Cannot determine Service Principal Name
- I am trying to get a trivial WCF client talking to a WCF service, authenticating via a Geneva STS service. This is on a Server 2008 virtual server (Hyper-V). I am not using localhost for testing, but have instead created a new web site within the IIS7 server. The web site (app2.lab.net) is running under an app pool that uses the Network Service as the identity. I have created an SPN (setspn -a http/app2.lab.net lab\labadfs01) for the new web site and the *machine account* of the server (labadfs01). I have also added the http://app2.lab.net site into the local intranet zone.
The client can talk successfully to the service when I remove all the *Geneva* related configuration settings from the app and web configs.
When I call from the client I get a runtime exception:
Client cannot determine the Service Principal Name based on the identity in the target address 'http://app2.lab.net/WcfSvcRP_1/Service.svc' for the purpose of SspiNegotiation/Kerberos. The target address identity must be a UPN ... or SPN identity.
The only other thing worthy of note is that the Geneva Server, the client and the RP are all running on the same server.
I am rather hoping that someone else has seen this issue before, and can tell me what is likely happening.
Answers
- Hi,
The thread below contains the error you have encountered and an answer, but there is no example of the configuration required.
http://social.msdn.microsoft.com/forums/en-US/wcf/thread/1b99c331-9d38-447a-bb3b-64d7d5f04190
I'm gathering from the given answer that the custom binding configuration in <system.serviceModel> on the client needs to be changed to include an SPN or UPN identity for the issuer endpoint.
An example is below of how to do this for the issuer endpoint.
<issuedTokenParameters keyType="SymmetricKey"
                       tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
  <additionalRequestParameters>
    <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
      <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
    </trust:SecondaryParameters>
  </additionalRequestParameters>
  <issuer address="http://localhost/STS/Issue.svc" binding="ws2007HttpBinding" bindingConfiguration="StsBinding">
    <identity>
      <servicePrincipalName value="YOUR SPN"/>
    </identity>
  </issuer>
  <issuerMetadata address="http://localhost/STS/Issue.svc/mex" />
</issuedTokenParameters>
HTH
Regards, Wilko31
- Edited by Wilko31, Wednesday, November 04, 2009 9:20 AM (Url fixed)
- Marked As Answer by Glenn Clarke, Thursday, November 05, 2009 10:24 PM
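The same fix applied from code rather than config, as an added example that is not part of the thread: it uses the standard WS2007FederationHttpBinding instead of the poster's customBinding, and the STS address and issuer SPN are constructed placeholders that must match the account the STS application pool actually runs under (for Network Service, the machine account).

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the thread. IssuerSpn and IssuerUri are placeholders;
// the SPN must be one registered (setspn) on the account hosting the STS.
static class FederatedClientBinding
{
    const string IssuerSpn = "http/sts.lab.net";                 // placeholder
    const string IssuerUri = "http://localhost/STS/Issue.svc";   // placeholder
    const string SamlV11 =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    public static WS2007FederationHttpBinding Create()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        var msg = binding.Security.Message;

        // Mirrors keyType="SymmetricKey" and the SAML 1.1 tokenType in the config.
        msg.IssuedKeyType = SecurityKeyType.SymmetricKey;
        msg.IssuedTokenType = SamlV11;

        // The issuer binding authenticates the client to the STS with Windows
        // credentials (Kerberos/SspiNegotiation), like ws2007HttpBinding above.
        var stsBinding = new WS2007HttpBinding(SecurityMode.Message);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        msg.IssuerBinding = stsBinding;

        // Equivalent of <issuer><identity><servicePrincipalName value="..."/></identity></issuer>.
        // Without an identity here the client cannot derive a target SPN from a
        // plain DNS address and fails with "Cannot determine the Service Principal Name".
        msg.IssuerAddress = new EndpointAddress(
            new Uri(IssuerUri),
            EndpointIdentity.CreateSpnIdentity(IssuerSpn));

        // Equivalent of <issuerMetadata address=".../mex" />.
        msg.IssuerMetadataAddress = new EndpointAddress(IssuerUri + "/mex");

        return binding;
    }
}
```

Supplying the SPN explicitly also pins which Kerberos principal the client will accept for the STS, so a mismatch between this value and the account the STS runs under shows up as an authentication failure rather than a silent fallback.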
All Replies
- Hi Wilko31,
The issue was indeed not having set the <servicePrincipalName> value in the config. I was so focused on resolving the SPN issue from a Kerberos perspective, that I completely missed this setting.
Thanks for your assistance.
Glenn.