What is the purpose of the userPrincipalName identity that WCF specifies?

I created a WCF service with wsHttpBinding and message security. Then I added a service reference to it, which updated the client configuration file:

<client>
  <endpoint address="http://localhost:42160/Service1.svc/secure"
            binding="wsHttpBinding"
            bindingConfiguration="WSHttpBinding_IService1"
            contract="SecureProxy.IService1"
            name="WSHttpBinding_IService1">
    <identity>
      <userPrincipalName value="baria2@mydomain.com" />
    </identity>
  </endpoint>
</client>

I do not understand what userPrincipalName refers to. No matter what I change the value to, the client and the service still communicate successfully. It does not seem to serve any purpose.

This is an MSDN article that tries to explain the purpose in detail, and it does not explain anything at all.

What problem was Microsoft trying to solve by adding this to the WCF story? Again, I can change the value to whatever I want, and it does not affect the client or the service.

In addition, there is a similar question.

+4
3 answers

In general, the UPN is meant to authenticate the server to the client (that is, you tell your client which server is trusted and which is not, much like a client checking the host name in SSL).

I think that if the UPN has the correct value, the connection will use Kerberos, and if it is wrong, the connection will use NTLM (if it is available under the given conditions). Try disabling NTLM; then only the correct UPN value will work:

<clientCredentials>
  <windows allowNtlm="false" />
</clientCredentials>

There is also a way to check whether Kerberos or NTLM was used: set a breakpoint or a log statement on the server and inspect ServiceSecurityContext.Current. You should get a different value depending on the UPN value.

+2
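As an added example (not code from the question or from the answer above), here is a C# version of the check this answer describes: the service reports which Windows authentication mechanism actually ran, and the client sets the UPN identity in code and disables NTLM so that a wrong UPN fails outright instead of silently falling back. The endpoint address, the UPN value and the IService1 contract with its WhoAmI operation are assumptions; it needs a domain-joined client and service and the .NET Framework WCF stack.

```csharp
// Added example; assumes a domain-joined client and service and a hypothetical
// IService1 contract. Not part of the original question or answers.
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string WhoAmI();
}

// Service side: report the caller and the mechanism that authenticated it.
public class Service1 : IService1
{
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return "anonymous";

        WindowsIdentity wi = ctx.WindowsIdentity;
        // AuthenticationType is "Kerberos" when the client obtained a ticket for the
        // service's UPN/SPN and "NTLM" when it fell back to NTLM instead.
        return string.Format("{0} via {1}", wi.Name, wi.AuthenticationType);
    }
}

public static class ClientDemo
{
    // Hypothetical endpoint and service identity; replace with your own values.
    const string Address = "http://localhost:42160/Service1.svc/secure";
    const string ServiceUpn = "baria2@mydomain.com";

    // Calls the service with the given NTLM policy and returns what the server saw,
    // or the negotiation error when Kerberos fails and no fallback is allowed.
    public static string Call(bool allowNtlm)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // The identity is the principal the client requests a Kerberos ticket for;
        // this is the code equivalent of <identity><userPrincipalName .../></identity>.
        var endpoint = new EndpointAddress(new Uri(Address),
                                           EndpointIdentity.CreateUpnIdentity(ServiceUpn));

        var factory = new ChannelFactory<IService1>(binding, endpoint);
#pragma warning disable 618 // AllowNtlm is marked obsolete in newer frameworks but still honored
        factory.Credentials.Windows.AllowNtlm = allowNtlm; // same as <windows allowNtlm="false"/>
#pragma warning restore 618

        IService1 proxy = factory.CreateChannel();
        try
        {
            return proxy.WhoAmI();
        }
        catch (SecurityNegotiationException ex)
        {
            // With AllowNtlm=false and a UPN the KDC cannot map to the service account,
            // Kerberos fails and there is no NTLM fallback to hide the mistake.
            return "negotiation failed: " + ex.Message;
        }
        finally
        {
            ((ICommunicationObject)proxy).Abort();
            factory.Abort();
        }
    }

    public static void Main()
    {
        Console.WriteLine(Call(allowNtlm: true));  // wrong UPN: "... via NTLM"
        Console.WriteLine(Call(allowNtlm: false)); // wrong UPN: "negotiation failed: ..."
    }
}
```

Run it twice, once with the UPN that matches the service account and once with a made-up one: with NTLM allowed both succeed but the AuthenticationType differs, which is exactly why the original poster saw no effect; with NTLM disabled only the correct UPN works.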

By default, when the service is configured to use Windows credentials, the <identity> and <userPrincipalName> .

0

By default, when a service is configured to use Windows credentials, an <identity> and a <userPrincipalName> element are generated in the WSDL document that is created with the ServiceModel Metadata Utility tool (Svcutil.exe). If the service is running under the LocalSystem, LocalService or NetworkService account, a Service Principal Name (SPN) is generated in the form host/<hostname>, because these accounts have access to the computer's SPN data. If the service is running under a different account, WCF generates a user principal name (UPN) in the form <username>@<domainName>. This is because Kerberos authentication requires a UPN or SPN to authenticate the service.

This behavior does not occur if you set the service endpoint identity in code or configuration. You can also use the SetSpn.exe tool ( http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp ) to register an additional SPN with a service account in the domain. That SPN can then be used as the service identity.

as stated here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/78638457-ca7a-4f88-b8a9-9bc32d4b5c7d/userprincipalname-element-generated-in-client-config?forum=wcf

0
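To make the rule in this answer concrete, an added example (not from the answer or from MSDN) that sets the service identity explicitly in code instead of relying on the generated one. The contract, the base address and the hostName and accountUpn values are assumptions. ChooseIdentity reproduces the default rule (the built-in machine accounts publish host/<hostname>, any other account publishes its UPN), and OpenHost attaches that identity to the endpoint so the published metadata, and therefore the client's <identity> element, carry it.

```csharp
// Added example; not part of the original answer. Assumes the .NET Framework WCF
// stack, a domain-joined host and a hypothetical IService1 contract.
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string Ping();
}

public class Service1 : IService1
{
    public string Ping() { return "pong"; }
}

public static class ServiceIdentityHost
{
    // Reproduces the default WCF rule: LocalSystem, LocalService and NetworkService
    // run as the computer account and publish the SPN host/<hostname>; any other
    // account publishes its UPN (accountUpn must match the account's userPrincipalName
    // attribute in Active Directory, which the caller is assumed to know).
    public static EndpointIdentity ChooseIdentity(WindowsIdentity account,
                                                  string hostName, string accountUpn)
    {
        SecurityIdentifier sid = account.User;
        bool machineAccount =
            sid.IsWellKnown(WellKnownSidType.LocalSystemSid) ||
            sid.IsWellKnown(WellKnownSidType.LocalServiceSid) ||
            sid.IsWellKnown(WellKnownSidType.NetworkServiceSid);

        return machineAccount
            ? EndpointIdentity.CreateSpnIdentity("host/" + hostName)
            : EndpointIdentity.CreateUpnIdentity(accountUpn);
    }

    // Hosts Service1 with message security over Windows credentials and stamps the
    // chosen identity on the endpoint; this is what "set the service endpoint identity
    // in code" means, and it suppresses the automatically generated one.
    public static ServiceHost OpenHost(string baseAddress, EndpointIdentity identity)
    {
        var host = new ServiceHost(typeof(Service1), new Uri(baseAddress));

        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        ServiceEndpoint ep = host.AddServiceEndpoint(typeof(IService1), binding, "secure");
        ep.Address = new EndpointAddress(ep.Address.Uri, identity);

        // Publish WSDL so "Add Service Reference" picks up the <identity> element.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });

        host.Open();
        return host;
    }

    public static void Main()
    {
        // Hypothetical values; replace with the real host name and service account UPN.
        EndpointIdentity identity = ChooseIdentity(WindowsIdentity.GetCurrent(),
                                                   "myhost.mydomain.com",
                                                   "baria2@mydomain.com");
        using (ServiceHost host = OpenHost("http://localhost:42160/Service1.svc", identity))
        {
            Console.WriteLine("Listening with identity: " + identity);
            Console.ReadLine();
        }
    }
}
```

If you have registered a custom SPN for the service account with SetSpn.exe (for example `setspn -S HTTP/myhost.mydomain.com MYDOMAIN\svc_account`), pass `EndpointIdentity.CreateSpnIdentity("HTTP/myhost.mydomain.com")` to OpenHost instead of the result of ChooseIdentity; the client then needs a matching <servicePrincipalName> rather than <userPrincipalName> in its <identity> element.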

Source: https://habr.com/ru/post/1493340/

