12

I'm trying to set up client impersonation on my service.

I need to set a value for the servicePrincipalName of my services endPoint

I'm looking at this MSDN article but still cannot quite figure it out

My service is hosted in a console app on a server that we'll call ServerName1.
The Uri is: net.tcp://ServerName1:9990/TestService1/.

What specifically should my servicePrincipalName be?

I tried, with no joy:

<identity>
    <servicePrincipalName value="ServerName1" />
</identity>
abatishchev

4 Answers

11

Configuring servicePrincipalName is a difficult topic to describe in a few words. Perhaps these articles will help:

Most probably, you need to configure it the following way:

<identity>
    <servicePrincipalName value="HOST/ServerName1:9990" />
</identity>

We usually use userPrincipalName instead of servicePrincipalName, like this:

<identity>
  <userPrincipalName value="account@domain.com" />
</identity>
abatishchev
Bogdan_Ch
9

The name of the user you wish the service to use (execute under). So if you want to execute it under 'local network' credentials, the above XML should look like:

<identity>
    <servicePrincipalName value="Local Network" />
</identity>
Rune FS
  • So is there a list of accepted values that can be used here, i.e. "Local Network" being one of them? What value should it be if I want to use the calling client's user credentials? –  Aug 18 '09 at 07:22
  • @Tom I don't believe you can set that in the configuration but you can do it from code – Rune FS Nov 01 '11 at 08:46
  • I was using a network service to run my automated tests including generating SOAP requests to test some WCF services. The requests were failing and this "Local Network" setting solved my issue. – No Spoon May 15 '13 at 21:21
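The two answers above describe the service identity (SPN or UPN) set in `<identity>` and, in the comment, that caller impersonation can be set up from code. The following is an added example, not code from the question or from any of the answers, that does both in C# for the net.tcp endpoint in the question (host ServerName1, port 9990 are taken from the question; the contract `ITestService1`, the `WhoAmI` operation, the service account names and the `svc_test@domain.com` UPN are assumptions). The client side states which identity the service must prove via Kerberos; the service side impersonates the caller for the duration of the call.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Assumed contract; the question does not show one.
[ServiceContract]
public interface ITestService1
{
    [OperationContract]
    string WhoAmI();
}

// Service implementation. ImpersonationOption.Required makes WCF switch the
// thread token to the caller's token for the duration of the call, so file,
// registry or SQL access inside WhoAmI() is checked against the CALLER, not
// against the account the console host runs as.
public class TestService1 : ITestService1
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // Under impersonation this is the caller's identity (DOMAIN\user).
        return WindowsIdentity.GetCurrent().Name;
    }
}

public static class Program
{
    // Endpoint from the question.
    const string ServiceUri = "net.tcp://ServerName1:9990/TestService1/";

    static NetTcpBinding WindowsTransportBinding()
    {
        // Transport security with Windows credentials: Kerberos (or NTLM
        // fallback) over the TCP channel.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    // Host side: equivalent of <service>/<endpoint> in app.config.
    public static ServiceHost StartHost()
    {
        var host = new ServiceHost(typeof(TestService1));
        host.AddServiceEndpoint(typeof(ITestService1), WindowsTransportBinding(), ServiceUri);
        host.Open();
        return host;
    }

    // Client side: equivalent of <endpoint>/<identity> in the client config.
    public static string CallAsClient()
    {
        // The identity is what the CLIENT requires the SERVICE to prove.
        // HOST/ServerName1 (no port) is registered automatically on the machine
        // account, so it is the right value when the console host runs as
        // Network Service or Local System. A port-qualified name such as
        // HOST/ServerName1:9990, or a service running as a domain user, needs
        // that SPN registered on the service account first (see note below);
        // for a domain user you can instead name the account by UPN:
        //   EndpointIdentity.CreateUpnIdentity("svc_test@domain.com")  // assumed account
        var address = new EndpointAddress(
            new Uri(ServiceUri),
            EndpointIdentity.CreateSpnIdentity("HOST/ServerName1"));

        var factory = new ChannelFactory<ITestService1>(WindowsTransportBinding(), address);

        // Default is Identification, which is NOT enough for a service marked
        // ImpersonationOption.Required; grant Impersonation explicitly.
        // (Use Delegation only if the service must call a third machine as you.)
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

        ITestService1 proxy = factory.CreateChannel();
        try
        {
            return proxy.WhoAmI();
        }
        finally
        {
            ((ICommunicationObject)proxy).Close();
            factory.Close();
        }
    }

    public static void Main()
    {
        using (ServiceHost host = StartHost())
        {
            Console.WriteLine("Service sees caller as: " + CallAsClient());
        }
    }
}
```

Two checks worth doing before trusting this: list the SPNs actually registered on the account the host runs as (`setspn -L ServerName1$` for the machine account, or `setspn -L DOMAIN\svc_account` for an assumed domain account) and register a missing one with `setspn -S HOST/ServerName1:9990 DOMAIN\svc_account`. If the SPN the client names is not registered, Negotiate can silently fall back to NTLM: the call still succeeds, but the client no longer has Kerberos proof that it is talking to the intended service. Also note that an impersonated token obtained this way is only good on the service machine; reaching a second server as the caller requires delegation, which is a separate AD configuration.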
1

For a complete guide on how to build your SPN, check out these articles:

https://geertbaeten.wordpress.com/2013/06/03/kerberos-authentication-and-delegation-serviceprincipalnames/

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

Those are more about the infrastructure side (AD DS), but the first part is very useful for programmers too.

Geert
0

When using WCF services hosted by IIS:

We have been using "host/computerName" as <servicePrincipalName /> for anonymous connections. Inside your WCF application, you can set the application pool, for example "iis apppool\defaultAppPool"; this user will be the real connected user.

In the image below, /C??????DataService is the application name ("Tom's TestService1"). The Application Pool C????Pool can be "DefaultAppPool"; in the case of "Application User (pass-through authentication)", you will use "IIS AppPool\DefaultAppPool" as the user to grant rights to a specific resource, like a file or a SQL Server connection string.

And, even using anonymous authentication, you can set "forms authorization" for a specific resource inside the WCF application, for example "MasterSettings.svc".


Hope this helps.

antonio