"the target principal name is incorrect" 401 error

Limey · Sep 6, 2016 · Viewed 8k times

So we have a small app that points to a report on a 2008 SSRS server.

This app works fine normally, but since we added more websites to the server, we have changed the web app binding to something that is not the name of the server.

This has caused us to get the following:

The target principal name is incorrect

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The target principal name is incorrect

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[Win32Exception (0x80004005): The target principal name is incorrect]
System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) +2622099
System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) +99
System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) +767
System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) +18
System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials) +146
System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) +2279623
System.Net.HttpWebRequest.CheckResubmitForAuth() +3031261
System.Net.HttpWebRequest.CheckResubmit(Exception& e) +169

[WebException: The remote server returned an error: (401) Unauthorized.]

We added an SPN for the new binding name to the SSRS server for the ID that runs the app, but nothing.

I see a lot of people who have SSPI issues doing this, but nothing with a 401 error.

The ID we are using has full access to both boxes, and you can go directly from the web server to the SSRS without issue. It's only when it's wrapped in the app that we get an error.

Has anybody run into this issue before?

Thanks

Answer

Ravi A. · Sep 15, 2016

So I believe your webapp has a custom host name as opposed to server name (Please correct me if I am wrong here).

The first thing you need to verify is whether this hostname is an A record or a CNAME. You can do a ping on the hostname and see:

  1. If it first resolves to the server name and then the IP, it is a CNAME. You do not need a new SPN in that case, and you need to make sure that the original SPN (the one with the machine name) is using the same identity as the application pool.
  2. If it directly resolves to the server IP, you need a new SPN and need to make sure that the application pool identity and the SPN identity are the same. Make sure useAppPoolCredentials = true (IIS Manager -> Web Site -> Configuration Editor -> system.webServer/security/authentication/windowsAuthentication).
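
The checks from this answer as a read-only PowerShell script; this is an added example, not code from the post. The host name, site name and pool name are placeholders, and it assumes a domain-joined IIS server with the WebAdministration module and the Resolve-DnsName cmdlet available.

```powershell
# Added example: read-only checks. All three names are placeholders, not from the post.
Import-Module WebAdministration
$HostName = 'reports.example.internal'   # custom host name used in the site binding
$SiteName = 'Default Web Site'           # IIS site
$PoolName = 'ReportAppPool'              # application pool serving the site

# 1. CNAME or A record? A CNAME record carries the real server name in NameHost.
$cname = Resolve-DnsName -Name $HostName -ErrorAction Stop |
    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
$spnHost    = if ($cname) { $cname.NameHost } else { $HostName }
$recordKind = if ($cname) { 'CNAME' } else { 'A' }

# 2. Which AD account(s) hold HTTP/<host>? More than one owner is a duplicate SPN.
$owners = @(([adsisearcher]"(servicePrincipalName=HTTP/$spnHost)").FindAll() |
    ForEach-Object { [string]$_.Properties['samaccountname'][0] })

# 3. The account the application pool runs as. Assumption: built-in identities such as
#    ApplicationPoolIdentity and NetworkService use the machine account (NAME$) on the network.
$pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
$poolAccount = if ($pm.identityType -eq 'SpecificUser') {
    ($pm.userName -split '\\')[-1]       # drop the DOMAIN\ prefix
} else {
    "$env:COMPUTERNAME`$"
}

# 4. useAppPoolCredentials on the site's windowsAuthentication section.
$useAppPool = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials').Value

# Summary object: one row that shows where the SPN and the pool identity disagree.
[pscustomobject]@{
    HostName              = $HostName
    RecordKind            = $recordKind
    SpnChecked            = "HTTP/$spnHost"
    SpnOwners             = $owners -join ', '
    AppPoolAccount        = $poolAccount
    OwnerMatchesAppPool   = ($owners.Count -eq 1 -and $owners[0] -eq $poolAccount)
    DuplicateSpn          = ($owners.Count -gt 1)
    UseAppPoolCredentials = $useAppPool
}
```

The script only checks the exact SPN string built from the resolved name, so an SPN registered under the short name or a different FQDN form will show as having no owner.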