4
votes

My WCF Service is using Windows Authentication with Kerberos; we disabled NTLM. The service is running under one domain user account and the client under a different domain user account, and both are configured using UPN. Both client and service are in the same domain, and the domain has two domain controllers.

The communication between the client and the service runs smoothly without any issues when both domain controllers are online. If one of the domain controllers is down, I get the following error:

A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you

Please advise what I should do to eliminate this error. Thanks.

1
I suspect a configuration error in one or both domain controllers. Some very general information is here. Is it possible to enable WCF tracing, then post the portion of the trace that documents the error? - Andrew

@JohnHpa, the error implies that you're re-using the ticket; in that instance I assume that the apps (client/service) were online and the second DC was shut down. What if you start the app AFTER the DC was shut down? Also, are you getting the tickets on behalf of the user or are you relying on the OS impersonation? Specifically, if the user logged on to a DC that is unavailable, the app may be trying to use their ticket from that DC, and that is unverifiable in the service. - zaitsman

Thanks @zaitsman. The getting of the tickets relies on the OS. I need to try starting the app AFTER the DC was shut down. I haven't tried it yet. - John Hpa

1 Answer

4
votes

Yes, I happen to know what this is from. I just spent 2 and a half days trying to figure this out. It caused absolute chaos in my network of 60 workstations. Ahhhh! I was pulling my hair out. MCSE since 2005.

The problem is with IPv6. Our replacement Comcast business router was pushing a hidden scope to my LAN and superseding my IPv4 scope inside the domain. This meant the domain names were not valid because IPv6 was washing them out. The second I turned off the IPv6 protocol on my workstations, the error went away.

It's worth mentioning there were other problems - printing, application software - really one of my worst experiences on a LAN in my life. Simple fix, but I was not able to find it online. So I hope this helps someone out there.
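A diagnostic pass, added here as an example and not part of the original question or answer, that checks the two things raised in the thread: which DNS servers (IPv4 and IPv6) the workstation is actually using and whether it can still locate a KDC through them, plus the cached Kerberos tickets that the comments suspect are being reused. It assumes a domain-joined Windows host; `$Domain` defaults to the logon domain and is a placeholder.

```powershell
# Added diagnostic for the symptom discussed in this thread (not from the original post).
# Assumptions: domain-joined Windows workstation, PowerShell 3+; $Domain is a placeholder.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Which DNS servers does each adapter use, per address family?
#    An IPv6 DNS server handed out by a non-domain router (the answer's culprit)
#    shows up here even when the IPv4 servers still point at the domain controllers.
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses |
    Format-Table -AutoSize

# 2. Can the KDC locator SRV record be resolved through the current resolver?
#    Kerberos clients find KDCs via _kerberos._tcp.dc._msdcs.<domain>; if the
#    resolver is the router rather than a domain DNS server, this returns nothing.
$srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No KDC SRV records for $Domain - the active resolver is not a domain DNS server."
} else {
    $srv | Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
}

# 3. Which domain controller does the DC locator pick right now?
#    With one DC offline this should still succeed if DNS and the other DC are healthy.
nltest /dsgetdc:$Domain

# 4. Which Kerberos tickets does this logon session hold, and which KDC issued them?
#    A ticket obtained before a DC went down matches the comment about reusing a
#    ticket that the service can no longer verify against that DC.
klist
```

Run it once while both DCs are up and once with one DC down; a change in the resolved SRV targets or in the DNS server list between the two runs points at name resolution rather than at the WCF binding.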