Question

Workflow Call Web Service action returns 401 Unauthorised: The target principal name is incorrect



Nintex Workflow 2013 v3.1.7.10

I am having an authorization issue using a Call Web Service action. When I select execute as per below, using my own account as the system workflow owner (network account is a site collection admin), I get a 401 error.

When I select Test connection I also get Unauthorised.

When I run the service using a web browser on the same server, I have no issues.

I checked the Nintex ULS log files and I can see:
Web Exception: System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect    
 at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)    
 at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)    
 at System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)    
 at System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)    
 at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)    
 at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)    
 at System.Net.HttpWebRequest.CheckResubmitForAuth()    
 at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
 --- End of inner exception stack trace ---
 at System.Net.HttpWebRequest.GetResponse()    
 at Nintex.Workflow.Common.WsdlUtil.DoRequest(String url, NetworkCredential credentials)    
 at phM=.uxM=.vBM=(yhM= vRM=)    
 at Nintex.Workflow.Activities.Adapters.NWCallWebServiceAdapter.ExecuteRunNow(RunNowContext context) (Build:31710)

I found this post from someone with a similar issue (iis - "the target principal name is incorrect" 401 error - Stack Overflow), which indicates it could be a double-hop authentication issue.

Has anyone experienced this issue before, and can possibly suggest a solution?


6 replies

Badge +22

Hi @scottiwillis,

If you run the workflow, do you see the same issue?

Badge +3

Yes, same error message.

Badge +3

Just checked the Windows event viewer and it seems to be a Kerberos issue:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svcshrpntwebos. The target name used was HTTP/nuctntxapp01.lab.abc.net.au. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server.

svcshrpntwebos is the identity that is associated with the site's application pool, so it looks like this is a network issue?

Badge +21

Hi @scottiwillis 
Have you resolved your issue?

Badge +3

Hi @MillaZ,

No, the issue is still not resolved. I have had our internal Windows Server engineers investigating and trying different options, including adding the “target name” of http/nuctntx.lab.abc.net.au to the server's multi-valued servicePrincipalName, but I still get the same issue.

Hoping our server team engineers can work it out.

Scott.

Badge +3

I did manage to get a resolution to this issue, so I thought I would share. It was discovered that the servicePrincipalName was not set for the identity that was attached to the SharePoint/Nintex web site application pool. So the following PowerShell script was executed by the Windows engineers that set the servicePrincipalName for the service account to be HTTP/nuctntxapp01.lab.abc.net.au and that fixed the issue, no more errors.

Scott.
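
The script the engineers ran is not included in the thread. The following is an added example, not the original script: one way to check which account holds the SPN named in the KRB_AP_ERR_MODIFIED event and, if none does, register it on the application pool identity. It assumes the ActiveDirectory PowerShell module is available, that svcshrpntwebos is an ordinary user account in the current domain, and that the caller may modify it; the function name Get-SpnHolder is hypothetical.

```powershell
# Added example: audit and repair the HTTP SPN for the app pool identity.
# Assumes the ActiveDirectory module (RSAT) and rights to edit the account.
Import-Module ActiveDirectory

$Spn     = 'HTTP/nuctntxapp01.lab.abc.net.au'   # target name from the event log entry
$Account = 'svcshrpntwebos'                      # app pool identity named in the thread

function Get-SpnHolder {
    # Hypothetical helper: returns every AD object (user or computer)
    # in the current domain that carries the given SPN.
    param([Parameter(Mandatory)][string]$Spn)
    Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" `
                 -Properties sAMAccountName, servicePrincipalName
}

$holders = @(Get-SpnHolder -Spn $Spn)
$wrong   = @($holders | Where-Object { $_.sAMAccountName -ne $Account })

if ($wrong.Count -gt 0) {
    # The condition the event text describes: the SPN sits on an account
    # other than the one running the service, so the ticket cannot be decrypted.
    foreach ($o in $wrong) {
        Write-Warning "SPN $Spn is registered on $($o.sAMAccountName)"
    }
    Write-Warning "Remove it from those accounts before registering it on $Account."
    return
}

if ($holders.Count -eq 1) {
    Write-Output "OK: $Spn is already registered only on $Account."
    return
}

# No account holds the SPN: register it on the app pool identity.
# -WhatIf previews the change; remove it to apply.
Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn } -WhatIf
```

After the SPN is registered, existing Kerberos tickets on the calling server may still be cached; `klist purge` clears them for the current logon session.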

 
