What value should the servicePrincipalName have?

Question

I'm trying to set up client impersonation on my service.

I need to set a value for the servicePrincipalName of my services endPoint

I'm looking at this MSDN article but still cannot quite figure it out

My service is hosted in a console app on a server that we'll call ServerName1.
The Uri is: net.tcp://ServerName1:9990/TestService1/.

What specifically should my servicePrincipalName be?

I tried, with no joy:

<identity>
    <servicePrincipalName value="ServerName1" />
</identity>

Answer 1

The name of the user you wish the service to user (execute under). So if you want to execute it under 'local network' credentials the above XML should look like:

<identity>
    <servicePrincipalName value="Local Network" />
</identity>

Answer 2

Configuring servicePrincipleName is a difficult topic to describe it in a few words Perhaps these articles will help:

• Overriding the Identity of a Service for Authentication
• Security in Windows Communication Foundation

Most probably, you need to configure it the following way

<identity>
    <servicePrincipalName value="HOST/ServerName1:9990" />
</identity>

We usually use userPrincipalName instead of servicePrincipalName, like this

<identity>
  <userPrincipalName value="account@domain.com" />
</identity>

Answer 3

For a complete guide on how to build your SPN, check out these articles:

https://geertbaeten.wordpress.com/2013/06/03/kerberos-authentication-and-delegation-serviceprincipalnames/

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

Those are more about the infrastructure side (ADDS) but the first part is very usefull for programmers too

Answer 4

When using WCF services hosted by IIS.

We have using "host/computerName", as <servicePrincipalName />, for anonymous connection. Inside of your WCF application, you can set the application pool, for example "iis apppool\defaultAppPool", this user will be the real connected user.

In the below image /C??????DataService is the application name ("Tom's TestService1") Application Pool: C????Pool can be "DefaultAppPool", in the case of "Application User (pass-through authentication)", you will use the "IIS AppPool\DefaultAppPool" as a user to grant rights to specific resource, like a file or a sql server connection string.

And, even using anonymous authentication, you can set "forms authorization", to an specific resource inside the WCF application, for example "MasterSettings.svc".

hope this helps