wcf: A call to SSPI failed: The target principal name is incorrect

I have ported a simple method consuming MS Dynamics AX WCF Service from .net framework to .net core 2.0 (console application).

In .net core project I added the connected service with no problem. All types were auto-generated correctly and I didn’t have to do much refactoring. However, when I call the client, this is the exception I’m getting (see the stack trace below). Could you assist me please? I’m using VS 2017 v15.6.6.

Unhandled Exception: System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception)
   at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult)
   at System.Net.Security.NegoState.ReadCallback(IAsyncResult transportResult)
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.NegotiateStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.<OnInitiateUpgradeAsync>d__12.MoveNext()
   --- End of inner exception stack trace ---
   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass1_0.<CreateGenericTask>b__0(IAsyncResult asyncResult)
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at WcfTest.Program.<CreateSalesOrder>d__1.MoveNext() in C:\Users\vmi\Source\Repos\WcfTest\WcfTest\Program.cs:line 195
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at WcfTest.Program.<CreateSalesOrder>d__1.MoveNext() in C:\Users\vmi\Source\Repos\WcfTest\WcfTest\Program.cs:line 200
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at WcfTest.Program.<Main>d__0.MoveNext() in C:\Users\vmi\Source\Repos\WcfTest\WcfTest\Program.cs:line 65
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at WcfTest.Program.<Main>(String[] args)

About this issue

  • State: open
  • Created 6 years ago
  • Comments: 23 (8 by maintainers)

Most upvoted comments

I’m having the same issue with an AIF Dynamics Service only in .net core, do you know how to set in code the userPrincipalName? or the needed service identity on the channel factory as you mentioned? Thanks 😃

You are using Windows authentication as your authentication mechanism. When using Windows authentication, the identity of the server is also validated. The way this happens is when you get an authentication token from the domain controller to give to the server, the token is obtained for a specific identity of the server. The default identity used is HOST/dnsname. This identity (or SPN) can only be used by the SYSTEM or NETWORK SERVICE account (which includes the default identity used in IIS for the application pool user). If the server isn’t running with one of these accounts (or equivalent in the case of IIS), then a different identity will be used. Either an explicit identity will be provided on the server’s binding (in which case the user running the service needs permission to that identity) or the service will use the identity of the user it is running with. In the case of a user identity, this will be in the Active Directory username format of user@domain, e.g. dynamics@contoso.com.
One of two things is happening. Either you need to specify the correct server identity in your client binding, or we might have a bug in the .Net core stack somewhere (WCF, corefx, WCF Connected Service tool etc). So now I’ve given you some background on what’s happening, we need to narrow it down.
Are you running on Linux or Windows?
Can you generate a client running on the full framework which works correctly? If so, can you provide the binding config which is generated for the full framework and the binding code generated for .Net Core including the code which creates the endpoint. Feel free to anonymize any usernames, host names and domain names, just be consistent across the two sets of bindings. E.g. you could use hostname myserver, domain contoso.com and username user.

We were able to use the above code with just a few modifications as we were creating an AX Transfer Order, and it worked great! Now we can go try and create AX Purchase Orders and AX Sales Orders. Thank you so much, Dawiducik for the great example above!!

I don’t know how, but it looks like you predicted my next problem and your advice with switching the ports was soooo helpful. But why is AX generating “wrong” port? (Maybe not really wrong) Many thanks @naojamg ❤️

Well, I’ve set my identity with new UpnEndpointIdentity("dynamics@contoso.com") (I guess UPN = UserPrincipalName) and now it works, thanks for the good will anyway @naojamg 😃
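
The fix reported in the comment above (telling the client which server identity to request a ticket for), as an added example that is not part of the original thread. It assumes a net.tcp endpoint with Windows transport security, which is what the `WindowsStreamSecurityUpgradeProvider` frames in the stack trace point to; `AxClientFactory` and `Probe` are hypothetical names, and the service URI and identity string are supplied by the caller (e.g. the anonymized `dynamics@contoso.com` or `HOST/myserver` used in the thread).

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical helper, not code from the thread or from the WCF project.
public static class AxClientFactory
{
    // serverIdentity is the account the SERVICE runs as, not the caller:
    //   "user@domain"  -> service runs as a domain user (UPN identity)
    //   "HOST/dnsname" -> service runs as SYSTEM / NETWORK SERVICE (SPN identity)
    public static ChannelFactory<TChannel> Create<TChannel>(Uri serviceUri, string serverIdentity)
    {
        if (string.IsNullOrWhiteSpace(serverIdentity))
            throw new ArgumentException("Server identity is required.", nameof(serverIdentity));

        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        EndpointIdentity identity = serverIdentity.Contains("@")
            ? (EndpointIdentity)new UpnEndpointIdentity(serverIdentity)
            : new SpnEndpointIdentity(serverIdentity);

        // The identity travels with the address; the Negotiate handshake requests a
        // ticket for exactly this principal, so a mismatch fails instead of silently
        // authenticating to a different account.
        return new ChannelFactory<TChannel>(binding, new EndpointAddress(serviceUri, identity));
    }

    // Opens a channel so the handshake runs before any business call.
    // Returns null on success, otherwise the innermost error text
    // (for this issue: "The target principal name is incorrect").
    public static string Probe<TChannel>(ChannelFactory<TChannel> factory)
    {
        var channel = (IClientChannel)(object)factory.CreateChannel();
        try
        {
            channel.Open();
            channel.Close();
            return null;
        }
        catch (SecurityNegotiationException ex)
        {
            channel.Abort();
            return ex.GetBaseException().Message;
        }
    }
}
```

The client class generated by the Connected Service tool can be given the same `NetTcpBinding` and `EndpointAddress` through its binding/address constructor instead of using a raw `ChannelFactory<TChannel>`.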

As I can remember, there was a problem in the port of the SOAP service I was using, one URL looks like this x.x.x.x:8101/DynamicsAx/Services/TIFacturasServicios and the other was x.x.x.x:8201/DynamicsAx/Services/TIFacturasServicios. I was using the incorrect one, I don’t remember which was the correct one… after that I simply used the connected services tool in VS and everything worked fine.