Microsoft Endpoint Security Review

I received the following error when connecting to a WCF service hosted on a remote server:

System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with ‘ for target ‘ failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity ‘host/ SERVERNAME’ . If the server is running in a service account (Network Service for example), specify the account’s ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account’s UserPrincipalName as the identity in the EndpointAddress for the server.
    at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob)
    at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
    at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState)
    at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
    --- End of inner exception stack trace ---
Server stack trace:
    at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
    at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
    at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
    at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
    at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
    at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
    at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
    at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    at DevSQL.Replicator.SignalerSvc.ISignaler.Ping()
    at DevSQL.Replicator.SignalerSvc.SignalerClient.Ping() in …SignalerSvc\Reference.cs:line 118
    at DevSQL.Replicator.BackupUtility.signalRemoteServers() in …\BackupUtility.cs:line 84

The .NET Framework 3.5 SP1 README gives the answer:

2.3.2.2 Breaking changes in the SspiNegotiatedOverTransport authentication mode

When WSHttpBinding, WS2007HttpBinding, or NetTcpBinding is used with SecurityMode = TransportWithMessageCredential and a client credential type of Windows, clients that previously authenticated to a service by using NTLM will now fail to authenticate, with the following error:

"System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity ‘host/<hostname>’. If the server is running in a service account (Network Service for example), specify the account’s ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account’s UserPrincipalName as the identity in the EndpointAddress for the server."

The error appears when the service is running on an account that has an identity other than ‘host/<hostname>’. This issue also applies to CustomBindings, which specify the SspiNegotiatedOverTransport authentication mode.

To resolve this issue: If possible, clients should be updated by using a UPN or SPN endpoint identity that specifies the identity of the service so that Kerberos authentication occurs. The following configuration snippet shows how to do this in the UPN case; the SPN case is similar, but the <servicePrincipalName> element is used instead.

    <system.serviceModel>
      <client>
        <endpoint>
          <identity>
            <userPrincipalName value="user@domain" />
          </identity>
        </endpoint>
      </client>
    </system.serviceModel>

Additionally, clients that use NetTcpBinding or CustomBindings, with SspiNegotiatedOverTransport specified in the stack over SslStreamSecurityBindingElement, must specify a custom IdentityVerifier in the code to perform the CN check of the service’s certificate. The following code snippet shows how to do this and provides a starting point for IdentityVerifier implementations.
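The README's own IdentityVerifier snippet is not reproduced on this page, so the following is an added example (not the README's code and not the DevSQL project's code) of the client side of the fix it describes: the EndpointAddress carries an SPN identity so Kerberos is negotiated, and a custom IdentityVerifier on the SslStreamSecurityBindingElement performs the certificate CN check. The contract type, the net.tcp port and path, and the rule that the expected CN is the host part of a "host/SERVERNAME" SPN are assumptions for the example.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// The endpoint carries an SPN identity so Kerberos is negotiated; the SSL certificate is then
// checked here by comparing its subject CN with the host name taken from that identity.
sealed class CnIdentityVerifier : IdentityVerifier
{
    public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
        => IdentityVerifier.CreateDefault().TryGetIdentity(reference, out identity); // address's own identity
    public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
    {
        string expectedHost = ExpectedHost(identity);
        if (expectedHost == null) return false;
        foreach (ClaimSet set in authContext.ClaimSets)
        {
            var certSet = set as X509CertificateClaimSet;
            if (certSet == null) continue;
            // SimpleName yields the subject CN; it must agree with the SPN host part (short name vs FQDN).
            string cn = certSet.X509Certificate.GetNameInfo(X509NameType.SimpleName, false);
            if (string.Equals(cn, expectedHost, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return false; // no presented certificate matched the expected CN
    }

    // Assumed rule: "host/SERVER" -> "SERVER" for an SPN identity; a DNS identity is used as-is.
    static string ExpectedHost(EndpointIdentity identity)
    {
        string value = identity?.IdentityClaim.Resource as string;
        if (identity is DnsEndpointIdentity) return value;
        if (identity is SpnEndpointIdentity && value != null &&
            value.StartsWith("host/", StringComparison.OrdinalIgnoreCase)) return value.Substring(5);
        return null;
    }

    // Client wiring for the README's case (SspiNegotiatedOverTransport over SslStream); port and path assumed.
    public static TContract CreateClient<TContract>(string serverName, string serviceSpn)
    {
        var binding = new CustomBinding(SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(),
            new BinaryMessageEncodingBindingElement(),
            new SslStreamSecurityBindingElement { IdentityVerifier = new CnIdentityVerifier() },
            new TcpTransportBindingElement());
        var address = new EndpointAddress(new Uri($"net.tcp://{serverName}:8000/Signaler"), EndpointIdentity.CreateSpnIdentity(serviceSpn));
        return new ChannelFactory<TContract>(binding, address).CreateChannel();
    }
}
```

Pass the SPN of the account the service actually runs under (for example "host/SERVERNAME" for a machine account); if the service runs as a domain user, use EndpointIdentity.CreateUpnIdentity("user@domain") instead, as the README's UPN configuration does.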
