For Kerberos authentication, SPN (Service Principal Name) is the preferred
mechanism versus UPN (User Principal Name), since it frees the client from
having to know the backend account used.
In your case, if you're setting negotiateServiceCredential to false, I
believe the SPN must be set to a well-known account (NetworkService,
LocalService), which means that it's the machine account that is running the
Kerberos service instead of a user account.
Interesting details can be found here:
http://www.zamd.net/CategoryView,cat...BSecurity.aspx
Tiago Halm
"DEE" <tsdeepak@xxxxxx> wrote in message
news:b25b698e-c255-4de7-9c91-87493c4b55b4@xxxxxx
> Hi Tiago,
>
> Thanks for the response.
>
> My client is not using any SPN or UPN. In my binding configuration, I
> have set negotiateServiceCredential="true"; when this is set, the
> client need not supply the SPN or UPN out of bound. I believe
> WCF will take care of the negotiation. But if I give the UPN in the
> client config, it works!
> So my theory might be wrong. But take this scenario:
> 1. My service is running on Machine A.
> 2. Now I decide to move the service to Machine B.
> 3. In the client config I will change the address of the service; now
> I need to change the UPN also.
>
> Is there an alternative for this? I do not want to use the UPN in my
> client config (presuming the configuration will be complicated for
> system integration engineers who may not know the details).
>
> Hope I am clear. Thanks for your time.
>
> Regards
> DEE
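The two client-side identity forms discussed in this thread, as an added configuration example that is not from either poster. The addresses, the contract name `IExampleService`, the endpoint and binding names, and the SPN and UPN values are constructed placeholders.

```xml
<!-- Added example: WCF client configuration (constructed values throughout). -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="kerberosDirect">
        <security mode="Message">
          <!-- negotiateServiceCredential="false": no SPNEGO negotiation of the
               service credential, so the client config must carry the
               service identity itself (SPN or UPN). -->
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <!-- SPN identity: the client asks for a Kerberos ticket for this service
         name and does not name the account the service runs under. -->
    <endpoint name="bySpn"
              address="http://machineB.example.com/ExampleService"
              binding="wsHttpBinding"
              bindingConfiguration="kerberosDirect"
              contract="IExampleService">
      <identity>
        <servicePrincipalName value="host/machineB.example.com" />
      </identity>
    </endpoint>

    <!-- UPN identity: the client config names the service account directly,
         so it has to be edited whenever that account changes. -->
    <endpoint name="byUpn"
              address="http://machineB.example.com/ExampleService"
              binding="wsHttpBinding"
              bindingConfiguration="kerberosDirect"
              contract="IExampleService">
      <identity>
        <userPrincipalName value="svc-example@example.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```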