AuthenticationException in AppFabric 1.1 Caching for Windows Server

Windows Server AppFabric 1.0 Caching security has a known limitation: when security is enabled, the Caching Service must run under a built-in account such as the NETWORK SERVICE account. AppFabric 1.1 for Windows Server relaxes this limitation. In addition to the NETWORK SERVICE account, you can now run the AppFabric Caching Service as a custom domain account and still have security enabled. See Introducing AppFabric 1.1. However, when you try it, you receive the following exceptions:

[Win32Exception (0x80004005): The target principal name is incorrect]
 
[AuthenticationException: A call to SSPI failed, see inner exception.]
   System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception) +2402124
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +113
   System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
   System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
   System.Net.Security.NegoState.CheckCompletionBeforeNextSend(Byte[] message, LazyAsyncResult lazyResult) +116
   System.Net.Security.NegoState.ProcessReceivedBlob(Byte[] message, LazyAsyncResult lazyResult) +319
   System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult) +1227
   System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult) +2404178
   System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel) +40
   System.ServiceModel.Channels.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity) +279
 
[SecurityNegotiationException: A call to SSPI failed, see inner exception.]
   System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase) +518
   System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData) +401
   Microsoft.ApplicationServer.Caching.OpenDelegate.EndInvoke(IAsyncResult result) +0
   Microsoft.ApplicationServer.Caching.ChannelContainer.Opened(IAsyncResult ar) +128

What the documentation does not mention is a property called DataCacheServiceAccountType. To resolve the error, you must set this security authentication account type to DomainAccount on the client side. The default type is SystemAccount.

You can set it either in app.config or Web.config:

<dataCacheClient name="default" dataCacheServiceAccountType="DomainAccount">

or in the client code:

DataCacheFactoryConfiguration factoryConfig = new DataCacheFactoryConfiguration();
factoryConfig.DataCacheServiceAccountType = DataCacheServiceAccountType.DomainAccount;
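
To find client configurations that still rely on the default account type, the check below parses a .config document and lists every dataCacheClient element that does not set dataCacheServiceAccountType to DomainAccount. It is an added example, not code from the original post or from AppFabric; it assumes the cache cluster runs under a custom domain account, and the sample config with its client and host names is constructed.

```python
import xml.etree.ElementTree as ET

ATTR = "dataCacheServiceAccountType"  # attribute name given in the article
REQUIRED = "DomainAccount"            # value the client needs for a domain-account service
DEFAULT = "SystemAccount"             # default stated in the article when the attribute is absent


def audit_config(xml_text):
    """Return one finding per <dataCacheClient> element in a .config document.

    Each finding is (client_name, effective_account_type, ok). ok is True only
    when the client explicitly sets the account type to DomainAccount.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # iter() matches the element whether it sits directly in <configuration>
    # or inside a <dataCacheClients> wrapper.
    for elem in root.iter("dataCacheClient"):
        name = elem.get("name", "(unnamed)")
        effective = elem.get(ATTR, DEFAULT)
        findings.append((name, effective, effective == REQUIRED))
    return findings


def failing_clients(xml_text):
    """Names of clients that still assume the service runs as a system account."""
    return [name for name, _, ok in audit_config(xml_text) if not ok]


# Constructed sample config: client names and host names are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <dataCacheClients>
    <dataCacheClient name="default" dataCacheServiceAccountType="DomainAccount">
      <hosts><host name="cachehost1" cachePort="22233" /></hosts>
    </dataCacheClient>
    <dataCacheClient name="reports">
      <hosts><host name="cachehost1" cachePort="22233" /></hosts>
    </dataCacheClient>
    <dataCacheClient name="legacy" dataCacheServiceAccountType="SystemAccount">
      <hosts><host name="cachehost1" cachePort="22233" /></hosts>
    </dataCacheClient>
  </dataCacheClients>
</configuration>"""

if __name__ == "__main__":
    for name, effective, ok in audit_config(SAMPLE_CONFIG):
        print(f"{'OK ' if ok else 'FIX'} client={name!r} accountType={effective}")
```

Clients flagged FIX are the ones that would hit the SSPI failure shown above once the Caching Service is moved to a domain account.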

Comments

  • Anonymous
    August 21, 2013
    Thanks so much, this fixed my issue. I am running a web service locally in VS2010 debug mode, and my web service couldn't connect to the app fabric cache. Switching the account type to DomainAccount solved the issue.

  • Anonymous
    October 21, 2013
    Thank you :). This resolved our issue.

  • Anonymous
    June 05, 2014
    You are great...

  • Anonymous
    July 24, 2014
    Awesome, thanks a lot, it resolved my issue.

  • Anonymous
    July 31, 2014
    Thanks, it resolved the issue. There was an error with the attribute - name="default". Just removed it and it's fine.

  • Anonymous
    August 01, 2014
    SK, dataCacheServiceAccountType is an attribute in dataCacheClient. My sample sets the attribute on the default dataCacheClient. msdn.microsoft.com/.../hh351483(v=azure.10).aspx

  • Anonymous
    September 15, 2015
    Thanks a lot!