Replication: System.ComponentModel.Win32Exception: The target principal name is incorrect


Patrick Carroll

Dec 19, 2012, 2:41:24 PM
to rav...@googlegroups.com
We have 3 Raven instances on 3 separate machines.
We're using the same domain-based service account for all instances; it is in local administrators on all machines and it's a member of

    <add key="Raven/Authorization/Windows/RequiredGroups" value="RavenUsers"/>

which is in the config on all replication partners.

They could be VM clones...
Do I need to rebuild them?
Replication is failing with:


System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
   at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
   at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
   at System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
   at System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
   at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials)
   at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
   at System.Net.HttpWebRequest.CheckResubmitForAuth()
   at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Raven.Abstractions.Connection.HttpRavenRequest.SendRequestToServer(Action`1 action) in c:\Builds\RavenDB-Stable\Raven.Abstractions\Connection\HttpRavenRequest.cs:line 201
   at Raven.Abstractions.Connection.HttpRavenRequest.ExecuteRequest() in c:\Builds\RavenDB-Stable\Raven.Abstractions\Connection\HttpRavenRequest.cs:line 158
   at Raven.Bundles.Replication.Tasks.ReplicationTask.TryReplicationDocuments(ReplicationStrategy destination, RavenJArray jsonDocuments)
thx

Oren Eini (Ayende Rahien)

Dec 19, 2012, 3:43:59 PM
to rav...@googlegroups.com

Patrick Carroll

Dec 28, 2012, 10:58:22 AM
to rav...@googlegroups.com
We checked AD replication with the tool from Microsoft,
which did not reveal any replication issues.
Next tried the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck=1 REG_DWORD
which did not work.
Tried giving the 3 services SPNs and allowing the user running them to be trusted for delegation to any service.

The only way I can get replication to work is to set

    <add key="Raven/AnonymousAccess" value="All"/>

    <add key="Raven/Authorization/Windows/RequiredGroups" value="*"/>

Which somewhat defeats the purpose of my hardening exercise, well blows it open actually.

I have replicated this on 2 different rigs now with build 960 and 992 so I think it's a bug.
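A check for the two workaround settings quoted in the post above, so that a change made while troubleshooting does not stay in a deployed config. This is an added example, not part of the thread and not RavenDB's own code; the function name `audit_config` and both sample configs are constructed, and the flagged values are the ones the post gives.

```python
import xml.etree.ElementTree as ET

# Values the poster reports as the only combination that let replication work,
# and describes as undoing the hardening. Keys are compared case-insensitively.
WORKAROUND_VALUES = {
    "raven/anonymousaccess": "all",
    "raven/authorization/windows/requiredgroups": "*",
}

def audit_config(xml_text):
    """Return (key, value) for every <appSettings>/<add> entry that matches a
    workaround value. Every occurrence is checked, so a duplicate key cannot
    hide a weak entry behind a strict one."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("appSettings"):
        for entry in section.findall("add"):
            key = (entry.get("key") or "").strip()
            value = (entry.get("value") or "").strip()
            weak = WORKAROUND_VALUES.get(key.lower())
            if weak is not None and value.lower() == weak:
                findings.append((key, value))
    return findings

# Constructed sample: the workaround settings from the post.
WORKAROUND_CONFIG = """
<configuration>
  <appSettings>
    <add key="Raven/AnonymousAccess" value="All"/>
    <add key="Raven/Authorization/Windows/RequiredGroups" value="*"/>
  </appSettings>
</configuration>
"""

# Constructed sample: the group restriction from the first post.
HARDENED_CONFIG = """
<configuration>
  <appSettings>
    <add key="Raven/Authorization/Windows/RequiredGroups" value="RavenUsers"/>
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    for name, text in (("workaround", WORKAROUND_CONFIG), ("hardened", HARDENED_CONFIG)):
        hits = audit_config(text)
        print(name, "->", hits if hits else "no workaround settings found")
```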

Oren Eini (Ayende Rahien)

Dec 28, 2012, 12:12:06 PM
to rav...@googlegroups.com
Can you try this on 2.0?

Patrick Carroll

Jan 2, 2013, 7:23:52 AM
to rav...@googlegroups.com
Sure Ayende,
I'll try it out as soon as I have a spare moment.... before 9 Jan 13 in any event.

Patrick Carroll

Jan 9, 2013, 10:46:06 AM
to rav...@googlegroups.com
Still the same error in the event log:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ravendb98
but now NO record in the RavenDB logs.
If I amend the raven.server.config as previously described, it works again.
N.B. these are new databases on the release version.

Oren Eini (Ayende Rahien)

Jan 13, 2013, 3:52:32 AM
to ravendb
Can you use the API Keys, instead?

Patrick Carroll

Jan 16, 2013, 2:51:02 AM
to rav...@googlegroups.com
Sure - that works fine. I'd like to track this; it's a workaround for my preferred solution, which is to use AD.
Thanks Oren.