In one of our networks we are utilizing the netTcpBinding. The WCF service is hosted in a Windows service that runs as a domain account.

From the event viewer I can see that my WCF service uses Kerberos authentication. Everything works seamlessly "out-of-the-box" with simple default configuration without an <identity> element in the configuration file and without any SPN setting for the machine like:

setspn -a WcfServiceName//Server domainAccount

But from multiple online references I concluded that the SPN setting is necessary. It's not clear why, in my case, it works without those settings.

Looking forward to an explanation from WCF security experts.

A: 

Per the WCF Security Guidance: netTcpBinding : Specifies a secure, reliable, optimized binding suitable for cross-machine communication. By default, it generates a runtime communication stack with transport security and Windows authentication as default security settings. It uses TCP protocol for message delivery, and binary message encoding.

In essence, it's secure by default; callers must provide Windows creds for authentication.

RandomNoob
Thank you for the reply. Unfortunately I've read many references that state the opposite. Take for instance this: http://mastermynd-code.blogspot.com/2009/06/service-principal-name-when-using-wcf.html which says ".. In order to use the WCF NetTcpBinding with a Windows Service, it is necessary to create a SPN."
ablei2000
You say it is "..secure by default" and I can see that. But the system still executes Kerberos calls in spite of the "default secure" transport. The reason I'm asking is that in our internal network it works with no SPN setting. But the same application with the same configuration fails on our client's network when trying to perform Kerberos authentication. It works, though, with NTLM + basicHttpBinding... but we would like to stay with TCP.
ablei2000
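
The defaults quoted in the answer, written out explicitly in a client configuration together with the `<identity>` element the question leaves out. This is an added example, not configuration from the original posts; the endpoint address, port, contract name and SPN value are constructed placeholders.

```xml
<!-- Added example. Host, port, contract and SPN values are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- These settings restate the NetTcpBinding defaults quoted in the
             answer: transport security with Windows authentication. -->
        <binding name="explicitDefaults">
          <security mode="Transport">
            <transport clientCredentialType="Windows"
                       protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint name="exampleEndpoint"
                address="net.tcp://Server:8000/WcfServiceName"
                binding="netTcpBinding"
                bindingConfiguration="explicitDefaults"
                contract="Example.IService">
        <!-- Names the service identity the client expects. With Kerberos the
             client requests a ticket for this SPN, so the SPN has to be
             registered to the account the service runs as. -->
        <identity>
          <servicePrincipalName value="WcfServiceName/Server" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

Running `setspn -L` against the service account lists the SPNs registered to it, which is the value the `servicePrincipalName` element has to match.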