What does it mean to have a DNS identity type with Windows Authentication?

Question

What does it mean, on a high level, to specify a DNS identity when using Windows Authentication for a WCF service? For example:

<configuration>
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_ICalculator_Windows">
        <security>
          <message clientCredentialType="Windows"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost:8003/servicemodelsamples/service/dnsidentity"
      binding="wsHttpBinding"
      bindingConfiguration="WSHttpBinding_ICalculator_Windows"
      contract="ICalculator"
      name="WSHttpBinding_ICalculator">
      <identity>
        <dns value="contoso.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
</configuration>

This page says:

In this case, when the client receives the Windows (Kerberos) credentials for the service, it expects the value to be contoso.com.

I don't really understand this. How can the value of credentials for the service be contoso.com? What does it mean by credentials?

Does it also verify that the actual DNS name of the service is indeed contoso.com? Otherwise, what would prevent someone from writing a rogue WCF service that says its identity is contoso.com?

Answer 1

If I am not mistaken, the contoso.com is used to resolve the SPN for Kerberos. The SPN looked up would be http/contoso.com:8003. This SPN would be mapped in Active Directory to a service account. The Kerberos ticket will be encrypted using the service account's credentials.

Answer 2

I realize this is an old question, but I have found that in a self-hosted service with tcp bindings with windows transport, the client doesn't seem to respect SpnIdentity settings, only DnsIdentity settings. Check here: wcf server authentication without certificates for more info and/or comments.