4

So we have a small app that points to a report on a 2008 SSRS server.

This app works fine normally, but since we added more websites to the server, we have changed the web app binding to something that is not the name of the server.

This has caused us to get the following:

The target principal name is incorrect

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The target principal name is incorrect

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[Win32Exception (0x80004005): The target principal name is incorrect]
System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) +2622099
System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) +99
System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) +767
System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) +18
System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials) +146
System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) +2279623
System.Net.HttpWebRequest.CheckResubmitForAuth() +3031261
System.Net.HttpWebRequest.CheckResubmit(Exception& e) +169

[WebException: The remote server returned an error: (401) Unauthorized.]

We added an SPN for the new binding name to the SSRS server for the ID that runs the app, but nothing.

I see a lot of people who have SSPI issues doing this, but nothing with a 401 error.

The ID we are using has full access to both boxes, and you can go directly from the web server to the SSRS without issue. It's only when it's wrapped in the app that we get an error.

Has anybody run into this issue before?

Thanks

Limey

2 Answers

3

So I believe your web app has a custom host name as opposed to the server name (please correct me if I am wrong here).

The first thing you need to verify is whether this hostname is an A record or a CNAME. You can do a ping on the hostname and see:

  1. If it first resolves to the server name and then the IP, it is a CNAME. You do not need a new SPN in that case, and you need to make sure that the original SPN (the one with the machine name) is using the same identity as the application pool.
  2. If it resolves directly to the server IP, you need a new SPN and need to make sure that the application pool identity and the SPN identity are the same. Make sure useAppPoolCredentials = true (IIS Manager -> Web Site -> Configuration Editor -> system.webServer/security/authentication/windowsAuthentication).
Ravi A.
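The checks from the answer above, collected into one script. This is an added example, not code from the original post; the host name, site name and application pool name are placeholders, and it assumes it is run on the IIS server with the DnsClient and WebAdministration modules available and rights to query Active Directory.

```powershell
# Added example: all three parameter defaults are placeholders, replace them.
param(
    [string]$HostName = 'reports.example.com',   # custom binding name (placeholder)
    [string]$SiteName = 'Default Web Site',      # IIS site (placeholder)
    [string]$AppPool  = 'DefaultAppPool'         # application pool (placeholder)
)
Import-Module WebAdministration

# 1. CNAME or A record? Resolve-DnsName returns the whole answer chain.
$answers = Resolve-DnsName -Name $HostName -ErrorAction Stop |
           Where-Object { $_.Section -eq 'Answer' }
$cname = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -Last 1
if ($cname) {
    $spnHost = $cname.NameHost
    "$HostName is a CNAME for $spnHost; check the existing machine-name SPN."
} else {
    $spnHost = $HostName
    "$HostName is an A record; it needs its own SPN."
}

# 2. Which account holds the HTTP SPN? setspn -Q prints the owner's DN.
$spn    = "HTTP/$spnHost"
$lookup = setspn -Q $spn
$lookup
$holders = @($lookup | Where-Object { $_ -match '^CN=' })
if ($holders.Count -eq 0) { Write-Warning "$spn is not registered." }
if ($holders.Count -gt 1) { Write-Warning "$spn is registered on more than one account." }

# 3. Which identity does the application pool run as?
$pm = (Get-Item "IIS:\AppPools\$AppPool").processModel
$identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
"Application pool '$AppPool' runs as: $identity"

# 4. Is Windows authentication set to use the application pool credentials?
$useAppPool = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials').Value
"useAppPoolCredentials = $useAppPool"
```

Compare the account printed in step 2 with the identity printed in step 3; per the answer they have to be the same account.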
2

So I did find the answer, and it was a double hop authentication issue.

You can find better descriptions out there, but basically the site tries to authenticate twice (once to the web server, once to the SQL server); however, Windows will only pass your login AND password on once. After that, it only passes the ID.

The solution is you need to have the app pool of the application use a Kerberos enabled ID, just like you would need if you were using Load Balance.

Limey
  • Hi, I am having the same issue; can you be a bit more specific about how exactly you fixed this please? – dragonfly02 Sep 23 '16 at 08:38
  • Answering this late, but you need a Kerberos enabled ID (talk to your admins, they should know how to create one). Then just use that ID in the appPool. The work is really all on the admin side. – Limey Jul 28 '17 at 17:40