HostServer 在升级到 K2 Blackpearl 4.6.11 后抛出异常
HostServer throwing exceptions after upgrade to K2 Blackpearl 4.6.11
我们刚刚在我们的环境中将 K2 从版本 4.6.6 升级到 4.6.11。
环境中有两台具有负载平衡器设置的 K2 服务器。
升级后,K2 工作流 API 中的一些函数抛出异常。
"Error","EnvironmentServer","15100","Generic","SourceCode.Workflow.Runtime.Management [OpenConnection [string[] names]]","15100 Error occurred, ERROR: Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","anonymous","0.0.0.0"
"Error","EnvironmentServer","15100","Generic","SourceCode.Workflow.Runtime.Management [SendArchiveX [string[] names]]","15100 Error occurred, ERROR: Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","anonymous","0.0.0.0"
"Error","EnvironmentServer","15101","Generic","SourceCode.Workflow.Runtime.Management [ReleaseWorklistItem [string[] names]]","15101 Error occurred, ERROR: Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","anonymous","0.0.0.0"
"Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Runtime.HostServerBroker.InternalMarshal","2025 Error Marshalling SourceCode.Workflow.Runtime.Management.WorkflowManagementHostServer.ReleaseWorklistItem, Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","","",
"Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Services.TCPClientSocket.InternalMarshal","2025 Error Marshalling SourceCode.Workflow.Runtime.Management.WorkflowManagementHostServer.ReleaseWorklistItem, Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. "
"Error","Communication","8060","ProcessPacketError","SourceCode.Hosting.Server.Services.TCPClientSocket.ProcessMessage","8060 ProcessPacket Error, Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. "
在 HostServer 日志中,我们可以看到 K2 服务器出于某种原因正在尝试联系 K2 负载平衡器。这看起来像是对 K2 4.6.6 的更改,在 K2 4.6.6 中它工作得很好并且没有调用负载均衡器。
我们还检查了 K2 配置,没有任何地方提到负载均衡器地址。
我们还在没有负载均衡器的环境中进行了升级,它在那里没有任何错误地工作。
为什么 K2 主机服务器尝试连接到 K2 4.6.11 中的负载均衡器,它从哪里获取地址?
在 K2 支持的帮助下解决了这个问题。 K2 建立连接的方式发生了变化,我们建立连接字符串的方式也需要改变。
This was introduced in 4.6.11 with the SSO changes (TFS 524432 - SSO Prompt for Credential cache). In 4.6.10, when you Authenticate a HostServer session with the following connection string:
Integrated=True;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=k2.denallix.com;Port=5555;UserID=Denallix\Administrator;Password=K2pass!;WindowsDomain=denallix;SecurityLabelName=K2
the connectionstring associated with the session is:
Integrated=True;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=dlx;Port=5555;UserID=DENALLIX\Administrator;Password=K2pass!;AuthData=Denallix;SecurityLabelName=K2
So the WindowsDomain key wasn't persisted pre SSO and instead it was
added as AuthData (pay attention to the end of sample connection
strings above).
When you open a connection from the WorkflowManagmentServer to the
WorkflowClient, there is a check to see if the connection has a
WindowsDomain, Username and Password. If it had all 3, it would try
and use those details to Auth a user, in 4.6.10 we didn't persist the
WindowsDomain, it would just do a normal integrated connection string
without the username and password.
Essentially with such configuration you are trying to authenticate
with the following credentials WindowsDomain + UserID which leads to
use of something like "Domain\Domain\User" for authentication and
authentication attempt will fail because of that.
我们刚刚在我们的环境中将 K2 从版本 4.6.6 升级到 4.6.11。 环境中有两台具有负载平衡器设置的 K2 服务器。 升级后,K2 工作流 API 中的一些函数抛出异常。
"Error","EnvironmentServer","15100","Generic","SourceCode.Workflow.Runtime.Management [OpenConnection [string[] names]]","15100 Error occurred, ERROR: Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","anonymous","0.0.0.0" "Error","EnvironmentServer","15100","Generic","SourceCode.Workflow.Runtime.Management [SendArchiveX [string[] names]]","15100 Error occurred, ERROR: Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","anonymous","0.0.0.0" "Error","EnvironmentServer","15101","Generic","SourceCode.Workflow.Runtime.Management [ReleaseWorklistItem [string[] names]]","15101 Error occurred, ERROR: Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","anonymous","0.0.0.0" "Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Runtime.HostServerBroker.InternalMarshal","2025 Error Marshalling SourceCode.Workflow.Runtime.Management.WorkflowManagementHostServer.ReleaseWorklistItem, Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ","","", "Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Services.TCPClientSocket.InternalMarshal","2025 Error Marshalling SourceCode.Workflow.Runtime.Management.WorkflowManagementHostServer.ReleaseWorklistItem, Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. " "Error","Communication","8060","ProcessPacketError","SourceCode.Hosting.Server.Services.TCPClientSocket.ProcessMessage","8060 ProcessPacket Error, Unable to connect to loadbal-k2-abc.com on port 5252. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. "
在 HostServer 日志中,我们可以看到 K2 服务器出于某种原因正在尝试联系 K2 负载平衡器。这看起来像是对 K2 4.6.6 的更改,在 K2 4.6.6 中它工作得很好并且没有调用负载均衡器。 我们还检查了 K2 配置,没有任何地方提到负载均衡器地址。
我们还在没有负载均衡器的环境中进行了升级,它在那里没有任何错误地工作。
为什么 K2 主机服务器尝试连接到 K2 4.6.11 中的负载均衡器,它从哪里获取地址?
在 K2 支持的帮助下解决了这个问题。 K2 建立连接的方式发生了变化,我们建立连接字符串的方式也需要改变。
This was introduced in 4.6.11 with the SSO changes (TFS 524432 - SSO Prompt for Credential cache). In 4.6.10, when you Authenticate a HostServer session with the following connection string:
Integrated=True;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=k2.denallix.com;Port=5555;UserID=Denallix\Administrator;Password=K2pass!;WindowsDomain=denallix;SecurityLabelName=K2
the connectionstring associated with the session is: Integrated=True;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=dlx;Port=5555;UserID=DENALLIX\Administrator;Password=K2pass!;AuthData=Denallix;SecurityLabelName=K2
So the WindowsDomain key wasn't persisted pre SSO and instead it was added as AuthData (pay attention to the end of sample connection strings above).
When you open a connection from the WorkflowManagmentServer to the WorkflowClient, there is a check to see if the connection has a WindowsDomain, Username and Password. If it had all 3, it would try and use those details to Auth a user, in 4.6.10 we didn't persist the WindowsDomain, it would just do a normal integrated connection string without the username and password.
Essentially with such configuration you are trying to authenticate with the following credentials WindowsDomain + UserID which leads to use of something like "Domain\Domain\User" for authentication and authentication attempt will fail because of that.