The Kerberos over SSL samples (like the calculator one) demonstrate WWSAPI mixed mode security that matches the WCF’s KerberosOverTransport authentication mode. In this mode, the Kerberos AP-REQ ticket is wrapped in a WS-Security header for client and server authentication. There is no negotiation here as in Negotiate header authentication or default SSPI over TCP binding. In order to get a Kerberos ticket, you’ll need a KDC, which means the machine needs to be joined to a domain. The other thing about Kerberos is that the AP-REQ ticket is encrypted for a certain server account and only that server can decrypt it to complete the authentication. The server is identified on the client using the Service Principal Name (SPN), which is set in WS_ENDPOINT_ADDRESS as the identity field. SPN can be set on the domain controller for domain accounts. The machines joined to a domain will automatically get an SPN. Processes running as Local System or Network Service will have the machine credential and therefore can decrypt Kerberos tickets issued for the machine account. The SPN for a given machine account looks like “HOST/<MachineName>”.


With the background information above, we can now start running the Kerberos over SSL samples. First, please follow the steps in my previous post to set up SSL. In order to avoid confusion around which SPN to use for an arbitrary domain user, I am leveraging the fact the machine accounts get SPNs automatically when joining a domain. Let’s run the server under Local System account! You can do this in Task Scheduler, but here is how you do it in a command line prompt (elevated when you use Vista and above):

1.       Find out the current time:

echo %time%

2.       Schedule the server to run at a future time. Please give the full path of the executable and make sure WebServices.dll is available in the system path. For example:

at.exe 11:04am "C:\Program Files\Microsoft SDKs\Windows\v7.0\Samples\bin\WsCalculatorServiceKerberosOverSsl.exe" /interactive

3.       Wait until 11:04am and verify that WsCalculatorServiceKerberosOverSsl.exe has been started (Task Manager shows SYSTEM account), then run the client with the SPN as the parameter:

WsCalculatorClientKerberosOverSsl.exe HOST/%ComputerName%


If you turn on WWSAPI message tracing, you’ll see that a big Security header with base64-encoded Kerberos AP-REQ ticket there.