K2.net 2003 running on Windows 2003 Server SP1
KB000098
PRODUCTWith the final release of Windows 2003 Server Service Pack 1, and the high customer uptake rate expected, it is imperative that the expected impact on K2.net 2003 systems be clarified.
| Introduction K2.net 2003, like most Microsoft centric products, relies heavily on infrastructure services provided by the host Windows Operating System. One of the cardinal services provided, and consumed by K2.net, is Security, Authentication and Authorization. Without this service it would be impossible to manage system integrity in the complex technical environments prevalent in this era of interconnected systems. |
| Microsoft has had many detractors in recent history, specifically around system security and integrity issues. To address these concerns Microsoft has embarked on a drive to systematically address security across its product line. Recent results of this drive have included the announcement of Windows Server 2003 SP1.
| |||
Additional Requirements Fortunately, the enhancements to the security model of Windows Server 2003 SP1 do not require that major changes be made to current product configurations. Most implementations using Kerberos delegation would not require any additional configuration at all. There are two ways to approach making the relevant changes and this depends on whether your network requires NTLM, Kerberos or a combination of NTLM and Kerberos. If you intend to use only NTLM delegation, please follow the steps outlined in the section named “NTLM”. These steps require you to make changes to the system registry and are only recommended under the following circumstances | |||
| 1. | When you specifically don’t want K2.net 2003 Workspace and workflow forms web sites to reside in the end-user's Intranet Zone in IE (This is required for Kerberos to work) | ||
| 2. | End-users which are forced to use NTLM authentication (Internet/Public Computer/PC not member of Domain, etc) can not be accommodated in a Windows 2000 functional level Domain | ||
| 3. | If you are not running on a Windows 2003 functional level for the domain and have enabled Protocol Transition | ||
If your require K2.net 2003 to use both NTLM and Kerberos delegation, please follow the steps outlined in the “Setting up a Service Principal Name” section. This simply requires that the K2 Server Service Account has a Service Principal Name (SPN) entry set, allowing it to be trusted for delegation. The sections below will list the possible symptoms and error messages that could be encountered under the new Service Pack, and also describe the steps required to resolve these issues. | |||
Error Messages The potential error messages are grouped and listed by K2.net component. A screen capture of each error can be found at the end of the document. K2.net 2003 Service Manager: | |||
| 1. | “Authentication with the server failed” | ||
 | |||
| K2.net 2003 Workspace: | |||
| 1. | “Authentication with the server failed” | ||
| 2. | “The request failed with HTTP status 401: Unauthorized.” | ||
| 3. | Workspace loads with username set to “NT Authority/Anonymous logon” | ||
 | |||
 | |||
| K2.net 2003 Studio: | |||
| 1. | When exporting to your server the following message appears “Authentication with the server failed” | ||
 | |||
| Step-by-Step Problem Resolution NTLM Follow these steps to disable the “loopback” check: | |||
| 1. | Click Start | Run and then type “regedit”, and click “OK”. | ||
| 2. | In Registry Editor, locate and then click the following registry key: ”HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa” | ||
| 3. | Right-click “Lsa”, point to New, and then click the “DWORD” value. | ||
| 4. | Type “DisableLoopbackCheck”, and then press “Enter”. | ||
| 5. | Right-click “DisableLoopbackCheck”, and then click “Modify”. | ||
| 6. | In the Value data box, type 1, and then click “OK”. | ||
| 7. | Quit Registry Editor, and then restart your computer. | ||
|
Setting up a Service Principal Name | |||
| 1. | Start K2.net 2003 Service Manager. | ||
| 2. | Right click on your K2.net server and select “Edit Server Registration Properties”. | ||
 | |||
| 3. | Open the dropdown menu from “Security package” and select “NTLM”. | ||
 | |||
| 4. | Right click on your K2.net server again and select “Properties” | ||
| 5. | Select the “K2.net Service Account” tab | ||
 | |||
| 6. | Provide the username and password of the K2.net 2003 Server service user or select the local system account, depending on which account you would prefer the service to run under. | ||
| 7. | Click the “Add” button. Please note that you will have to be logged on a Domain Administrator to be able to add this entry to Active Directory. | ||
 | |||
| 8. | Click “OK” | ||
| 9. | Restart your K2.net server service | ||
