Is it possible to avoid specifying servicePrincipalName if both clients and services are running under the same account on the same server?

I have a WCF service configured with net.tcp binding:

<netTcpBinding>
  <binding>
    <security mode="Transport">
      <transport clientCredentialType="Windows" />
      <message clientCredentialType="None" />
    </security>
  </binding>
</netTcpBinding>

I have a web client application. Both are running as NT AUTHORITY\NETWORK SERVICE on the same server, only on different ports.

When a client tries to connect to the service, this results in an error:

System.ComponentModel.Win32Exception: Login attempt failed

This can be fixed by specifying servicePrincipalName on the client side:

<endpoint>
  <identity>
    <servicePrincipalName value="NT AUTHORITY\NETWORK SERVICE" />
  </identity>
</endpoint>

But can I avoid this? I want the client to use its current user.

1 answer

The servicePrincipalName in the endpoint/identity element of the client configuration does not specify the client's identity, but the expected identity of the service. Remember that WCF authentication is mutual (the client also identifies the service).

In this case, the client expects the service to run under the Network Service account.

<endpoint>
  <identity>
    <servicePrincipalName value="NT AUTHORITY\NETWORK SERVICE" />
  </identity>
</endpoint>

If the client and the service are on the same computer, this can be replaced by

<endpoint>
  <identity>
    <servicePrincipalName value="host/localhost" />
  </identity>
</endpoint>

Service authentication now depends on the DNS name (localhost).

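The same client-side identity expressed programmatically, as an added example that is not part of the question or answer: a self-hosted net.tcp service and a client in one process, where the client states the service identity it expects (host/localhost) while still authenticating with its own current Windows account. The IEcho contract, the EchoService class and the port 8731 are assumptions made for this example.

```csharp
using System;
using System.ServiceModel;

// Service contract shared by host and client (constructed for this example).
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string WhoAmI();
}

public class EchoService : IEcho
{
    // Returns the Windows identity the service sees for the caller,
    // which lets the client confirm it was authenticated as its own account.
    public string WhoAmI() => ServiceSecurityContext.Current.WindowsIdentity.Name;
}

class Program
{
    static void Main()
    {
        // Same binding as the question: transport security with Windows credentials.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var uri = new Uri("net.tcp://localhost:8731/echo"); // assumed address
        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, uri);
            host.Open();

            // The identity names the SERVICE the client expects to reach, not the
            // client's own account. host/localhost is valid when both sides run on
            // the same machine, as in the answer above.
            var identity = EndpointIdentity.CreateSpnIdentity("host/localhost");
            var address = new EndpointAddress(uri, identity);

            // No explicit ClientCredentials: the channel authenticates with the
            // process's current Windows identity, which is what the question asks for.
            var factory = new ChannelFactory<IEcho>(binding, address);
            IEcho proxy = factory.CreateChannel();
            Console.WriteLine("Service saw caller: " + proxy.WhoAmI());
            ((ICommunicationObject)proxy).Close();
            factory.Close();
        }
    }
}
```

If the service runs under a domain user account instead of a machine account, the client must expect a user principal name (EndpointIdentity.CreateUpnIdentity) rather than an SPN.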
