< class="prominent-subhead ">

Delegation settings to enable K2 Windows Token Service to impersonate using Kerberos

This article has been archived, and/or refers to legacy products, components or features. The content in this article is offered "as is" and will no longer be updated. Archived content is provided for reference purposes only. This content does not infer that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.


The K2 Windows Token Service (introduced in K2 blackpearl 4.6.8) is used to convert claims tokens to Windows tokens for off-box authentication and impersonation that requires a Windows token, such as SQL Server. The K2 Windows Token Service is installed on the servers where the K2 Designer, K2 smartforms Runtime and K2 View Flow components are installed, and runs under the local system account. If you use Kerberos in your environment, a domain administrator must configure constrained delegation for HTTP for both the server name as well as the FQDN for each of the following servers:

  • K2 smartforms runtime server
  • K2 Designer server
  • K2 Workspace server (this hosts the K2 View Flow component)
If constrained delegation already exists for these servers, add the constrained delegation settings required for the K2 Windows Token Service.

Detailed Information

When K2 components are distributed between different machines or hosts, SmartObject services may require a Windows token instead of a claims token to pass user credentials between the machine boundaries. If you have Kerberos configured in your environment, constrained delegation must be enabled to allow K2 to obtain the correct Windows impersonation token on behalf of users that were originally authenticated with a claims token. The constrained delegation configuration allows a service to obtain service tickets (under the delegated user's identity) to a restricted list of other services running on specific servers on the network. The K2 Windows Token Service is a Windows Identity Foundation (WIF) feature that extracts UPN claims from SAML tokens and generates Windows security tokens. This allows K2, as the relying party, to impersonate a claims user for access to a line of business system, such as SQL.

Configuration Analysis Check

The K2 Configuration Analysis tool detects the current delegation settings against the computer account when running in an Active Directory enabled environment, and reports these values or shortcomings. It concludes with the following warning.

If you have configured Kerberos in your environment, a domain administrator must configure constrained delegation in Active Directory. For more information see How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 (MSND)

Constrained Delegation Settings Example

The final Delegation Properties for the server can be configured in the following screen. This must be configured on each domain where the K2 Designer, K2 smartforms Runtime, or the K2 View Flow components are installed. Each server only needs to delegate HTTP service types TO ITSELF because the service is installed locally on that server.

Server Properties: Delegation