First verify that the K2 trusted token issuer exists in SharePoint and that its signing certificate is registered
as a trusted root authority.
From the SharePoint Management Shell:
> Get-SPTrustedSecurityTokenIssuer

IsSelfIssuer                  : False
NameId                        :
RegisteredIssuerName          : 3308eaff-d056-4a32-9b1d-563f81bf06f9@5c89ac77-e67f-4752-8edc-9714ba9f45d0
IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description                   :
SigningCertificate            : [Subject]
                                  CN=K2 OAuth High Trust
                                [Issuer]
                                  CN=K2 OAuth High Trust
                                [Serial Number]
                                  2D2A5729B4CF59B54580733398273683
                                [Not Before]
                                  6/17/2014 7:14:51 PM
                                [Not After]
                                  6/18/2024 7:14:50 PM
                                [Thumbprint]
                                  B124FE9088510A4C200CE63E585BCD6921FE9FDE
AdditionalSigningCertificates : {}
MetadataEndPoint              :
IsAutomaticallyUpdated        : False
Name                          : K2 for SharePoint
TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedSecurityTokenService
DisplayName                   : K2 for SharePoint
Id                            : 68d9d740-d972-4d61-a01b-7e0cdce4da39
Status                        : Online
Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version                       : 426066
Properties                    : {}
Farm                          : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties   : {}
> Get-SPTrustedRootAuthority

Certificate                 : [Subject]
                                CN=K2 OAuth High Trust
                              [Issuer]
                                CN=K2 OAuth High Trust
                              [Serial Number]
                                2D2A5729B4CF59B54580733398273683
                              [Not Before]
                                6/17/2014 7:14:51 PM
                              [Not After]
                                6/18/2024 7:14:50 PM
                              [Thumbprint]
                                B124FE9088510A4C200CE63E585BCD6921FE9FDE
Name                        : K2 for SharePoint
TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName                 : K2 for SharePoint
Id                          : e2f48e4b-5bb7-4225-9e0b-6384d8751680
Status                      : Online
Parent                      : SPTrustedRootAuthorityManager
Version                     : 426063
Properties                  : {}
Farm                        : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
There should be a K2 for SharePoint trusted token issuer whose SigningCertificate is the K2 OAuth High Trust
certificate, and the same certificate must also be registered as a trusted root authority. The thumbprints on
these two entities must match exactly (B124FE9088510A4C200CE63E585BCD6921FE9FDE in the output above). Also
check that the current date falls inside the certificate's Not Before / Not After window: an expired certificate
still passes the thumbprint comparison.
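The same checks as a script, added here as an example (it is not part of the original article or of K2's own tooling). Run it in the SharePoint Management Shell on a farm server; it assumes both registrations are named "K2 for SharePoint" as in the output above, and it adds one check the text does not mention, that the realm part of RegisteredIssuerName (the part after the "@") matches the farm's authentication realm. It is also the check to re-run after the repair procedure below.

```powershell
# Added example, not from the original article or from K2. Assumes the
# SharePoint Management Shell (SharePoint snap-in loaded) and that both
# registrations are named "K2 for SharePoint"; change $RegistrationName
# if your farm uses a different name.
$RegistrationName = "K2 for SharePoint"

$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $RegistrationName }
$root   = Get-SPTrustedRootAuthority        | Where-Object { $_.Name -eq $RegistrationName }

$problems = @()

if (-not $issuer) { $problems += "No SPTrustedSecurityTokenIssuer named '$RegistrationName'." }
if (-not $root)   { $problems += "No SPTrustedRootAuthority named '$RegistrationName'." }

if ($issuer -and $root) {
    $issuerThumb = $issuer.SigningCertificate.Thumbprint
    $rootThumb   = $root.Certificate.Thumbprint

    "Token issuer signing cert : $issuerThumb"
    "Trusted root cert         : $rootThumb"
    "RegisteredIssuerName      : $($issuer.RegisteredIssuerName)"

    # The page's core check: both registrations must carry the same certificate.
    if ($issuerThumb -ne $rootThumb) {
        $problems += "Thumbprint mismatch between the token issuer and the trusted root authority."
    }

    # A matching but expired (or not-yet-valid) certificate is still a problem.
    $now = Get-Date
    foreach ($cert in @($issuer.SigningCertificate, $root.Certificate)) {
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Certificate $($cert.Thumbprint) is outside its validity period " +
                         "($($cert.NotBefore) to $($cert.NotAfter))."
        }
    }

    # Extra check (assumption, not stated on the page): RegisteredIssuerName is
    # <issuer id>@<realm>, and the realm must be the farm's authentication realm.
    $farmRealm   = Get-SPAuthenticationRealm
    $issuerRealm = ($issuer.RegisteredIssuerName -split '@')[-1]
    if ($issuerRealm -ne $farmRealm) {
        $problems += "Issuer realm '$issuerRealm' does not match the farm realm '$farmRealm'."
    }
}

if ($problems.Count -eq 0) {
    "OK: token issuer and trusted root authority are present, valid and use the same certificate."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If the script reports only the realm mismatch, the certificates themselves are consistent and the issuer registration, not the certificate, is what needs attention; any of the other warnings means the repair procedure below applies.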
If the registrations in SharePoint look correct, the K2 side may be using a different certificate. Because the
certificate is stored encrypted in the K2 database, it is not practical to check this by hand; a repair of the
K2 install regenerates the certificate and removes any inconsistency between K2 and SharePoint.
To repair the OAuth certificates:

First delete the token issuer and the trusted root authority from SharePoint (the parameter is -Identity; the
abbreviation -Id also works):

Remove-SPTrustedSecurityTokenIssuer -Identity "K2 for SharePoint"
Remove-SPTrustedRootAuthority -Identity "K2 for SharePoint"

Secondly, on the K2 side:
The certificate is stored in two places: the HostServer.Configuration table and the
Host Server\Bin\Oauth\Certificates folder on the file system. Both copies must be removed. Back up the K2
database before running the statements below; the deletions are not reversible.

1. Delete the K2_SIGN rows from the HostServer.Configuration table in SQL (the [[] escapes the literal
   bracket in the LIKE pattern):

   DELETE FROM [K2].[HostServer].[Configuration]
   WHERE VariableToken LIKE '[[]K2_SIGN%'

2. Delete the certificate files stored in the Host Server\Bin\Oauth\Certificates folder.

3. Truncate the app-only token table, so that you start from a clean state:

   TRUNCATE TABLE [K2].[Authorization].[OAuthAppOnlyToken]

4. Run a Repair on the K2 blackpearl install. The certificate is generated by the 4.6.7 installer, so after
   the repair the new certificate should be visible in the HostServer.Configuration table.

5. Run the SharePoint appdeployment.exe. This re-creates the SPTrustedRootAuthority and token issuer
   configuration in SharePoint, using the new certificate generated by K2.

At this point verify, as at the beginning of this document, that the token issuer and the trusted root
authority have been added and that their certificate thumbprints match. The registration wizard should then
run through correctly.

It may help, when running the registration wizard, to enable full debug logging on the K2 Host Server. Debug
messages are logged when the app-only token is issued, which may help with further investigation.
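The K2-side cleanup (steps 1 to 3 above) as a single script, added here as an example; it is not K2's own tooling and is not from the original article. It differs from the bare statements above in that it saves the rows and moves the certificate files aside before removing anything, and it runs both SQL statements in one transaction so a failure leaves the table untouched. Assumptions: the K2 database is named K2 and is reachable with integrated security on the server given in $SqlServer, the K2 install root in $K2Root is correct for this machine (the default path is an assumption), and the K2 Host Server service has been stopped first.

```powershell
# Added example, not from K2 or the original article. Run elevated on the K2
# server with the K2 Host Server service stopped. Paths and server names in
# the parameters are assumptions; adjust them for your environment.
param(
    [string]$SqlServer = ".",                                     # assumed: local default SQL instance
    [string]$Database  = "K2",                                    # database name used by the page's SQL
    [string]$K2Root    = "C:\Program Files (x86)\K2 blackpearl",  # assumed install root
    [string]$BackupDir = "C:\K2OAuthBackup"                       # where removed items are kept
)

$ErrorActionPreference = "Stop"
$certDir = Join-Path $K2Root "Host Server\Bin\Oauth\Certificates"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$conn = New-Object System.Data.SqlClient.SqlConnection `
    -ArgumentList "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    # Step 1 (before): save the K2_SIGN* rows so the deletion can be reviewed or restored.
    $select = $conn.CreateCommand()
    $select.CommandText = "SELECT * FROM [HostServer].[Configuration] WHERE VariableToken LIKE '[[]K2_SIGN%'"
    $table   = New-Object System.Data.DataTable
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter -ArgumentList $select
    $adapter.Fill($table) | Out-Null
    $table | Export-Csv -NoTypeInformation -Path (Join-Path $BackupDir "HostServer.Configuration.K2_SIGN.csv")
    "Backed up $($table.Rows.Count) K2_SIGN* row(s) to $BackupDir"

    # Steps 1 and 3: delete the rows and truncate the app-only token table in one transaction.
    # TRUNCATE TABLE is transactional in SQL Server, so a failure rolls both back.
    $tx = $conn.BeginTransaction()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.Transaction = $tx
        $cmd.CommandText = "DELETE FROM [HostServer].[Configuration] WHERE VariableToken LIKE '[[]K2_SIGN%'"
        $deleted = $cmd.ExecuteNonQuery()
        $cmd.CommandText = "TRUNCATE TABLE [Authorization].[OAuthAppOnlyToken]"
        $cmd.ExecuteNonQuery() | Out-Null
        $tx.Commit()
        "Deleted $deleted K2_SIGN* row(s) and truncated Authorization.OAuthAppOnlyToken"
    } catch {
        $tx.Rollback()
        throw
    }
}
finally {
    $conn.Close()
}

# Step 2: move (rather than delete) the certificate files out of the Host Server bin folder.
if (Test-Path $certDir) {
    Get-ChildItem -Path $certDir -File | ForEach-Object {
        Move-Item -Path $_.FullName -Destination (Join-Path $BackupDir $_.Name) -Force
        "Moved $($_.Name) to $BackupDir"
    }
} else {
    Write-Warning "Certificate folder not found: $certDir (check `$K2Root)"
}

"K2-side cleanup done; now run the K2 install Repair, then appdeployment.exe (steps 4 and 5)."
```

After the script completes, continue with steps 4 and 5 above; the CSV and the moved certificate files in $BackupDir are only there for review and can be deleted once the new certificate is confirmed in both K2 and SharePoint.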