WCF Kerberos SSPI Fails when one Domain Controller is down


My WCF service is using Windows Authentication with Kerberos; we disable NTLM. The service is running under one domain user account and the client under a different domain user account, and both are configured using UPN. Both client and service are in the same domain, and the domain has two domain controllers.

The communication between the client and the service runs smoothly without any issues when both domain controllers are online. If one of the domain controllers is down, I get the following error.

A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you

Please advise what I should do to eliminate this error. Thanks.

There is 1 answer

John Larson

Yes, I happen to know what this is from. I just spent two and a half days trying to figure this out. It caused absolute chaos in my network of 60 workstations. Ahhhh! I was pulling my hair out. MCSE since 2005.

The problem is with IPv6. Our replacement Comcast business router was pushing a hidden scope to my LAN and superseding my IPv4 scope inside the domain. This meant the domain names were not valid because IPv6 was washing them out. The second I turned off the IPv6 protocol on my workstations, the error went away.

It's worth mentioning there were other problems - printing, application software - really one of my worst experiences on a LAN in my life. Simple fix, but I was not able to find it online. So I hope this helps someone out there.
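
One way to check a workstation for the condition the answer describes, as an added example that is not part of the original question or answer: it asks every DNS server the client is configured to use, IPv4 and IPv6, for the domain's Kerberos SRV record and flags any server that cannot return a domain controller. It assumes a domain-joined Windows client with the built-in DnsClient module and takes the domain name from `USERDNSDOMAIN`.

```powershell
# Added diagnostic sketch, not code from the original thread.
# Assumption: run in a domain user session on a domain-joined client.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'USERDNSDOMAIN is empty; run this in a domain user session.' }
$srvName = "_kerberos._tcp.$domain"

# Every DNS server configured on every interface, tagged by address family.
$servers = Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($addr in $_.ServerAddresses) {
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Family    = if ($addr -like '*:*') { 'IPv6' } else { 'IPv4' }
                Server    = $addr
            }
        }
    }

# Ask each server directly for the Kerberos SRV record of the domain.
$results = foreach ($s in $servers) {
    $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $s.Server `
                              -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
    $dcs = @($answer | Where-Object { $_.Type -eq 'SRV' } |
             ForEach-Object { $_.NameTarget })
    [pscustomobject]@{
        Interface = $s.Interface
        Family    = $s.Family
        Server    = $s.Server
        CanFindDC = ($dcs.Count -gt 0)
        DCs       = ($dcs -join ', ')
    }
}

$results | Sort-Object Family, Interface | Format-Table -AutoSize

# A DNS server that cannot answer the SRV lookup is one to investigate,
# for example an address handed out by a router instead of by the domain.
$suspect = @($results | Where-Object { -not $_.CanFindDC })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) configured DNS server(s) returned no SRV records for $srvName"
}
```

Running it once with both domain controllers online and once with one of them offline shows whether the remaining controller is still discoverable through every DNS server the client uses.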