Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

A call to SSPI failed: The target principal name is incorrect

See original GitHub issue

I have ported a simple method consuming MS Dynamics AX WCF Service from .net framework to .net core 2.0 (console application).

In .net core project I added the connected service with no problem. All types were auto-generated correctly and I didn’t have to do much refactoring. However when I call the client this is the exception I’m getting: Could you assist me please? I’m using VS 2017 v15.6.6

Unhandled Exception: System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect --- End of inner exception stack trace --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception) at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) at System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) at System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) at System.Net.Security.NegoState.ReadCallback(IAsyncResult transportResult) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.NegotiateStream.EndAuthenticateAsClient(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.<OnInitiateUpgradeAsync>d__12.MoveNext() --- End of inner exception stack trace --- at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result) at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result) at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result) at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass1_0.<CreateGenericTask>b__0(IAsyncResult asyncResult) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at WcfTest.Program.<CreateSalesOrder>d__1.MoveNext() in C:\Users\vmi\Source\Repos\WcfTest\WcfTest\Program.cs:line 195 — End of stack trace from previous location where exception was thrown — at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at WcfTest.Program.<CreateSalesOrder>d__1.MoveNext() in C:\Users\vmi\Source\Repos\WcfTest\WcfTest\Program.cs:line 200 — End of stack trace from previous location where exception was thrown — at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at WcfTest.Program.<Main>d__0.MoveNext() in C:\Users\vmi\Source\Repos\WcfTest\WcfTest\Program.cs:line 65 --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at WcfTest.Program.<Main>(String[] args)

Issue Analytics

State:
Created 5 years ago
Comments:23 (8 by maintainers)

Top GitHub Comments

6reactions

naojamgcommented, Mar 4, 2019

I’m having the same issue with an AIF Dynamics Service only in .net core, do you know how to set in code the userPrincipalName? or the needed service indentity on the channel factory as you mentioned? Thanks 😃

4reactions

mconnewcommented, May 7, 2018

You are using Windows authentication as your authentication mechanism. When using Windows authentication, the identity of the server is also validated. The way this happens is when you get an authentication token from the domain controller to give to the server, the token is obtained for a specific identity of the server. The default identity used is HOST/dnsname. This identity (or spn) can only be used by the SYSTEM or NETWORK SERVICE account (which includes the default identity used in IIS for the application pool user). If the server isn’t running with one of these accounts (or equivalent in the case of IIS), then a different identity will be used. Either an explicit identity will be provided on the servers binding (in which case the user running the service needs permission to that identity) or the service will use the identity of the user it is running with. In the case of a user identity, this will be in the active directory username format of user@domain, e.g. dynamics@contoso.com.
One of two things is happening. Either you need to specify the correct server identity in your client binding, or we might have a bug in the .Net core stack somewhere (WCF, corefx, WCF Connected Service tool etc). So now I’ve given you some background on what’s happening, we need to narrow it down.
Are you running on Linux or Windows?
Can you generate a client running on the full framework which works correctly? If so, can you provide the binding config which is generated for the full framework and the binding code generated for .Net Core including the code which creates the endpoint. Feel free to anonymize any usernames, host names and domain names, just be consistent across the two sets of bindings. E.g. you could use hostname myserver, domain contoso.com and username user.