www.code-geek.com

.NET Framework

A call to SSPI failed: The target principal name is incorrect

I had this issue working with an ASP.NET MVC app and a Windows Communication Foundation (WCF) service secured by Windows security. Previously security was set to None.



SCENARIO

| Characteristic | Description |
| --- | --- |
| Security Mode | Transport |
| Interoperability | WCF only |
| Authentication (Service) | Yes (using Windows integrated authentication) |
| Authentication (Client) | Yes (using Windows integrated authentication) |
| Integrity | Yes |
| Confidentiality | Yes |
| Transport | NET.TCP |
| Binding | NetTcpBinding |

When I call the service, this is the exception I'm getting. Here's the full exception:
<message ipaddress="::1" isauthenticated="False" action="GetAll" exception="  Exception ( System.ServiceModel.Security.SecurityNegotiationException ) : A call to SSPI failed, see inner exception. Source: mscorlib StackTrace:   Server stack trace:      at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty&amp; remoteSecurity)     at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)     at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection&amp; connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper&amp; timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper&amp; timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper&amp; timeoutHelper)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.Call(String 
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)  InnerException ( System.ComponentModel.Win32Exception ) : The target principal name is incorrect" severitymessage="Exception occured while calling Task.WaitAll() method." managedthreadid="7">

My bindings:

    <security mode="Transport">
      <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
      <message clientCredentialType="Windows" />
    </security>
    


When the transport clientCredentialType is set to Windows, the server is also expected to exist on a Windows domain that uses the Kerberos protocol as its domain controller. This allows SOAP message exchanges to occur under the security context established with a Windows credential. The default identity used is HOST/dnsname. If the account the service actually runs under does not match that identity, the SSPI negotiation fails with the error above.


To resolve the issue, specify the correct server identity in the client endpoint configuration, like this:


    <endpoint address="net.tcp://localhost:4506/myservice" binding="netTcpBinding" bindingConfiguration="StandardIncreasedBuffer" contract="ServiceContract" name="MyService">
      <!-- Identity the client expects the service to be running as -->
      <identity>
        <userPrincipalName value="" />
      </identity>
    </endpoint>
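
The same client-side identity set in code instead of config, as an added example that is not from the original post. `IMyService`, the `svc-account@example.com` UPN and the `isUserAccount` switch are assumptions. A UPN identity fits a service running under a domain user account, while an SPN in the HOST/dnsname form fits one running under the machine account.

```csharp
using System;
using System.ComponentModel;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the page's "ServiceContract".
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string[] GetAll();
}

public static class ClientIdentityExample
{
    // Same settings as the <security mode="Transport"> binding on the page.
    public static NetTcpBinding BuildBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // UPN for a domain user service account, SPN (HOST/dnsname) for the machine account.
    public static EndpointAddress BuildAddress(string uri, string principal, bool isUserAccount)
    {
        EndpointIdentity identity = isUserAccount ? EndpointIdentity.CreateUpnIdentity(principal) : EndpointIdentity.CreateSpnIdentity(principal);
        return new EndpointAddress(new Uri(uri), identity);
    }

    public static void Main()
    {
        // Placeholder UPN (assumption): use the account the service really runs as.
        var address = BuildAddress("net.tcp://localhost:4506/myservice", "svc-account@example.com", isUserAccount: true);
        var factory = new ChannelFactory<IMyService>(BuildBinding(), address);
        try
        {
            Console.WriteLine(factory.CreateChannel().GetAll().Length);
            factory.Close();
        }
        catch (CommunicationException ex)
        {
            // A SecurityNegotiationException wrapping a Win32Exception is the SSPI failure shown above.
            var sspi = ex is SecurityNegotiationException ? ex.InnerException as Win32Exception : null;
            Console.WriteLine(sspi != null ? "SSPI: " + sspi.Message : "Call failed: " + ex.Message);
            factory.Abort();
        }
    }
}
```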
    


    Hope it helps
