This is a mirror of official site:

WCF on intranet with windows authentication: Kerberos or NTLM (Part 1)

| Thursday, July 14, 2011
The issue

When we build enterprise level SOA system on top of windows servers, if the environment is with Active Directory, using windows authentication is probably the most appropriate authentication mechanism which is secure, straight forward to build and easy to maintain. Underneath WCF's windows authentication implementation, two SSP are used: Kerberos and NTLM. You might encounter the same issues like I did, here I want to share some of the experience come from my trouble shooting.

If we use domain user to host a WCF service, and call this service from another machine, very likely we will have this error:

    A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect

There are quite a lot articles (1, 2, 3, 4) discussing this issue, basically their solution is to:

    use setspn.exe to create an SPN for the domain account
    configure at client side, set spn as client identity

However, the odd thing is actually we can skip step 1, and set a dummy string in step 2, it also works. Why? I am not the first one who has this question, these 2 posts (1, 2) has the exact same question against this. So, I decided to dig deeper and find the root cause.

Read more: Tianxiang Chen's Tech Blog
QR: wcf-on-intranet-with-windows-authentication-kerberos-or-ntlm-part-1.aspx

Posted via email from Jasper-net