Configuring Identity Policy for a Service

The identity policy lets you define the Service Principal Name (SPN) under which the service is running. An SPN is the name by which a client uniquely identifies a service. You should configure the Identity policy when your service does not have access to the SPN key of the host computer, which prevents your service from automatically registering a valid SPN.

If you configure a security policy that requires the Kerberos protocol and the endpoint identity sent by the client application does not specify an SPN, any calls from the client will fail with a security exception. For more information, see Configuring Security Policy for a Service.

Note

Services that specify an Identity policy require that the service is hosted on a computer that has the .NET Framework 3.5 Service Pack 1 or later installed. If you attempt to apply an Identity policy to a service exposing an HTTPS endpoint running on a computer without the .NET Framework 3.5 Service Pack 1 installed, then the service might fail.

Configuring the Service

To configure a service to use the Identity policy, you must configure an SPN for the service and then provide the SPN details to the Identity policy.

Configuring a Service Principal Name

To configure an SPN, use the SetSpn.exe utility. For more information about the SetSpn utility, see SetSpn Overview.

You invoke the SetSpn.exe utility to map an SPN to the actual account under which the service runs. The following command line operation defines a new SPN, MyService/MyHost, and maps the SPN to the contoso\dcsuser user account.

setspn -A MyService/MyHost contoso\dcsuser

When a client application needs to communicate with the MyService service on the MyHost server, the client application requests a Kerberos token that uses this information.

Configuring an Identity Policy

When you configure an Identity policy in the DCS Management Services Console, the policy exposes a single property, PrincipalName, which you should set to the SPN required for your service.

To apply an identity policy to a service

  1. In the DCS Management Services Console, expand Policy Management, expand the service to which you want to apply a policy, and then click Policies.
  2. In the left pane, right-click the Policies folder, and then click New.
  3. In the Edit Policy dialog box, in the Policy Type list, click Microsoft.ConnectedIndustry.ServiceModel.Policy.EncodingPolicy.
  4. Set the PrincipalName property to the SPN defined for the service, and then click OK to apply the policy to the service.

Configuring the Client Application

When you configure an Identity policy on a service, you must also configure any client applications to enable them to import the policy configuration. You must add the following element to the client application configuration file.

<system.serviceModel>
    ...
    <client>
        <metadata>
            <policyImporters>
                ...
                <extension type="Microsoft.ConnectedIndustry.ServiceModel.ProtocolChannels.Identity.IdentityBindingElement, Microsoft.ConnectedIndustry.ServiceModel,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35"/>
                ...
            </policyImporters>
        </metadata>
    </client>
    ...
</system.serviceModel>

You must also configure the client application to supply the correct SPN or User Principal Name (UPN) of the account under which the service is running, as part of the client application's endpoint identity.
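The following C# client is an added example, not code from the original page or from the DCS product, showing how a client supplies that endpoint identity in code rather than in configuration. The contract IMyService, its Ping operation, the service address and the UPN value are assumptions; the SPN is the MyService/MyHost value registered with setspn above. The SecurityNegotiationException branch is where a mismatch between the identity the client sends and the SPN registered for the service account surfaces.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the original page. The contract IMyService, the
// Ping operation, the service address and the UPN are assumptions; the SPN
// value is the one the page registers with setspn (MyService/MyHost).
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping();
}

public static class IdentityClientExample
{
    // Build the endpoint address carrying the identity the client expects the
    // service to prove during Kerberos negotiation. Prefer the SPN; fall back
    // to the UPN of the service account only when no SPN has been registered.
    public static EndpointAddress BuildAddress(string serviceUri, string spn, string upn)
    {
        EndpointIdentity identity = !string.IsNullOrEmpty(spn)
            ? EndpointIdentity.CreateSpnIdentity(spn)
            : EndpointIdentity.CreateUpnIdentity(upn);
        return new EndpointAddress(new Uri(serviceUri), identity);
    }

    public static void Main()
    {
        // Message security with Windows credentials; with an SPN identity
        // supplied, negotiation uses Kerberos instead of falling back to NTLM.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        EndpointAddress address = BuildAddress(
            "http://MyHost:8000/MyService",   // assumed service address
            "MyService/MyHost",               // SPN registered with setspn -A
            "dcsuser@contoso.com");           // assumed UPN of the service account

        var factory = new ChannelFactory<IMyService>(binding, address);
        IMyService channel = factory.CreateChannel();
        try
        {
            Console.WriteLine(channel.Ping());
            ((ICommunicationObject)channel).Close();
        }
        catch (SecurityNegotiationException ex)
        {
            // Raised when the identity the client sent does not match the
            // SPN or UPN registered for the account the service runs under.
            Console.Error.WriteLine("Identity mismatch or missing SPN: " + ex.Message);
            ((ICommunicationObject)channel).Abort();
        }
        finally
        {
            factory.Close();
        }
    }
}
```

The configuration-file equivalent of BuildAddress is an identity element under the client endpoint, that is, an identity element containing servicePrincipalName with value="MyService/MyHost" (or userPrincipalName for a UPN); keep that value identical to the SPN mapped with setspn, because the Kerberos ticket request is made for exactly that name.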

See Also

SetSpn Overview

Configuring Security Policy for a Service