AuthenticationException in AppFabric 1.1 Caching for Windows Server
Windows Server AppFabric 1.0 Caching security has a known limitation: when security is enabled, the Caching Service must run under a built-in account such as the NETWORK SERVICE account. AppFabric 1.1 for Windows Server relaxes this limitation. In addition to the NETWORK SERVICE account, you can now run the AppFabric Caching Service as a custom domain account and still have security enabled. See Introducing AppFabric 1.1. However, when you try it, you receive the following exceptions:
[Win32Exception (0x80004005): The target principal name is incorrect]
[AuthenticationException: A call to SSPI failed, see inner exception.]
System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception) +2402124
System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +113
System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult) +2404178
System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel) +40
System.ServiceModel.Channels.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity) +279
[SecurityNegotiationException: A call to SSPI failed, see inner exception.]
System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase) +518
System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData) +401
Microsoft.ApplicationServer.Caching.OpenDelegate.EndInvoke(IAsyncResult result) +0
Microsoft.ApplicationServer.Caching.ChannelContainer.Opened(IAsyncResult ar) +128
What is missing in the documentation is a property called DataCacheServiceAccountType. You must set the security authentication account type to DomainAccount on the client side to resolve the error. The default type is SystemAccount.
You can do this either in app.config or Web.config:
<dataCacheClient name="default" dataCacheServiceAccountType="DomainAccount">
or in the client code:
DataCacheFactoryConfiguration factoryConfig = new DataCacheFactoryConfiguration();
factoryConfig.DataCacheServiceAccountType = DataCacheServiceAccountType.DomainAccount;
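The following is an added example, not code from the original post: a complete client that keeps transport security enabled while setting the account type, and that reports whether a failure is the SSPI negotiation error from the trace above. The class name, host name and cache key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Authentication;
using System.ServiceModel.Security;
using Microsoft.ApplicationServer.Caching;

class CacheClientProbe // hypothetical name
{
    // True when the exception chain contains one of the SSPI negotiation
    // exception types that appear in the stack trace above.
    static bool IsSspiFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
            if (e is AuthenticationException || e is SecurityNegotiationException)
                return true;
        return false;
    }

    static void Main()
    {
        var config = new DataCacheFactoryConfiguration();
        // Assumed host name; 22233 is the default cache port.
        config.Servers = new List<DataCacheServerEndpoint>
        {
            new DataCacheServerEndpoint("cachehost1.example.test", 22233)
        };
        // Security stays enabled; only the expected service account type changes.
        config.SecurityProperties = new DataCacheSecurity(
            DataCacheSecurityMode.Transport, DataCacheProtectionLevel.EncryptAndSign);
        config.DataCacheServiceAccountType = DataCacheServiceAccountType.DomainAccount;

        try
        {
            using (var factory = new DataCacheFactory(config))
            {
                DataCache cache = factory.GetDefaultCache();
                cache.Put("probe-key", "ok"); // constructed sample key and value
                Console.WriteLine("Authenticated round trip: " + cache.Get("probe-key"));
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(IsSspiFailure(ex)
                ? "SSPI negotiation failed: check DataCacheServiceAccountType against the account the Caching Service runs as."
                : "Other failure: " + ex.Message);
        }
    }
}
```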