System.Net.AuthenticationManager.CustomTargetNameDictionary Property

Gets the dictionary that contains Service Principal Names (SPNs) that are used to identify hosts during Kerberos authentication for requests made using System.Net.WebRequest and its derived classes.

Syntax

[System.MonoTODO]
public static System.Collections.Specialized.StringDictionary CustomTargetNameDictionary { get; }

Value

Documentation for this section has not yet been entered.

Remarks

An SPN is a name by which a client uniquely identifies an instance of a service or application on a server for purposes of mutual authentication. Mutual authentication is requested by default, and you can require it by setting WebRequest.AuthenticationLevel to System.Net.Security.AuthenticationLevel.MutualAuthRequired in your request.

When a System.Net.WebRequest requires mutual authentication, the SPN for the destination must be supplied by the client. If you know the SPN, you can add it to the AuthenticationManager.CustomTargetNameDictionary before sending the request. If you have not added SPN information to this dictionary, the System.Net.AuthenticationManager uses the WebRequest.RequestUri property to compose the most likely SPN; however, this is a computed value and might be incorrect. If mutual authentication is attempted and fails, you can check the dictionary to determine the computed SPN. No SPN is entered into the dictionary if the authentication protocol does not support mutual authentication.

To add an SPN value to this dictionary, use the Uri.AbsoluteUri of the WebRequest.RequestUri as the key. Internally, the key is truncated to include the Uri.Scheme, Uri.Host, and the Uri.Port if it is not the default port.
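
The following is an added example, not code from the original documentation. It registers a known SPN under the request's AbsoluteUri key before sending a request that requires mutual authentication, and on failure reports the SPN held in the dictionary for that target. The URL, SPN, and class and method names are constructed placeholders, and the code assumes a runtime on which the property is fully implemented (the syntax above marks it MonoTODO).

```csharp
using System;
using System.Net;
using System.Net.Security;

static class SpnPinningExample
{
    // Constructed sample values: replace with your service URL and its registered SPN.
    const string ServiceUrl = "https://intranet.corp.example:8443/api/status";
    const string ServiceSpn = "HTTP/app01.corp.example";

    // Builds a request that requires mutual authentication and registers the
    // known SPN first, so the computed (possibly incorrect) SPN is not used.
    static HttpWebRequest CreatePinnedRequest(string url, string spn)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Credentials = CredentialCache.DefaultCredentials;
        request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequired;

        // The key is the AbsoluteUri of RequestUri, as the Remarks describe.
        AuthenticationManager.CustomTargetNameDictionary[request.RequestUri.AbsoluteUri] = spn;
        return request;
    }

    static void Main()
    {
        HttpWebRequest request = CreatePinnedRequest(ServiceUrl, ServiceSpn);
        string key = request.RequestUri.AbsoluteUri;
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("Status: {0}, mutually authenticated: {1}",
                    response.StatusCode, response.IsMutuallyAuthenticated);
            }
        }
        catch (WebException ex)
        {
            // On failure, report which SPN was in effect for this target.
            Console.Error.WriteLine("Request failed ({0}); SPN in dictionary: {1}",
                ex.Status, AuthenticationManager.CustomTargetNameDictionary[key] ?? "<none>");
        }
    }
}
```

Registering the entry before the first request also covers the proxy case in the note below, because the SPN for the ultimate host is then already in the dictionary.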

Note:

Accessing the methods and properties of the AuthenticationManager.CustomTargetNameDictionary requires unrestricted System.Net.WebPermission.

Note:

When Kerberos authentication is performed through a proxy, both the proxy and the ultimate host name need to be resolved to an SPN. The proxy name resolution is protected by a timeout. Resolution of the ultimate host name to an SPN requires a DNS lookup, and there is no timeout associated directly with this operation. Therefore synchronous operations may take longer to time out. To overcome this, add the ultimate host's URI prefix to the SPN cache prior to making requests to it.

As of version 3.5 SP1, when the AuthenticationManager.CustomTargetNameDictionary property is not set, the SPN in the NTLM (NT LAN Manager) authentication exchange defaults to the host name used in the request URL. The host name used in the request URL may be different from the Host header specified in the System.Net.HttpRequestHeader in the client request. It may also be different from the actual host name of the server, the machine name of the server, the computer's IP address, or the loopback address. In these cases, Windows will fail the authentication request. To address the issue, you may need to notify Windows that the host name used in the request URL in the client request ("contoso", for example) is actually an alternate name for the local computer.

Requirements

Namespace: System.Net
Assembly: System (in System.dll)
Assembly Versions: 2.0.0.0, 4.0.0.0