Introduction

If your K2 blackpearl environment is running a different version than your K2 for SharePoint app, you may encounter errors when trying to register the app on a SharePoint site. K2 always recommends that you upgrade to the latest released version to ensure that the K2 for SharePoint app released in the SharePoint store continues to work seamlessly with your on-premises K2 environment.

This article will describe some common error messages and how to resolve the issues.

  1. If you encounter an error when registering the app, such as "K2TSTS20002: An error occurred while processing an authorization response (invalid_redirect_uri)" your environments may be different versions. Follow the steps below to Synchronize Versions.
  2. If you encounter an error when accessing the app, such as "Access Denied" your environment needs to be updated to support Microsoft's common consent changes. Follow the steps below to Update Common Consent Scopes.

1. Synchronize Versions

Details

You may receive an error message when requesting an OAuth token while registering your K2 for SharePoint app, as shown below.

Image

In order to resolve this issue, you can perform the following steps:

  1. Upgrade your K2 blackpearl environment to K2 4.6.9. This version was released in February 2015 and includes several enhancements and fixes. Follow the steps in the Release Notes to upgrade your K2 environment first and then your K2 for SharePoint app. 
  2. If you cannot upgrade to K2 4.6.9, you will need to do some manual steps. These are outlined below.

Replacing the K2 for SharePoint App

The revised K2 for SharePoint Apps for K2 blackpearl 4.6.7 and 4.6.8 can be found on the right hand side of this article. These apps have the necessary authorization fixes to ensure that your K2 for SharePoint Apps keep working properly. Download the appropriate K2 for SharePoint App from this KB article that matches your K2 blackpearl server version. This can be found by looking at the Programs installed on your K2 blackpearl server. Extract the zip file, and then perform the following steps.

If the K2 for SharePoint App is already in the App Catalog:

  1. Replace the K2 for SharePoint App with the newly downloaded app from this KB article.
  2. Upgrade the app on all sites it was added to
  3. Run the Registration Wizard

If you installed the K2 for SharePoint App from the Microsoft SharePoint App Store:

  1. Add the newly downloaded app from this KB article to the App Catalog
  2. Remove the old K2 for SharePoint app from all sites it was added to
  3. Add the app to each SharePoint site
  4. Run the Registration Wizard

2. Update Common Consent Scopes

Details

You may receive an "Access Denied" error when accessing the K2 for SharePoint app. 

Resolving the Common Consent Scope Issue

In order to resolve this issue, please perform the following steps:

  1. Run the following SQL Script against your K2 database. You will need to replace the <K2_Service_Username> placeholder in the script with the K2 Service Account used in your environment:
    DECLARE @ResourceID UNIQUEIDENTIFIER;
    DECLARE @PrimaryCredentialID UNIQUEIDENTIFIER;

    SELECT @ResourceID = [ResourceID] FROM [Authorization].[OAuthResource]WHERE [ResourceType] = N'Microsoft Online'
    SELECT @PrimaryCredentialID = [CredentialID] FROM [HostServer].[SecurityCredentialCache] WHERE [UserName] = N'<K2_Service_Username>'

    DELETE FROM [Authorization].[OAuthIdentity] WHERE [ResourceID] = @ResourceID AND [PrimaryCredentialID] = @PrimaryCredentialID
  2. Log in to SharePoint Online as a Tenant Administrator
  3. Re-run the K2 Registration wizard once per tenant where K2 has been installed.
  4. You will be prompted to provide consent for K2 for Office 365. The consent prompt should contain the new scope for Managed Metadata, as shown below.

Image

Frequently Asked Questions

Q: Will my applications keep working if I do not update the app prior to the changes to trust.k2.com?
A: No, you will encounter the error if you do not upgrade the K2 for SharePoint app as soon as you need a new OAuth token.

Q: Does this only apply if I want to register the K2 for SharePoint app on a new SharePoint site?
A: No, you will need to update your app for all SharePoint sites prior to the changes to trust.k2.com.

Q: Will any of my deployed artifacts be affected by the app upgrade?
A: No, the artifacts are not affected at all. The ability to access the artifacts will fail once the changes to trust.k2.com are made and you require a new OAuth token from AAD.

Q: Will any of my deployed artifacts be affected if I have to remove the old app and then install the new app?
A: No, all artifacts will be intact.

Q: Will any of my running instances be affected by the changes in the trust.k2.com site? Will they go into an error state when the changes are made and I am still running the old version of the K2 for SharePoint app?
A: Yes, as soon as the new OAuth token is requested the instance will fail if you have not upgraded prior to the change.

Q: What SharePoint permissions are required in order to update the K2 for SharePoint app?
A: The user running the registration wizard for the updated K2 for SharePoint app must be a Global Administrator in order for the relying parties to be set up correctly. Global Administrator rights are required the first time only, and as soon as the relying parties have been added any normal user can run the registration wizard.