#1 using localhost v/s Environment.MachineName

Hi there,

I am using wsHttpBinding with client credentials set to Windows. My service address looks like this: "http://localhost:2005/SampleService". When this address is used, the service/client works perfectly.

But I want to replace "localhost" with "Environment.MachineName", so my address will look like http://mymachinename:2005/SampleService. When this address is used, the call to the service fails. The error message is something like this:

"SOAP security negotiation with 'http://mymachinename:2005/SampleService' for target 'http://mymachinename:2005/SampleService' failed. See inner exception for more details."

and the inner exception is:

"Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/mymachinename'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server"

Now my question is: why does this work with localhost and not with Environment.MachineName? Could anybody throw some light on this?

Regards
DEE

PS: my Windows HOSTS file has this entry: 127.0.0.1 localhost
#2 Re: using localhost v/s Environment.MachineName

It all depends on your client config. Your client is trying to authenticate via Kerberos using an SPN or UPN. When using localhost the client will default to NTLM since it cannot use Kerberos, while using the hostname it'll try Kerberos. Show us your client configuration, the part inside the <client>...</client> tag.

Tiago Halm

"DEE" <tsdeepak@xxxxxx> wrote in message news:214f1e4d-2c2d-4629-a5ee-0a92820315f6@xxxxxx

> Hi there,
>
> I am using wsHttpBinding with client credentials set to Windows. My service address looks like this: "http://localhost:2005/SampleService". When this address is used, the service/client works perfectly.
>
> But I want to replace "localhost" with "Environment.MachineName", so my address will look like http://mymachinename:2005/SampleService. When this address is used, the call to the service fails. The error message is something like this:
>
> "SOAP security negotiation with 'http://mymachinename:2005/SampleService' for target 'http://mymachinename:2005/SampleService' failed. See inner exception for more details."
>
> and the inner exception is: "Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/mymachinename'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server"
>
> Now my question is: why does this work with localhost and not with Environment.MachineName?
>
> Could anybody throw some light on this?
>
> Regards
> DEE
>
> PS: my Windows HOSTS file has this entry: 127.0.0.1 localhost
#3 Re: using localhost v/s Environment.MachineName

Hi Tiago,

Thanks for the response.

My client is not using any SPN or UPN. In my binding configuration I have set negotiateServiceCredential="true". When this is set the client need not supply the SPN or UPN out of band; I believe WCF will take care of the negotiation. But if I give the UPN in the client config it works!!! So maybe my theory is wrong. But take this scenario:

1. My service is running on Machine A.
2. Now I decide to move the service to Machine B.
3. In the client config I will change the address of the service; now I need to change the UPN also.

Is there an alternative for this? I do not want to use the UPN in my client config (presuming the configuration will be complicated for system integration engineers who may not know the details).

Hope I am clear. Thanks for your time.

Regards
DEE
#4 Re: using localhost v/s Environment.MachineName

For Kerberos authentication, SPN (Service Principal Name) is the preferred mechanism versus UPN (User Principal Name), since it frees the client from having to know the backend account used. In your case, if you're setting negotiateServiceCredential to false, I believe the SPN must be set to a well known account (NetworkService, LocalService), which means that it's the machine account that is running the Kerberos service instead of a user account.

Interesting details can be found here: http://www.zamd.net/CategoryView,cat...BSecurity.aspx

Tiago Halm

"DEE" <tsdeepak@xxxxxx> wrote in message news:b25b698e-c255-4de7-9c91-87493c4b55b4@xxxxxx

> Hi Tiago,
>
> Thanks for the response.
>
> My client is not using any SPN or UPN. In my binding configuration I have set negotiateServiceCredential="true". When this is set the client need not supply the SPN or UPN out of band; I believe WCF will take care of the negotiation. But if I give the UPN in the client config it works!!! So maybe my theory is wrong. But take this scenario:
>
> 1. My service is running on Machine A.
> 2. Now I decide to move the service to Machine B.
> 3. In the client config I will change the address of the service; now I need to change the UPN also.
>
> Is there an alternative for this? I do not want to use the UPN in my client config (presuming the configuration will be complicated for system integration engineers who may not know the details).
>
> Hope I am clear. Thanks for your time.
>
> Regards
> DEE
#5 Re: using localhost v/s Environment.MachineName

Hi Tiago,

Thanks for the response. I went through the link you had mentioned. So: "if I have negotiateServiceCredential="true", then I do not need to have either SPN or UPN configured". Is this statement right? For me, when I have negotiateServiceCredential="true", it does not work without SPN or UPN, but according to the documentation it should. Any comments on this?

Regards
Dee
#6 Re: using localhost v/s Environment.MachineName

Dee,

Some facts to take into account here.

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/ms733130.aspx)

> Specifying the identity programmatically (using the Identity property) is optional. If no identity is specified, and the client credential type is Windows, the default is SPN with the value set to the hostname part of the service endpoint address prefixed with the "host/" literal. If no identity is specified, and the client credential type is a certificate, the default is Certificate. This applies to both message- and transport-level security.

If you do not set the <identity/servicePrincipalName> in the client, WCF will default to host/xxxx where xxxx is the hostname of the URL where the service endpoint is located. This means you end up having to re-use (or reset) the SPN added by Active Directory when adding a machine to a domain. To view a machine HOST SPN run:

    setspn.exe -L domain\machine

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/bb463274.aspx)

> To use the Kerberos authentication protocol with delegation, you must implement the Kerberos protocol with credential negotiation (sometimes called "multi-leg" or "multi-step" Kerberos). If you implement Kerberos authentication without credential negotiation (sometimes called "one-shot" or "single-leg" Kerberos), an exception will be thrown.

This means that if you want to use Kerberos delegation you need to set negotiateServiceCredential=true.

> Kerberos Protocol Direct Requires the Service to Run Under a Domain Machine Account
>
> This occurs when the ClientCredentialType property is set to Windows and the NegotiateServiceCredential property is set to false ...

If you set negotiateServiceCredential=false you need the service to be running with a well known account such as NetworkService or LocalService, and its SPN is typically the built-in SPN host/machine.domain added by Active Directory.

---

What this all means is that if you do not want to set <identity/servicePrincipalName> on the client, then you have to run your service with NetworkService/LocalService. If Kerberos delegation is not required you may set negotiateServiceCredential to false or true. If delegation is required you need to set negotiateServiceCredential=true.

Tiago Halm
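The following is an added C# example, not code from the thread or from any of its posters, showing the client side of the setup discussed above: the endpoint identity is derived from the host name rather than hard-coded, so moving the service from one machine to another changes only the address. It assumes a hypothetical ISampleService contract on port 2005, that the service runs as NetworkService or LocalService (so the machine account's built-in host/<machine> SPN applies), and a UPN branch for the case where it runs under a user account instead; the helper names are also assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the thread's SampleService (assumption).
[ServiceContract]
public interface ISampleService
{
    [OperationContract]
    string Ping(string text);
}

public static class SampleClientFactory
{
    // Builds the endpoint address with an explicit Kerberos identity.
    // With no identity WCF defaults to "host/<hostname>" (the MSDN text quoted
    // in the thread), so runAsUserUpn == null just makes that default visible.
    // If the service runs under a user account, its UPN must be given instead,
    // because no host/<machine> SPN is registered for that account.
    public static EndpointAddress BuildAddress(string host, int port, string runAsUserUpn = null)
    {
        var uri = new Uri($"http://{host}:{port}/SampleService");
        EndpointIdentity identity = runAsUserUpn == null
            ? EndpointIdentity.CreateSpnIdentity("host/" + host)   // machine account (NetworkService/LocalService)
            : EndpointIdentity.CreateUpnIdentity(runAsUserUpn);     // e.g. "svc-sample@corp.example" (placeholder)
        return new EndpointAddress(uri, identity);
    }

    // wsHttpBinding with message security and Windows credentials, matching the
    // thread's setup. NegotiateServiceCredential = true is the "multi-leg"
    // Kerberos from the second MSDN quote and is required when delegation is needed.
    public static WSHttpBinding BuildBinding(bool negotiateServiceCredential = true)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = negotiateServiceCredential;
        return binding;
    }

    public static ISampleService CreateChannel(string host, int port, string runAsUserUpn = null)
    {
        var factory = new ChannelFactory<ISampleService>(BuildBinding(), BuildAddress(host, port, runAsUserUpn));
        return factory.CreateChannel();
    }
}

public static class Program
{
    public static void Main()
    {
        // Moving the service from machine A to B only changes the host name;
        // the SPN is derived from it, so nothing else in the client changes.
        string host = Environment.MachineName;
        ISampleService client = SampleClientFactory.CreateChannel(host, 2005);
        var channel = (IClientChannel)client;
        try
        {
            Console.WriteLine(client.Ping("hello"));
            channel.Close();
        }
        catch (SecurityNegotiationException ex)
        {
            // This is the "SOAP security negotiation ... failed" from the first
            // post; the inner exception names the identity the client asked for,
            // which is what to compare against the output of setspn -L.
            Console.WriteLine("Negotiation failed: " + ex.InnerException?.Message);
            channel.Abort();
        }
    }
}
```

The configuration-file equivalent of BuildAddress is an <identity><servicePrincipalName value="host/mymachinename"/></identity> element (or <userPrincipalName> for a user account) inside the <endpoint> under <client>; when the error in the first post appears, compare the identity named in the inner exception with what setspn.exe -L domain\machine lists for the host, since a mismatch there is the usual cause.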