We have a WCF client and server authenticating with Kerberos Authentication.
It is our understanding that during Kerberos authentication, if the server specifies the endpoint’s SPN, it will only accept connections from clients who specify that SPN. It is also our understanding that the SPN specified must be registered under the account running the server application.
However, it appears that the authentication goes through regardless of what SPN the client uses in the endpoint identity (as long as the SPN is registered in the domain).
For example:
- User A registers the SPN “testspn/serveruser”.
- User B can run the WCF server.
- User C successfully connects to the WCF server with the SPN “testspn/serveruser” even though the SPN is not registered by user B.
Notes: We have verified that Kerberos authentication is in use by disabling NTLM authentication and traffic on the domain and setting up a behavior on the client to disable NTLM fallback. In addition to this, we enabled System.Net tracing to see how the authentication was negotiated.

Questions:
- Is our WCF configuration correct?
- Is this by design?
- Is this secure even though the SPN is not registered under the account running the service?
- If not, how do we get it to validate that the SPN used is registered under the account running the service?
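Before changing the WCF configuration, it is worth establishing two facts independently of WCF: which domain account actually holds the SPN the client is putting in its endpoint identity (the KDC encrypts the service ticket for that SPN with that account's key), and which account the WCF host process is running as on the server. The script below is an added example, not part of the original question and not from the WCF or Kerberos teams; the SPN value is the one from the scenario above, while the server host name (`serverhost`) and the host process name (`WcfServer.exe`) are placeholders the reader has to replace. It assumes the RSAT ActiveDirectory module is installed and that the caller can query WMI/CIM on the server.

```powershell
# Added diagnostic for the scenario in the question (example code, not from the original post).
# Confirms (1) which AD object the SPN is registered on, flagging duplicates, and
# (2) which account the WCF host process runs under, then reports whether they match.
# Assumed placeholders: $ServiceHost = 'serverhost', $ServiceProcessName = 'WcfServer'.
param(
    [string]$Spn = 'testspn/serveruser',       # SPN from the question
    [string]$ServiceHost = 'serverhost',       # assumption: machine running the WCF server
    [string]$ServiceProcessName = 'WcfServer'  # assumption: process name of the WCF host (no .exe)
)

Import-Module ActiveDirectory

# 1. Which account(s) hold the SPN? A Kerberos service ticket for $Spn is encrypted with
#    the long-term key of the account found here, so only that account can decrypt it.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                         -Properties sAMAccountName, servicePrincipalName)
if ($owners.Count -eq 0) {
    Write-Warning "SPN '$Spn' is not registered on any object in the domain"
    return
}
if ($owners.Count -gt 1) {
    # Duplicate SPNs make the KDC's choice of key ambiguous; Kerberos will then fail unpredictably.
    Write-Warning ("Duplicate SPN '$Spn' found on: " + ($owners.sAMAccountName -join ', '))
}
$spnOwner = $owners[0].sAMAccountName

# 2. Which account is the WCF host process running as on the server?
$proc = Get-CimInstance -ClassName Win32_Process -ComputerName $ServiceHost `
                        -Filter "Name = '$ServiceProcessName.exe'" | Select-Object -First 1
if (-not $proc) {
    Write-Warning "Process $ServiceProcessName.exe not found on $ServiceHost"
    return
}
$procOwner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
$runningAs = "$($procOwner.Domain)\$($procOwner.User)"

# 3. Compare the SPN owner with the process identity.
if ($procOwner.User -eq $spnOwner) {
    Write-Output "OK: SPN '$Spn' is registered on '$spnOwner', and $ServiceProcessName.exe runs as '$runningAs'"
} else {
    Write-Output "MISMATCH: SPN '$Spn' is registered on '$spnOwner', but $ServiceProcessName.exe runs as '$runningAs'"
}
```

To see which service ticket the client actually obtained for a call, run `klist purge` on the client, make one request through the WCF proxy, and then run `klist`: the `Server` field of the cached ticket shows the SPN the client asked the KDC for, which is the SPN from the endpoint identity rather than anything the server chose. `setspn -L <account>` and `setspn -Q testspn/serveruser` give the same ownership information as step 1 without the ActiveDirectory module.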