This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice This article is not considered official documentation for K2 software and is provided “as is” with no warranties.

Issue

When attempting to search for Azure AD users in K2, the following error is shown:


The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Image

Image

Symptoms

  • The search is performed on K2 Management, K2 Workspace, or forms/views that have implemented user search functionality.
  • Performing the search using the URM Service's UMUser SmartObject also produces the same error.
  • AD user search is not affected, only for Azure AD users.
  • If Runtime, Designer, or ViewFlow has been configured to login using Azure AD authentication, if you try to open them on the K2 Server itself, your browser will show a certificate error screen.

Troubleshooting Steps

A clue to resolving this issue is the certificate error page you see on your browser when you try to access your K2 application (Runtime, Designer or ViewFlow) using Azure AD authentication. When you attempt to perform a search for Azure AD users in K2, in the background, K2 will also need to go through the same authentication.

The Azure AD authentication works by redirecting users to https://login.microsoftonline.com. If you are getting a certificate error on your browser when it attempts to redirect to https://login.microsoftonline.com, it means your K2 server is not trusting the certificate from login.microsoftonline.com.

If you can view the certificate from login.microsoftonline.com, you should be able to view details about the certificate, such as the Certification Path. From the Certification Path, you can tell if the Intermediate CA is trusted. Below is an example of a Certification Path where everything is trusted and working:

Image

If the Intermediate CA is not trusted, the actual certificate will not be trusted as well, and you will not be able to get to login.micorosftonline.com.

The only way to resolve this is to work with your Security team or Administrator to trust the Intermediate CA shown in the Certification Path.