This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice This article is not considered official documentation for K2 software and is provided “as is” with no warranties.

Issue

K2 Mobile App users are able to log in but the worklist is empty (other UIs, such as K2 Workspace, display tasks when accessed by the same users).

Symptoms

K2 4.7 (4.7 Nov CU FP12) iOS K2 Mobile App - users are able to log in but the worklist is empty (other UI display tasks when accessed by the same user).

Troubleshooting Steps

In this scenario the following steps should be completed (in the order specified below):

(1) Ask affected user to try the following workaround: Log off from the K2 Mobile app and login using his K2 FQN (i.e. K2:DOMAIN\USER) - and see if it resolves this issue. If it won’t, the user should also try using a DOMAIN\USER format of login.

Why is this necessary? This is because tasks are assigned to FQNs.  When signing in into the K2 Mobile app the user can type in his full FQN, domain name or email. The K2Api site can either use AAD, Basic or Windows authentication.

For AAD this type of issue should not happen, but it can happen for on premises scenarios. Generally there are less configuration issues when IIS is set to anonymous only (see point (2) below). If the user signs in with his FQN (K2:DOMAIN\USER) or full domain name (DOMAIN\USER) then it should work. If the user signs in with an email, then the back-end does the following:

1. It takes the user@domain.com string and deletes the part after the @ sign, so only the "user" part is left.

2. It then takes "user" and adds the default server domain, so we get "DOMAIN\USER".

3. Next it adds the security label specified in web.config of K2Api to the "DOMAIN\USER" value, if it not specified there, it adds the server default, so we get "K2:DOMAIN\USER". In general a change in the email domain should not cause an issue for users, unless the server default domain does not match the FQN domain. If the user only specifies a basic username (USER) then the server default domain is added and the label is also added as explained above. Given the default domain DOMAIN and label K2 then the calculated FQN will be K2:DOMAIN\USER.

(2) If option (1) does not help, check the IIS settings on the K2 server and set the K2Api sub-site to anonymous authentication only - this will eliminate Windows authentication from the equation and allow you to make sure that you do not run into the Kerberos double hop issue. Once you made this change ask the user to test the K2 Mobile app using different login options just in case (user@domain.com, K2:Domain\user, Domain\user). If it will work after these changes, then also make sure  that the user does not get another error after refreshing the tasklist a couple of times. (Error bar at the top of Inbox).

Generally there are less configuration issues when IIS is set to anonymous only. If Windows authentication is enabled then IIS will hijack the authentication and use it’s own process. An identity will be set on the thread and this identity will be passed to HostServer. HostServer will perform FQN resolution. In this scenario the K2Api must be configured for integrated authentication (and it is by default). Double hopping could also be an issue here and it does cause empty task lists.