This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice This article is not considered official documentation for K2 software and is provided “as is” with no warranties.

Issue

Error appears when running any view/form after upgrading to 4.7:

The current Service Instance 'Service InstanceName' enforces impersonation, which caused the current request to fail as only Pass-Through Authentication credentials were available for 'Domain\Username'.

Either cache some credentials for 'Domain\Username' or configure Kerberos. If impersonation doesn't need to be enforced and the K2 Service Account is suitable, disable the Enforce Impersonation option for this Service Instance.

Symptoms

This error appeared when upgrading to K2 4.7 using the update installer.

Before the upgrade, the AppPoolAccount is visible in this section of code:

<allowedCallers>
</clear>
<add value="[Domain]\[AppPoolAccount]" />
</allowedCallers>

 After running the K2 4.7 update installer, the AppPoolAccount was removed:

<allowedCallers>

</clear>
</allowedCallers>

Resolution

This was identified as an existing bug on the K2 Product when upgrading to 4.7.

The workaround on the bug is to add the SmartForms App Pool Account to the section in the C:\Program Files (x86)\K2 blackpearl\Token Service\Bin\K2TokenService.exe.config file as follows:

<allowedCallers>
</clear>
<add value="[Domain]\[AppPoolAccount]" />
</allowedCallers>