Issue Description

When using an Active Directory group in a SharePoint Group, where the Active Directory group DisplayName does not match the sAMAccountName, the group will not resolve and will display as disabled in the Identity Service.

Cause

The Active Directory user manager binds to users and groups only by their sAMAccountName values and does not take DisplayNames into account. As a result, the accounts are not found and are disabled in the Identity Service.

Fix Description

The SharePoint Active Directory implementation now uses the supplied SharePoint Group SID values to determine the Domain and sAMAccountName of Groups which are members of SharePoint Groups.

To enable or disable the Active Directory Group SID lookup feature, run the following SQL query in the K2 database:

  • Add a new XML attribute (True or False)

    UPDATE [HostServer].[GroupProvider]
    SET    [Init].modify('insert attribute translateDomainName {("false")} into (/init/server)[1]')
    WHERE  [Init].exist('(/init/server[@isOnline="false"])') = 1

  • Modify an existing XML attribute (True or False)

    UPDATE [HostServer].[GroupProvider]
    SET    [Init].modify('replace value of (/init/server/@translateDomainName)[1] with "false"')
    WHERE  [Init].exist('(/init/server[@isOnline="false"])') = 1
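
The two queries above combined into one script, as an added example that is not part of the original K2 article: it reports the current translateDomainName value, then applies the replace or the insert depending on whether the attribute already exists. The variable name @value is an assumption, and the script assumes a single /init/server element per row, as the original queries do.

```sql
-- Added example. Table, column and XPath expressions come from the queries above.
-- @value is an assumed variable name: set it to N'true' or N'false'.
DECLARE @value nvarchar(5) = N'false';

BEGIN TRANSACTION;

-- State before the change (NULL means the attribute is not present yet).
SELECT [Init].value('(/init/server/@translateDomainName)[1]', 'nvarchar(5)') AS ValueBefore
FROM   [HostServer].[GroupProvider]
WHERE  [Init].exist('(/init/server[@isOnline="false"])') = 1;

-- Attribute already present: replace its value.
UPDATE [HostServer].[GroupProvider]
SET    [Init].modify('replace value of (/init/server/@translateDomainName)[1]
                      with sql:variable("@value")')
WHERE  [Init].exist('(/init/server[@isOnline="false"])') = 1
  AND  [Init].exist('(/init/server/@translateDomainName)[1]') = 1;

-- Attribute absent: insert it. Rows updated above no longer match this filter.
UPDATE [HostServer].[GroupProvider]
SET    [Init].modify('insert attribute translateDomainName {sql:variable("@value")}
                      into (/init/server)[1]')
WHERE  [Init].exist('(/init/server[@isOnline="false"])') = 1
  AND  [Init].exist('(/init/server/@translateDomainName)[1]') = 0;

-- State after the change; every returned row should now show @value.
SELECT [Init].value('(/init/server/@translateDomainName)[1]', 'nvarchar(5)') AS ValueAfter
FROM   [HostServer].[GroupProvider]
WHERE  [Init].exist('(/init/server[@isOnline="false"])') = 1;

-- Replace COMMIT with ROLLBACK to discard the change if ValueAfter is unexpected.
COMMIT TRANSACTION;
```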

Resolution

  1. Ensure you have K2 4.7 installed.
  2. Download and install the K2 4.7 November 2017 Cumulative Update from the K2 Partner and Customer Portal.
  3. Get the K2 4.7 November 2017 Cumulative Update FP4 from Regional Support.
  4. Install the K2 4.7 November 2017 Cumulative Update FP4 to apply the fix.
  5. Execute the SQL queries from the Fix Description as required.