If You are Using Kerberos Authentication or Delegation, Create an SPN

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you are using Kerberos authentication, create a service principal name (SPN). Without an SPN, Kerberos authentication stops working when you switch the service from a machine account, such as Network Service, to a domain account, because the domain controller cannot map the service to the account that holds its key.

Only an account with a Service Principal Name (SPN) can be configured for delegation in Active Directory. In a production scenario that uses delegation, where you want to run the WCF service under a low-privileged custom domain account, you must create an SPN for that account in order to enable delegation.

To create an SPN for a domain account, run the Setspn tool from a command prompt as shown below:

    setspn -A HTTP/webservername domain\customAccountName
    setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName

This creates an SPN for the custom domain account (domain\customAccountName) and associates the account with the HTTP service on the specified WCF server. By running the command twice as shown above you can associate the account with the NetBIOS server name and the fully qualified domain name of the server. This ensures that the SPN is established correctly even if your environment does not consistently use fully qualified domain names.
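The following PowerShell script is an added example, not part of the original guidance, that wraps the two Setspn commands above in a check-then-register procedure. Before adding an SPN it queries the forest with setspn -Q to see whether the SPN is already registered, because an SPN registered twice (for example left behind on the old machine account) makes Kerberos fail for the service. Assumptions: setspn.exe is on the path, the caller has permission to write servicePrincipalName on the account, and the English output strings of setspn -Q ("Existing SPN found!" / "No such SPN found.") and its object-DN line format are as the script expects. The parameter names and the -Register switch are this example's own.

```powershell
# Added example (not from the original guidance): verify and register the HTTP SPNs
# for a custom domain account before moving a WCF service onto that account.
# Assumptions: setspn.exe is available, the caller may write servicePrincipalName
# on the target account, and setspn -Q prints the English text below.
param(
    [Parameter(Mandatory)] [string] $ServerName,   # NetBIOS name, e.g. webservername
    [Parameter(Mandatory)] [string] $ServerFqdn,   # e.g. webservername.fullyqualifieddomainname
    [Parameter(Mandatory)] [string] $Account,      # domain\customAccountName
    [switch] $Register                             # without this switch the script only reports
)

# Both forms are registered so lookups succeed whether clients use the short
# name or the fully qualified name of the server.
$spns = @("HTTP/$ServerName", "HTTP/$ServerFqdn")

foreach ($spn in $spns) {
    # Ask the forest whether anything already holds this SPN.
    $query = & setspn -Q $spn 2>&1 | Out-String

    if ($query -match 'Existing SPN found') {
        # setspn -Q lists the owning object's DN on a line starting with CN=
        # (assumed output format).
        $owner = $query -split "`r?`n" | Where-Object { $_ -match '^CN=' } | Select-Object -First 1
        Write-Host "$spn is already registered on: $owner"
        Write-Warning "If that object is not $Account, remove the SPN there first; a duplicate SPN breaks Kerberos for this service."
        continue
    }

    if ($Register) {
        Write-Host "Registering $spn for $Account"
        & setspn -A $spn $Account
        if ($LASTEXITCODE -ne 0) {
            Write-Error "setspn -A failed for $spn (exit code $LASTEXITCODE)"
        }
    }
    else {
        Write-Host "$spn is not registered; rerun with -Register to add it for $Account"
    }
}

# Final sanity check: report any duplicate SPNs in the domain, since duplicates
# are the most common reason Kerberos stops working after a change like this.
& setspn -X
```

Run it first without -Register to see the current state (for example `.\Check-WcfSpn.ps1 -ServerName webservername -ServerFqdn webservername.fullyqualifieddomainname -Account domain\customAccountName`), then with -Register to perform the same two setspn -A calls the guidance describes. The -X pass at the end lists every duplicate SPN in the domain, which is the first thing to check when Kerberos silently falls back to NTLM after the account switch.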

Additional Resources

Last edited Jun 12, 2008 at 11:39 PM by prashantbansode, version 1

