The user was unable to install the CCS console on a remote client computer using the installation files on the CCS application server. When the installation files where copied from the CCS application server to the remote client the installation was completed successfully, however any attempt to login to CCS using the remote console failed with the below error message being displayed.

Error occurred while downloading application configuration file.

SEVERITY: Error
CATEGORY: PreLaunchActivityProvider
PNAME: SymConsole
METHOD: HandleReturnMessage
MESSAGE: "ConfigFileManager.DownloadConfigThroughBridge : System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'net.tcp://secccsapprd:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' for target 'net.tcp://secccsapprd:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'Symantec.CSM.AppServer/SECCCSAPPRD'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

This issue is generally caused by the existence of duplicate SPN entries or incorrectly configured SPN entries. Reviewing the SymConsole logs will likely reveal errors similar to the one detailed below.

2010-11-30 07:25:34.944,2010-11-30 15:25:34.944,######,Error,PreLaunchActivityProvider,SymConsole,4364,,1,DownSymConsoleConfig,,0,0,Error occurred while downloading application configuration file
2010-11-30 07:25:34.975,2010-11-30 15:25:34.975,######,Error,PreLaunchActivityProvider,SymConsole,4364,,1,HandleReturnMessage,,0,0,"System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'net.tcp://######:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' for target 'net.tcp://######:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'Symantec.CSM.AppServer/######'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

Only one SPN configured per Directory service user and Application service user should exist.

See the following KB on how to configure CCS SPNs:

Where is the Service Principal Name (SPN) Utility for CCS located?