AuthenticationException in AppFabric 1.1 Caching for Windows Server

There is a known limitation in Windows Server AppFabric 1.0 Caching security. That is, when the security is enabled, the Caching Service must run under a build-in account such as the NETWORK SERVICE account. This limitation is improved in AppFabric 1.1 for Windows Server. In addition to the NETWORK SERVICE account, you can now run the AppFabric Caching Service as a custom domain account and still have the security enabled. See Introducing AppFabric 1.1. However when you try it, you receive some exceptions:

[Win32Exception (0x80004005): The target principal name is incorrect]
 
[AuthenticationException: A call to SSPI failed, see inner exception.]
   System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception) +2402124
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +113
   System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
   System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
   System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
   System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
   System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult) +2404178
   System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel) +40
   System.ServiceModel.Channels.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity) +279
 
[SecurityNegotiationException: A call to SSPI failed, see inner exception.]
   System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase) +518
   System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData) +401
   Microsoft.ApplicationServer.Caching.OpenDelegate.EndInvoke(IAsyncResult result) +0
   Microsoft.ApplicationServer.Caching.ChannelContainer.Opened(IAsyncResult ar) +128

What is missing in the documentation is a property called DataCacheServiceAccountType. You must set the security authentication account type to DomainAccount on the client side to resolve the error. The default type is SystemAccount.

You do this either in the app.config or Web.config:

<dataCacheClient name="default" dataCacheServiceAccountType="DomainAccount">

or in the client code:

DataCacheFactoryConfiguration factoryConfig = new DataCacheFactoryConfiguration();
factoryConfig.DataCacheServiceAccountType = DataCacheServiceAccountType.DomainAccount;