I have been receiving this error when making a call to a WCF service from an ASP.Net application:

Unhandled Exception: System.InvalidOperationException

System.InvalidOperationException: The entry found in AuthenticationManager's CustomTargetNameDictionary for {URL} does not match the requested identity of host/{Hostname}.

Server stack trace: 
   at System.ServiceModel.Channels.HttpTransportSecurityHelpers.AddIdentityMapping(Uri via, EndpointAddress target)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.PrepareOpen()
   at System.ServiceModel.Channels.HttpsChannelFactory.HttpsRequestChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

The strange part about it is that I cannot reproduce it on any machine other than our production web servers, and it only happens sporadically. The service requires Active Directory authentication but I am sure that the user has the correct permission set.

It doesn't seem to be a problem with the WCF config because it works sometimes, and other applications make calls to the same service without error.

I have already tried completely recreating the user, recreating the app pool that it runs in and re-installing the application. Thanks for the help!

A: 

Hi,

This seems to match the "old" problem with "broken impersonation". Which part of your solution runs with which credentials? If your Web user (even if he is logged in to your domain) is impersonated correctly in the ASP.net application, your chain might break when calling the WS (and the AD from there on). So make sure that your WS runs with a user context, and it is allowed to access the AuthManager parts. If you need, make sure that Kerberos delegation is either enabled on the user account or on the machine accounts.

(You might not see this problem when developing on your PC 'cause you probably run as Admin and have "debug" permissions.)

HTH, Thomas
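
To answer the "which part runs with which credentials" question on the production servers, the ASP.NET application can log its own identities just before the WCF call. The following is an added example, not code from the question or the answer; it assumes .NET Framework on Windows, and the `IdentityProbe` class name is hypothetical.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic sketch (not from the thread). Assumes .NET Framework on Windows.
// IdentityProbe is a hypothetical helper name.
public static class IdentityProbe
{
    // Describes which Windows identity an outbound call made right now would use.
    public static string Describe()
    {
        // GetCurrent(true) is non-null only when the thread carries an impersonation token.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent(true))
        {
            string process = ProcessIdentityName();
            if (thread == null)
                return "No impersonation: outbound calls use the app pool identity " + process;

            // With Integrated Windows authentication, only a Delegation-level token
            // can be used for a call to another machine (the "second hop").
            string hop = thread.ImpersonationLevel == TokenImpersonationLevel.Delegation
                ? "can be used for a call to another machine"
                : "is usable on this server only";
            return string.Format(
                "Impersonating {0} via {1}, level {2}: token {3}. App pool identity: {4}",
                thread.Name, thread.AuthenticationType, thread.ImpersonationLevel, hop, process);
        }
    }

    // Temporarily reverts to the process token to read the app pool account name.
    private static string ProcessIdentityName()
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity self = WindowsIdentity.GetCurrent())
        {
            return self.Name;
        }
    }
}
```

Writing the result of `IdentityProbe.Describe()` to the application log on both a failing and a succeeding request shows whether the two requests reached the service call under different identities or impersonation levels.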
