AuthenticationException in AppFabric 1.1 Caching for Windows Server


Windows Server AppFabric 1.0 Caching security has a known limitation: when security is enabled, the Caching Service must run under a built-in account such as the NETWORK SERVICE account. AppFabric 1.1 for Windows Server relaxes this limitation. In addition to the NETWORK SERVICE account, you can now run the AppFabric Caching Service as a custom domain account and still have security enabled. See Introducing AppFabric 1.1. However, when you try it, you receive the following exceptions:

[Win32Exception (0x80004005): The target principal name is incorrect]
 
[AuthenticationException: A call to SSPI failed, see inner exception.]
   System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception) +2402124
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +113
   System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
   System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
   System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
   System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
   System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult) +2404178
   System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel) +40
   System.ServiceModel.Channels.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity) +279
 
[SecurityNegotiationException: A call to SSPI failed, see inner exception.]
   System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase) +518
   System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData) +401
   Microsoft.ApplicationServer.Caching.OpenDelegate.EndInvoke(IAsyncResult result) +0
   Microsoft.ApplicationServer.Caching.ChannelContainer.Opened(IAsyncResult ar) +128

What is missing in the documentation is a property called DataCacheServiceAccountType. You must set the security authentication account type to DomainAccount on the client side to resolve the error. The default type is SystemAccount.

You do this either in the app.config or Web.config:

<dataCacheClient name="default" dataCacheServiceAccountType="DomainAccount">

or in the client code:

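// Types are in the Microsoft.ApplicationServer.Caching namespace.
DataCacheFactoryConfiguration factoryConfig = new DataCacheFactoryConfiguration();
// Override the client default (SystemAccount) because the Caching Service runs as a domain account.
factoryConfig.DataCacheServiceAccountType = DataCacheServiceAccountType.DomainAccount;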
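A pre-deployment check for the setting described above, as an added example that is not part of the original post or of AppFabric: it parses an app.config or Web.config and reports each dataCacheClient whose effective dataCacheServiceAccountType (the explicit attribute, or the SystemAccount default) differs from the account type the Caching Service runs under. The function names, the sample XML, its `dataCacheClients` wrapper and the second client named `reports` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Client-side default stated in the article: used when the attribute is absent.
DEFAULT_ACCOUNT_TYPE = "SystemAccount"

# Constructed sample config (not from the original post). The wrapper element
# and the "reports" client are assumptions made for this example.
SAMPLE_CONFIG = """<configuration>
  <dataCacheClients>
    <dataCacheClient name="default" dataCacheServiceAccountType="DomainAccount" />
    <dataCacheClient name="reports" />
  </dataCacheClients>
</configuration>"""


def audit_cache_clients(config_xml, service_account_type="DomainAccount"):
    """Return (client name, effective account type, matches service) per client.

    service_account_type is what the Caching Service actually runs as:
    "DomainAccount" for a custom domain account, "SystemAccount" for a
    built-in account such as NETWORK SERVICE.
    """
    root = ET.fromstring(config_xml)
    results = []
    # iter() also yields the root, so a bare <dataCacheClient> fragment works.
    for element in root.iter("dataCacheClient"):
        name = element.get("name", "(unnamed)")
        effective = element.get("dataCacheServiceAccountType", DEFAULT_ACCOUNT_TYPE)
        results.append((name, effective, effective == service_account_type))
    return results


def clients_needing_change(config_xml, service_account_type="DomainAccount"):
    """Names of clients expected to fail SSPI negotiation with this service."""
    return [name for name, _, ok in
            audit_cache_clients(config_xml, service_account_type) if not ok]


if __name__ == "__main__":
    for name, effective, ok in audit_cache_clients(SAMPLE_CONFIG):
        status = "ok" if ok else "MISMATCH: set dataCacheServiceAccountType"
        print(f"{name}: {effective} -> {status}")
```

A client that omits the attribute is reported as SystemAccount, which is the case that produces the AuthenticationException shown above once the service runs as a domain account.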

Comments (7)

  1. AP says:

    Thanks so much, this fixed my issue.  I am running a web service locally in VS2010 debug mode, and my web service couldn't connect to the app fabric cache.  Switching the account type to DomainAccount solved the issue.

  2. Ckalyanpur says:

    Thank you :). This resolved our issue.

  3. Thanks Buddy says:

    You are great…

  4. # says:

    awesome, thanks a lot, it resolved my issue.

  5. SK says:

    Thanks, it resolved the issue. There was an error with the attribute – name="default". Just removed and it's fine.

  6. davidqiu says:

    SK,

    dataCacheServiceAccountType is an attribute in dataCacheClient. My sample sets the attribute on the default dataCacheClient.  

    msdn.microsoft.com/…/hh351483(v=azure.10).aspx

  7. ashaalex says:

    Thanks a lot!
