Updating to K2 4.7 causes the removal of the AppPoolAccount on K2TokenService.exe.config that breaks Kerberos
kbt136672
PRODUCTIssue
Error appears when running any view/form after upgrading to 4.7:
The current Service Instance 'Service InstanceName' enforces impersonation, which caused the current request to fail as only Pass-Through Authentication credentials were available for 'DomainUsername'.
Either cache some credentials for 'DomainUsername' or configure Kerberos. If impersonation doesn't need to be enforced and the K2 Service Account is suitable, disable the Enforce Impersonation option for this Service Instance.
Symptoms
This error appeared when upgrading to K2 4.7 using the update installer.
Before the upgrade, the AppPoolAccount is visible in this section of code:
</clear>
<add value="[Domain][AppPoolAccount]" />
</allowedCallers>
After running the K2 4.7 update installer, the AppPoolAccount was removed:
<allowedCallers>
</clear>
</allowedCallers>
Resolution
This was identified as an existing bug on the K2 Product when upgrading to 4.7.
The workaround on the bug is to add the SmartForms App Pool Account to the section in the C:Program Files (x86)K2 blackpearlToken ServiceBinK2TokenService.exe.config file as follows:
1. Add AppPoolAccount user value to: K2TokenService.exe.config below the clear
2. Restart the K2 Claims To Windows Token Service, under Windows Services.
3. Clear web browser cache. Make sure the option for “Preserve Favorites website data” is unchecked if using IE.
</clear>
<add value="[Domain][AppPoolAccount]" />
</allowedCallers>