The <identity> setting in the <endpoint> element (in the client app.config file) is used for authentication against the server-side service. The WCF service uses this setting to perform mutual validation, so that not only can the service validate the client
through authentication, the client can also set the expected service identity to ensure it is talking to the correct service.
There are various built-in service identity types such as DnsIdentity, X509Identity, userPrincipalName/servicePrincipalName (for the Windows authentication/Kerberos case).
Service Identity and Authentication
For your scenario, since your WCF service is using netTcpBinding + Windows authentication (Kerberos enabled), the client can use userPrincipalName to validate the service identity. The userPrincipalName should be the security identity of your WCF service (the
domain account it runs under, or the registered UPN associated with that account). Alternatively, you can use DnsIdentity (server name or IP) to validate the service.
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
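As an added illustration of the reply above (not code from the original thread), here is a client app.config fragment that pins the expected service identity for a netTcpBinding endpoint using Windows authentication. The server name, port, contract name and service account UPN are constructed placeholders; substitute the account your service actually runs under.

```xml
<!-- Added example: client-side app.config. Hostname, port, contract and UPN are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="WindowsTcp">
          <!-- Transport security with Windows credentials (Kerberos when an SPN/UPN is available). -->
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    <client>
      <endpoint name="MyServiceEndpoint"
                address="net.tcp://server.example.com:8000/MyService"
                binding="netTcpBinding"
                bindingConfiguration="WindowsTcp"
                contract="IMyService">
        <identity>
          <!-- The identity the client expects the service to prove. Use exactly one child element. -->
          <!-- Service runs under a domain account: give its UPN. -->
          <userPrincipalName value="svc_myservice@example.com" />

          <!-- Service runs under LocalSystem / NetworkService: use the host SPN instead, e.g.
               <servicePrincipalName value="host/server.example.com" /> -->

          <!-- DNS identity, as mentioned in the reply, e.g.
               <dns value="server.example.com" /> -->
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The identity element is what turns Windows authentication into a mutual check: the client refuses the connection if the service cannot prove the configured UPN or SPN. When verifying such a setup, confirm on the server that the logon was actually negotiated as Kerberos rather than NTLM (the Windows security event log records the authentication package), since NTLM authenticates only the client and leaves the service identity unverified.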
Thanks for your help.
I also found a useful link here:
By default, when a service is configured to use a Windows credential, an <identity> element that contains a <userPrincipalName> or <servicePrincipalName> element is generated in the WSDL. If the service is running under the
LocalSystem, LocalService, or NetworkService account, a service principal name (SPN) is generated by default in the form of
host/<hostname> because those accounts have access to the computer's SPN data. If the service is running under a different account, Windows Communication Foundation (WCF) generates a UPN in the form of <username>@<domainName>.
This occurs because Kerberos authentication requires that a UPN or SPN be supplied to the client to authenticate the service.
It tells us the role of the UserPrincipalName.
But I have no idea why we can access the WCF service without a UserPrincipalName when using the IP directly.