What purpose does the WCF client-specified "userPrincipalName" serve?

3

11

I've created a WCF service with a wsHttpBinding and Message security. Then I added a service reference which resulted in the client's config file being updated with this:

<client>
  <endpoint address="http://localhost:42160/Service1.svc/secure"
    binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
    contract="SecureProxy.IService1" name="WSHttpBinding_IService1">
    <identity>
        <userPrincipalName value="[email protected]" />
    </identity>
  </endpoint>
</client>

I don't understand what the userPrincipalName is for. No matter what I modify the value to, the client and service communicate successfully. It doesn't seem to serve any purpose.

This MSDN article attempts to explain the purpose in detail, and somehow manages to explain nothing at all.

What problem was Microsoft trying to solve by adding that into the WCF story? Again, I can change the value to anything I want and it doesn't affect the client and service.

Also, here is a similar question.

Suzansuzann answered 25/7, 2013 at 2:28 Comment(1)
I'm curious if it works when you totally remove it? Abeabeam
1

In general the UPN is there to authenticate the server to the client (e.g. you instruct your client which server is trusted and which is not, like clients validating hosts in SSL).

I think if the UPN has the right value then communication will use Kerberos, and if it is wrong then communication will use NTLM (if available, under some conditions). Try to disable NTLM, and then only the right value for the UPN will work:

<clientCredentials>
   <windows allowNtlm="false" />
</clientCredentials>

There is also a way to check whether Kerberos or NTLM was used, by putting a breakpoint/log on the server and checking ServiceSecurityContext.Current. You should get a different value depending on the UPN value.

Darkroom answered 25/7, 2013 at 22:12 Comment(0)
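As an added example (not code from the question or from this answer), the following C# shows the check described above done in code rather than in config: the client pins the UPN it expects the server to run as and refuses NTLM fallback, and the service operation reports which protocol actually authenticated the caller. The service URL, the contract name and the UPN value are placeholders; the contract mirrors the `IService1` name from the question's config but is otherwise assumed.

```csharp
// Added example, not part of the original question or answers.
// Assumed: a wsHttpBinding endpoint with Message security and Windows
// credentials, as in the question. URL, contract body and UPN are placeholders.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string WhoAuthenticatedMe();
}

public class Service1 : IService1
{
    public string WhoAuthenticatedMe()
    {
        // Populated once message security has authenticated the caller.
        // WindowsIdentity is null when the caller did not present Windows credentials.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.WindowsIdentity == null)
            return "no Windows identity on this call";

        WindowsIdentity id = ctx.WindowsIdentity;
        // "Kerberos" when the client obtained a ticket for the UPN/SPN it was given,
        // "NTLM" when it fell back (NTLM does not authenticate the server to the client).
        return string.Format("{0} authenticated via {1}", id.Name, id.AuthenticationType);
    }
}

public static class ClientExample
{
    public static string CallSecureEndpoint(string serviceUrl, string expectedServerUpn)
    {
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Code equivalent of <identity><userPrincipalName value="..."/></identity>:
        // the account the server must prove it runs as before the client trusts it.
        EndpointIdentity identity = EndpointIdentity.CreateUpnIdentity(expectedServerUpn);
        EndpointAddress address = new EndpointAddress(new Uri(serviceUrl), identity);

        ChannelFactory<IService1> factory = new ChannelFactory<IService1>(binding, address);

        // Code equivalent of <windows allowNtlm="false"/>: with a wrong UPN the call
        // now fails instead of silently downgrading to NTLM.
        factory.Credentials.Windows.AllowNtlm = false;

        IService1 proxy = factory.CreateChannel();
        IClientChannel channel = (IClientChannel)proxy;
        try
        {
            string result = proxy.WhoAuthenticatedMe();
            channel.Close();
            return result;
        }
        catch
        {
            channel.Abort();
            throw;
        }
    }
}

// Usage (placeholders): 
// ClientExample.CallSecureEndpoint("http://localhost:42160/Service1.svc/secure",
//                                  "svc-account@example-domain.local");
```

With `AllowNtlm` left at its default, a mismatched UPN typically still succeeds because the client falls back to NTLM, which is why changing the value in the config appears to have no effect; the returned string from `WhoAuthenticatedMe` is the quickest way to see which path a given call actually took.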
-1

By default, when a service is configured to use Windows credentials, <identity> and <userPrincipalName> elements are generated.

Azide answered 25/7, 2013 at 3:5 Comment(1)
true, but what is the purpose of this? What problem does it solve? Why can the userPrincipalName value be changed to any arbitrary value without effect? Suzansuzann
-1

By default, when a service is configured to use Windows credentials, an <identity> and <userPrincipalName> element is generated in the WSDL document produced by the Service Model Metadata Utility Tool (Svcutil.exe). If the service is running under the LocalSystem, LocalService, or NetworkService account, a Service Principal Name (SPN) will be generated in the form of host/<hostname> because those accounts have access to the computer's SPN data. If the service is running under a different account, WCF generates a User Principal Name (UPN) in the form of <username>@<domain>. This occurs because Kerberos authentication requires a UPN or SPN to be supplied to the client to authenticate the service.

This behavior does not occur if you set the Identity of the service endpoint in either code or configuration. You can also use the SetSpn.exe (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp) tool to register an additional SPN with a service's account in a domain. The SPN can then be used as the Identity of the service.

as mentioned here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/78638457-ca7a-4f88-b8a9-9bc32d4b5c7d/userprincipalname-element-generated-in-client-config?forum=wcf

Photomultiplier answered 6/7, 2017 at 18:42 Comment(0)
