Reputation: 3378
I wrote a Windows Service hosted WCF service. Deployed or on localhost, it works fine and my client app can consume it.
If I change the LogOn setting of the Windows Service and set a domain user (changing from the default "Local System") my client app cannot consume the service anymore. The exception I get is
```
A call to SSPI failed
```
There is no inner exception or any details. To fix this I tried to set the UPN in my client app request in order to get a valid service name check. This is done, client side, via code, setting an Identity in the endpoint:
```csharp
string uri = "myServiceUri";
EndpointIdentity identity = EndpointIdentity.CreateSpnIdentity("user@domain");
EndpointAddress epa = new EndpointAddress(uri, identity, new AddressHeader[] { });
```
Here comes the very strange behavior.
If I set the exact UPN in my client request, let's say "user@domain", I get a new exception (no inner exception, no details):
```
The following remote identity failed verification: 'user@domain'
```
If I set any other string as the UPN in my client request, it works fine, let's say "XXXuser@domainXXX", "toto", or even `String.Empty`.
Server side, I did not set any Identity node in the config file, to keep the default behavior, i.e. UPN check (no SPN nor DNS).
In other words, the Service/User name check seems to work only if the setting in my client app is wrong.
Dear community, your help would be much appreciated on this topic.
Thanks
Upvotes: 2
Views: 5180
Reputation: 3378
The solution is... use `CreateUpnIdentity` instead of `CreateSpnIdentity` to let WCF handle the UPN properly.
The reason is that without any Identity node in the server config file and with a domain account as the service user, the default identity exposed by the service is the UPN "account@domain".
Upvotes: 4
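The fix from the answer above, as an added example that is not code from the thread: it picks the identity type from the shape of the expected service account and refuses the empty or malformed values that the question reports as "working". The helper name `BuildExpectedIdentity`, the URI and the account name are hypothetical, constructed values.

```csharp
// Added example, not code from the thread. URI, account name and helper name are hypothetical.
using System;
using System.IdentityModel.Claims;
using System.ServiceModel;

static class ClientIdentityExample
{
    // Build the identity the client expects the service to prove.
    //   "class/host"     -> SPN (service running under a machine account)
    //   "account@domain" -> UPN (service running under a domain user account)
    // The question reports that an empty or arbitrary string still connects;
    // such values are rejected here so the client always states a real expectation.
    static EndpointIdentity BuildExpectedIdentity(string serviceAccount)
    {
        if (string.IsNullOrWhiteSpace(serviceAccount))
            throw new ArgumentException("Expected service identity must not be empty.");

        if (serviceAccount.Contains("/"))
            return EndpointIdentity.CreateSpnIdentity(serviceAccount);

        if (serviceAccount.Contains("@"))
            return EndpointIdentity.CreateUpnIdentity(serviceAccount);

        throw new ArgumentException("Expected 'account@domain' (UPN) or 'class/host' (SPN).");
    }

    static void Main()
    {
        // Constructed sample values.
        var uri = new Uri("net.tcp://server.example.test:8000/MyService");
        EndpointIdentity identity = BuildExpectedIdentity("svc-account@example.test");

        var address = new EndpointAddress(uri, identity);

        // Check which claim type WCF will verify against the service's identity.
        Claim claim = address.Identity.IdentityClaim;
        string kind = claim.ClaimType == ClaimTypes.Upn ? "UPN"
                    : claim.ClaimType == ClaimTypes.Spn ? "SPN"
                    : "other";
        Console.WriteLine("Expecting {0} identity: {1}", kind, claim.Resource);
    }
}
```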
Reputation: 2041
I seem to recall that using a non-existent UPN will force authentication to fall back from Kerberos to NTLM. To get Kerberos working with a domain account I think you'll need to configure an SPN for the target account: http://msdn.microsoft.com/en-us/library/bb628618.aspx
Upvotes: 0