error "call to SSPI failed" "the target principal name is incorrect" with executable hosted service

  • Question

  • I have created an exe that hosts a WCF service, to which a different client exe should connect.

    The client and server exes run under a user account, because they must interact with a user interface.

    If both use a local account, it works fine.

    If they use a domain account (even with admin rights), I get a "call to sspi failed" when the client tries to connect to the server.

    the code I use on the client is:

    client = New ServiceReference1.Service1
    client.Endpoint.Address = New EndpointAddress("net.tcp://pc-server:8733/Service1")

           


    alex

    Tuesday, December 10, 2013 11:42 AM

Answers

  • Hi,

    If we are running under a dedicated service account (let's call it "ServiceAccount" on the domain "MyDomain"), then you need to have this:
    <identity>
         <userPrincipalName value="ServiceAccount@MyDomain" />
    </identity>

    Please note that you may need to use the fully-qualified domain name, including the Forest and Tree levels. The fully-qualified name is needed when you are using Kerberos for authentication.

    For more information about this, please try to check the following blog:
    http://blogs.msdn.com/b/tiche/archive/2011/07/13/wcf-on-intranet-with-windows-authentication-kerberos-or-ntlm-part-1.aspx .

    Best Regards,
    Amy Peng



    Wednesday, December 11, 2013 3:33 AM
    Moderator
  • I've solved it with this:

    Dim myuri As New Uri(My.Settings.endpointaddress)
    client = New ServiceReference1.Service1Client
    ' Endpoint address with an empty SPN identity
    client.Endpoint.Address = New EndpointAddress(myuri, EndpointIdentity.CreateSpnIdentity(String.Empty))

    This last row forces the use of NTLM and works fine.

     


    alex

    Wednesday, December 18, 2013 1:22 PM
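
The two client-side identity choices from the answers above (the UPN identity from the first answer, the empty SPN from the second), side by side in VB.NET. This is an added example, not code from either poster; `ServiceLogon` and `BuildAddress` are hypothetical names, and `ServiceAccount@MyDomain` is the placeholder account from the first answer.

```vb
Imports System
Imports System.ServiceModel

Module EndpointIdentityExample

    ' How the server exe is run (hypothetical enum for this example).
    Enum ServiceLogon
        DomainUser      ' a domain user account, as in the question
        MachineAccount  ' LocalSystem / NetworkService on a domain-joined host
        NtlmFallback    ' empty SPN, as in the accepted workaround
    End Enum

    Function BuildAddress(uri As Uri, logon As ServiceLogon,
                          Optional account As String = Nothing) As EndpointAddress
        Dim identity As EndpointIdentity
        Select Case logon
            Case ServiceLogon.DomainUser
                ' Kerberos: the ticket is requested for the account the service runs as.
                If String.IsNullOrEmpty(account) OrElse Not account.Contains("@") Then
                    Throw New ArgumentException("Expected a UPN such as user@domain", "account")
                End If
                identity = EndpointIdentity.CreateUpnIdentity(account)
            Case ServiceLogon.MachineAccount
                ' Kerberos against the computer account: host/<server name>.
                identity = EndpointIdentity.CreateSpnIdentity("host/" & uri.DnsSafeHost)
            Case Else
                ' No principal name to request a ticket for, so NTLM is negotiated.
                identity = EndpointIdentity.CreateSpnIdentity(String.Empty)
        End Select
        Return New EndpointAddress(uri, identity)
    End Function

    Sub Main()
        Dim uri As New Uri("net.tcp://pc-server:8733/Service1")
        ' Placeholder account from the first answer; use the fully-qualified domain if required.
        Dim kerberos = BuildAddress(uri, ServiceLogon.DomainUser, "ServiceAccount@MyDomain")
        Dim ntlm = BuildAddress(uri, ServiceLogon.NtlmFallback)
        Console.WriteLine("Kerberos identity: " & kerberos.Identity.ToString())
        Console.WriteLine("NTLM identity:     " & ntlm.Identity.ToString())
        ' Assign to the generated proxy with: client.Endpoint.Address = kerberos
    End Sub
End Module
```

With the empty SPN the client negotiates NTLM, under which WCF cannot check the service identity because NTLM does not authenticate the server to the client. The UPN form keeps Kerberos and its server authentication, but the client must then know which account the server exe runs under.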

All replies

  • Thank you for your help.

    I don't use a special account, but both server and client run under the current domain user (which may not be the same).

    I've read the article; it seems that I have to avoid Kerberos and use NTLM. But it is not clear to me where to "use String.Empty or null to create SPN identity at client side". Alessandro


    alex

    Wednesday, December 11, 2013 11:55 AM