
If you support non-WCF clients using Windows authentication and message security, consider using the Kerberos direct option

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

If your WCF service needs to support non-WCF clients using Windows authentication and message security, consider using Kerberos direct. To enable Kerberos direct, set the negotiateServiceCredential option to false. This option is only available on the wsHttpBinding. The benefit is better performance and better interoperability with non-Microsoft clients consuming WCF services.

Be aware that setting negotiateServiceCredential to false forces the WCF service to run under the Network Service identity, which is identified by its SPN (Service Principal Name). It is not possible to host the service under a custom user identity's UPN (User Principal Name). Also be aware that delegation in WCF is not possible with Kerberos direct.

The following binding configuration shows how to set this option:
<binding name="BindingMessage">
    <security mode="Message">
          <message clientCredentialType="Windows"
                 negotiateServiceCredential="false" />
    </security>
</binding>
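The binding fragment above only sets the option; a practitioner also needs to see where it is referenced and what the client side must supply. The following is an added example, not configuration from the original page: it places the same binding into a complete system.serviceModel section, wires it to a service endpoint, and shows the client endpoint that consumes it. Because there is no negotiation with Kerberos direct, the client cannot discover the service identity at runtime and must state the service's SPN explicitly in an identity element. The service name, contract name, host name and SPN value are hypothetical placeholders, and the service and client sections are shown in one file only for illustration.

```xml
<!-- Added example (not from the original page). Service and client sections are
     combined here for illustration; names and host names are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Message security with Windows client credentials and
             negotiation disabled (Kerberos direct). -->
        <binding name="BindingMessage">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="false" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <!-- Service side: the host process runs as Network Service, so the
         service is identified by the SPN registered for that machine account. -->
    <services>
      <service name="Contoso.Samples.HelloService">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="BindingMessage"
                  contract="Contoso.Samples.IHelloService" />
      </service>
    </services>

    <!-- Client side: with negotiation off, the client must name the service's
         SPN up front so it can request a Kerberos ticket for that principal. -->
    <client>
      <endpoint address="http://wcfhost.contoso.local/HelloService/Service.svc"
                binding="wsHttpBinding"
                bindingConfiguration="BindingMessage"
                contract="Contoso.Samples.IHelloService">
        <identity>
          <servicePrincipalName value="host/wcfhost.contoso.local" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

A useful check when a call fails with a security token error under this configuration is to confirm that the SPN in the client's identity element matches an SPN actually registered for the account the service process runs under; with Kerberos direct there is no SPNEGO negotiation to fall back on, so a mismatched SPN fails the call rather than silently downgrading.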

Last edited Apr 24, 2008 at 12:18 AM by prashantbansode, version 2

Comments

KjellSJ Sep 10, 2008 at 1:06 PM 
Please clarify the SPN restriction: can any domain account with a registered SPN be used to host the service, or does it have to be the NetworkService account?