In a high security environment, it is not always possible to give the K2.net Server service account local administrator rights. This article details the minimal permissions that the service account requires on the local server.

Configuration

The following details how to create a service account for the K2.net 2003 Server Windows service. These are the base set of steps required to get the K2.net 2003 Server Windows service working without giving the service account local administrator rights on the local server or db_owner permissions on the K2 and K2Log databases.

Additional security policy settings may be configured depending on the security policies of your environment.  The administrator will need to do sufficient regression testing on the K2.net components to ensure that the additional changes do not break any functionality.

  • First create a Domain User account in Active Directory that will be used as the service account.
  • Log on to the K2.net Server machine with an account that has local administrator rights.
  • Open the Local Security Policy console and assign the "Log on as a service" right to the service account so that it can start as a service. Ensure that the service account is not assigned the "Deny log on as a service" right. In the example below, the service account name is K2Server and the domain is K2Train.

    Note: When setting the K2.net 2003 Server service account from the Services manager console, it will automatically assign the "Log on as a service" rights for you.
  • In Services manager console, set the K2.net Server service to log on with this account.

  • If using Windows Authentication to connect to the K2 and K2Log databases, you will need to assign the following rights to the domain account in SQL Server Enterprise Manager for the K2 and K2Log databases:
    • db_datareader
    • db_datawriter
    • EXEC permissions on all stored procedures

  • Requires permission to create files (for log and trace file creation) in:
    • <%K2 Install Dir%>\bin
  • Requires "Read and Execute" permissions on the following folders:
    • <%SystemRoot%>
    • <%SystemRoot%>\Microsoft.NET\Framework\<%FrameworkVersion%>
    • <%SystemRoot%>\Assembly
    • <%SystemRoot%>\System32
    • <%K2 Install Dir%>
  • Requires "CreateKey" permissions on the following registry entries to create application specific keys:
    • HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
    • HKLM\SOFTWARE\Microsoft\Cryptography\RNG
    • HKLM\System\CurrentControlSet\Services\EventLog\Application\K2.net Server 2003

      If any of the keys have not been created yet, ensure that permission on the parent key is set, i.e. if "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" does not exist but "HKLM\System\CurrentControlSet\Services" does, permissions should be set on the Services key in order for the child keys to be created.

      Note: This configuration has been tested for K2.net Server service only. You can use the FileMon and RegMon tools to verify if additional permissions are needed for other components like Out of Office, Archiving, etc. Please see additional article references.

  • If you use InfoPath Activity templates, you can specify to save the InfoPath form to SharePoint Portal Server or to a file path. The service account will require rights to create InfoPath forms on the specified destination location i.e. either SharePoint document library permissions or file folder permissions.
  • If Kerberos delegation is required, additional settings have to be configured. Please refer to KB000123 for more details.
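As an added example (not from the original article or from K2.net itself), the following PowerShell script audits the permissions listed above: it checks the service account's direct ACEs on each folder and registry key (walking up to the nearest existing parent key, as described above) and confirms the account is not in the local Administrators group. The account name, install path and Framework version are assumptions; adjust them to your environment.

```powershell
# Added audit script (not from the original article); run elevated on the K2.net server.
$Account          = 'K2Train\K2Server'               # account from the article's example
$K2InstallDir     = 'C:\Program Files\K2.net 2003'   # assumed install path
$FrameworkVersion = 'v1.1.4322'                      # assumed .NET Framework version
# Folder => minimum right the article requires for the service account.
$FolderChecks = [ordered]@{
    "$K2InstallDir\bin"                                         = 'CreateFiles'
    $env:SystemRoot                                             = 'ReadAndExecute'
    "$env:SystemRoot\Microsoft.NET\Framework\$FrameworkVersion" = 'ReadAndExecute'
    "$env:SystemRoot\Assembly"                                  = 'ReadAndExecute'
    "$env:SystemRoot\System32"                                  = 'ReadAndExecute'
    $K2InstallDir                                               = 'ReadAndExecute'
}
$RegistryChecks = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\RNG',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\K2.net Server 2003'
)
# True when an Allow ACE naming the account directly grants at least $Right
# (FileSystemRights for folders, RegistryRights for keys). Rights inherited via
# group membership are not resolved: $false means "not explicitly granted".
function Test-DirectRight {
    param([string]$Path, [string]$Identity, [string]$Right, [string]$RightsProperty)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Identity) { continue }
        $granted = $ace.$RightsProperty
        $wanted  = [Enum]::Parse($granted.GetType(), $Right)
        if (($granted -band $wanted) -eq $wanted) { return $true }
    }
    return $false
}
# A key that does not exist yet must be creatable from its nearest existing parent.
function Resolve-ExistingKey {
    param([string]$Path)
    while (-not (Test-Path -LiteralPath $Path)) { $Path = Split-Path -Path $Path -Parent }
    return $Path
}
$results = foreach ($f in $FolderChecks.GetEnumerator()) {
    [pscustomobject]@{ Target = $f.Key; Required = $f.Value
                       Granted = Test-DirectRight $f.Key $Account $f.Value 'FileSystemRights' }
}
$results += foreach ($key in $RegistryChecks) {
    $parent = Resolve-ExistingKey $key
    [pscustomobject]@{ Target = $parent; Required = 'CreateSubKey'
                       Granted = Test-DirectRight $parent $Account 'CreateSubKey' 'RegistryRights' }
}
# Least-privilege check from the article's opening: the account must not be a local Administrator.
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $Account)
$results | Format-Table -AutoSize
"Service account is a local Administrator: $isAdmin"
```

A `Granted` value of False for a folder or key means the right is not granted to the account by name; if it is inherited through a group, verify that group's membership before treating it as a gap.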