Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
Windos
win32.3rdparty
win32.directx.audio
win32.directx.ddk
win32.directx.graphics
win32.directx.input
win32.directx.managed
win32.directx.misc
win32.directx.networking
win32.directx.sdk
win32.directx.video
win32.dirx.grap.shaders
win32.gdi
win32.international
win32.kernel
win32.messaging
win32.mmedia
win32.networks
win32.ole
win32.rtc
win32.tapi
win32.tapi.beta
win32.tools
win32.ui
win32.wince
win32.wmi
windows.mediacenter
winfx.aero
winfx.announcements
winfx.avalon
winfx.collaboration
winfx.fundamentals
winfx.general
winfx.indigo
winfx.sdk
winfx.winfs
  
 
date: Fri, 11 Apr 2008 07:25:09 -0700 (PDT),    group: microsoft.public.windows.developer.winfx.indigo        back       


using localhost v/s Environment.MachineName    
Hi There ,

i am using wshttpbinding with client credentials set to windows .my
service address looks like this
"http://localhost:2005/SampleService" when this address is mentioned
the service/client works perfect.

but i want to replace "localhost" with "Environment.MachineName"  so
my address will look like
http://mymachinename:2005/SampleService ,when this address is used the
call to service fail
the error message is something like this
"SOAP security negotiation with 'http://mymachinename:2005/
SampleService' for target 'http://mymachinename:2005/SampleService'
failed. See inner exception for more details."

and the inner exception is "Security Support Provider Interface (SSPI)
authentication failed. The server may not be running in an account
with identity 'host/mymachinename'. If the server is running in a
service account (Network Service for example), specify the account's
ServicePrincipalName as the identity in the EndpointAddress for the
server. If the server is running in a user account, specify the
account's UserPrincipalName as the identity in the EndpointAddress for
the server"

now my question is why does this work with localhost and not with
Environment.MachineName

could any body throw some light on this.



Regards
DEE


PS: my windows HOST file has this entry 127.0.0.1 localhost
date: Fri, 11 Apr 2008 07:25:09 -0700 (PDT)   author:   DEE

Re: using localhost v/s Environment.MachineName    
It all depends on you client config.

Your client is trying to authenticate via Kerberos using an SPN or UPN. When 
using localhost the client will default to NTLM since it cannot use 
kerberos, while using the hostname it'll try kerberos.

Show us your client configuration, the part inside the <client>...</client> 
tag.

Tiago Halm

"DEE"  wrote in message 
news:214f1e4d-2c2d-4629-a5ee-0a92820315f6@b9g2000prh.googlegroups.com...
> Hi There ,
>
> i am using wshttpbinding with client credentials set to windows .my
> service address looks like this
> "http://localhost:2005/SampleService" when this address is mentioned
> the service/client works perfect.
>
> but i want to replace "localhost" with "Environment.MachineName"  so
> my address will look like
> http://mymachinename:2005/SampleService ,when this address is used the
> call to service fail
> the error message is something like this
> "SOAP security negotiation with 'http://mymachinename:2005/
> SampleService' for target 'http://mymachinename:2005/SampleService'
> failed. See inner exception for more details."
>
> and the inner exception is "Security Support Provider Interface (SSPI)
> authentication failed. The server may not be running in an account
> with identity 'host/mymachinename'. If the server is running in a
> service account (Network Service for example), specify the account's
> ServicePrincipalName as the identity in the EndpointAddress for the
> server. If the server is running in a user account, specify the
> account's UserPrincipalName as the identity in the EndpointAddress for
> the server"
>
> now my question is why does this work with localhost and not with
> Environment.MachineName
>
> could any body throw some light on this.
>
>
>
> Regards
> DEE
>
>
> PS: my windows HOST file has this entry 127.0.0.1 localhost
date: Sat, 12 Apr 2008 17:52:53 +0100   author:   Tiago Halm

Re: using localhost v/s Environment.MachineName    
Hi Tiago,

Thanks for the response .

my client is not using any SPN or UPN , in my binding configuration ,i
have set " negotiateServiceCredential="true"  "  ,when this is set the
client need not provide the supply SPN or UPN out of bound, i beleive
WCF will take care of the negotiation . but if i give the UPN in the
client config it works !!! .
so might be my theory is wrong . but  take this secanrio
1. my service is running in Machine A
2. now i decide to move the service to Machine B
3. in the client config i will change the address of the service ,now
i need to change the UPN also .

is there an alternative for this. i do not want to use the UPN in my
client config (presumming the configuration will be complicated for
system integration engineers who may not know the details).

Hope i am clear ,Thanks for your time.

Regards
DEE
date: Sun, 13 Apr 2008 01:01:10 -0700 (PDT)   author:   DEE

Re: using localhost v/s Environment.MachineName    
For kerberos authentication, SPN (Service Principal Name) is the preferred 
mechanism versus UPN (User Principal Name), since it frees the client from 
having to know the backend account used.

In your case, if you're setting negotiateServiceCredential to false, I 
believe the SPN must be set to a well known account (NetworkService, 
LocalService) which means that its the machine account that is running the 
kerberos service instead of a user account.

Interesting details can be found here:
http://www.zamd.net/CategoryView,category,WCF%2BSecurity.aspx

Tiago Halm

"DEE"  wrote in message 
news:b25b698e-c255-4de7-9c91-87493c4b55b4@t12g2000prg.googlegroups.com...
> Hi Tiago,
>
> Thanks for the response .
>
> my client is not using any SPN or UPN , in my binding configuration ,i
> have set " negotiateServiceCredential="true"  "  ,when this is set the
> client need not provide the supply SPN or UPN out of bound, i beleive
> WCF will take care of the negotiation . but if i give the UPN in the
> client config it works !!! .
> so might be my theory is wrong . but  take this secanrio
> 1. my service is running in Machine A
> 2. now i decide to move the service to Machine B
> 3. in the client config i will change the address of the service ,now
> i need to change the UPN also .
>
> is there an alternative for this. i do not want to use the UPN in my
> client config (presumming the configuration will be complicated for
> system integration engineers who may not know the details).
>
> Hope i am clear ,Thanks for your time.
>
> Regards
> DEE
date: Sun, 13 Apr 2008 17:43:16 +0100   author:   Tiago Halm

Re: using localhost v/s Environment.MachineName    
Hi Tiago,

Thanks for the response .

i went through the link you had mention .so
" if i  have negotiateServiceCredential="true" , then i do not need to
have either SPN or UPN configured ".  is this statement right ?

for me when i have negotiateServiceCredential="true"  , without SPN or
UPN does not work ,but according to documentation ,it should.

any comments on this .

Regards
Dee
date: Mon, 14 Apr 2008 04:07:04 -0700 (PDT)   author:   DEE

Re: using localhost v/s Environment.MachineName    
Dee,

Some facts to take into account here.

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/ms733130.aspx)
<quote>
Specifying the identity programmatically (using the Identity property)
is optional. If no identity is specified, and the client credential
type is Windows, the default is SPN with the value set to the hostname
part of the service endpoint address prefixed with the "host/"
literal. If no identity is specified, and the client credential type
is a certificate, the default is Certificate. This applies to both
message- and transport-level security.
</quote>

If you do not set the <identity/servicePrincipalName> in the client,
WCF will default to host/xxxx where xxxx is the hostname of the URL
where the service endpoint is located. This means you end up having to
re-use (or reset) the SPN added by Active Directory when adding a
machine to a domain. To view a machine HOST SPN run:
# setspn.exe -L domain\machine

(taken from MSDN - http://msdn2.microsoft.com/en-us/library/bb463274.aspx)
<quote>
To use the Kerberos authentication protocol with delegation, you must
implement the Kerberos protocol with credential negotiation (sometimes
called "multi-leg" or "multi-step" Kerberos). If you implement
Kerberos authentication without credential negotiation (sometimes
called "one-shot" or "single-leg" Kerberos), an exception will be
thrown.
</quote>

This means that if you want to use kerberos delegation you need to set
negotiateServiceCredential=true.

<quote>
Kerberos Protocol Direct Requires the Service to Run Under a Domain
Machine Account
This occurs when the ClientCredentialType property is set to Windows
and the NegotiateServiceCredential property is set to false ...
</quote>

If you set negotiateServiceCredential=false you need the service to be
running with a well known account such as NetworkService or
LocalService, and its SPN is tipically the built-in SPN host/
machine.domain added by Active Directory.

---

What this all means is that if you do not want to set <identity/
servicePrincipalName> on the client, then you have to run your service
with NetworkService/LocalService. If kerberos delegation is not
required you may set negotiateServiceCredential to false or true. If
delegation is required you need to set
negotiateServiceCredential=true.

Tiago Halm
date: Tue, 15 Apr 2008 07:10:01 -0700 (PDT)   author:   unknown

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us