.NET 3.5 SP1 Breaking Change to WCF

I walked into a booby-trap with .NET 3.5 SP1. Here are the details. After you upgrade a server running a WCF service to .NET 3.5 SP1, clients start receiving a 401 authentication error. The WCF run-time now requires an identity to be passed in on the call. The identity (SPN) is not verified for authenticity; it just needs to be present. You can fix the issue from code or by inserting the identity tag into the endpoint configuration.

The authentication failure is triggered if all of the following conditions are met:

  • The scenario uses ClientCredentialType.Windows, which specifies the Negotiate authentication scheme.
  • The scenario uses http, https, or net.tcp.
  • The service runs under a domain account.

More specifics (each scenario below lists the outcome on 3.5 SP1 and on 3.5 RTM):

Default – specify NO identity
  3.5 SP1: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oYG… snip…. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
  3.5 RTM: Accepted (no identity required)

Default – specify bad identity
  3.5 SP1: Accepted (identity not checked)
  3.5 RTM: Accepted (identity not checked)

allowNTLM=false – specify NO identity
  3.5 SP1: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oYG… snip…. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
  3.5 RTM: Accepted (no identity required)

allowNTLM=false – specify bad identity
  3.5 SP1: Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server.
  3.5 RTM: Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server.

Here is the fix, placed in the client configuration file inside the endpoint tags (<endpoint>fix goes here</endpoint>):

<identity>
  <servicePrincipalName value="spn" />
</identity>
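As an added example (this is not code from the original post), here is the same fix applied from code instead of configuration: the client builds an EndpointAddress that carries an SPN identity, which is the programmatic equivalent of the <identity> element above. The IEchoService contract, the service URL and the SPN value are placeholders and must be replaced with the real ones.

```csharp
using System;
using System.ServiceModel;

// Placeholder contract; the real one is whatever the upgraded service exposes.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public static class ClientWithSpn
{
    // Builds a channel factory for a Windows-authenticated (Negotiate) HTTP endpoint and
    // attaches an SPN identity to the endpoint address. This is the code equivalent of
    //   <identity><servicePrincipalName value="..." /></identity>
    // under <endpoint> in the client configuration file.
    public static ChannelFactory<IEchoService> Create(Uri serviceUri, string spn, bool allowNtlm)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // On 3.5 SP1 the call fails with "The target principal name is incorrect" unless an
        // identity is present on the address; CreateSpnIdentity supplies one.
        EndpointIdentity identity = EndpointIdentity.CreateSpnIdentity(spn);
        var address = new EndpointAddress(serviceUri, identity);

        var factory = new ChannelFactory<IEchoService>(binding, address);

        // allowNTLM=false corresponds to the last two rows of the table above: with NTLM
        // fallback disabled, a wrong SPN is not silently accepted but fails with
        // "The requirement for mutual authentication was not met by the remote server".
        factory.Credentials.Windows.AllowNtlm = allowNtlm;
        return factory;
    }

    public static void Main()
    {
        // Placeholder values; use the SPN actually registered for the account the service runs under.
        var serviceUri = new Uri("http://service-host.example.com/EchoService.svc");
        const string spn = "host/service-host.example.com";

        using (ChannelFactory<IEchoService> factory = Create(serviceUri, spn, false /* allowNtlm */))
        {
            IEchoService proxy = factory.CreateChannel();
            try
            {
                Console.WriteLine(proxy.Echo("ping"));
                ((IClientChannel)proxy).Close();
            }
            catch (CommunicationException ex)
            {
                // Both failure modes from the table surface here: MessageSecurityException
                // derives from CommunicationException.
                Console.WriteLine(ex.Message);
                ((IClientChannel)proxy).Abort();
            }
        }
    }
}
```

Passing the SPN in code rather than in configuration makes the dependency explicit, and leaving AllowNtlm at false is the setting under which a mistyped SPN is reported instead of masked by an NTLM fallback.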