Is it possible to avoid specifying servicePrincipalName if both client and service are running under the same account on the same server?

StackOverflow https://stackoverflow.com/questions/11168188

I have a WCF service configured with net.tcp binding:

<netTcpBinding>
    <binding>
        <security mode="Transport">
            <transport clientCredentialType="Windows" />
            <message clientCredentialType="None" />
        </security>
    </binding>
</netTcpBinding>

I have a client - web application. Both are running under NT AUTHORITY\NETWORK SERVICE on the same server, just different ports.

When the client tries to connect to the service, this yields an error:

System.ComponentModel.Win32Exception: The logon attempt failed

This can be fixed specifying servicePrincipalName on the client side:

<endpoint>
    <identity>
        <servicePrincipalName value="NT AUTHORITY\NETWORK SERVICE" />
    </identity>
</endpoint>

But can I avoid that? I want the client to use its current user.


Solution

The servicePrincipalName value in the endpoint/identity section of the client's config does not specify the client's identity but the expected service identity. Remember that WCF authentication is mutual (the client also identifies the service).

In this case the client expects the service to be operating under the 'network service' account.

<endpoint>
    <identity>
        <servicePrincipalName value="NT AUTHORITY\NETWORK SERVICE" />
    </identity>
</endpoint>

If client and service are located on the same machine, this can be replaced by

<endpoint>
    <identity>
        <servicePrincipalName value="host/localhost" />
    </identity>
</endpoint>

Service authentication now depends on the DNS name (localhost).
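The same arrangement expressed in code rather than app.config, as an added example that is not part of the original question or answer: the service host uses the question's net.tcp binding (Transport mode, Windows client credentials), and the client attaches the answer's `host/localhost` SPN to its EndpointAddress. The contract name IEcho, the address net.tcp://localhost:8731/Echo and the console host are assumptions for illustration, not taken from the original.

```csharp
// Added example, not from the original post. Assumed names: IEcho, EchoService,
// net.tcp://localhost:8731/Echo. Both halves run in one process here so the
// client and service share the same Windows account, as in the question.
using System;
using System.ServiceModel;

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) => text;
}

public static class Program
{
    // Equivalent of the <netTcpBinding> in the question: transport security with
    // Windows (SSPI) client credentials, no message-level credential.
    static NetTcpBinding WindowsTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    public static void Main()
    {
        var address = new Uri("net.tcp://localhost:8731/Echo");

        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), WindowsTransportBinding(), address);
            host.Open();

            // Client side. The identity on the EndpointAddress is what the client
            // expects the *service* to prove (mutual authentication); it says nothing
            // about the credential the client presents. The client still authenticates
            // with the token of the process it runs in, so nothing is needed for that.
            // "host/localhost" is the SPN form from the answer, equivalent to
            // <identity><servicePrincipalName value="host/localhost"/></identity>.
            var serviceIdentity = EndpointIdentity.CreateSpnIdentity("host/localhost");
            var endpoint = new EndpointAddress(address, serviceIdentity);

            var factory = new ChannelFactory<IEcho>(WindowsTransportBinding(), endpoint);
            IEcho proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Echo("hello"));

            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

The point to check when reusing this: the identity must describe the account or host the service really runs under. When it does not match, the client fails the security negotiation instead of trusting whatever process happens to be listening on that port, which is the mutual-authentication property the answer refers to; removing the identity element does not make the client "use its current user" any more than it already does.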

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow