Introduction

The System Account Requirements topic in the K2 blackpearl Getting Started guide recommends the K2 Service account be granted "Local Administrator" rights on the server where K2 blackpearl is installed. These rights are necessary for a K2 blackpearl installation to function and are detailed in this KB article. These rights can be individually granted to a non-Administrator account when a security policy requires stricter security on application service accounts.

Runtime Rights Required by the K2 Accounts

The K2 Service and Workspace accounts require access and rights to the following folders and registry keys:

| Folder or Registry Key | Account | Rights | Server |
|---|---|---|---|
| %SYSTEMROOT%\temp | K2 Service | Full Control | K2/MOSS |
| %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12 | K2 Service | Write Access | MOSS |
| %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA | K2 Service | Full Control | K2/MOSS |
| HKEY_LOCAL_MACHINE\SOFTWARE\SourceCode\Logging | K2 Service | Full Control | K2/MOSS |
| %SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\CONFIG | K2 Service | Modify | K2/MOSS |
| %PROGRAMFILES%\K2 blackpearl\Host Server\Bin | K2 Service | Modify | K2 |
| %SYSTEMROOT%\Temp | K2 Workspace (Web Application Pool) Account | Modify | K2/MOSS |

Granting these rights to the appropriate accounts will allow companies with strict security policies to avoid granting the K2 Service and Workspace accounts full administrative rights to the server.

If installing in a distributed environment, security rights on these folders and the registry key will depend on which components are installed on the server. The only folder listed above that is not directly related to the K2 blackpearl Server or Workspace components is the "%COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12" folder, which is present only if SharePoint (WSS v3 or MOSS 2007) is installed. If SharePoint is installed on a different server, the K2 Service account still requires rights to the folder on that server.
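The table above can be checked with a short audit script, run from an elevated PowerShell session on each server. This is an added example, not part of the original article or K2 tooling; the two account names are placeholders. It counts only Allow ACEs that name the account directly (rights inherited through group membership and Deny ACEs are not evaluated) and skips paths that do not exist on the server being checked.

```powershell
# Added example (not K2 tooling). Account names are placeholders: replace them.
$K2Service   = 'CONTOSO\svc-k2'      # assumed K2 Service account
$K2Workspace = 'CONTOSO\svc-k2web'   # assumed Workspace application pool account

$fs  = [System.Security.AccessControl.FileSystemRights]
$reg = [System.Security.AccessControl.RegistryRights]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Path, account and minimum right, transcribed from the table above.
$required = @(
    @{ Path = "$env:SystemRoot\Temp"; Account = $K2Service; Right = $fs::FullControl }
    @{ Path = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12"; Account = $K2Service; Right = $fs::Write }
    @{ Path = "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA"; Account = $K2Service; Right = $fs::FullControl }
    @{ Path = 'HKLM:\SOFTWARE\SourceCode\Logging'; Account = $K2Service; Right = $reg::FullControl }
    @{ Path = "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727\CONFIG"; Account = $K2Service; Right = $fs::Modify }
    @{ Path = "$env:ProgramFiles\K2 blackpearl\Host Server\Bin"; Account = $K2Service; Right = $fs::Modify }
    @{ Path = "$env:SystemRoot\Temp"; Account = $K2Workspace; Right = $fs::Modify }
)

function Test-RequiredRight {
    param([string]$Path, [string]$Account, [int]$Right)
    # Components differ per server in a distributed install, so absent paths are skipped.
    if (-not (Test-Path -LiteralPath $Path)) { return 'SKIPPED (not present)' }
    $granted = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $applies = $ace.AccessControlType -eq 'Allow' -and
                   $ace.IdentityReference.Value -ieq $Account -and
                   -not $ace.PropagationFlags.HasFlag($inheritOnly)
        if ($applies) {
            # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
            $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $ace.RegistryRights } else { $ace.FileSystemRights }
            $granted = $granted -bor [int]$rights
        }
    }
    # Every bit of the required right must be covered by the combined Allow ACEs.
    if (($granted -band $Right) -eq $Right) { 'OK' } else { 'MISSING' }
}

$required | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Account
        Needs   = $_.Right
        Path    = $_.Path
        Result  = Test-RequiredRight -Path $_.Path -Account $_.Account -Right $_.Right
    }
} | Format-Table -AutoSize -Wrap
```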

Note: Users deploying K2 Web Designer workflows to SharePoint need 'Contributor' rights on the SharePoint site collection. The MOSS/WSS Web Application Pool account requires Write access to %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12\Layouts\Features and %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12\ISAPI and must be a local administrator on the server in order to log K2 blackpearl Server errors to the event log.

Installation Rights

The account under which K2 blackpearl is installed must be a member of the local administrators group. This allows the "eventbus" and "eventbus error" message queues to be created as well as the event log source "K2 BlackPearl Server."

The account under which K2 blackpearl is installed also creates the following Performance Counter registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\K2 [blackpearl] Server
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\K2 Server


Once these registry keys are present, the K2 service account will be able to write values to these performance counters without administrative privileges because the K2HostServer.exe application is a trusted application.

Other modifications during installation include the installation of program files, entries in configuration files, such as machine.config, and the creation of the K2 databases. These actions require administrator privileges.

For more information about installing K2 blackpearl, including setting up Kerberos and MSDTC for distributed environments, see the Getting Started guide available on the K2 Customer and Partner portal.

If the K2 Server Service Account is not part of the Local Administration Group

When the K2 Server service account is not part of the Local Administration group, the performance counters for the K2 blackpearl Server must be disabled.
To disable the performance counters, follow the steps below:

  • Open the K2Server.setup file in a text editor. The default location for this file is "\program files\K2 Blackpearl\Host Server\Bin\K2server.setup"
  • Change the node's Enable attribute to "False". e.g.
  • Save and Close K2Server.setup
  • Restart the K2 blackpearl Server service


If the performance counters are not disabled and the user is not part of the local administrators group, the server will appear to have started successfully, but the Workflow server will not have started. When trying to connect to the WorkflowServer port (default: 5252), the connection will fail with the error "A connection could not be made because the target machine actively refused".

Rights Required by the WSS/MOSS Application Pool Account


The WSS or MOSS Web application pool account needs both db_DataReader and db_DataWriter rights on the WebWorkflow SQL database that is used for the K2 Web Designer in SharePoint sites. The Execute right is also needed for stored procedures in this database. Without this access, the K2 Web Designer will not function.

Steps to Verify a K2 blackpearl Installation

After granting these rights, test the installation to ensure the K2 Service account is configured correctly. The following checklist should be used as a starting point for testing the installation. It refers to the K2 blackpearl Getting Started documentation provided with K2 blackpearl; all installation, configuration and post-installation steps must be completed before attempting to follow this checklist.

K2 blackpearl Server

  • Check that the K2 blackpearl Server service is running
  • Open Control Panel > Administrative Tools > Services
  • Find K2 blackpearl Server and double click it
  • On the General tab, verify that the service Startup type is set to "Automatic" and that the service is started
  • From the Log On tab verify that Log on as is set to "This account" and that the configured account is your K2 Service account
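
The same service checks can be scripted. This is an added example, not part of the original article or K2 tooling: the account name is a placeholder, while the service display name and default port 5252 are taken from this page. It also probes the WorkflowServer port, because the service can report as started while the Workflow server inside it has not started.

```powershell
# Added example (not K2 tooling). The account name is a placeholder: replace it.
$ExpectedAccount = 'CONTOSO\svc-k2'   # assumed K2 Service account
$WorkflowPort    = 5252               # default WorkflowServer port named on this page

function Test-K2Service {
    param([string]$Account, [int]$Port)
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName = 'K2 blackpearl Server'"
    if (-not $svc) { throw 'K2 blackpearl Server service not found on this machine.' }

    # Probe the Workflow server port: a refused connection while the service
    # reports Running is the failure mode this article describes.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('localhost', $Port); $portOpen = $true }
    catch   { $portOpen = $false }
    finally { $client.Close() }

    [pscustomobject]@{
        StartupAutomatic = $svc.StartMode -eq 'Auto'
        Running          = $svc.State -eq 'Running'
        LogOnAs          = $svc.StartName
        # StartName may be stored as DOMAIN\user or user@domain; compare in the form you configured.
        LogOnAsExpected  = $svc.StartName -ieq $Account
        WorkflowPortOpen = $portOpen
    }
}

$result = Test-K2Service -Account $ExpectedAccount -Port $WorkflowPort
$result | Format-List

if ($result.Running -and -not $result.WorkflowPortOpen) {
    Write-Warning ("Service is running but port $WorkflowPort refuses connections. " +
        "If the service account is not a local administrator, check that the " +
        "performance counters are disabled in K2Server.setup.")
}
```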


K2 blackpearl Workspace

  • Open the K2 blackpearl Workspace
  • Verify that you can see the K2 Worklist
  • From the left-hand bar, select Activity Statistics to run the Activity Statistics Report. Please note that the first time you access reports, it will take some time to load all the relevant Web services. This is normal operation and subsequent accesses will be faster
  • Next access the Management Console by hovering the mouse cursor over the Management item in the top left hand corner of the screen. When the submenu appears, click Management Console
  • Once the Management Console has loaded, expand the first level of each node
  • Under the Workflow Server node, click Server Rights to verify assigned permissions
  • Close the K2 blackpearl Workspace


Report Designer

  • Using the examples provided in the K2 blackpearl Documentation, build a custom report using the web based K2 Report Designer
  • Run the previously created custom report


K2 for SharePoint

Before you begin:
Ensure that you have completed all installation and configuration tasks associated with SharePoint. Further details can be found in the K2 blackpearl Getting Started documentation. There are post-installation tasks which must be completed.

For each Web Application where K2 components have been activated:

  • If the K2 Worklist Web Part for SharePoint has been placed on any pages, verify that this is active and connecting to the K2 blackpearl Server. It will display an error if it is unable to connect
  • If the K2 Workflow Integration has been activated for the site, open any document library then click on the Settings submenu and click K2 Web Designer
    • Using the walkthrough available in the K2 blackpearl Tutorials documentation, create a test process using the K2 Web Designer to verify its functionality
    • Test the workflow by starting an instance
  • Complete the following steps once K2 for Visual Studio verification has been completed:
    • Using the SmartObject created in the K2 for Visual Studio verification, follow the example in the K2 blackpearl Tutorials documentation to build a BDC Application using the newly-created SmartObject as the data source


K2 for Visio

Build and Deploy:

  • Using the examples provided in the K2 blackpearl Tutorials documentation, build a new workflow process and export this to the K2 blackpearl Server
  • Use the K2 Management Console to assign permissions to start the workflow
  • Test the workflow by starting an instance


K2 for Visual Studio

Build and Deploy:

  • Using the examples provided in the K2 blackpearl Tutorials documentation, build a new SmartObject and workflow process and deploy them to the K2 blackpearl Server
  • Use the K2 Management Console to assign permissions to start the workflow
  • Test the workflow by starting an instance