InvalidCredentialException on task submit to SOA service

  • Question

  • Hi,
    I am able to successfully submit work to a SOA service using my own credentials.  However, when I try to use other credentials, I get an InvalidCredentialException (see below).  This happens after my connection succeeds and I've been assigned to a broker. 

    I have added the user to the cluster with: Add-HpcMember -Name csfb\ditsmfarm -Role Administrator


    HPCClient.exe csfb\ditsmfarm
    Enter the password for 'csfb\ditsmfarm' to connect to 'SNYC12T10801-HN':
    Remember this password? (Y/N)n
    Session creation done!
    Session's Endpoint Reference:net.tcp://snyc12t10801-hn:9087/broker/59

    Unhandled Exception: System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
       --- End of inner exception stack trace ---

    What am I missing?
    thanks
    Phil

    Wednesday, October 7, 2009 2:11 PM

Answers

All replies

  • I have some more detail.  It appears that the identity being passed is from my environment, rather than programmatically.
    My code explicitly sets the credentials from user input.  However, the service only executes successfully when I run it from cmd prompt running as myself.  If I runas a cmd window as another user, and then execute from there, it fails with the same credential exception, even though I am giving valid credentials.
    SessionStartInfo ssInfo = new SessionStartInfo("snyc12t10801-hn", "CalculatorService");
    Console.WriteLine("got username=" + username + ", password=" + password);
    ssInfo.Password = password;
    ssInfo.Username = username;
    ssInfo.ResourceUnitType = Microsoft.Hpc.Scheduler.Properties.JobUnitType.Core;
    ssInfo.MinimumUnits = 1;
    using (Session session = Session.CreateSession(ssInfo)) ......

    Wednesday, October 7, 2009 3:33 PM
  • That will only work if your user is a cluster admin. Only an administrator can "runas"
    Wednesday, October 7, 2009 3:45 PM
  • Hi,
    I'm running my client on a remote machine from the cluster.  The credentials I'm presenting are for a user that is an administrator on the cluster.  That said, are SOA services only available to clients registered as cluster admins?

    this works:
    (from a cmd prompt running as pmolzer)   client.exe username=pmolzer password=xxxxx

    this does not work:
    (from a cmd prompt running as another user) client.exe username=pmolzer password=xxxxx


    The client uses the username and password arguments to set the credentials in ssInfo.  I also assign the credentials in my client proxy like this, although I'm unclear if it's needed.
    CalculatorClient Client = new CalculatorClient(myTcpBinding, session.EndpointReference);
    Client.ClientCredentials.Windows.ClientCredential.UserName = username;
    Client.ClientCredentials.Windows.ClientCredential.Password = password;
    Phil
    Wednesday, October 7, 2009 3:52 PM
  • I found some useful information about WCF Impersonation here:
    http://msdn.microsoft.com/en-us/library/ms730088.aspx

    Looks like you need to explicitly specify an attribute in the contract:

    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]

    Wednesday, October 7, 2009 4:34 PM
  • Hi,
    Thanks for the link to impersonation.  I had not realized that my client usage was causing that behavior to be invoked.

    With this in mind, I removed the code for setting user/pass in the SessionStartInfo.  Now I am able to run from another user's cmd prompt without a problem.  However, the client prompts me for my password.  This is ok for interactive sessions.  However, it will not work for programmatic use when my client will be part of another application.

    How can a client application get access to a service without having to supply credentials?  The production client will be running as a service with a login ID that is a user on the cluster.  However, I don't  have the password for the service account.

    For many generic services, we have no requirement for authentication.  Is it possible to permit clients to access selected services without providing credentials?

    Phil
    Wednesday, October 7, 2009 5:28 PM
  • Hi Phil,

    For a job (and thus a SOA session) in Windows HPC, there are 2 user account properties. The 1st one is the "job owner"; this is the one who creates the job. The 2nd one is the "runas user" or "submitted by" user -- the one who provides the running credential when submitting the job.

    So if user A creates a session and sets username/password in the SessionStartInfo to B, the session will run under user account B. By default, the SOA session won't be shared with other users, so your client (running as A) won't be able to use that session. To solve this problem there are 3 options:

    1. Make A a cluster admin. (Add-HpcMember -name A -role administrator). The admin account will override the security setting.
    2. Set ssi.Secure to false. This will disable all security checks. Everyone can use this session.
    3. Keep ssi.Secure set to true but set ssi.ShareSession to true, which will enable all users on the job template used by this session to consume it. Then you can put user A on the job template used by the SOA session.

    Here is a description on all session fields:
    (http://msdn.microsoft.com/en-us/library/microsoft.hpc.scheduler.session.sessionstartinfo.sharesession(VS.85).aspx)

    If you don't need any authentication and you want everybody to connect to the session, I'll recommend option 2.
    Thursday, October 8, 2009 3:55 AM
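
An added example (not code from the thread or from Microsoft) showing how the default behaviour and options 2 and 3 in the reply above map onto the SessionStartInfo properties it names. The SoaAccess enum, the SessionSetup class and the jobTemplate argument are hypothetical names introduced for illustration.

```csharp
using System;
using Microsoft.Hpc.Scheduler.Properties;
using Microsoft.Hpc.Scheduler.Session;

// Hypothetical names: SoaAccess and SessionSetup are not part of the HPC API.
enum SoaAccess
{
    OwnerOnly,         // default: session is not shared with other users
    SharedOnTemplate,  // option 3: Secure stays on, users on the job template may connect
    Unsecured          // option 2: all security checks off, anyone may connect
}

static class SessionSetup
{
    public static SessionStartInfo Build(string headNode, string service,
        string runAsUser, string runAsPassword, SoaAccess access, string jobTemplate)
    {
        SessionStartInfo ssi = new SessionStartInfo(headNode, service);
        ssi.Username = runAsUser;      // account B: the session runs under this user
        ssi.Password = runAsPassword;  // do not echo this to the console or to logs
        ssi.ResourceUnitType = JobUnitType.Core;
        ssi.MinimumUnits = 1;

        switch (access)
        {
            case SoaAccess.OwnerOnly:
                ssi.Secure = true;
                ssi.ShareSession = false;
                break;
            case SoaAccess.SharedOnTemplate:
                ssi.Secure = true;
                ssi.ShareSession = true;
                ssi.JobTemplate = jobTemplate; // client user A must be on this template
                break;
            case SoaAccess.Unsecured:
                ssi.Secure = false;            // no access check on the session at all
                break;
        }
        return ssi;
    }

    // Creates the session; the caller disposes it (for example with a using block).
    public static Session Open(string headNode, string service, string runAsUser,
        string runAsPassword, SoaAccess access, string jobTemplate)
    {
        return Session.CreateSession(
            Build(headNode, service, runAsUser, runAsPassword, access, jobTemplate));
    }
}
```
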
  • Hi,
    thanks for the input. Actually, I'm not interested in using the runas feature.  The issue I'm having is that I'm prompted for a password when running the client. This would be ok for interactive command line usage, but I'm writing an application that runs as a Windows service.  There is no opportunity to respond to a request for a password.
    For example:


    C:\Program Files\MC\Engine\B\6.4.4.GMAG.64>HPCClient.exe
    Enter the password for 'CSFB\ditsmfarm' to connect to 'SNYC12T10801-HN':
    Remember this password? (Y/N)N
    Session creation done!
    Session's Endpoint Reference:net.tcp://snyc12t10801-hn:9087/broker/131

    How can I avoid this kind of request to provide a password?  I have already set the password on the cluster manager like so:


    PS C:\Windows\System32> cluscfg setcreds
    Enter the user name for 'SNYC12T10801-HN': CSFB\ditsmfarm
    Enter the password for SNYC12T10801-HN:
    Remember this password? (Y/N)Y



    My client code is like this.  I'm getting prompted for a password at the point where I call Session.CreateSession

    SessionStartInfo ssInfo = new SessionStartInfo("snyc12t10801-hn", "CalculatorService");
    ssInfo.ResourceUnitType = Microsoft.Hpc.Scheduler.Properties.JobUnitType.Core;
    ssInfo.MinimumUnits = 1;
    using (Session session = Session.CreateSession(ssInfo))
    {
        Console.WriteLine("Session creation done!");
        Console.WriteLine("Session's Endpoint Reference:{0}", session.EndpointReference.ToString());
    }

    thanks Phil.
    Thursday, October 8, 2009 3:16 PM
  • Hi,

    When you run your hpcclient.exe and are prompted by "Remember this password?", if you answer yes, will the client ask for the password anymore?

    -yiding
    Thursday, October 8, 2009 3:23 PM
  • Hi,
    If I answer Y, it does not prompt me on the next attempt.  However, it must never request this, not even the first time.  This application will be installed on many machines in a corporate environment by an automated process, and will run as a windows service. There will be no opportunity to pre-load the password in this fashion.  Also, even when I do this from the command line, the stored credential is not picked up by the windows service, even though the service is running as the same user.  And even if it were possible to do this technically, it's not possible in practice due to constraints on access to production servers.   Such access is subject to regulatory restrictions.

    I need a way to supply this password programmatically, rather than from the command line.

    thanks
    Phil
    Thursday, October 8, 2009 3:35 PM
  • I'm asking this just for verification. Let me verify this in our environment.

    Thursday, October 8, 2009 4:25 PM
  • Hi,

    I've tried in our environment and the "cluscfg setcreds" is working. So a couple of questions here:

    1. On a machine w/o credential, you run "cluscfg setcreds /scheduler:snyc12t10801-hn /user:CSFB\ditsmfarm" and let it remember the password. Do you have a REG_BINARY entry in your registry "HKEY_CURRENT_USER\Software\Microsoft\HPC\CachedCredentials\snyc12t10801-hn" named "CSFB\ditsmfarm"?

    2. If so, can you try "job submit /scheduler:snyc12t10801-hn hostname" and see if it asks for a password?

    3. Are you trying all this on HN?

    -yiding
    Saturday, October 10, 2009 8:16 AM
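
An added example (not code from the thread) of check 1 in the reply above: it looks for the cached-credential value under the registry path quoted there and reports which account's HKEY_CURRENT_USER was inspected, without reading the stored value. The class name CachedCredentialCheck is hypothetical; because HKEY_CURRENT_USER is per-user, run it under the same account and context as the client being diagnosed.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Win32;

static class CachedCredentialCheck
{
    // Key path as quoted in the reply; the scheduler (head node) name is appended.
    const string Root = @"Software\Microsoft\HPC\CachedCredentials";

    // Returns a one-line finding. Only the value name and type are inspected;
    // the credential blob itself is never read.
    public static string Describe(string scheduler, string user)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(Root + "\\" + scheduler))
        {
            if (key == null)
                return who + ": no CachedCredentials key for " + scheduler;

            foreach (string name in key.GetValueNames())
            {
                if (!string.Equals(name, user, StringComparison.OrdinalIgnoreCase))
                    continue;
                RegistryValueKind kind = key.GetValueKind(name);
                string note = kind == RegistryValueKind.Binary
                    ? "REG_BINARY, as expected"
                    : "unexpected type " + kind;
                return who + ": found value '" + name + "' (" + note + ")";
            }
            return who + ": key exists but has no value named '" + user + "'";
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: CachedCredentialCheck <scheduler> <DOMAIN\\user>");
            return 2;
        }
        Console.WriteLine(Describe(args[0], args[1]));
        return 0;
    }
}
```
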
  • No additional information was received on this issue. Assuming it has been resolved & closing.
    Friday, February 4, 2011 10:20 PM
    Moderator
  • [I'm hoping that Phil found an answer and is still getting notifications]

    I'm having the same problem with authentication challenge during session creation - I need to tell my customers what to configure in order to avoid application hangs when this occurs from a non-console application...


    • Edited by wbradney Tuesday, September 6, 2011 7:35 PM
    Tuesday, September 6, 2011 7:34 PM