Old 04-15-2008   #6
tiago.halm
Guest

Re: using localhost v/s Environment.MachineName

Dee,

Some facts to take into account here.

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/ms733130.aspx)
<quote>
Specifying the identity programmatically (using the Identity property)
is optional. If no identity is specified, and the client credential
type is Windows, the default is SPN with the value set to the hostname
part of the service endpoint address prefixed with the "host/"
literal. If no identity is specified, and the client credential type
is a certificate, the default is Certificate. This applies to both
message- and transport-level security.
</quote>

If you do not set the <identity/servicePrincipalName> in the client,
WCF will default to host/xxxx where xxxx is the hostname of the URL
where the service endpoint is located. This means you end up having to
re-use (or reset) the SPN added by Active Directory when adding a
machine to a domain. To view a machine HOST SPN run:
# setspn.exe -L domain\machine

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/bb463274.aspx)
<quote>
To use the Kerberos authentication protocol with delegation, you must
implement the Kerberos protocol with credential negotiation (sometimes
called "multi-leg" or "multi-step" Kerberos). If you implement
Kerberos authentication without credential negotiation (sometimes
called "one-shot" or "single-leg" Kerberos), an exception will be
thrown.
</quote>

This means that if you want to use Kerberos delegation you need to set
negotiateServiceCredential=true.

<quote>
Kerberos Protocol Direct Requires the Service to Run Under a Domain
Machine Account
This occurs when the ClientCredentialType property is set to Windows
and the NegotiateServiceCredential property is set to false ...
</quote>

If you set negotiateServiceCredential=false you need the service to be
running with a well known account such as NetworkService or
LocalService, and its SPN is typically the built-in SPN
host/machine.domain added by Active Directory.

---

What this all means is that if you do not want to set
<identity/servicePrincipalName> on the client, then you have to run your
service with NetworkService/LocalService. If Kerberos delegation is not
required you may set negotiateServiceCredential to false or true. If
delegation is required you need to set
negotiateServiceCredential=true.

Tiago Halm
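The two client configurations the post above contrasts (one-shot Kerberos against the built-in host/ SPN, and the multi-leg negotiation that delegation needs), written out programmatically. This is an added example, not code from the post or from the thread; the contract IEchoService, the host server01.corp.example, the port and the SPN value are assumptions for illustration only.

```csharp
// Added example (not from the original post). Names are assumptions:
// the contract IEchoService, the host server01.corp.example and its SPN.
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);   // hypothetical operation, exists only for this example
}

public static class KerberosClient
{
    // Builds a channel factory for a service that runs as NetworkService or
    // LocalService on server01.corp.example, so that its SPN is the built-in
    // host/server01.corp.example registered when the machine joined the domain.
    public static ChannelFactory<IEchoService> Create(bool delegationRequired)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // negotiateServiceCredential=true  -> multi-leg (SPNEGO) exchange, required for delegation
        // negotiateServiceCredential=false -> one-shot Kerberos; the client must know the SPN up front
        binding.Security.Message.NegotiateServiceCredential = delegationRequired;

        // Stating the identity explicitly gives the same value WCF would derive by
        // default (host/<hostname of the endpoint address>). It removes the surprise
        // when the URL says "localhost" or an alias for which no host/ SPN exists.
        EndpointIdentity spn = EndpointIdentity.CreateSpnIdentity("host/server01.corp.example");
        var address = new EndpointAddress(
            new Uri("http://server01.corp.example:8080/EchoService"), spn);

        var factory = new ChannelFactory<IEchoService>(binding, address);

        // Delegation also needs the client to permit its token to be delegated.
        factory.Credentials.Windows.AllowedImpersonationLevel = delegationRequired
            ? TokenImpersonationLevel.Delegation
            : TokenImpersonationLevel.Identification;

        // Refuse NTLM so a missing or mis-registered SPN fails loudly instead of
        // silently downgrading the negotiation (NTLM cannot delegate anyway).
        factory.Credentials.Windows.AllowNtlm = false;
        return factory;
    }

    public static void Main()
    {
        ChannelFactory<IEchoService> factory = Create(delegationRequired: true);
        IEchoService client = factory.CreateChannel();
        try
        {
            Console.WriteLine(client.Echo("hello"));
            ((IClientChannel)client).Close();
        }
        catch (SecurityNegotiationException ex)
        {
            // Typical when the SPN is not registered in AD. Confirm what the
            // machine account actually carries with:
            //   setspn.exe -L CORP\server01$
            Console.WriteLine("Kerberos negotiation failed: " + ex.Message);
            ((IClientChannel)client).Abort();
        }
        finally
        {
            factory.Close();
        }
    }
}
```

Passing delegationRequired: false gives the "Kerberos direct" case from the post: the one-shot exchange only works because the service runs under the machine account whose host/ SPN the client names. Setting AllowNtlm to false is the practitioner's check: with it, a typo in the SPN or a service running under an unregistered account surfaces as a SecurityNegotiationException rather than a quiet fallback to NTLM that passes the call but can never delegate.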