
For a WCF service "SuperService", installed on two separate servers "Server1" and "Server2" - is it possible to have a single SPN identity string to which the WCF client "SuperClient" can refer?

That is, SuperClient should be able to consume the service hosted on either Server1 or Server2 without knowing which server is hosting the instance it is connecting to, and without having to change its identity string.

Richard
  • Seems like you would want the service identity to be a user account that holds the service principal name, and use that same account on both servers. – Greg Askew Aug 18 '15 at 16:13

1 Answer


Two-parter:

Yes. The first step is the identity of the receiving process, so you'll need to use a common identity for the service on both (which functionally means a domain user account, or better, a GMSA).

That'll let you interchangeably connect to either server by name (assuming an SPN is registered for each) but you did mention agnosticism towards which server is used...

The way to do that is to either use a Virtual IP, or a DNS A record with multiple targets (round robin) or similar.

So if www.example.com is the service you're pointing clients to, you'd then

SETSPN -S http/www.example.com MyDomain\GMSAICreatedEarlier

TristanK
  • should setspn -s take the FQDN of each actual server or should it take the name of the DNS A record for the vip? – Richard Aug 19 '15 at 17:29
  • Whatever the client uses to produce the SPN, so in most cases just the A record for the VIP. – TristanK Jan 07 '16 at 01:59
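The procedure the answer and its comments describe (one gMSA as the service identity on both hosts, one SPN registered for the shared DNS name the clients actually use) as an added, end-to-end PowerShell example. This is not code from the answer or from any product; the domain CORP, the gMSA name svcSuper, the host names SERVER1 and SERVER2 and the DNS suffix corp.example are assumed placeholders, and the SPN http/www.example.com is the one from the answer. It requires the ActiveDirectory module and domain-admin rights, and PowerShell remoting to the two hosts.

```powershell
# Added example (not from the answer). Assumed names: domain CORP, gMSA "svcSuper",
# service hosts SERVER1/SERVER2, and www.example.com as the VIP / round-robin A record
# that clients connect to. Run as a domain administrator with the ActiveDirectory module.

$Domain   = 'CORP'
$GmsaName = 'svcSuper'
$Hosts    = 'SERVER1', 'SERVER2'
$Spn      = 'http/www.example.com'   # the name the CLIENT builds the SPN from, not a host name

# 1. A KDS root key must exist (once per domain) before any gMSA can be created.
#    -EffectiveImmediately still waits for replication (about 10 hours) in a real domain.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the shared service identity and allow exactly the two hosts to retrieve its password.
$HostAccounts = $Hosts | ForEach-Object { Get-ADComputer -Identity $_ }
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostAccounts

# 3. Register the SPN on the gMSA (account name of a gMSA ends in '$').
#    setspn -S checks the forest for a duplicate first and refuses to add one; a duplicate
#    SPN makes the KDC issue tickets encrypted with the wrong account's key, so the service
#    side sees KRB_AP_ERR_MODIFIED and authentication fails.
setspn -S $Spn "$Domain\$GmsaName`$"
if ($LASTEXITCODE -ne 0) {
    throw "SPN registration failed for $Spn; list duplicates with: setspn -X"
}

# 4. Verify that exactly one account holds the SPN.
setspn -Q $Spn

# 5. On each host, install the gMSA so the WCF host process can run as CORP\svcSuper$
#    with no stored password. Test-ADServiceAccount returns True when the host can
#    retrieve the managed password.
Invoke-Command -ComputerName $Hosts -ArgumentList $GmsaName -ScriptBlock {
    param($Name)
    Install-ADServiceAccount -Identity $Name
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = (Test-ADServiceAccount -Identity $Name) }
}
```

Two points this makes concrete. The SPN goes on the account that runs the service, not on the computer accounts of SERVER1 and SERVER2; because both hosts run as the same gMSA, a single http/www.example.com entry covers whichever server the VIP or round-robin record hands the client. On the client side, a WCF endpoint that uses the service's DNS name in its address derives the SPN from that name by default, so it needs no per-server change; if the client sets an explicit identity, it should be the same value, e.g. `<identity><servicePrincipalName value="http/www.example.com"/></identity>`. If a plain domain user account is used instead of a gMSA, steps 1, 2 and 5 are replaced by configuring the service to run as that account on both hosts, and step 3 is unchanged.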