Introduction

The latest How To topics are available in the K2 Five User Guide or the K2 Cloud User Guide’s How to section.

K2 smartforms Runtime can be set up on a separate workgroup server in a DMZ for SQLUM users while the K2 environment is using Active Directory authentication. This article describes how to configure K2 smartforms Runtime for Forms Authentication on a non-domain environment.

Assumptions

The following is assumed when working with this scenario:

  • A working K2 blackpearl environment is configured.
  • SQLUM is configured.
  • The machine is in workgroup mode. If it is in domain mode, the setup pages you see here are different.

Implementation Details

Follow the steps below to implement the scenario as described above.

  1. Install K2 blackpearl.
  2. The following message is displayed. Click OK.
    Image

    This message does not display in K2 4.7 and later.
  3. Continue with the Setup Manager until you reach the User Manager Settings screen. Select the SQL User Manager.
    Image
  4. Install the K2 blackpearl server, K2 Workspace and K2 Core components.
    Image
  5. Complete the Setup Manager.
  6. Set up the Application Pool Account by opening the Server Manager.
  7. Navigate to Configuration > Local Users and Groups > Users. Right click and select Add New User.
  8. Provide details for the Application Pool Account and click Create.
    Image

    Image
  9. Grant the account the IIS (Internet Information Services) permissions it needs to run as an Application Pool identity by running the command aspnet_regiis.exe -ga k2ws.
    Image
  10. Perform all other configuration required to have a successful working K2 blackpearl environment.
  11. Install K2 smartforms. The following message is displayed. Click OK:
    Image

    This message does not display in K2 4.7 and later.
  12. Continue with the Setup Manager until you reach the Select Components screen. Select the SmartForms Runtime component.
    Image
  13. Provide the SQL Server details on the K2 Server Database page.
    Image
  14. Continue with the Setup Manager until you reach the SmartForms Runtime Site – Application Pool screen. Select the option Update or create a new Application Pool and provide the details as previously configured.
    Image
  15. Complete the Setup Manager.
  16. Make a backup of the web.config file in the K2 smartforms Runtime folder:
    Image
  17. Edit the web.config file and set the default security label to K2SQL in the node shown below. This lets users type only their user ID, without the security label prefix.
    Image
  18. Configure K2SQL to be the only security label in the node as shown below:
    Image
  19. Test the configuration by opening a Form.
    Image

Known Issue - Authentication With Server Failed: The logon attempt failed

When trying to access an external facing Smartforms Runtime site hosted on a DMZ server which is not part of a domain, an Authentication With Server Failed: The logon attempt failed error occurs:

Image

This error occurs when the Claims Authentication model is used on the DMZ server. When the SmartForms Runtime site hosted on the non-domain DMZ server tries to authenticate, the error occurs because the workgroup identity from the DMZ server is not known to the AD-based K2 server on the internal network.

Workaround for this issue

To resolve the above issue, you can use Anonymous Authentication on the SmartForms Runtime site hosted on the DMZ server. If Anonymous Authentication cannot be used, Forms Authentication must be applied; this is the recommended approach for this workaround with K2 4.6.7 and later (the version in which claims authentication was introduced). Follow these steps to enable Forms Authentication:

  1. Open the Web.config file of the SmartForms Runtime site hosted on the DMZ. The Web.config file can be found in the following path: [Local Disk]\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime\Web.config.
  2. Comment out the following three sections in the Web.config:

    <!--
      <configSections>
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </configSections>
      <system.identityModel>
        <identityConfiguration saveBootstrapContext="false">
          <issuerNameRegistry type="SourceCode.Security.Claims.Web.IssuerNameRegistry, SourceCode.Security.Claims.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" />
          <certificateValidation certificateValidationMode="None" />
          <securityTokenHandlers>
            <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <add type="SourceCode.Security.Claims.Web.WIFExtensions.Saml2SecurityTokenHandler, SourceCode.Security.Claims.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16A2C5AAAA1B130D" />
            <remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <add type="SourceCode.Security.Claims.Web.WIFExtensions.SamlSecurityTokenHandler, SourceCode.Security.Claims.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16A2C5AAAA1B130D" />
            <remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </securityTokenHandlers>
        </identityConfiguration>
      </system.identityModel>
      <system.identityModel.services>
        <federationConfiguration>
          <cookieHandler requireSsl="false" path="/" />
          <wsFederation passiveRedirectEnabled="false" issuer="http://none" realm="http://extranet.yourdomain.com/Runtime" requireHttps="false" />
        </federationConfiguration>
      </system.identityModel.services>
    -->

    <!--<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />-->

    <!--<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />-->
  3. Edit the loginUrl attribute of the following forms tag to remove the _trust/ prefix. Change the following from:

<forms defaultUrl="Default.aspx" loginUrl="_trust/Login.aspx" requireSSL="false" enableCrossAppRedirects="true" cookieless="AutoDetect" timeout="9000" />

to the following:

<forms defaultUrl="Default.aspx" loginUrl="Login.aspx" requireSSL="false" enableCrossAppRedirects="true" cookieless="AutoDetect" timeout="9000" />


Important: If the K2 software on the DMZ server is updated, these changes are overwritten. Reapply the changes described above after every update.
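Because an update overwrites the file, the workaround is easiest to keep as a repeatable script. The following PowerShell script is an added example, not part of the original article or the K2 product: it backs up Web.config (step 16 above), comments out the WIF sections and modules from step 2, and rewrites the loginUrl from step 3. It assumes the default install path from the article on drive C:, that the two module entries live under system.webServer/modules, and that only the two WIF section entries (not the whole configSections element, which also registers K2's own sections) should be commented out.

```powershell
# Added example (not from the K2 article): re-applies the Forms Authentication
# workaround to the SmartForms Runtime Web.config after a K2 update.
# Assumption: default install path from the article, on drive C:.
param(
    [string]$WebConfig = 'C:\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime\Web.config'
)

$ErrorActionPreference = 'Stop'

# Step 16 of the article: keep a dated backup before touching the file.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $WebConfig -Destination "${WebConfig}.${stamp}.bak"

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfig)

# Elements the article comments out. Assumption: only the two WIF <section>
# entries are targeted, not the whole <configSections>, which also registers
# K2's own configuration sections.
$xpaths = @(
    "/configuration/configSections/section[@name='system.identityModel' or @name='system.identityModel.services']",
    "/configuration/system.identityModel",
    "/configuration/system.identityModel.services",
    "/configuration/system.webServer/modules/add[@name='WSFederationAuthenticationModule' or @name='SessionAuthenticationModule']"
)

foreach ($xpath in $xpaths) {
    # Nodes that are already inside a comment are not matched by XPath,
    # so re-running the script after a second update is safe.
    foreach ($node in @($xml.SelectNodes($xpath))) {
        # An XML comment may not contain "--"; refuse rather than corrupt the file.
        if ($node.OuterXml -like '*--*') { throw "Cannot comment out node with '--': $xpath" }
        $comment = $xml.CreateComment($node.OuterXml)
        [void]$node.ParentNode.ReplaceChild($comment, $node)
        Write-Host "Commented out: $xpath"
    }
}

# Step 3 of the workaround: drop the _trust/ prefix from the forms loginUrl.
$forms = $xml.SelectSingleNode('/configuration/system.web/authentication/forms')
if ($null -eq $forms) { throw 'No <forms> element found under system.web/authentication.' }
if ($forms.GetAttribute('loginUrl') -like '_trust/*') {
    $forms.SetAttribute('loginUrl', ($forms.GetAttribute('loginUrl') -replace '^_trust/', ''))
    Write-Host "loginUrl is now $($forms.GetAttribute('loginUrl'))"
}

$xml.Save($WebConfig)
```

Run it from an elevated PowerShell prompt on the DMZ server after each K2 update; the article's requireSSL="false" values are left untouched, so review them separately for an internet-facing site.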