Has anyone got any idea why the following exception should be thrown on a client connecting cross-machine to a WCF service:
[Win32Exception (0x80004005): The target principal name is incorrect]
[AuthenticationException: A call to SSPI failed, see inner exception.]
System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult) +109
System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel) +45
System.ServiceModel.Channels.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity) +101
[SecurityNegotiationException: A call to SSPI failed, see inner exception.]
[...]
This does not happen if the client and service are running on the same machine.
Config is NetTcpBinding, security mode = Transport, transport protection level = Sign.
Client is an ASP.NET application, Windows authentication, impersonate=true.
Thanks.

SecurityNegotiationException: A call to SSPI failed / Win32Exception (0x80004005): The target principal name is incorrect
Freiling
Hi,
I was facing the same problem, but overcame it even when I used an empty string instead of "MYSERVICE/MyMachine". If I used "MYSERVICE/MyMachine", there is no difference; the application is running fine in both cases. So, what difference does it make to provide "MYSERVICE/MyMachine"?
Thank You
Norge
Thanks for the information.
My service account is a domain user account with limited permissions. What SPN should I set (for net.tcp binding)? HOST/MachineName belongs to the computer account. If I create a custom service class and assign it the service account (e.g. setspn -a MYSERVICE/MyMachine SERVICE.ACCOUNT), how do I tell the client proxy bindings about the custom SPN?
Thanks.
prog.gabi
Hi Frank,
I'm sorry for my late reply.
You can set the SPN for the client proxy by modifying the endpoint of the service. You can do that using configuration or programmatically.
Using configuration you can do it like this:
<client>
  <endpoint name=""
            address="http://localhost:8000/servicemodelsamples/service"
            binding="wsHttpBinding"
            bindingConfiguration="Binding1"
            contract="ICalculator">
    <identity>
      <servicePrincipalName value="MYSERVICE/MyMachine"/>
    </identity>
  </endpoint>
</client>
Using code you can set SPN on the proxy like this:
proxy.Endpoint.Address = new EndpointAddress(new Uri("http://localhost:6060/service"), new SpnIdentity("MYSERVICE/MyMachine"));
Please note that you can set the SPN on the service so that it is contained in the service's WSDL. You can do that by modifying the service's endpoint either in config or programmatically in exactly the same way as on the client. You need to use ServiceHost instead of the proxy, of course, when setting the endpoint programmatically, and you need to use the service element in configuration when using config. If you do that and then use svcutil to generate the client proxy and config by pointing it to the service's WSDL, we will automatically set the correct SPN for you on the client side.
I hope this helps.
Thanks
--Jan
Jayender.vs
Hi Frank,
When doing Windows authentication and Kerberos is used or negotiated by SSPI, you need to supply the fully qualified domain name of the service's host inside the service URL you are using on the proxy that connects to the service.
This assumes that the account under which the service is running has access to the machine (default) SPN key that is created when the computer is added to the Active Directory domain. If this is not true, you need to supply the correct SPN of the account under which the service is running on the client. In order to obtain an SPN for your service's account you need to be an AD domain administrator. There is more about this on MSDN, for example here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.asp
For local machine communication there is an optimization in the SSPI that does not require you to supply the fully qualified domain name of the host.
I hope this helps you to resolve this issue.
Thanks,
--Jan
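
The client side of what both of Jan's replies describe, applied to the net.tcp binding from the original question, as an added example that is not code from the thread or from Microsoft. The host name, port and the ICalculator.Add operation are assumptions; MYSERVICE/MyMachine is the SPN used in the thread.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract, standing in for the ICalculator named in the config above.
[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);
}

public static class SpnClientExample
{
    public static void Main()
    {
        // Same settings as in the question: net.tcp, Transport security, Sign.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.Sign;

        // Placeholder host and port. Cross-machine, use the fully qualified
        // domain name rather than "localhost" or a short name.
        var uri = new Uri("net.tcp://myserver.corp.example.com:8000/service");

        // With no explicit identity WCF falls back to an SPN of the form
        // host/<address host>, which belongs to the computer account. A service
        // running as a domain user needs the SPN registered on that account.
        var address = new EndpointAddress(uri, new SpnIdentity("MYSERVICE/MyMachine"));

        var factory = new ChannelFactory<ICalculator>(binding, address);
        try
        {
            ICalculator proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Add(1, 2));
            factory.Close();
        }
        catch (SecurityNegotiationException ex)
        {
            // The Win32Exception ("The target principal name is incorrect") is the
            // innermost exception, as in the stack trace at the top of the thread.
            Console.WriteLine("SPN requested: {0}", address.Identity.IdentityClaim.Resource);
            Console.WriteLine("Negotiation failed: {0}", ex.GetBaseException().Message);
            factory.Abort();
        }
    }
}
```

Logging the requested SPN next to the failure makes it straightforward to compare against the output of setspn -L for the service account.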