If your ASP.NET application runs under a custom domain identity and needs to use constrained delegation when calling a service hosted in a Windows Service, create an SPN

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

If your ASP.NET application pool runs under a custom domain identity, and that identity must be configured for constrained delegation, create a Service Principal Name (SPN) for the custom domain identity that maps the HTTP service on the server running the ASP.NET application to that account. Without the SPN, clients cannot obtain a Kerberos ticket for the application, and the account's Delegation tab does not appear in Active Directory Users and Computers.

To create the SPNs for the custom domain identity, log on with Domain Admin rights (on the domain controller, or on any domain-joined machine with setspn.exe installed) and run the following commands from the command prompt. This registers two SPNs, one with the fully qualified DNS name and one with the NetBIOS name of the machine running the ASP.NET application, because clients may address the server either way:
  • setspn -A HTTP/fullyQualifiedName domain\username
  • setspn -A HTTP/netbiosMachineName domain\username

When you have finished creating the SPNs, verify that they were registered on the correct account by listing the SPNs of that account:
  • setspn -L domain\username

If you need to remove an SPN, use the -D switch. Note that -D deletes one specific SPN from one account; it takes both the SPN and the account name, and there is no switch that removes all SPNs from a user account at once:
  • setspn -D HTTP/fullyQualifiedName domain\username
  • setspn -D HTTP/netbiosMachineName domain\username
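The SPN registration above, as an added PowerShell example that is not part of the original guide. It checks for an existing registration of each SPN before adding it, because an SPN registered on two accounts causes the KDC to be unable to issue a ticket and clients fall back to NTLM, which breaks delegation. The domain (CONTOSO), account (svc-aspnet) and web server names (WEBSRV01 / websrv01.contoso.com) are placeholders, and the -Q switch assumes the Windows Server 2008 or later version of setspn.exe.

```powershell
# Added example (not from the original guide): register and verify the HTTP SPNs
# for a custom ASP.NET app-pool identity with setspn.exe.
# Assumed placeholders: domain CONTOSO, app-pool account CONTOSO\svc-aspnet,
# web server WEBSRV01 with FQDN websrv01.contoso.com.
$Account = 'CONTOSO\svc-aspnet'
$Fqdn    = 'websrv01.contoso.com'
$Netbios = 'WEBSRV01'
$Spns    = @("HTTP/$Fqdn", "HTTP/$Netbios")

foreach ($spn in $Spns) {
    # A duplicate SPN (same name on two accounts) leaves the KDC unable to pick a
    # key, and the client silently falls back to NTLM; check before registering.
    $existing = setspn -Q $spn
    if ($existing -match '^Existing SPN found!') {
        throw "SPN $spn is already registered:`n$($existing -join "`n")"
    }
    setspn -A $spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $spn $Account failed (exit code $LASTEXITCODE)" }
}

# Verify: list what is registered on the account and confirm both names are present.
$registered = setspn -L $Account
foreach ($spn in $Spns) {
    if (-not ($registered -match [regex]::Escape($spn))) {
        throw "SPN $spn not found on $Account after registration"
    }
}
$registered

# Removal is per SPN; -D takes the SPN and the account, there is no "delete all":
# setspn -D "HTTP/$Fqdn" $Account
# setspn -D "HTTP/$Netbios" $Account
```

Run it from an elevated PowerShell prompt as a Domain Admin. If `setspn -Q` reports the SPN on another account (for example a computer account from an earlier deployment), remove it there first; registering the same SPN twice is the most common cause of Kerberos delegation "just not working".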

To configure the domain identity for constrained delegation:
1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2. In the left pane of the MMC snap-in, click the Users node.
3. In the right pane, double-click your user account to display the Properties dialog box.
4. On the Delegation tab of the Properties window for the user account, Do not trust this user for delegation is selected by default. Note that the Delegation tab is only shown if an SPN was registered on the account in the previous step. To use constrained delegation, select Trust this user for delegation to specified services only. You specify precisely which service or services the account may delegate to in the bottom pane; do not select Trust this user for delegation to any service (Kerberos only), which is unconstrained delegation and lets the account impersonate callers to every service in the domain.
5. Beneath Trust this user for delegation to specified services only, select Use any authentication protocol. This enables Kerberos protocol transition, so the account can delegate even when users authenticated to the ASP.NET application with a non-Kerberos method (for example NTLM or forms authentication). If your users always authenticate to ASP.NET with Kerberos, Use Kerberos only is the tighter choice and is sufficient.
6. Click the Add button. This displays the Add Services dialog box.
7. Click the Users or Computers button.
8. In the Select Users or Computers dialog, type the name of the computer hosting your WCF service and then click Check Names. The name of the computer is resolved and displayed. Click OK.
9. A list of the SPNs registered for that computer is displayed. Select HOST/ComputerName and HTTP/ComputerName and click OK. In the Properties window, click Apply.
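The same delegation settings that steps 4 to 9 apply through the MMC snap-in, as an added PowerShell example that is not part of the original guide, using the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) so the change can be scripted and, more importantly, read back and audited. The account name (svc-aspnet) and WCF host names (WCFSRV01 / wcfsrv01.contoso.com) are placeholders.

```powershell
# Added example (not from the original guide): configure constrained delegation
# with protocol transition for the app-pool account and verify the result.
# Assumed placeholders: account svc-aspnet; WCF service host WCFSRV01 with
# FQDN wcfsrv01.contoso.com. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Account = 'svc-aspnet'
$WcfHost = 'WCFSRV01'
$WcfFqdn = 'wcfsrv01.contoso.com'

# Step 9: the services the account may delegate to. Both the NetBIOS and the
# fully qualified forms are added so the client can address the WCF host either way.
$Targets = @("HOST/$WcfHost", "HOST/$WcfFqdn", "HTTP/$WcfHost", "HTTP/$WcfFqdn")

# "Trust this user for delegation to specified services only" is simply the
# presence of msDS-AllowedToDelegateTo; its values are the bottom pane of the tab.
Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }

# Step 5: "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION
# (protocol transition). Pass $false for "Use Kerberos only", which is tighter
# and sufficient when callers authenticate to the ASP.NET application with Kerberos.
Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

# Verify what AD now holds. TrustedForDelegation must remain $false: that flag is
# unconstrained delegation ("any service"), which the procedure deliberately avoids.
$u = Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo, servicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation

[pscustomobject]@{
    Account             = $u.SamAccountName
    SPNs                = $u.servicePrincipalName -join '; '
    AllowedToDelegateTo = $u.'msDS-AllowedToDelegateTo' -join '; '
    ProtocolTransition  = $u.TrustedToAuthForDelegation
    Unconstrained       = $u.TrustedForDelegation
}

if ($u.TrustedForDelegation) {
    throw "$Account is trusted for unconstrained delegation; clear it before use"
}
if (-not $u.'msDS-AllowedToDelegateTo') {
    throw "$Account has no msDS-AllowedToDelegateTo targets; delegation is not constrained"
}
```

The read-back at the end is the part worth keeping in a periodic check: an account whose `TrustedForDelegation` flips to true, or whose `msDS-AllowedToDelegateTo` list grows beyond the WCF host, has had its delegation scope widened, and that is the setting an attacker who compromises the app-pool account benefits from most.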

Last edited Apr 16, 2008 at 11:59 PM by prashantbansode, version 1