K2 Pass-Through Authentication - Overview

Kerberos is and will remain the recommended and preferred technology for handling distributed user security for the K2 platform. However, for many customers, the configuration and use of Kerberos is not a reasonable expectation. This may be for a number of reasons, such as the following:
  • Lack of internal skill, often the case in small or specialized companies.
  • Limited access to skill, perhaps due to infrastructure outsourcing agreements.
  • No access to Active Directory to make the required changes (such as in a Proof of Concept/Demo).
  • Time constraints for delivery, making infrastructure configuration delays severely problematic.
  • Basic business requirements (such as a simple internal document approval) that just don’t warrant time and expenditure on advanced security configuration.

To address this need K2 has implemented a technology to allow Kerberos dependencies to be removed but for the K2 platform to still act in a secure manner. This is configurable, meaning that customers are able to choose their own acceptable level of security, including limiting K2 user authentication to Kerberos, which would represent no change in this area.


This technology is called K2 Pass-Through Authentication and provides alternative technology whenever Kerberos fails, for example when an anonymous connection is made to the K2 server instead of the real end-user, which is a common symptom of a Kerberos failure. If the delegation has succeeded and the correct end-user has connected to K2, such as if Kerberos is running correctly or a connection was made through NTLM (with no delegation), then there is no need to use pass-through authentication. In this case the K2 server functions exactly as it did before in terms of authentication, as the pass-through authentication is not necessary.


Following a new installation, by default K2 Pass-Through Authentication works as-is across multiple application layers and immediately helps to resolve Kerberos-based issues, if Kerberos configuration is desired or attempted. This is a key benefit of this technology, ensuring customers can get the benefits of K2 without troubleshooting complex infrastructure issues that require multiple experts. Following an upgrade installation, K2 Pass-Through Authentication must be specifically turned on. This allows customers who have an already-configured environment to be confident that their K2 security is handled after upgrade just as it did before.

Important: For Upgrade Installations K2 will continue to function as it did prior to the K2 4.5 (4.10060.1.1290) KB001290 update when Kerberos is left as the default option in the Setup Manager. You may, however, choose to change the Kerberos option to Windows, effectively turning on K2 Pass-Through Authentication. For New Installations the Windows option is automatically enabled for K2 Pass-Through Authentication unless you perform a custom installation and switch the setting to Kerberos.


In summary, this feature provides an additional option over and above Kerberos and removes a common pain point for installing and configuring K2, particularly in a distributed environment. Enterprise clients need not be concerned that it replaces or removes Kerberos functionality from K2; it just allows K2 to work when Kerberos is problematic and customers are not able to resolve Kerberos-related issues immediately.

For an in-depth discussion of K2 Pass-Through Authentication, see the accompanying whitepaper for this article. You will learn how K2 Pass-Through Authentication works, what messages are logged related to it, and a scenario overview of how it will help in a real-world example involving InfoPath, K2 and SharePoint.

Installation Prerequisites

K2 Pass-Through Authentication is available as part of the K2 blackpearl with Update KB001290.

K2 Pass-Through Authentication is also available for K2 blackpoint with KB001290, but scenarios outlined in the attached whitepaper are beyond the scope of K2 blackpoint features.

Important: The use of the K2.NET 2003 ROM API is not supported with K2 Pass - Through Authentication