Microsoft has had many detractors in recent history, specifically around system security and integrity issues. To address these concerns Microsoft has embarked on a drive to systematically address security across its product line. Recent results of this drive have included the announcement of Windows Server 2003 SP1.
Since this announcement was made public and the first candidate release became available, K2.net 2003 has gone through a validation exercise to ensure interoperability with any changes or enhancements to the security model.
With the final release of Windows 2003 Server Service Pack 1, and the high customer uptake rate expected, it is imperative that the expected impact on K2.net 2003 systems be clarified.
The rest of this document will go into more detail regarding system requirements, possible symptoms and steps to address issues.
K2.net 2003 running on Windows Server 2003 SP1
The announcement of the intended release of Windows Server 2003 SP1 was made shortly after the release of K2.net 2003 SP1a, precluding it from being fully tested under the new security model. K2.net 2003 SP2 has, however, been fully tested against the new Windows 2003 Server Service Pack.
Note: K2.net 2003 SP2 and later versions are compatible with Windows Server 2003 SP1.
Fortunately, the enhancements to the security model of Windows Server 2003 SP1 do not require that major changes be made to current product configurations. Most implementations using Kerberos delegation would not require any additional configuration at all.
There are two ways to approach making the relevant changes, and the choice depends on whether your network requires NTLM, Kerberos or a combination of NTLM and Kerberos. If you intend to use only NTLM delegation, please follow the steps outlined in the section named “NTLM”. These steps require you to make changes to the system registry and are only recommended under the following circumstances:
1. When you specifically don’t want the K2.net 2003 Workspace and workflow forms web sites to reside in the end user's Intranet Zone in IE (this is required for Kerberos to work).
2. End users who are forced to use NTLM authentication (Internet, public computer, PC not a member of the domain, etc.) cannot be accommodated in a Windows 2000 functional level domain.
3. If you are not running on a Windows 2003 functional level for the domain and have enabled Protocol Transition.
If you require K2.net 2003 to use both NTLM and Kerberos delegation, please follow the steps outlined in the “Setting up a Service Principal Name” section. This simply requires that the K2 Server Service Account has a Service Principal Name (SPN) entry set, allowing it to be trusted for delegation.
The sections below will list the possible symptoms and error messages that could be encountered under the new Service Pack, and also describe the steps required to resolve these issues.
The potential error messages are grouped and listed by K2.net component. A screen capture of each error can be found at the end of the document.
K2.net 2003 Service Manager:
1. “Authentication with the server failed”
K2.net 2003 Workspace:
1. “Authentication with the server failed”
2. “The request failed with HTTP status 401: Unauthorized.”
3. Workspace loads with username set to “NT Authority/Anonymous logon”
K2.net 2003 Studio:
1. When exporting to your server the following message appears: “Authentication with the server failed”
Step-by-Step Problem Resolution
Follow these steps to disable the “loopback” check:
1. Click Start | Run and then type “regedit”, and click “OK”.
2. In Registry Editor, locate and then click the following registry key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”
3. Right-click “Lsa”, point to New, and then click the “DWORD” value.
4. Type “DisableLoopbackCheck”, and then press “Enter”.
5. Right-click “DisableLoopbackCheck”, and then click “Modify”.
6. In the Value data box, type 1, and then click “OK”.
7. Quit Registry Editor, and then restart your computer.
For more information on these steps please refer to the following Microsoft KB article:
Important: Please be advised that only those familiar with editing the registry should perform this step. If used incorrectly or if incorrect changes are made, this may cause your installation of Windows not to function correctly and may require the operating system to be reinstalled. K2.net 2003 and Microsoft Corporation do not accept any liability for loss of data or damage to systems or intellectual property should the system fail or not function correctly as a result of editing the registry. You are advised that you edit the system registry entirely at your own risk.
Setting up a Service Principal Name
To create the SPN mentioned above, simply follow these steps:
1. Start K2.net 2003 Service Manager.
2. Right-click on your K2.net server and select “Edit Server Registration Properties”.
3. Open the dropdown menu from “Security package” and select “NTLM”.
4. Right-click on your K2.net server again and select “Properties”.
5. Select the “K2.net Service Account” tab.
6. Provide the username and password of the K2.net 2003 Server service user or select the local system account, depending on which account you would prefer the service to run under.
7. Click the “Add” button. Please note that you will have to be logged on as a Domain Administrator to be able to add this entry to Active Directory.
8. Click “OK”.
9. Restart your K2.net server service.
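To confirm the result of both procedures above (the DisableLoopbackCheck registry value and the SPN on the service account), the following PowerShell script reports the current state of each. It is an added example, not part of the original K2.net document; it assumes PowerShell and setspn.exe are available on the server, and the account name `k2service` is a placeholder.

```powershell
# Added example (not from the K2.net document): audit the two settings changed above.
# Assumptions: PowerShell and setspn.exe are installed; 'k2service' is a placeholder account.
param(
    [string]$ServiceAccount = 'k2service'   # hypothetical; pass the computer name for Local System
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LoopbackCheckState {
    # The loopback check is active unless DisableLoopbackCheck exists and equals 1.
    $prop = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    if ($prop -and $prop.DisableLoopbackCheck -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Get-AccountSpn {
    param([string]$Account)
    # setspn -L prints a header line followed by one indented SPN per line.
    $output = & setspn.exe -L $Account 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('setspn -L failed for {0}: {1}' -f $Account, ($output -join ' '))
    }
    # Keep only lines shaped like serviceclass/host; the header contains spaces and is dropped.
    $output | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[^\s/]+/\S+$' }
}

$state = Get-LoopbackCheckState
$spns  = @(Get-AccountSpn -Account $ServiceAccount)

'Host:            {0}' -f $env:COMPUTERNAME
'Loopback check:  {0}' -f $state
'SPNs on {0}:' -f $ServiceAccount
if ($spns.Count -eq 0) {
    '  (none registered)'
} else {
    $spns | ForEach-Object { "  $_" }
}
```

A missing DisableLoopbackCheck value and a value of 0 both mean the loopback check is still enforced. Run the script on each K2.net server after the restart in the final step of either procedure.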