IT:AD:Kerberos:SPN:HowTo:How To Set for a WCF Server Endpoint

If you are creating a custom Domain Account for an AppPool Account for your WCF app in IIS:

  • Create an SPN for Kerberos to be able to authenticate the client.
    • By Default NT AUTHORITY\NETWORK SERVICE maps to the computer Account, so Kerberos works with this account:

      Create an SPN and map it to the AppPool account:

          SETSPN -a http/machinename myAccount
          SETSPN -a http/machinename.corp.com myAccount

  • Give permissions to the Domain account to access c:\Windows\Temp\
    • If not done, you will not be able to create a service ref or proxy client with svcutil.exe.
    • Permissions required: ListFolder|Read Data|Delete

## Set a ServicePrincipalName for the Server ##

Set an SPN for the service:

    <services>
      <service behaviorConfiguration="ServiceBehavior" name="Service">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="WsHttpBindingConfig"
                  contract="IService">
          <identity>
            <!-- Replace MachineName with the server's host name -->
            <servicePrincipalName value="Host/MachineName" />
          </identity>
        </endpoint>
      </service>
    </services>

## Command Line Reference ##

Unregister SPNs

## Resources ##

  • Excellent:
    • http://msdn.microsoft.com/en-us/library/ff650619.aspx
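
To confirm that the SETSPN commands above took effect and that no second account holds the same SPN (a duplicate makes Kerberos authentication fail for that name), the check below can be run from a domain-joined machine. It is an added example, not part of the original page; the function name `Test-SpnRegistration` is hypothetical and the SPN and account values are the page's placeholders.

```powershell
# Added example. Test-SpnRegistration is a hypothetical helper name.
# It searches the current domain only; in a multi-domain forest, point the
# searcher at a global catalog, because SPNs must be unique forest-wide.
function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$ExpectedAccount   # sAMAccountName of the AppPool account
    )
    foreach ($s in $Spn) {
        # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
        $escaped = $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

        $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')

        # Every directory object that currently carries this SPN.
        $owners = @($searcher.FindAll() | ForEach-Object {
            [string]$_.Properties['samaccountname'][0]
        })

        $status = if ($owners.Count -eq 0) { 'Missing' }            # SETSPN -a was not run or failed
                  elseif ($owners.Count -gt 1) { 'Duplicate' }      # KDC cannot pick one principal
                  elseif ($owners[0] -ne $ExpectedAccount) { 'WrongAccount' }
                  else { 'OK' }

        [pscustomobject]@{
            Spn    = $s
            Owners = $owners -join ', '
            Status = $status
        }
    }
}

# Placeholder values taken from the SETSPN commands on this page.
Test-SpnRegistration -Spn 'http/machinename', 'http/machinename.corp.com' -ExpectedAccount 'myAccount' |
    Format-Table -AutoSize
```

Any row whose Status is not `OK` should be resolved before troubleshooting the WCF binding itself.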

  • Last modified: 2023/11/04 22:59