none
A call to SSPI failed, The target principal name is incorrect

    Question

  • I am using ESB 1.0 to call a WCF service but it fails with following error:

    Error details: System.ServiceModel.Security.SecurityNegotiationException: 
    A call to SSPI failed, see inner exception. ---> 
    System.Security.Authentication.AuthenticationException: 
    A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: 
    The target principal name is incorrect
      --- End of inner exception stack trace ---

    Here is my itinerary for this call:

    <Itinerary xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.biztalk.practices.esb.com/itinerary" uuid="" beginTime="" completeTime="" state="Pending" isRequestResponse="false">
    	<ServiceInstance uuid="" name="Microsoft.Practices.ESB.Services.Transform" type="Messaging" state="Pending" position="0" isRequestResponse="false" xmlns="" />
    	<Services xmlns="">
    		<Service uuid="" beginTime="" completeTime="" name="ItnPartner" type="Messaging" state="Pending" isRequestResponse="true" position="1" serviceInstanceId="" />
    	</Services>
    	<ResolverGroups xmlns="">
    		<Resolvers serviceId="ItnPartner0">&lt;![CDATA[STATIC:\\TransportType=WCF-NetTcp;TransportLocation= net.tcp://machine01:9000/Services/ContactSync;Action=Services/ContactSyncService/UpdateContact;EndPointConfig= UserName=MyServicesUser&amp; SecurityMode=Transport&amp;TransportClientCredentialType = Windows &amp;TransportProtectionLevel=EncryptAndSign;JaxRpcResponse=True;MessageExchangePattern=;TargetNamespace=http://tempuri.org/;TransformType=;]]&gt;</Resolvers>
    	</ResolverGroups>
    </Itinerary>
    

     and this is the part of the WSDL of targrt service:

    <wsdl:service name="ContactSyncService">
    	<wsdl:port name="NetTcpBinding_ContactSyncService" binding="tns:NetTcpBinding_ContactSyncService">
    		<soap12:address location="net.tcp://machine01:9000/Services/ContactSync" />
    		<wsa10:EndpointReference>
    			<wsa10:Address>net.tcp://machine01:9000/Services/ContactSync</wsa10:Address>
    			<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
    				<Spn>MyServicesUser</Spn>
    			</Identity>
    		</wsa10:EndpointReference>
    	</wsdl:port>
    </wsdl:service>
    
    

    Any help?


    Farrukh
    Thursday, December 02, 2010 3:37 PM

Answers

  • Hi,

    It looks like you may have a missmatch in the service principle name (SPN) or user principle name (UPN) in the service configuration. If you are using kreberos authentication then these will need to match.

    See if you can set this in the Identity section of the client configuration for the service proxy.

    Regards,

    Alan

     


    http://www.CloudCasts.net - Community Webcasts Powered by Azure
    Thursday, December 02, 2010 4:12 PM
  • I'm with Alan in trying to set the Identity here.

     

    You should be able to set the identity using the Itinerary by add this to your EndpointConfig

    &Identity=<Identity><Spn>MyServicesUser</Spn></Identity>

     

    Identity is a promoted property which the WCF Adapter provider can use to set this when configuring the dynamic adapter.

     

    Check here: http://msdn.microsoft.com/en-us/library/ms733130.aspx

    and here: http://msdn.microsoft.com/en-us/library/bb245991(BTS.70).aspx

     

    HTH


    MCT, MCSD.NET, BizTalk TS
    Friday, December 03, 2010 11:18 PM

All replies

  • Hi,

    It looks like you may have a missmatch in the service principle name (SPN) or user principle name (UPN) in the service configuration. If you are using kreberos authentication then these will need to match.

    See if you can set this in the Identity section of the client configuration for the service proxy.

    Regards,

    Alan

     


    http://www.CloudCasts.net - Community Webcasts Powered by Azure
    Thursday, December 02, 2010 4:12 PM
  • Hi Alan,

    I am using the correct SPN as given in above sample (WSDL and Itinerary), secondly i cannot set this in identity, as i am not calling it from any application instead i am using ESB and all configuration is in itinerary. But i am not sure if something is missing in above itinerary.

    Thanks


    Farrukh
    Friday, December 03, 2010 9:00 AM
  • I'm with Alan in trying to set the Identity here.

     

    You should be able to set the identity using the Itinerary by add this to your EndpointConfig

    &Identity=<Identity><Spn>MyServicesUser</Spn></Identity>

     

    Identity is a promoted property which the WCF Adapter provider can use to set this when configuring the dynamic adapter.

     

    Check here: http://msdn.microsoft.com/en-us/library/ms733130.aspx

    and here: http://msdn.microsoft.com/en-us/library/bb245991(BTS.70).aspx

     

    HTH


    MCT, MCSD.NET, BizTalk TS
    Friday, December 03, 2010 11:18 PM