WCF 3.5 SP1 issue with service to service authentication error (caller not authenticated)

April 6, 2009 by
Filed under: Programming, Software Configuration, WCF 

I recently discovered an issue with WCF 3.5 SP1. Specifically, the error is "The caller was not authenticated by the service":

System.ServiceModel.Security.SecurityNegotiationException was unhandled
  Message="The caller was not authenticated by the service."

My setup was using WSHttpBinding with message security, and it worked locally but not on a hosted machine in a domain.  I had two services on the same box, calling each other, and this issue cropped up.  I was using the DNS as the identity in the configuration file; however, there was a change in 3.5 SP1 and now it requires either an SPN (service principal name) or a UPN (user principal name) to work correctly.  The interesting thing is you don't even need to know the SPN, since it is automatically created when the service is hosted.  This is only needed for the client configuration calling the services.

You can leave the SPN blank and it will work if the default is Kerberos; otherwise you will want to specify the specific SPN for Negotiate to fall back on.

So, if the host is running with user credentials, you should use its UPN:

<userPrincipalName value="user@example.com" />

And if the host is running as a service, specify the SPN:

<servicePrincipalName value="Host/MACHINENAME" />
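
For context, here is where the identity element sits in a client configuration. This is an added example, not the original post's configuration: the endpoint address, contract name, and the endpoint and binding names are assumptions, and Windows client credentials are assumed for the message security.

```xml
<!-- Added example: client-side config for one service calling another
     on the same machine. Address, contract and names are hypothetical. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="messageSecurityBinding">
        <!-- WSHttpBinding with message security, as in the post.
             Windows credentials are an assumption. -->
        <security mode="Message">
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint name="ServiceBClient"
              address="http://MACHINENAME/ServiceB/ServiceB.svc"
              binding="wsHttpBinding"
              bindingConfiguration="messageSecurityBinding"
              contract="Example.Contracts.IServiceB">
      <identity>
        <!-- Before (the DNS identity that stopped working for the post's
             author after 3.5 SP1):
             <dns value="MACHINENAME" />                              -->

        <!-- After, when the host runs as a service: -->
        <servicePrincipalName value="Host/MACHINENAME" />

        <!-- After, when the host runs under a user account, use this
             instead of servicePrincipalName (one identity per endpoint):
             <userPrincipalName value="user@example.com" />           -->
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

The identity element states which account the client expects the service to be running as, so a mismatch between this value and the account actually hosting the service makes the security negotiation fail.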

I hope this helps.


3 Comments on WCF 3.5 SP1 issue with service to service authentication error (caller not authenticated)

  1. Durgesh Rai on Thu, 21st May 2009 5:06 am

    Nice article.. really helpful for me
    it solved my problem…

    Thanks a lot…

  2. Cuong Bui on Sun, 12th Dec 2010 3:52 am

    Simple article but the result is very good. It solved my problem! Many thanks!

  3. Trikks on Sun, 27th Mar 2011 11:13 am

    Thank you very much!
    Helped me a lot! :)
