
I am trying to access a WCF client. I know people are getting information out of it right now, so I know it works. My problem is I can't seem to get past it. The service is a mutual certificate service. I have the appropriate certs in my personal stores on my local machine. Even with that, I get the following exception:

 A call to SSPI failed, see inner exception

Searching deep into the exception and I see this:

Message : The target principal name is incorrect

How can I resolve this? Do I need to impersonate the user the app pool is running under? Do I need to add an Identity\ServicePrincipalName or Identity\UserPrincipalName? Has anyone run into an issue similar to this?

4 Answers


See my answer to a similar problem here: netTCP binding Soap Security Negotiation Failed. This guidance should apply to other bindings, not just TCP.


For future reference for others, I experienced this issue but the existing answers didn't help.

My issue was with the userPrincipalName being used for a service reference.

I had recently re-registered the service reference in order update it but it had overwritten the specified userPrincipalName in the log files with my email address:

<endpoint address="net.pipe://localhost/XXXX"
  binding="netNamedPipeBinding" bindingConfiguration="NetNamedPipeBinding_IXXX"
  contract="XXXServiceReference.IXXX"
  name="NetNamedPipeBinding_IXXXX">
  <identity>
    <userPrincipalName value="my@emailaddress.com" />
  </identity>
</endpoint>

To rectify the issue, I simply changed the userPrincipalName to localhost, which is what it was previously:

<userPrincipalName value="localhost" />

I regenerated the client and the endpoint in the output.config file now had <identity> <userPrincipalName value="Serviecname@companyname.com" /> </identity> in the Endpoint Tag. So the new endpoint looked like -

 <endpoint address="net.tcp://machinename:6001/ReferenceDataService" binding="netTcpBinding" bindingConfiguration="netTcpBindingConf" contract="IReferenceDataService" >
     <identity>
         <userPrincipalName value="Serviecname@companyname.com" />
     </identity>
 </endpoint>

This solved my issue

  • In case anybody isn't familiar with WCF - I used svcutil.exe to regenerate the client, and the output.config was generated with it. – rhinobear Feb 15 '17 at 17:43

For me, it worked when I specified the server's username in the endpoint. Not the client's username. And it was a UPN, not a SPN.

// The UPN names the account the service runs under, not the calling user.
var address = new EndpointAddress(
    new Uri("net.tcp://server:1234/MyWcf/svc"),
    EndpointIdentity.CreateUpnIdentity("username@domain.local"));

From what I understand, the client verifies that it's talking to the expected user.

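The answers above all come down to the same mechanism: the `<identity>` on the client endpoint is the Windows principal the client expects the service to authenticate as, and Kerberos mutual authentication fails with "The target principal name is incorrect" when that name does not match the account the service process actually runs under. The following is an added example, not code from any of the answers or from the question's service. It assumes a net.tcp service contract `IReferenceDataService` at `net.tcp://server:6001/ReferenceDataService`; the host name, port and account names are placeholders. It shows the rule of thumb WCF uses for picking UPN versus SPN, builds the client in code rather than in config, and walks the exception chain so the SSPI message the question's author had to dig for is visible at once.

```csharp
// Added example for this thread; assumes a placeholder contract and host.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

[ServiceContract]
public interface IReferenceDataService
{
    [OperationContract]
    string Ping();
}

public static class WcfIdentityExample
{
    // Returns the identity the client should expect the service to prove.
    // Built-in machine accounts (Network Service, Local System) authenticate
    // with the computer account, so the client must name a host SPN.
    // A domain user (or gMSA) authenticates as itself, so the client names its UPN.
    public static EndpointIdentity ExpectedServiceIdentity(string serviceAccount, string hostName)
    {
        bool machineAccount =
            serviceAccount.Equals(@"NT AUTHORITY\NETWORK SERVICE", StringComparison.OrdinalIgnoreCase) ||
            serviceAccount.Equals(@"NT AUTHORITY\SYSTEM", StringComparison.OrdinalIgnoreCase);

        return machineAccount
            ? EndpointIdentity.CreateSpnIdentity("host/" + hostName)
            : EndpointIdentity.CreateUpnIdentity(serviceAccount);
    }

    // Code equivalent of the config <endpoint> with an <identity> child shown in the answers.
    public static IReferenceDataService CreateClient(string hostName, int port, string serviceAccount)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var address = new EndpointAddress(
            new Uri($"net.tcp://{hostName}:{port}/ReferenceDataService"),
            ExpectedServiceIdentity(serviceAccount, hostName));

        var factory = new ChannelFactory<IReferenceDataService>(binding, address);
        return factory.CreateChannel();
    }

    // "A call to SSPI failed" is only the outermost message; the real cause
    // ("The target principal name is incorrect") sits several InnerExceptions down.
    public static string DescribeFailure(Exception ex)
    {
        var sb = new StringBuilder();
        for (Exception e = ex; e != null; e = e.InnerException)
            sb.AppendLine(e.GetType().Name + ": " + e.Message);
        return sb.ToString();
    }

    public static void Main()
    {
        // Placeholder values: the real host and the account the service runs under.
        IReferenceDataService client = CreateClient("server", 6001, "svc_refdata@corp.example");
        try
        {
            Console.WriteLine(client.Ping());
            ((IClientChannel)client).Close();
        }
        catch (SecurityNegotiationException ex)
        {
            ((IClientChannel)client).Abort();
            Console.Error.WriteLine(DescribeFailure(ex));
        }
    }
}
```

The check a practitioner wants before touching the client is what account the service process really runs under (the app pool identity for IIS-hosted services, the service logon account otherwise) and that an SPN for it is registered in the domain. Change the client's identity to match that account; do not loosen it to whatever makes the error go away, because the identity is the only thing that lets the client tell the genuine service from another principal that answers on the same host and port.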