Windows Vista Beta | WinVistaBeta.com - Message | using localhost v/s Environment.MachineName

May 12, 2008  
Subject: using localhost v/s Environment.MachineName
Group: microsoft.public.windows.developer.winfx.indigo
Date: 4/11/2008 7:25:09 AM
From: DEE

Hi there,

I am using wsHttpBinding with client credentials set to Windows. My
service address looks like this:
"http://localhost:2005/SampleService". When this address is used,
the service/client works perfectly.

But I want to replace "localhost" with "Environment.MachineName", so
my address will look like
http://mymachinename:2005/SampleService. When this address is used, the
call to the service fails. The error message is something like this:
"SOAP security negotiation with 'http://mymachinename:2005/SampleService'
for target 'http://mymachinename:2005/SampleService' failed. See inner
exception for more details."

and the inner exception is "Security Support Provider Interface (SSPI)
authentication failed. The server may not be running in an account
with identity 'host/mymachinename'. If the server is running in a
service account (Network Service for example), specify the account's
ServicePrincipalName as the identity in the EndpointAddress for the
server. If the server is running in a user account, specify the
account's UserPrincipalName as the identity in the EndpointAddress for
the server"

Now my question is: why does this work with localhost and not with
Environment.MachineName?

Could anybody throw some light on this?

Regards
DEE

PS: my Windows HOSTS file has this entry: 127.0.0.1 localhost
Subject: Re: using localhost v/s Environment.MachineName
Group: microsoft.public.windows.developer.winfx.indigo
Date: 4/12/2008 9:52:53 AM
From: Tiago Halm

It all depends on your client config.

Your client is trying to authenticate via Kerberos using an SPN or UPN. When
using localhost the client will default to NTLM, since it cannot use
Kerberos, while using the hostname it will try Kerberos.

Show us your client configuration, the part inside the <client>...</client>
tag.

Tiago Halm

"DEE" <tsdeepak@gmail.com> wrote in message
news:214f1e4d-2c2d-4629-a5ee-0a92820315f6@b9g2000prh.googlegroups.com...
Subject: Re: using localhost v/s Environment.MachineName
Group: microsoft.public.windows.developer.winfx.indigo
Date: 4/13/2008 1:01:10 AM
From: DEE

Hi Tiago,

Thanks for the response.

My client is not using any SPN or UPN. In my binding configuration I
have set negotiateServiceCredential="true"; when this is set, the
client need not supply the SPN or UPN out of band, and I believe
WCF will take care of the negotiation. But if I give the UPN in the
client config, it works!
So maybe my theory is wrong. But take this scenario:
1. my service is running on Machine A
2. now I decide to move the service to Machine B
3. in the client config I will change the address of the service, and now
I need to change the UPN also.

Is there an alternative to this? I do not want to use the UPN in my
client config (presuming the configuration will be complicated for
system integration engineers who may not know the details).

Hope I am clear. Thanks for your time.

Regards
DEE
Subject: Re: using localhost v/s Environment.MachineName
Group: microsoft.public.windows.developer.winfx.indigo
Date: 4/13/2008 9:43:16 AM
From: Tiago Halm

For Kerberos authentication, SPN (Service Principal Name) is the preferred
mechanism versus UPN (User Principal Name), since it frees the client from
having to know the backend account used.

In your case, if you're setting negotiateServiceCredential to false, I
believe the SPN must be set to a well-known account (NetworkService,
LocalService), which means that it's the machine account that is running the
Kerberos service instead of a user account.

Interesting details can be found here:
http://www.zamd.net/CategoryView,category,WCF%2BSecurity.aspx

Tiago Halm

"DEE" <tsdeepak@gmail.com> wrote in message
news:b25b698e-c255-4de7-9c91-87493c4b55b4@t12g2000prg.googlegroups.com...
Subject: Re: using localhost v/s Environment.MachineName
Group: microsoft.public.windows.developer.winfx.indigo
Date: 4/14/2008 4:07:04 AM
From: DEE

Hi Tiago,

Thanks for the response.

I went through the link you mentioned. So,
"if I have negotiateServiceCredential="true", then I do not need to
have either SPN or UPN configured". Is this statement right?

For me, when I have negotiateServiceCredential="true" without SPN or
UPN, it does not work, but according to the documentation, it should.

Any comments on this?

Regards
Dee
Subject: Re: using localhost v/s Environment.MachineName
Group: microsoft.public.windows.developer.winfx.indigo
Date: 4/15/2008 7:10:01 AM
From: tiago.halm@gmail.com

Dee,

Some facts to take into account here.

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/ms733130.aspx)
<quote>
Specifying the identity programmatically (using the Identity property)
is optional. If no identity is specified, and the client credential
type is Windows, the default is SPN with the value set to the hostname
part of the service endpoint address prefixed with the "host/"
literal. If no identity is specified, and the client credential type
is a certificate, the default is Certificate. This applies to both
message- and transport-level security.
</quote>

If you do not set the <identity/servicePrincipalName> in the client,
WCF will default to host/xxxx, where xxxx is the hostname of the URL
where the service endpoint is located. This means you end up having to
re-use (or reset) the SPN added by Active Directory when adding a
machine to a domain. To view a machine's HOST SPN run:
# setspn.exe -L domain\machine

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/bb463274.aspx)
<quote>
To use the Kerberos authentication protocol with delegation, you must
implement the Kerberos protocol with credential negotiation (sometimes
called "multi-leg" or "multi-step" Kerberos). If you implement
Kerberos authentication without credential negotiation (sometimes
called "one-shot" or "single-leg" Kerberos), an exception will be
thrown.
</quote>

This means that if you want to use Kerberos delegation you need to set
negotiateServiceCredential=true.

<quote>
Kerberos Protocol Direct Requires the Service to Run Under a Domain
Machine Account
This occurs when the ClientCredentialType property is set to Windows
and the NegotiateServiceCredential property is set to false ...
</quote>

If you set negotiateServiceCredential=false you need the service to be
running with a well-known account such as NetworkService or
LocalService, and its SPN is typically the built-in SPN host/
machine.domain added by Active Directory.

---

What this all means is that if you do not want to set <identity/
servicePrincipalName> on the client, then you have to run your service
with NetworkService/LocalService. If Kerberos delegation is not
required you may set negotiateServiceCredential to false or true. If
delegation is required you need to set
negotiateServiceCredential=true.

Tiago Halm
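The two points Tiago makes in this thread (the default identity is host/<hostname of the address>, and whether that maps to a real Kerberos principal depends on the account the service runs under) can be made explicit in client code instead of left to WCF's defaults. The following is an added example, not code posted in the thread: it derives the SPN from the service URL so that moving the service from Machine A to Machine B only changes the address, and shows the UPN form for a service hosted under a user account. The contract name ISampleService, the class name WindowsAuthClient and the UPN placeholder are assumptions; the port, path and binding settings are the ones DEE describes.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Contract assumed for illustration; the thread never shows the real one.
[ServiceContract]
public interface ISampleService
{
    [OperationContract]
    string Echo(string input);
}

public static class WindowsAuthClient
{
    // Mirrors the MSDN rule quoted above: with no explicit identity and
    // Windows client credentials, WCF negotiates against "host/<hostname>".
    // Compare the result with the output of `setspn.exe -L domain\machine`.
    public static string DefaultServiceIdentity(string serviceUrl)
    {
        return "host/" + new Uri(serviceUrl).DnsSafeHost;
    }

    // The binding DEE describes: wsHttpBinding, message security, Windows
    // credentials. negotiateServiceCredential=true is the "multi-leg"
    // Kerberos that delegation requires; false is "one-shot" Kerberos and
    // needs the service to run under a domain machine account.
    public static WSHttpBinding CreateBinding(bool negotiateServiceCredential)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = negotiateServiceCredential;
        return binding;
    }

    // Service hosted under NetworkService or LocalService: the machine
    // account owns the host/<name> SPN that Active Directory registered at
    // domain join, so deriving the SPN from the URL keeps the client config
    // free of account details when the service moves to another machine.
    public static EndpointAddress ForMachineAccountService(string serviceUrl)
    {
        var uri = new Uri(serviceUrl);
        EndpointIdentity spn = EndpointIdentity.CreateSpnIdentity("host/" + uri.DnsSafeHost);
        return new EndpointAddress(uri, spn);
    }

    // Service hosted under a domain user account: no host/ SPN maps to that
    // account, so the client must name it by UPN (or by a custom SPN that
    // was registered for the account with setspn.exe). The UPN passed in is
    // an assumed placeholder, not a value from the thread.
    public static EndpointAddress ForUserAccountService(string serviceUrl, string serviceAccountUpn)
    {
        EndpointIdentity upn = EndpointIdentity.CreateUpnIdentity(serviceAccountUpn);
        return new EndpointAddress(new Uri(serviceUrl), upn);
    }

    public static ISampleService CreateProxy(EndpointAddress address, bool negotiate)
    {
        var factory = new ChannelFactory<ISampleService>(CreateBinding(negotiate), address);
        return factory.CreateChannel();
    }

    public static void Main()
    {
        // Port and path from the thread; the host is the local machine name,
        // which is exactly the case that failed for DEE with the default identity.
        string url = "http://" + Environment.MachineName + ":2005/SampleService";

        Console.WriteLine("Default identity for machine-name URL: " + DefaultServiceIdentity(url));
        Console.WriteLine("Default identity for localhost URL:    " +
                          DefaultServiceIdentity("http://localhost:2005/SampleService"));

        EndpointAddress address = ForMachineAccountService(url);
        Console.WriteLine("Explicit identity sent by the client:  " + address.Identity);

        try
        {
            ISampleService proxy = CreateProxy(address, true);
            Console.WriteLine(proxy.Echo("ping"));
            ((IClientChannel)proxy).Close();
        }
        catch (SecurityNegotiationException ex)
        {
            // The exception DEE quotes; its inner exception names the
            // identity that could not be matched to a Kerberos principal.
            Console.WriteLine(ex.Message);
            if (ex.InnerException != null)
            {
                Console.WriteLine(ex.InnerException.Message);
            }
        }
    }
}
```

The same thing can be expressed declaratively in the client's app.config by adding `<identity><servicePrincipalName value="host/mymachinename" /></identity>` inside the `<endpoint>` element, which is what DEE wanted to avoid hand-editing per deployment. If the service must run under a user account rather than NetworkService/LocalService, the practical middle ground is to register a service-specific SPN for that account once with setspn.exe and reference it by servicePrincipalName, so the client still does not need to know the account's UPN.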