
Why is userPrincipalName needed in the client config file when using WCF Windows NetTcpBinding with Kerberos?

I have developed a WCF service; the client calls the service using Windows NetTcpBinding with Kerberos authentication.

<client>
    <endpoint address="net.tcp://WCFServer1:8001/WCFService" binding="netTcpBinding"
        bindingConfiguration="NetTcpBinding_IWCFService" contract="ClientProxy.IWCFService"
        name="NetTcpBinding_IWCFService">
        <identity>
            <userPrincipalName value="clientServerUserName@domain" />
        </identity>
    </endpoint>
</client>

If we use the server name to define the address, we have to set

<identity>
    <userPrincipalName value="clientServerUserName@domain" />
</identity>

or it will throw exceptions in the client.

If we use the IP directly, we do not need to set the userPrincipalName. Why?

Thanks.

7 Answers Found

Answer 1

Anybody know it?

Answer 2

Hi Frank,

The <identity> setting in the <endpoint> element (in the client app.config file) is used for authentication against the server-side service. A WCF service uses this setting to perform mutual validation, so that not only can the service validate the client through authentication, the client can also set the expected service identity to ensure it is talking to the correct service.

There are various built-in service identity types such as DnsIdentity, X509Identity, and userPrincipalName/servicePrincipalName (for the Windows authentication/Kerberos case).

#Service Identity and Authentication
http://msdn.microsoft.com/en-us/library/ms733130.aspx

For your scenario, since your WCF service is using netTcpBinding + Windows authentication (Kerberos enabled), the client can use userPrincipalName to validate the service identity. The userPrincipalName should be the security identity of your WCF service (the domain account it runs under, or the registered UPN associated with that account). Alternatively, you can use DnsIdentity (server name or IP) to validate the service.

Please remember to mark the replies as answers if they help and unmark them if they provide no help.


Hi Steven,

Thanks for your help.

I also found a useful link here: http://msdn.microsoft.com/en-us/library/bb628618.aspx

By default, when a service is configured to use a Windows credential, an <identity> element that contains a <userPrincipalName> or <servicePrincipalName> element is generated in the WSDL. If the service is running under the LocalSystem, LocalService, or NetworkService account, a service principal name (SPN) is generated by default in the form of host/<hostname> because those accounts have access to the computer's SPN data. If the service is running under a different account, Windows Communication Foundation (WCF) generates a UPN in the form of <username>@<domainName>. This occurs because Kerberos authentication requires that a UPN or SPN be supplied to the client to authenticate the service.

It tells us the role of the UserPrincipalName.

But I have no idea why we can access the WCF service without UserPrincipalName when using the IP directly.

Answer 4

I guess that:

In the validation process of the WCF service, the service information contains the service IP.

So when the client connects to the service using the IP, it is not necessary to supply the UPN or SPN of the service in the client identity.

Answer 5

Thanks for the reply Frank,

Yes, using the IP will also work, as WCF doesn't force you to use a UPN/SPN for service identity validation (when the service is using Windows authentication). If you haven't explicitly set a service identity mode in the service, I think any valid identity at the client (as long as it matches the service-side condition) is OK. For example, when you set up a service host which has configured service credentials (identity) via an X.509 certificate, then at the client side you can either use the X.509 identity or a DNS identity (IP) to validate the service.


Answer 6

Hi,

Are you forcing the client to use Kerberos?

With a WCF client you can set  the AllowNtlm flag to false, which will force the client to use Kerberos.

Regards,

Alan

www.CloudCasts.net - Community Webcasts Powered by Azure

Hi Alan,

Thanks for your reply.

I am testing Windows Kerberos.

The client can call the WCF service in the same domain successfully.

But I have one question: I have no idea why we can access the WCF service without UserPrincipalName when using the IP directly.
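The two threads of advice above, pinning the expected service identity (Steven's reply) and forcing Kerberos with AllowNtlm (Alan's reply), combined into one client, as an added example that is not code from this thread or from WCF's own samples. It also answers the recurring question from a defender's side: when the endpoint address is a bare IP and no <identity> is given, Kerberos has no SPN it can ask the KDC for, so SSPI Negotiate silently falls back to NTLM. The call then "works" without a UPN, but the client has never verified who the service is. Setting AllowNtlm to false turns that silent downgrade into a SecurityNegotiationException. Assumed names: the service at net.tcp://WCFServer1:8001/WCFService, a one-operation contract IWCFService.Ping, and the placeholder identities svcaccount@domain (UPN) and host/WCFServer1 (SPN).

```csharp
// Added example (not part of the thread or of WCF's documentation).
// Assumed: a NetTcpBinding service at net.tcp://WCFServer1:8001/WCFService with the
// contract IWCFService.Ping; svcaccount@domain and host/WCFServer1 are placeholders
// for the account the service actually runs under.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IWCFService
{
    [OperationContract]
    string Ping();
}

public static class KerberosClientExample
{
    // The <identity> element from the thread's app.config, built in code.
    // Which form applies follows the MSDN text quoted above: a service running as
    // LocalSystem/NetworkService is reached through the machine SPN host/<hostname>;
    // a service running as a domain user exposes that user's UPN.
    public static EndpointAddress BuildAddress(bool serviceRunsAsMachineAccount)
    {
        var uri = new Uri("net.tcp://WCFServer1:8001/WCFService");
        EndpointIdentity identity = serviceRunsAsMachineAccount
            ? EndpointIdentity.CreateSpnIdentity("host/WCFServer1")    // placeholder SPN
            : EndpointIdentity.CreateUpnIdentity("svcaccount@domain"); // placeholder UPN
        return new EndpointAddress(uri, identity);
    }

    public static NetTcpBinding BuildBinding()
    {
        // Transport security with Windows credentials: Kerberos when the identity
        // resolves to a ticket, otherwise Negotiate drops to NTLM.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    public static string CallService(bool serviceRunsAsMachineAccount)
    {
        var factory = new ChannelFactory<IWCFService>(
            BuildBinding(), BuildAddress(serviceRunsAsMachineAccount));

        // The flag Alan's reply refers to. With an IP-only address and no identity,
        // Kerberos has no SPN to request, so without this line the client quietly
        // falls back to NTLM and the call succeeds although the service was never
        // authenticated to the client. With it, that downgrade becomes an error.
        // (Later .NET Framework versions mark AllowNtlm obsolete; check your version.)
        factory.Credentials.Windows.AllowNtlm = false;

        IWCFService proxy = factory.CreateChannel();
        var channel = (ICommunicationObject)proxy;
        try
        {
            string reply = proxy.Ping();
            channel.Close();
            return reply;
        }
        catch (SecurityNegotiationException ex)
        {
            // Identity mismatch, unregistered SPN, or an NTLM-only path: fail closed
            // and say what to check instead of silently accepting a weaker channel.
            channel.Abort();
            throw new InvalidOperationException(
                "Kerberos mutual authentication with the service failed; " +
                "check the <identity> value and the service account's SPN/UPN.", ex);
        }
        catch
        {
            channel.Abort();
            throw;
        }
    }

    public static void Main()
    {
        // Hypothetical run: the service is hosted under a domain user account.
        Console.WriteLine(CallService(serviceRunsAsMachineAccount: false));
    }
}
```

The same fail-closed behaviour can be expressed in app.config instead of code, through an endpoint behavior carrying <clientCredentials><windows allowNtlm="false" /></clientCredentials>; either way, a connection that only "worked" because of the NTLM fallback now surfaces as a negotiation failure that can be logged and investigated rather than passing unnoticed.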
