Moving Services and User Principals
A user principal name is used as an identifier for accounts on a Windows domain. The user principal name has two parts, the user account name and the domain name. The typical way of writing a user principal name looks a lot like a standard email address, such as account@domain.com.
When using service authentication, the client needs some way of specifying the identity of the service account it expects to be connected to. There are several different types of identities that the client could use, but the default when using Windows credentials is sometimes a user principal name. I say sometimes because there are additional conditions that have to apply. The most stringent condition is that the service is not running under one of the standard system accounts, like NetworkService. When running under a system account, you end up getting a service principal name rather than a user principal name. Both of these principal types allow you to take advantage of Kerberos security if you're using Active Directory.
One of the disadvantages of principal names is that they tie services to your domain structure. If the client has a hard-coded principal name for service authentication, then you can't move the web service off of a domain machine without breaking that identifier. For authenticated services that may need to migrate across domains, you should probably be using some sort of certificate mechanism instead of a Windows account to identify the service.
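The three identity choices discussed above, written out as an added example of how a WCF client pins the identity it expects the service to present (this is illustrative code, not from the original post; the host names, account names, store location and certificate subject are placeholders):

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example: each method returns an EndpointAddress whose identity the client
// will require the service to prove. If the service cannot prove it, the security
// negotiation fails rather than the client talking to an unintended endpoint.
static class ServiceIdentityChoices
{
    // Service runs under a domain user account (placeholder svc_orders@contoso.com):
    // the client expects a user principal name, so this endpoint is tied to that domain.
    public static EndpointAddress ForDomainAccount(Uri serviceUri)
    {
        EndpointIdentity upn = EndpointIdentity.CreateUpnIdentity("svc_orders@contoso.com");
        return new EndpointAddress(serviceUri, upn);
    }

    // Service runs under a system account such as NetworkService: the machine account
    // authenticates, so the client expects a service principal name instead.
    public static EndpointAddress ForSystemAccount(Uri serviceUri)
    {
        EndpointIdentity spn = EndpointIdentity.CreateSpnIdentity("host/orders.contoso.com");
        return new EndpointAddress(serviceUri, spn);
    }

    // Service may move across domains or off the domain entirely: identify it by the
    // certificate it presents, not by a Windows account. The service binding must be
    // configured with certificate credentials for either form below to be checked.
    public static EndpointAddress ForMigratableService(Uri serviceUri, bool pinExactCertificate)
    {
        if (!pinExactCertificate)
        {
            // Weaker pin: any trusted certificate whose subject matches this DNS name.
            return new EndpointAddress(serviceUri, EndpointIdentity.CreateDnsIdentity("orders.example.com"));
        }

        // Stronger pin: the exact certificate installed in the client's TrustedPeople store.
        X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, "orders.example.com", true);
            if (found.Count == 0)
                throw new InvalidOperationException("Expected service certificate is not installed.");
            return new EndpointAddress(serviceUri, EndpointIdentity.CreateX509CertificateIdentity(found[0]));
        }
        finally
        {
            store.Close();
        }
    }
}
```

Only the first two methods depend on the service's Windows account; the third keeps working when the service is rehosted, as long as the service keeps presenting the same certificate.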
Next time: Throttling Sessions