Failed to get the SPR service account UPN from the server ‘..’ Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ..
The following error message was received after a Specops Password Reset installation or upgrade:
Failed to get the SPR service account UPN from the server ‘..’
Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘..’ but the remote endpoint provided DNS claim ‘..’. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity ‘..’ as the Identity property of EndpointAddress when creating channel proxy.
The wrong certificate or a non-working certificate has most likely been selected during the installation or upgrade process. Our recommendation is to change the certificate for the Specops Password Reset server to a self-signed certificate.
It’s completely fine to use a self-signed certificate for the Specops Password Reset server. It usually works flawlessly and it’s perfectly secure, as it’s only used for signing the internal communication between the WCF components on the server. It has nothing to do with IIS or the client interaction.
However, when you install or upgrade the Specops Password Reset web server services, you should use an SSL certificate.
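Before re-running the wizard, it can help to see which certificates on the server could satisfy the DNS identity named in the error. The following PowerShell is an added example, not Specops code; the store path `Cert:\LocalMachine\My`, the placeholder host name, and the exact-match comparison (no wildcard handling) are assumptions.

```powershell
# Added example (not vendor code). Lists certificates in a local store and
# flags the ones that present the DNS name the error message expected.
param(
    # Assumption: placeholder; use the "expected DNS identity" from your error text.
    [string]$ExpectedDnsIdentity = 'sprserver.example.internal',
    # Assumption: the store the certificate was selected from.
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$now = Get-Date
$dnsNameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_

    # DNS names the certificate presents: SAN entries where PowerShell exposes
    # them, plus the name .NET reports as the certificate's DNS name
    # (taken from the SAN if present, otherwise from the subject CN).
    $names = @()
    if ($cert.DnsNameList) {
        $names += $cert.DnsNameList | ForEach-Object { $_.Unicode }
    }
    $names += $cert.GetNameInfo($dnsNameType, $false)
    $names = @($names | Where-Object { $_ } | Sort-Object -Unique)

    # Simplified comparison: exact match only; -contains ignores case.
    $dnsMatch = $names -contains $ExpectedDnsIdentity
    $inDate   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        DnsNames      = $names -join ', '
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        InDate        = $inDate
        DnsMatch      = $dnsMatch
        # A candidate needs the matching name, a private key and a valid date range.
        Usable        = ($dnsMatch -and $cert.HasPrivateKey -and $inDate)
    }
} | Sort-Object Usable -Descending | Format-Table -AutoSize -Wrap
```

A certificate with `DnsMatch` false, no private key, or a date outside its validity period is a likely candidate for the "wrong or non-working" certificate described above.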
How to change to a self-signed certificate:
1. Uninstall the Specops Password Reset server component in “Programs and Features” or “Apps and Features”.
2. Run the Specops Password Reset Setup Assistant and install the password reset server. In the wizard, select an existing self-signed certificate. If you’re uncertain about which one to pick, just create a new one by clicking the “Create Self-signed Certificate” button.
3. Finish the installation and if the Specops Password Reset service is not already up and running, start it in “Services”.
That’s it, hopefully it will work now.