I'm using a netTcpBinding with a self-hosted service running as my own user, with a client of ASP.NET hosted by IIS running as Network Service on another machine. I'm a bit confused on the service/client identity and how it relates to authentication.
I find that if I don't specify anything in the <identity> for my client <endpoint> things fail:
Error: System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect ---
However, so long I specify something there, for instance:
<identity><userPrincipalName /></identity>
It works fine. Same if I use <servicePrincipalName />. Additionally, if I specify a value, it doesn't matter what it is. value="foo" works just as well as "user@domain".
Is something wrong? I mean, this "works", but shouldn't Kerberos be authenticating the remote service identity for me? (I'm assuming Kerberos is happening on netTcpBinding -- I didn't find a way to disable NTLM/Nego.)
More concerning, on the server side, it doesn't seem to matter if or what I specify in the <identity> for the <service> <endpoint>. I don't have to specify an identity (that's understandable), but why does it pretty much ignore whatever I put in there if I do specify something?
Thanks!

SSPI fails without userPrincipalName, why?
Binoy71254
You can verify this by going on the client and doing this:
MyChannelFactory.Credentials.Windows.AllowNtlm = false;
This will force a Kerberos authentication. If you have a bogus Identity element, it should fail.
Thanks!
Scott
Nick3
You could also run hosted in IIS which could be accessed by the host/machine SPN.
Thanks!
Scott
A-ha! Success!
Using at, I ran my service as LocalSystem and all was well. This means that the problem was with Kerberos and SPNs and all that. It means that my services must either run as a local account or have an SPN defined for the username I use.
This means moving my services to be Windows Services has just been bumped up in priority, which is a good thing.
Thanks for the help, Scott et al.
Zulfiqar Malik
I'm getting a similar error, and despite what Scott Mason and others have posted here before, I can't get this to work.
I'm running a self-hosted service under a console application, running as a domain user. The endpoint is net.tcp using default security settings (Windows auth., EncryptAndSign)
When I connect locally, everything works fine. I assume this is due to the SSPI optimization mentioned by Jan Alexander here.
When I connect from a remote computer, logged in as the same user, I get a SecurityNegotiationException with the error "Either the target name is incorrect or the server has rejected the client credentials.". Deeper in the call stack I can see there's a Logon Failed Win32Exception.
I've tried adding a userPrincipalName and a servicePrincipalName, but nothing seemed to help. I've tried setting AllowNtlm to True to force NTLM (rather than Kerberos) authentication, but that did nothing either.
I am still using the January CTP. Will upgrading to RC0 help? Are there any known issues with Kerberos that were fixed in later builds?
I don't want to register any SPNs since I am not sure that I'll have the option to do so at every deployment of the system. If this will eventually be hosted as a Windows Service running as NetworkService, will that alleviate the problem? Is there a way to run the self-hosted Console App under the NetworkService credentials?
Thanks,
Avner Kashtan
John~
Almost forgot to answer another one of your questions... ;>
You can run a cmd as System account by running this command:
at <time> /interactive "cmd"
Where time is one minute ahead of the current time. When one minute passes you'll see a command prompt pop up. When you run your self hosted app from here, it will run as the system account.
I would recommend creating a Windows Service instead. It's much easier.
Thanks!
Scott
int2str
Service is a self-hosted Console app, client is a WinForms app.
Client endpoint is defined like this:
<endpoint name="ConfigurationService"
address="net.tcp://servername:996/Path/Service"
binding="netTcpBinding"
contract="IConfigurationService" />
Both client and server are WinXPsp2 or Win2k3 (I'm not sure about SP level for the Win2k3), both are domain members and running as domain accounts. I don't know anything about the domain - mixed-mode, native mode, Win2k, Win2k3 - no clue.
Setting AllowNtlm to false didn't help. I'll try the trick with at tomorrow - thanks. I don't want to spend the time to turn it into a Windows Service unless I'm sure it will solve the security issue, since it's a much lower priority.
John1234566
The behavior in which you applied a bogus UPN or SPN to the identity and had it work is by design. Basically what happens is that it will try to use the credentials you supplied to do a Kerberos authentication. If that fails, then it will use NTLM instead. So if you put a bogus (or empty) string in the identity element, then it will use NTLM.
In the case of the other error "Either the target name is incorrect or the server has rejected the client credentials", can you give me more details on that? Is your client a console or Windows app or a Webform? What client credentials are you using?
Thanks!
Scott
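An added example (not code from the thread) of the check Scott describes: a client that sets a real SPN identity and disables the NTLM fallback, so a wrong or bogus identity fails with a SecurityNegotiationException instead of silently "working" over NTLM. The contract and address mirror the endpoint posted above; the SPN string is a placeholder, and on later .NET Framework versions AllowNtlm is flagged obsolete.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Contract name taken from the client endpoint posted in this thread; body is assumed.
[ServiceContract]
public interface IConfigurationService
{
    [OperationContract]
    string GetSetting(string name);
}

public static class KerberosOnlyClient
{
    // spn is a placeholder such as "host/servername.domain.local"; it must be the SPN
    // registered for the account the service actually runs under.
    public static IConfigurationService Create(string host, int port, string spn)
    {
        // Same defaults as the thread: transport security, Windows credentials, EncryptAndSign.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        // Equivalent of <identity><servicePrincipalName value="..."/></identity> in config.
        var address = new EndpointAddress(
            new Uri(string.Format("net.tcp://{0}:{1}/Path/Service", host, port)),
            EndpointIdentity.CreateSpnIdentity(spn));

        var factory = new ChannelFactory<IConfigurationService>(binding, address);

        // Refuse the Kerberos-to-NTLM downgrade: with a bogus SPN the call now fails
        // loudly (SecurityNegotiationException) rather than succeeding over NTLM.
        factory.Credentials.Windows.AllowNtlm = false;

        return factory.CreateChannel();
    }
}
```

A failing call here points at the SPN registration or the service account, which is the condition the thread's "works with any value" symptom was hiding.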