WCF SOAP security negotiation failed

  • Question

  • I am getting the following error:

    SOAP security negotiation with 'https://Server.domain.com/Service.svc' for target 'https://Server.domain.com/Service.svc' failed. See inner exception for more details.

    Inner Exception:

    Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/Server.domain.com'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

    The Service that I have running, the app pool's identity is a service account created in Active Directory.  

    Below is Service Model section from my web.config file.  

    <system.serviceModel>
        <client>
          <endpoint>
            <identity>
              <servicePrincipalName value="wdw\WebUser"/>
              <!--<userPrincipalName value="wdw\WebUser" />-->
            </identity>
          </endpoint>
        </client>
        <behaviors>
          <serviceBehaviors >
            <behavior name="ServiceBehaviors"  >
              <serviceMetadata httpGetEnabled="True"/>
              <serviceDebug includeExceptionDetailInFaults="True" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <wsHttpBinding>
            <binding>
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="Windows"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <services>
          <service name="Service" behaviorConfiguration="ServiceBehaviors" >
            <endpoint contract="IService" binding="wsHttpBinding" />
          </service>
        </services>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>

    Can someone please point me in the right direction? I am trying to provide the app pool user identity, but no luck.

    Thank you in advance,



    Robert Johnston

    Monday, February 10, 2014 6:30 PM

Answers

  • Hi,

    Please first try to set the security mode to none to see if it helps:

    <wsHttpBinding>
      <binding>
        <security mode="None"/>
      </binding>
    </wsHttpBinding>
    

    If it helps, then it will be something with your authentication.

    >>Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/Server.domain.com'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

    To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.

    In cross-domain scenarios, Kerberos has to be used. Since the service is running as a local system account, an SPN identity has to be used on the client side for the target name.

    For more information, please read http://support.microsoft.com/kb/929650.

    Also please try to check those similar threads:
    http://stackoverflow.com/questions/9975521/error-connecting-to-wcf-service-with-windows-security
    http://stackoverflow.com/questions/972466/wcf-service-authentication-sspi-error

    Best Regards,
    Amy Peng




    Tuesday, February 11, 2014 1:59 AM
    Moderator
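
An added example (not from the original thread or from either poster): a client-side `system.serviceModel` section in which the endpoint identity has the form the SSPI error message asks for. It assumes the client uses the same binding settings as the service shown in the question; the binding and endpoint names and the UPN and SPN values are placeholders.

```xml
<!-- Added example: client-side configuration. Values marked PLACEHOLDER are
     assumptions and must be replaced with the real account name or SPN. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Must match the security settings of the service binding. -->
      <binding name="WindowsOverTls">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint name="ServiceEndpoint"
              address="https://Server.domain.com/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="WindowsOverTls"
              contract="IService">
      <identity>
        <!-- Option A: the service runs under a domain user account, so the
             client names that account by its UPN. A UPN has the form
             user@domain, not DOMAIN\user. -->
        <userPrincipalName value="WebUser@PLACEHOLDER.domain.example" />

        <!-- Option B (use instead of A, never both): an SPN in
             serviceclass/host form that is registered on the service
             account in Active Directory. `setspn -L <account>` lists the
             SPNs an account holds.
        <servicePrincipalName value="PLACEHOLDER/Server.domain.com" />
        -->
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

The `identity` element takes a single child, so keep exactly one of the two options active. Kerberos is only selected when the value matches what Active Directory holds for the account the service actually runs as.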