I have a client connecting to a WCF service using the following on both endpoints:
```xml
<security mode="Message">
  <message clientCredentialType="Windows" />
</security>
```
This works in my dev environment (both running locally) and the negotiation works properly. When I push it to the test environment I get the following message:
SOAP security negotiation with 'http://host/service' for target 'http://host/service' failed. See inner exception for more details.
The inner exception:
System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/server-name.domain'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
After randomly changing attributes and generally messing about, the only way I could get it working was to change the Application Pool for the service to use LocalSystem as the Identity. This has subsequently caused the sys admins to have kittens, and is not something I can continue doing.
Can anyone shed any light as to why this is happening? Both the client Windows account, and the AppPool's Identity are in the same domain. The service is running on a server in the same domain.
If authentication works with LocalSystem but not a domain account it may be that you're missing a SPN for the domain account. This page provides some background about configuring the identity that your service is running as: http://msdn.microsoft.com/en-us/library/bb628618.aspx
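Added example, not part of the question or the answer above: the SPN check and registration that the answer refers to, as a Windows administrator would run it. Running the application pool as LocalSystem works because the service then authenticates as the machine account, which already carries HOST/hostname SPNs that Kerberos falls back to for HTTP requests; a domain service account has no SPN until one is registered for it. The host name web01.corp.example.com and the account CORP\svc-wcf are assumptions standing in for the real names.

```powershell
# Added example; assumes the WCF service is hosted in IIS on
# web01.corp.example.com and the application pool identity is CORP\svc-wcf.
$hostName   = 'web01.corp.example.com'
$shortName  = 'web01'
$svcAccount = 'CORP\svc-wcf'

# 1. List the SPNs the application-pool account currently holds.
#    If no HTTP/ entry for the host appears, this is the cause of the failure.
setspn -L $svcAccount

# 2. Check that no other account already owns the HTTP SPN for this host.
#    An SPN must map to exactly one account; a duplicate produces the same
#    SSPI failure as a missing one.
setspn -Q "HTTP/$hostName"

# 3. Register the SPN (FQDN and short name) on the service account.
#    -S refuses to add a duplicate. Needs domain admin rights, or
#    "Write servicePrincipalName" delegated on the account.
setspn -S "HTTP/$hostName"  $svcAccount
setspn -S "HTTP/$shortName" $svcAccount

# 4. From a client machine, confirm a Kerberos service ticket can be obtained.
#    A ticket for HTTP/web01.corp.example.com should appear in the output.
klist get "HTTP/$hostName"
```

Once the SPN exists, the client endpoint should name the same identity so WCF does not fall back to the default host/server-name form quoted in the error. In the client's endpoint configuration that is an identity element with servicePrincipalName set to HTTP/web01.corp.example.com; if you cannot register an SPN, the alternative the error message mentions is a userPrincipalName identity naming the service account (svc-wcf@corp.example.com in this example), which makes Kerberos use the account's own name instead of an SPN.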