Tag Archives: kerberos

A call to SSPI failed–DynAx 2012 AIF/WCF

Recently I deployed an AIF service to a customer environment. Everything was working fine in my single-server development environment, but after deploying to the distributed customer environment, calls to the web service resulted in the error “A call to SSPI failed”.

The scenario:

  • My service – a simple document service. No hex about that.
  • I needed to deploy the service to IIS in order for it to be consumable from a corporate website
  • The customer environment contained a standalone server for the AOS and a standalone server for IIS
  • I created a simple test webform, my test client, in order to be able to test that everything was working OK.

Having deployed the service, the service was browsable. The identity of the application running the AIF site was the same as the one used for the Business connector proxy account (System administration > Setup > Service accounts). The app pool was configured like this:


Authentication was configured like this:


Here’s a nice reference on how to install AIF on IIS when using Ax2012

From AX my service was configured to use a customBinding using NTLM, and my client was also configured to use NTLM. Any call from the client to the service would result in the error “A call to SSPI failed – see inner exception…” – and no inner exception was to be found.

Trying to narrow down the problem a basicHTTPBinding was tried – still the same error.

As different blog posts suggested, I was able to call the AIF/WCF service when the service itself was using the IP address of the AOS server (to avoid the use of Kerberos) instead of the URL. However, this wasn’t an acceptable solution, as any new deployment of the service from AX would result in a non-working web service, since the web.config would be overwritten when deploying from AX. And as it turned out, it was not possible to alter settings in AX to force AX to deploy the service with the endpoint in web.config referencing the IP address instead of the FQDN. However, the problem was now narrowed down to being caused by Kerberos. I found this great blogpost explaining some basic things about Kerberos.

Another thing we tried out was to set the spn for the user running the service:

setspn -A HTTP/2012webtest.myDomain.local myDomain\sa-proxy-lon

Having done that we tried to setup trust for delegation in AD according to this. We are not sure whether this had any effect, but we didn’t reverse the process.
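The SPN and delegation changes described above can be audited afterwards. The following is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is installed and reuses the account and SPN from the setspn line.

```powershell
# Added example: audit SPN and delegation state of the service account.
# Assumption: RSAT ActiveDirectory module, run from a domain-joined machine.
Import-Module ActiveDirectory

$account = 'sa-proxy-lon'                      # account from the post
$spn     = 'HTTP/2012webtest.myDomain.local'   # SPN from the post

$user = Get-ADUser -Identity $account -Properties ServicePrincipalNames,
            TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 1. Is the SPN registered on the account that runs the app pool?
$registered = $user.ServicePrincipalNames -contains $spn

# 2. Is the same SPN registered on any other object?
#    Kerberos authentication fails for a duplicated SPN.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

# 3. Which kind of delegation was switched on for the account?
$delegation = 'none'
if ($user.'msDS-AllowedToDelegateTo') { $delegation = 'constrained' }
if ($user.TrustedForDelegation)       { $delegation = 'unconstrained' }

[pscustomobject]@{
    Account             = $user.SamAccountName
    SpnRegistered       = $registered
    SpnOwners           = $owners.Name -join ', '
    DuplicateSpn        = $owners.Count -gt 1
    Delegation          = $delegation
    AllowedToDelegateTo = $user.'msDS-AllowedToDelegateTo' -join ', '
    ProtocolTransition  = $user.TrustedToAuthForDelegation
}

# Native cross-checks with the tools used in the post.
setspn -L "myDomain\$account"   # list the SPNs on the account
setspn -X                       # search for duplicate SPNs
klist get $spn                  # request a service ticket as the current user
```

A `Delegation` value of `unconstrained` on a service account that turned out not to need delegation is worth reverting, and `setspn -S` checks for duplicates before adding an SPN, which `-A` does not.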

This blogpost (see comment from Eric Ledoux and Brian Kinser) suggested that this might be caused by a kernel error. My customer recently upgraded to R2CU7 and I was expecting this to be fine, but talking with the technician from the customer revealed that IIS might not have been updated in that process with the new AX components. Running the setup file from the CU7 install media suggested updating some core AX components. After choosing yes to update and restarting IIS and the AOS service, fault messages from AX started to show up when calling the web service, meaning that everything was starting to work as expected.


In my case the “a call to sspi failed” error turned out to be resolved when upgrading to CU7. The problem I was facing was just caused by the fact that only the AOS had been upgraded – not IIS. Resolving this mismatch solved the problem.

Thanks to my colleague Morten Uldall for both moral and technical support:-)


Windows authentication problem on Dynamics AX WCF service

Over the past days I have been involved in a critical issue related to a Dynamics AX 2009 WCF service that used Windows authentication on a Windows Server 2008 box (IIS 7.0).

When trying to browse the service I was prompted for login credentials, but even though proper credentials were provided, I was not correctly authenticated (and neither were any of the clients that were supposed to consume the service) and a new login prompt just showed up. Looking in the Event Viewer, in the security section, I was able to identify that a login attempt using my user account had been made and that it actually succeeded.
The funny thing, which wasn’t funny at all, was this: how could it be that the Event Viewer stated that the login attempt was successful when IIS still kept prompting me for credentials?
It somehow seemed that the login credentials weren’t properly passed on to the WCF service…

Analyzing the server setup further showed that a distributed environment had been configured. This pointed me in the direction of some Kerberos settings that hadn’t been properly configured.

The solution turned out to be quite simple – the only thing I had to do was to disable “Enable Kernel-mode authentication”. This is what I did:

  • In IIS Manager, right-click the website or application where Windows Authentication has been configured
  • In the “Features View”, double-click “Authentication”. You will see a list of authentication profiles and their corresponding status.
  • Right-click “Windows Authentication” and select “Advanced Settings”
  • Disable “Enable Kernel-mode authentication”


Be careful… As the information box states, this should only be done when using a non custom identity. In my case, the problem related to a Dynamics AX WCF service. Such a service is always configured to use a domain account identity and therefore the “Kernel-mode” could be disabled.
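The IIS Manager steps above can also be scripted, which makes the change reviewable and repeatable. This is an added example, not part of the original post: it uses the WebAdministration module, and `Default Web Site/AxService` is a placeholder location, not a name from the post.

```powershell
# Added example: inspect and change the Windows Authentication settings of
# one IIS application. Assumption: run elevated on the IIS server.
Import-Module WebAdministration

$location = 'Default Web Site/AxService'   # placeholder site/application path
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$apphost  = 'MACHINE/WEBROOT/APPHOST'      # section is locked at server level by default

function Get-WinAuthState {
    # Returns one line per attribute so the state can be logged before and after.
    foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
        $value = (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
                      -Filter $filter -Name $name).Value
        '{0,-22} = {1}' -f $name, $value
    }
}

Get-WinAuthState   # record the state before changing anything

# Option A (the step from the post): turn kernel-mode authentication off, so
# the worker process, running as the app pool identity, handles the ticket.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name useKernelMode -Value $false

# Option B (alternative, not used in the post): keep kernel mode on and let it
# decrypt tickets with the app pool identity instead of the machine account.
# Set-WebConfigurationProperty -PSPath $apphost -Location $location `
#     -Filter $filter -Name useKernelMode -Value $true
# Set-WebConfigurationProperty -PSPath $apphost -Location $location `
#     -Filter $filter -Name useAppPoolCredentials -Value $true

Get-WinAuthState   # confirm the new state
```

Both options address the same mismatch: with kernel mode on and `useAppPoolCredentials` off, the ticket is decrypted with the machine account, while the HTTP SPN of a service running under a domain account is registered on that domain account.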

For some reason unknown to me, the Kerberos ticket was not properly distributed to all involved servers – and due to that I was unable to logon to the WCF service. Disabling “Kernel-mode authentication” solved that problem and clients are now able to consume the service.

Update 24.01.2012

Today this workaround didn’t work – apparently I was facing a new problem and I had to have a colleague assist me. Fortunately he knows some tricks:-)

Following this article http://support.microsoft.com/kb/926642 (method 1) solved the problem, even though my issue was on a Server 2008 box. Here’s a screendump:

For further references on troubleshooting and/or configuring kerberos, please check out this post: