Question
I'm trying to set up client impersonation on my service.
I need to set a value for the servicePrincipalName of my service's endpoint.
I'm looking at this MSDN article but still cannot quite figure it out.
My service is hosted in a console app on a server that we'll call ServerName1.
The Uri is: net.tcp://ServerName1:9990/TestService1/
What specifically should my servicePrincipalName be?
I tried, with no joy:
<identity>
  <servicePrincipalName value="ServerName1" />
</identity>
Answer 1:
Configuring servicePrincipalName is a difficult topic to describe in a few words. Perhaps these articles will help:
- Overriding the Identity of a Service for Authentication
- Security in Windows Communication Foundation
Most probably, you need to configure it the following way:
<identity>
  <servicePrincipalName value="HOST/ServerName1:9990" />
</identity>
We usually use userPrincipalName instead of servicePrincipalName, like this:
<identity>
  <userPrincipalName value="account@domain.com" />
</identity>
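As an added example (not code from the question or from any of the answers), this is the programmatic equivalent of the identity configuration above: the service endpoint declares its SPN, the client supplies the same SPN so Kerberos can be used, and the client grants the impersonation level the service needs to run the operation under the caller's token. The ITestService1 contract, the TestService1 class and the SpnDemo host are assumptions standing in for the poster's service.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract standing in for the poster's TestService1.
[ServiceContract]
public interface ITestService1 { [OperationContract] string WhoAmI(); }

public class TestService1 : ITestService1
{
    // Required: the operation runs under the caller's token, which only works
    // when the client allowed at least Impersonation level (see CallAsClient).
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI() => WindowsIdentity.GetCurrent().Name;
}

public static class SpnDemo
{
    // The same SPN on both sides: the client asks the KDC for a ticket to this
    // name, so one is issued only if it is registered on the service's account.
    const string Spn = "HOST/ServerName1:9990";
    static readonly Uri Address = new Uri("net.tcp://ServerName1:9990/TestService1/");

    static NetTcpBinding WindowsTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    public static ServiceHost StartService()
    {
        var host = new ServiceHost(typeof(TestService1));
        var endpoint = host.AddServiceEndpoint(typeof(ITestService1), WindowsTransportBinding(), Address);
        // Programmatic equivalent of <identity><servicePrincipalName value="..."/></identity>.
        endpoint.Address = new EndpointAddress(Address, EndpointIdentity.CreateSpnIdentity(Spn));
        host.Open();
        return host;
    }

    public static string CallAsClient()
    {
        var address = new EndpointAddress(Address, EndpointIdentity.CreateSpnIdentity(Spn));
        var factory = new ChannelFactory<ITestService1>(WindowsTransportBinding(), address);
        // WCF's default is Identification; without raising it, the service's
        // Impersonation.Required operation above is rejected.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory.CreateChannel().WhoAmI();
    }
}
```

If the SPN in the client's EndpointIdentity does not match the one the service account has registered, the Kerberos ticket request fails and the call falls back to NTLM or is rejected, which is the first thing to check when impersonation does not work.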
Answer 2:
The name of the user you wish the service to use (execute under). So if you want to execute it under 'local network' credentials, the above XML should look like:
<identity>
  <servicePrincipalName value="Local Network" />
</identity>
Answer 3:
For a complete guide on how to build your SPN, check out these articles:
https://geertbaeten.wordpress.com/2013/06/03/kerberos-authentication-and-delegation-serviceprincipalnames/
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx
Those are more about the infrastructure side (ADDS), but the first part is very useful for programmers too.
Answer 4:
When using WCF services hosted by IIS, we have been using "host/computerName" as <servicePrincipalName /> for anonymous connections. Inside your WCF application, you can set the application pool, for example "iis apppool\defaultAppPool"; this user will be the real connected user.
In the below image, /C??????DataService is the application name ("Tom's TestService1"). Application Pool: C????Pool can be "DefaultAppPool"; in the case of "Application User (pass-through authentication)", you will use "IIS AppPool\DefaultAppPool" as the user to grant rights to a specific resource, like a file or a SQL Server connection string.
And, even using anonymous authentication, you can set "forms authorization" on a specific resource inside the WCF application, for example "MasterSettings.svc".
Hope this helps.
Source: https://stackoverflow.com/questions/1292183/what-value-should-the-serviceprincipalname-have