Meaning of SPN for a User
Hi. What does it mean when we create an SPN for a user?

We have a scenario where we have a WCF service that uses Kerberos authentication. This service is running under a separate user account (not as LocalService). We have a Java client which tries to connect to this service. If we run the service as a local service, the client is able to connect, but when we run this service as a separate user, the Java client is not able to complete the Kerberos authentication.

The links below indicate that Microsoft has an extension to the SPNEGO protocol: http://blogs.msdn.com/b/openspecification/archive/2009/07/06/negtokeninit2.aspx and http://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows. The second link indicates that Java does not support this extension.

This link, http://msdn.microsoft.com/en-us/library/bb628618.aspx, indicates that for a UPN (i.e. services running under an account other than local service): "In this case, establish an SPN for that domain account, which you can do by using the Setspn.exe utility tool. Once you create the SPN for the service's account, configure WCF to publish that SPN to the service's clients through its metadata (WSDL). This is done by setting the endpoint identity for the exposed endpoint, either through an application configuration file or code."

Will creating this SPN create a security hole?
December 26th, 2011 10:28pm

Hi gdmihir, thanks for posting here.

I do not see any security hole in creating an SPN for a specific service if we want to configure it to run as a domain user account. Could you please discuss your concern in detail?

About Mutual Authentication Using Kerberos: http://msdn.microsoft.com/en-us/library/windows/desktop/ms674944(v=VS.85).aspx

Meanwhile, some good security suggestions about using a domain account to start a service can be found in the guideline below: The Services and Service Accounts Security Planning Guide, http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5543

Thanks.
Tiger Li

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 28th, 2011 12:51am
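The procedure quoted from the MSDN page (register the SPN on the service account with Setspn.exe, then publish that SPN as the WCF endpoint identity) as a worked PowerShell example. This is an added illustration, not code from the thread or from Microsoft; the host name, service class and account name are placeholders, and the duplicate check and endpoint XML are my own additions.

```powershell
# Added example (not from the original thread): register the SPN a Kerberos
# client will ask for on the domain account a WCF service runs under, refuse
# to create a duplicate, and emit the matching WCF endpoint identity.
# ServiceHost, ServiceClass and ServiceAccount are assumed placeholder values.
param(
    [string]$ServiceHost    = 'wcfhost.corp.example.com', # assumed FQDN of the service machine
    [string]$ServiceClass   = 'HTTP',                     # class the client requests, e.g. HTTP/host
    [string]$ServiceAccount = 'svc-wcf'                   # assumed sAMAccountName of the service account
)

$spn = "$ServiceClass/$ServiceHost"

# 1. Duplicate check across the forest. Two accounts holding the same SPN is
#    the usual way this breaks: the KDC cannot pick one account's key for the
#    service ticket, and authentication fails for every client.
$query = & setspn.exe -Q $spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Error "SPN $spn is already registered on another account:`n$($query -join "`n")"
    exit 1
}

# 2. Register. -S (rather than -A) makes setspn re-check for duplicates itself.
& setspn.exe -S $spn $ServiceAccount
if ($LASTEXITCODE -ne 0) {
    Write-Error "setspn -S failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# 3. Show what the account now advertises, so the client-side SPN can be
#    compared against it verbatim (class, host name and case must match).
& setspn.exe -L $ServiceAccount

# 4. Endpoint identity the service publishes in its WSDL and the client targets.
#    Without it WCF defaults to the machine's host/<name> identity, which the
#    domain user account does not own, so the ticket is encrypted with the
#    wrong key and the handshake fails exactly as described in the question.
$endpointXml = @"
<endpoint address="http://$ServiceHost/Service"
          binding="wsHttpBinding"
          contract="IService">
  <identity>
    <servicePrincipalName value="$spn" />
  </identity>
</endpoint>
"@

Write-Output $endpointXml
```

Run it as an account with write access to the service account's servicePrincipalName attribute (by default a domain admin). On the Java side the client must request a ticket for the same principal; with JGSS that is the host-based form `HTTP@wcfhost.corp.example.com`, which maps to the `HTTP/wcfhost.corp.example.com` SPN registered above. One caveat the answer does not spell out: once an SPN is on a user account, any authenticated domain user can obtain a service ticket encrypted under that account's key, so the account should carry a long random password (or be a managed service account) and only the privileges the service needs, as the linked Services and Service Accounts guide recommends.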

This topic is archived. No further replies will be accepted.