Microsoft .NET Framework 3.5 SP1 breaks Microsoft CCF (Customer Care Framework)

So you're seeing this exception in your WCF client application after installing .NET Framework 3.5 SP1:

System.ServiceModel.Security.MessageSecurityException occurred Message="The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘Negotiate

As described in this bug report, Microsoft classifies this as a known issue, and the bug has been resolved as ‘By Design’.

The fix is to add an identity element to the WCF endpoint, like this:

<identity>
    <userPrincipalName value="WcfServiceAccount@domain" />
</identity>

But the problem with CCF is that the URLs for some of the endpoints are read from a database in code and set through the proxy class. When you do this, the identity from the config file does not flow through, resulting in the same exception shown above.

One option is to uninstall the service pack on the client. This is not as easy as it seems, because the 3.5 service pack also updates assemblies in the 2.0 and 3.0 frameworks to their SP2 levels.

To get back to pre-3.5 SP1 you need to uninstall all the frameworks and re-install them, skipping 3.5 SP1. The exact steps to do this are outlined here by Microsoft engineer Aaron Stebner.

But what if you don’t have the luxury of walking all your end-users through the uninstall? A suggested fix from Microsoft (targeting CCF) is as follows:

  1. Set up a CNAME in DNS for the server name you are using in the database URLs.
  2. Run setspn -a HOST/CNAME domain\apppooluser
  3. Change all the database URLs to this CNAME
  4. Do an iisreset
  5. Test

For example, if the database URLs are http://ccfserver/…..

  1. Create a CNAME CCFALIAS in DNS
  2. setspn -a HOST/CCFALIAS ccf\aspuser
  3. Change all database URLs to ccfalias
  4. iisreset
  5. Test that you can reach the URLs through this alias, both from the web servers and from clients

Be careful not to set the HOST/CCFSERVER SPN for aspuser. Note that we are setting the HOST/CCFALIAS SPN, where CCFALIAS is a CNAME for ccfserver in DNS. If you set HOST/CCFSERVER by mistake, it can wreak havoc for Kerberos, because the server's computer account already holds that SPN and you would create a duplicate.
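The steps above, carried out with the checks a careful administrator would want around them, as an added PowerShell example that is not part of the original post or of CCF. It assumes the names used above (CNAME ccfalias for ccfserver, app pool account ccf\aspuser), a domain-joined machine with setspn.exe, and the Windows Server 2008 or later setspn that supports -S and -X.

```powershell
# Added example (not from the original post): register HOST/<alias> for the app pool
# account only after verifying DNS and making sure HOST/<real server> is not touched.
$Alias    = 'ccfalias'      # CNAME created in DNS (assumed name from the post)
$RealHost = 'ccfserver'     # real web server name used in the old database URLs
$Account  = 'ccf\aspuser'   # application pool identity (assumed name from the post)

# 1. The CNAME must resolve to the real web server before clients can use it.
$resolved = [System.Net.Dns]::GetHostEntry($Alias).HostName
if ($resolved -notlike "$RealHost*") {
    throw "CNAME $Alias does not resolve to $RealHost (got $resolved); fix DNS first."
}

# 2. Never register HOST/<real server> on the app pool account: the computer account
#    already owns it, and a duplicate SPN breaks Kerberos for the whole server.
#    setspn -Q prints the DN of every account holding the queried SPN.
$holders = setspn -Q "HOST/$RealHost"
$user    = $Account.Split('\')[1]
if ($holders -match [regex]::Escape("CN=$user")) {
    throw "HOST/$RealHost is already on $Account; remove it with setspn -D before continuing."
}

# 3. Register HOST/<alias> on the app pool account. -S (unlike -A) refuses to add
#    the SPN when any other account already holds it.
setspn -S "HOST/$Alias" $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed (exit code $LASTEXITCODE)" }

# 4. Confirm the alias SPN is now listed on the account.
$spns = setspn -L $Account
if (-not ($spns -match "HOST/$Alias")) { throw "HOST/$Alias not found on $Account" }
$spns

# 5. Final sanity check: report any duplicate SPNs in the forest (can be slow in
#    large forests). A clean run prints "found 0 group of duplicate SPNs".
setspn -X
```

After this, change the database URLs to the alias and run iisreset as the post describes; the SPN checks here do not replace the end-to-end test from the web servers and from clients.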

  • Shambhavi

    I had accessed your blog before, but today I did a detailed review. All because Google Reader recommended this blog, and blogs by a few other Sri Lankan brothers, as top read.

    Your blog, bro, is very well organized. And although the content is mostly esoteric, it is interesting for me. Unlike the blogs I tried to read, which suggest ways to present facts and principles and to create IT-related WBTs, your space actually presents the facts and principles. I notice how educative the content here is and how effortlessly you present it. You reinforce my belief that, when knowledge-sharing is the goal, gut instinct and subject-matter expertise are as, if not more, important as highly researched training strategies.

  • Pingback: Enable Windows Authentication in WCF (with SSL) « Hoa Chau’s weblog
