Error: The target principal name is incorrect

July 17, 2008

Why Can Fail?!

After <security mode="Transport"> is set, when my web application tries to call my WCF service, which resides on a different server, this error pops up.

“The target principal name is incorrect.”

( >_< )

Why Like That?!

Apparently this issue has to do with Kerberos authentication, NTLM, SPNs and all that stuff. (Others are welcome to give a more accurate definition of “all that stuff”.) If the client and service reside on the same server, all works fine, as NTLM is used. On separate servers, Kerberos authentication is used, which fails.

What To Do?!

A workaround is to insert a dummy identity element into the endpoint section of the client config.

<client>
  <endpoint name=""
            address="http://localhost:8000/servicemodelsamples/service"
            binding="wsHttpBinding"
            bindingConfiguration="Binding1"
            contract="ICalculator">

    <!-- Dummy SPN: Kerberos fails against it, then the call falls back to NTLM -->
    <identity>
      <servicePrincipalName value="MYSERVICE/MyMachine"/>
    </identity>

  </endpoint>
</client>

Ironically, what this does is force the service to fall back to NTLM authentication after Kerberos authentication using the dummy identity element fails. The service does not fall back to NTLM authentication without an identity element, don’t ask me why…. ( @_@; )

A more concrete solution seems to be to define the ServicePrincipalName for the assigned username, or to run the service (or client) under higher privileges. Both of these solutions have yet to be tested. To be investigated further if time permits.
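
Until a real SPN is registered, it helps to know which client endpoints still depend on the dummy-identity workaround. The script below is an added example, not code from the original post: it lists each client endpoint and flags any whose servicePrincipalName host does not match the host in its address. The names audit_endpoints and spn_host, the sample config and the short-hostname comparison rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: "workaround" is the endpoint from this post, "matched"
# carries an SPN naming its own host, "implicit" has no identity element.
SAMPLE_CONFIG = """<configuration><system.serviceModel><client>
  <endpoint name="workaround"
            address="http://localhost:8000/servicemodelsamples/service"
            binding="wsHttpBinding" contract="ICalculator">
    <identity><servicePrincipalName value="MYSERVICE/MyMachine"/></identity>
  </endpoint>
  <endpoint name="matched" address="http://appsrv01.example.test:8000/calc"
            binding="wsHttpBinding" contract="ICalculator">
    <identity><servicePrincipalName value="HTTP/appsrv01.example.test:8000"/></identity>
  </endpoint>
  <endpoint name="implicit" address="http://appsrv02.example.test/calc"
            binding="wsHttpBinding" contract="ICalculator"/>
</client></system.serviceModel></configuration>"""

def spn_host(spn):
    """Return the lower-cased host of 'class/host[:port][/name]', else None."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return parts[1].split(":")[0].lower()

def audit_endpoints(config_xml):
    """Return a list of (endpoint name, finding) for every endpoint element."""
    findings = []
    for ep in ET.fromstring(config_xml).iter("endpoint"):
        host = (urlparse(ep.get("address", "")).hostname or "").lower()
        spn_el = ep.find("identity/servicePrincipalName")
        if spn_el is None:
            finding = "no-spn"  # identity is left to WCF's default
        else:
            target = spn_host(spn_el.get("value", ""))
            if target is None:
                finding = "malformed-spn"
            # Assumed heuristic: compare short host names so FQDN == NetBIOS.
            elif target.split(".")[0] == host.split(".")[0]:
                finding = "ok"
            else:
                finding = "spn-host-mismatch"  # likely dummy SPN, NTLM fallback
        findings.append((ep.get("name", ""), finding))
    return findings

if __name__ == "__main__":
    for name, finding in audit_endpoints(SAMPLE_CONFIG):
        print(f"{name or '(unnamed)'}: {finding}")
```

A "spn-host-mismatch" result is only a pointer for review: an SPN can legitimately name a different host, for example when the service sits behind an alias.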

Where Got Clue?!

I got the information from these 2 forum posts.

http://www.bokebb.com/dev/english/2047/posts/204720629.shtml

http://www.bokebb.com/dev/english/2047/posts/204721253.shtml