
I've created a WCF service with a wsHttpBinding and Message security. Then I added a service reference which resulted in the client's config file being updated with this:

<client>
  <endpoint address="http://localhost:42160/Service1.svc/secure"
    binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
    contract="SecureProxy.IService1" name="WSHttpBinding_IService1">
    <identity>
        <userPrincipalName value="baria2@mydomain.com" />
    </identity>
  </endpoint>
</client>

I don't understand what the userPrincipalName is for. No matter what I modify the value to, the client and service communicate successfully. It doesn't seem to serve any purpose.

This MSDN article attempts to explain the purpose in detail, and somehow manages to explain nothing at all.

What problem was Microsoft trying to solve by adding that into the WCF story? Again, I can change the value to anything I want and it doesn't affect the client and service.

Also, here is a similar question.

Brent Arias

3 Answers

In general the UPN is there to authenticate the server to the client (e.g. you instruct your client which server is trusted and which is not, like clients validate hosts in SSL).

I think if the UPN has the right value then communication will use Kerberos, and if it is wrong then communication will use NTLM (if available, under some conditions). Try to disable NTLM; then only the right value for the UPN will work:

<clientCredentials>
   <windows allowNtlm="false" />
</clientCredentials>

There is also a way to check whether Kerberos or NTLM was used, by putting a breakpoint/log on the server and checking ServiceSecurityContext.Current. You should get a different value depending on the UPN value.

Yaron Naveh
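The check suggested in this answer, written out as an added example (not code from the question or the answers): the service operation reports the authentication protocol it saw via ServiceSecurityContext.Current, and the client pins the expected service identity in code instead of in config. IService1, Service1 and the address are taken from the question; the UPN is the sample value from the question's config and is assumed to belong to the service account.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string WhoAuthenticatedMe();
}

public class Service1 : IService1
{
    // Returns the protocol the caller was authenticated with ("Kerberos" or "NTLM").
    // With a UPN/SPN the service account actually owns, the client can get a Kerberos
    // ticket; with a wrong value, Negotiate may fall back to NTLM (if NTLM is allowed),
    // which is why an arbitrary UPN still "works". Log this to see the difference.
    public string WhoAuthenticatedMe()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        string protocol = caller.AuthenticationType;
        Console.WriteLine("{0} authenticated via {1}", caller.Name, protocol);
        return protocol;
    }
}

public static class ClientDemo
{
    public static void Main()
    {
        var binding = new WSHttpBinding();
        binding.Security.Mode = SecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Equivalent to the <identity><userPrincipalName/></identity> element in the
        // generated client config (assumed sample UPN from the question).
        EndpointIdentity identity = EndpointIdentity.CreateUpnIdentity("baria2@mydomain.com");
        var address = new EndpointAddress(
            new Uri("http://localhost:42160/Service1.svc/secure"), identity);

        var factory = new ChannelFactory<IService1>(binding, address);
        IService1 proxy = factory.CreateChannel();
        Console.WriteLine("Service reports: " + proxy.WhoAuthenticatedMe());
        ((IClientChannel)proxy).Close();
        factory.Close();
    }
}
```

Run the client once with the correct UPN and once with a wrong one: if the service prints "NTLM" for the wrong value, the fallback is what masks the misconfiguration, and disabling NTLM as described above turns it into a hard failure.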

By default, when a service is configured to use Windows credentials, an <identity> and a <userPrincipalName> element are generated.

Matt Klepeis
    True, but what is the purpose of this? What problem does it solve? Why can the userPrincipalName value be changed to any arbitrary value without effect? – Brent Arias Jul 25 '13 at 14:07

By default, when a service is configured to use Windows credentials, an and element is generated in the WSDL document produced by the Service Model Metadata Utility Tool (Svcutil.exe). If the service is running under the LocalSystem, LocalService, or NetworkService account, a Service Principal Name (SPN) will be generated in the form of host/ because those accounts have access to the computer's SPN data. If the service is running under a different account, WCF generates a User Principal Name (UPN) in the form of @. This occurs because Kerberos authentication requires a UPN or SPN to be supplied to the client to authenticate the service.

This behavior does not occur if you set the Identity of the service endpoint in either code or configuration. You can also use the SetSpn.exe (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp) tool to register an additional SPN with a service's account in a domain. The SPN can then be used as the Identity of the service.

As mentioned here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/78638457-ca7a-4f88-b8a9-9bc32d4b5c7d/userprincipalname-element-generated-in-client-config?forum=wcf

LucidObscurity