Typically, you do not have to set the identity on a service because the selection of a client credential type dictates the type of identity exposed in the service metadata. For example, the following configuration code uses the <wsHttpBinding> element and sets the clientCredentialType attribute to Windows.
The following Web Services Description Language (WSDL) fragment shows the identity for the endpoint previously defined. In this example, the service is running as a self-hosted service under a particular user account (username@contoso.com) and therefore the user principal name (UPN) identity contains the account name. The UPN is also known as the user sign-in name in a Windows domain.
For a sample application that demonstrates identity setting, see Service Identity Sample. For more information about service identity, see Service Identity and Authentication.
By default, when a service is configured to use a Windows credential, an <identity> element that contains a <userPrincipalName> or <servicePrincipalName> element is generated in the WSDL. If the service is running under the LocalSystem, LocalService, or NetworkService account, a service principal name (SPN) is generated by default in the form of host/<hostname> because those accounts have access to the computer's SPN data. If the service is running under a different account, Windows Communication Foundation (WCF) generates a UPN in the form of <username>@<domainName>. This occurs because Kerberos authentication requires that a UPN or SPN be supplied to the client to authenticate the service.
You can also use the Setspn tool to register an additional SPN with a service's account in a domain. You can then use the SPN as the identity of the service. For more information about the tool, see Setspn Overview.
Note
To use the Windows credential type without negotiation, the service's user account must have access to the SPN that is registered with the Active Directory domain. You can do this in the following ways:
Use the NetworkService or LocalSystem account to run your service. Because those accounts have access to the machine SPN that is established when the machine joins the Active Directory domain, WCF automatically generates the proper SPN element inside the service's endpoint in the service's metadata (WSDL).
Use an arbitrary Active Directory domain account to run your service. In this case, establish an SPN for that domain account, which you can do by using the Setspn.exe utility tool. Once you create the SPN for the service's account, configure WCF to publish that SPN to the service's clients through its metadata (WSDL). This is done by setting the endpoint identity for the exposed endpoint, either through an application configuration file or code.
For more information about SPNs, the Kerberos protocol, and Active Directory, see Kerberos Technical Supplement for Windows.
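The second option above (an arbitrary domain account with its own registered SPN, published to clients through the endpoint identity) in code, as an added example rather than code from the original page. ICalculator, CalculatorService and the SPN value host/calc.contoso.com are constructed for the example; the SPN must match the one registered with Setspn.exe on the account the host runs as.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical service contract and implementation for the example.
[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);
}

public class CalculatorService : ICalculator
{
    public double Add(double a, double b) => a + b;
}

public static class SpnIdentityHost
{
    // Builds an endpoint whose metadata advertises an explicit SPN identity.
    public static ServiceEndpoint CreateEndpoint(ServiceHost host, string spn)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Without negotiation (no SPNEGO), the client authenticates the service with
        // Kerberos directly, so it must be told the SPN up front via the identity.
        binding.Security.Message.NegotiateServiceCredential = false;

        ServiceEndpoint ep = host.AddServiceEndpoint(typeof(ICalculator), binding, String.Empty);
        ep.Address = new EndpointAddress(
            new Uri("http://localhost:8088/calc"),
            EndpointIdentity.CreateSpnIdentity(spn));   // becomes <servicePrincipalName> in the WSDL
        return ep;
    }

    public static void Main()
    {
        var baseAddress = new Uri("http://localhost:8088/calc");
        using (var host = new ServiceHost(typeof(CalculatorService), baseAddress))
        {
            CreateEndpoint(host, "host/calc.contoso.com");   // constructed SPN value
            // Publish metadata so the <identity> element reaches clients.
            host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });
            host.Open();
            Console.WriteLine("Service listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

A client generated from this metadata gets the same SPN in its EndpointAddress; if the SPN it presents does not match what is registered for the service account, the Kerberos ticket request fails rather than silently falling back, which is the behaviour the next section describes.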
If you set the SPN or UPN equal to an empty string, a number of different things happen, depending on the security level and authentication mode being used:
If you are using transport level security, NT LanMan (NTLM) authentication is chosen.
If you are using message level security, authentication may fail, depending on the authentication mode:
If you are using spnego mode and the AllowNtlm attribute is set to false, authentication fails.
If you are using spnego mode and the AllowNtlm attribute is set to true, authentication fails if the UPN is empty but succeeds if the SPN is empty.
If you are using Kerberos direct (also known as "one-shot"), authentication fails.
If you change the client credential type in the binding previously shown to Certificate, then the generated WSDL contains a Base64 serialized X.509 certificate for the identity value as shown in the following code. This is the default for all client credential types other than Windows.
You can change the value of the default service identity or change the type of the identity by using the <identity> element in configuration or by setting the identity in code. The following configuration code sets a domain name system (DNS) identity with the value contoso.com.
Your service does not have to explicitly specify an identity, because WCF automatically determines it. However, WCF allows you to specify an identity on an endpoint, if necessary. The following code adds a new service endpoint with a specific DNS identity.
// C#
// Add an endpoint for the ICalculator contract using the default WSHttpBinding.
ServiceEndpoint ep = myServiceHost.AddServiceEndpoint(
    typeof(ICalculator),
    new WSHttpBinding(),
    String.Empty);
// Give the endpoint an explicit DNS identity; it appears as <dns> under <identity> in the WSDL.
EndpointAddress myEndpointAdd = new EndpointAddress(
    new Uri("http://localhost:8088/calc"),
    EndpointIdentity.CreateDnsIdentity("contoso.com"));
ep.Address = myEndpointAdd;

' Visual Basic
' Add an endpoint for the ICalculator contract using the default WSHttpBinding.
Dim ep As ServiceEndpoint = myServiceHost.AddServiceEndpoint(GetType(ICalculator), New WSHttpBinding(), String.Empty)
' Give the endpoint an explicit DNS identity; it appears as <dns> under <identity> in the WSDL.
Dim myEndpointAdd As New EndpointAddress(New Uri("http://localhost:8088/calc"), EndpointIdentity.CreateDnsIdentity("contoso.com"))
ep.Address = myEndpointAdd