[Authorization].[OAuthIdentity]
FROM [K2].[Authorization].[OAuthIdentity]
INNER JOIN [K2].[HostServer].[SecurityCredentialCache]
    ON [K2].[Authorization].[OAuthIdentity].PrimaryCredentialID = [K2].[HostServer].[SecurityCredentialCache].PrimaryCredential
WHERE [K2].[HostServer].[SecurityCredentialCache].UserName = 'DENALLIX\K2Service'
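The following is an added, transactional variant of the script above; it is not part of the original KB article. It previews the rows that match the account name before deleting them, and rolls back with an error if nothing matched, which usually means the account name was mistyped. It assumes the same K2 tables and columns the KB script uses and the same sample account name DENALLIX\K2Service, which you must replace with your own service account.

```sql
-- Added example (not from the KB article): preview, delete, and verify the
-- OAuthIdentity rows for the K2 service account inside one transaction.
-- Assumes the table and column names used by the KB script above.
-- Replace 'DENALLIX\K2Service' with your own DOMAIN\username.
USE [K2];
GO

DECLARE @ServiceAccount NVARCHAR(256) = N'DENALLIX\K2Service';

BEGIN TRANSACTION;

-- 1. Preview: show exactly which cached OAuth identities will be removed.
SELECT oi.*
FROM [Authorization].[OAuthIdentity] AS oi
INNER JOIN [HostServer].[SecurityCredentialCache] AS scc
    ON oi.PrimaryCredentialID = scc.PrimaryCredential
WHERE scc.UserName = @ServiceAccount;

-- 2. Delete those rows (same join as the KB script, written with aliases).
DELETE oi
FROM [Authorization].[OAuthIdentity] AS oi
INNER JOIN [HostServer].[SecurityCredentialCache] AS scc
    ON oi.PrimaryCredentialID = scc.PrimaryCredential
WHERE scc.UserName = @ServiceAccount;

-- 3. Verify: @@ROWCOUNT must be read immediately after the DELETE.
DECLARE @Deleted INT = @@ROWCOUNT;

IF @Deleted = 0
BEGIN
    -- No cached identity matched the account name; most likely a typo in
    -- @ServiceAccount or a different account used for the Registration Wizard.
    ROLLBACK TRANSACTION;
    RAISERROR('No OAuthIdentity rows matched %s; nothing deleted.', 16, 1, @ServiceAccount);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT CONCAT('Deleted ', @Deleted, ' OAuthIdentity row(s) for ', @ServiceAccount);
END
```

Run the script in SQL Server Management Studio or sqlcmd while the K2 service is stopped, inspect the preview result set before trusting the commit, and then run the Registration Wizard again so that Azure issues a new refresh token for the service account.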