Question
How does a WCF client generate the target service's SPN dynamically to get the Kerberos ticket in the SPNEGO use case? For example, if the target service is running under a domain machine account, the SPN associated with the service would be in the form 'host/machinename'.
If we try to call the service using a WCF client, the WCF client is able to get the ticket for host/machinename. I initially thought that the WCF client might be using the hardcoded string host/+domainname by default.
But if I change the target service to run under a domain user and associate an SPN named "http/machinename" with the domain user, the WCF client is still able to generate the ticket for this service successfully.
How does the WCF client decide whether to use the prefix 'host/' or 'http/' in these scenarios?
I know that there is a way to add a custom SPN on the client side under the endpoint element, but I'm interested to know how it works by default.
Answer 1:
The default is host/myhostname for Windows credential type. This is also the expected SPN while running the WCF service with a machine account.
Note that the WSDL will include the Identity (e.g. SPN), so the WCF client can use that information while connecting. Check the WCF Test Client Config file to see what is actually generated.
Source: https://stackoverflow.com/questions/24966779/wcf-client-default-spn-generation
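One way to do the check the answer suggests, as an added example that is not part of the original question or answer: the script below reads a WCF client config and reports, per endpoint, whether an explicit identity (SPN, UPN or DNS) was generated or whether the client falls back to the `host/<hostname>` default the answer describes for the Windows credential type. The sample config, endpoint names and hostnames are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample client config (not from the original post); hostnames are placeholders.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <client>
      <endpoint name="MachineAccountSvc"
                address="http://appsrv01.example.test:8080/Service.svc"
                binding="wsHttpBinding" contract="IService" />
      <endpoint name="DomainUserSvc"
                address="http://appsrv02.example.test/Service.svc"
                binding="wsHttpBinding" contract="IService">
        <identity>
          <servicePrincipalName value="http/appsrv02.example.test" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>"""

# Identity child elements this example looks for under <endpoint><identity>
IDENTITY_KINDS = ("servicePrincipalName", "userPrincipalName", "dns")

def endpoint_identities(config_xml):
    """Return {endpoint name: (source, identity value)} for each client endpoint."""
    root = ET.fromstring(config_xml)
    result = {}
    for ep in root.findall("./system.serviceModel/client/endpoint"):
        name = ep.get("name") or ep.get("address")
        explicit = None
        for kind in IDENTITY_KINDS:
            node = ep.find(f"./identity/{kind}")
            if node is not None and node.get("value"):
                explicit = (kind, node.get("value"))
                break
        if explicit:
            result[name] = explicit
        else:
            # No identity in the config: assume the Windows credential type,
            # for which the answer states the default is host/<hostname>.
            host = urlsplit(ep.get("address", "")).hostname
            result[name] = ("default", f"host/{host}")
    return result

if __name__ == "__main__":
    for name, (source, value) in endpoint_identities(SAMPLE_CONFIG).items():
        print(f"{name}: {source} -> {value}")
```

An endpoint reported as `default` relies on the service running under the machine account; an endpoint whose service runs under a domain user needs the explicit `servicePrincipalName` entry to match the SPN registered on that account.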