How to set the user principal name of the service identity of an STS issuer for a WS-Federation binding by config?

StackOverflow https://stackoverflow.com/questions/9751594

24-05-2021

Question

How can I specify the service identity principal name in the WCF client config for the issuer STS when binding using WS-Federation?

I have an application pool running under a domain account on a front-end server trying to authenticate, using federation, to back-end services on an app server (running under domain accounts), using an STS also running on the app server under a domain account.

In order to use Kerberos correctly I need to set the user principal name of the STS on the front-end client. I can't see how to do that.

I am experiencing a connected problem, which is that fallback to NTLM does not work when the issuer is specified using the FQDN, and Kerberos fails (SSPI negotiation failed), I think because I have no issuer principal name in the config. If I set the issuer using the IP address instead, then authentication to the STS succeeds using NTLM, I think, so I have a workaround.

The STS is issuing tokens on the basis of Windows auth on that endpoint. It has other endpoints for forms-type auth and so on.

Possibly a related problem on our network is that Silverlight clients that call back to web services are not working without the servers being manually added to the Local Intranet zone in IE. It seems as though for some reason the app servers are not considered as being on the same domain. Any clues much appreciated!


Solution

I found the solution regarding setting the user principal name of the STS: I just needed to set it in the issuer element of the federation binding. OK, I don't know why I couldn't find this before, but first thing Monday morning the answer pops up immediately: http://msdn.microsoft.com/en-us/library/aa347735.aspx

The issuer element of the WS-Federation binding is an endpoint config that allows you to set the user principal name within it.

The schema from the link above is here (the identity element takes exactly one of the child elements shown):

<issuer address="Uri">
   <headers>
      <add name="String"
           namespace="String" />
   </headers>
   <identity>
      <certificate encodedValue="String" />
      <certificateReference findValue="String"
         isChainIncluded="Boolean"
         storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
         storeLocation="LocalMachine/CurrentUser"
         x509FindType="System.Security.Cryptography.X509Certificates.X509FindType" />
      <dns value="String" />
      <rsa value="String" />
      <servicePrincipalName value="String" />
      <userPrincipalName value="String" />
   </identity>
</issuer>

Regarding the network issues, this was a DNS problem: PTR records were used instead of aliases.
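The following client-side configuration is an added example, not part of the original answer or of Microsoft's documentation, of where the schema above sits inside a complete wsFederationHttpBinding client config. The host names, the contract name, the STS paths and the account svc-sts@corp.example.com are assumed for illustration; substitute the UPN of the domain account your STS application pool actually runs under (if the STS runs as Network Service or Local System instead, the identity would be a servicePrincipalName of the form host/fqdn rather than a userPrincipalName).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsFederationHttpBinding>
        <!-- Binding used by the front-end client to call the back-end service -->
        <binding name="FederatedToBackend">
          <security mode="Message">
            <message issuedKeyType="SymmetricKey"
                     issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                     negotiateServiceCredential="true">
              <!-- The STS endpoint the client gets its token from.  The identity is what
                   SSPI uses as the Kerberos target, so it must name the account the STS
                   app pool runs as (assumed here: svc-sts@corp.example.com).  Without it,
                   WCF derives the expected identity from the address, which is wrong for a
                   service running under a domain user account. -->
              <issuer address="http://appserver.corp.example.com/sts/windows"
                      binding="ws2007HttpBinding"
                      bindingConfiguration="StsWindowsAuth">
                <identity>
                  <userPrincipalName value="svc-sts@corp.example.com" />
                </identity>
              </issuer>
              <issuerMetadata address="http://appserver.corp.example.com/sts/mex" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>

      <ws2007HttpBinding>
        <!-- Binding used for the hop to the STS: Windows (Kerberos/SPNEGO) authentication -->
        <binding name="StsWindowsAuth">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="true" />
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>

    <client>
      <!-- The back-end service itself also runs under a domain account (assumed:
           svc-backend@corp.example.com), so it gets its own identity element. -->
      <endpoint name="Backend"
                address="http://appserver.corp.example.com/backend/Service.svc"
                binding="wsFederationHttpBinding"
                bindingConfiguration="FederatedToBackend"
                contract="Backend.IBackendService">
        <identity>
          <userPrincipalName value="svc-backend@corp.example.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

Two things to check when this still fails with "SSPI negotiation failed": the UPN must be the exact account name of the STS process (for a user account with no SPN registered the KDC issues the ticket against the UPN, so a different or mistyped account yields no ticket), and the client must be able to reach a domain controller, since with negotiateServiceCredential set to true SPNEGO may silently fall back to NTLM when it cannot, which hides the Kerberos misconfiguration rather than fixing it.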

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow