protected override SspiNegotiationTokenProviderState CreateNegotiationState(EndpointAddress target, Uri via, TimeSpan timeout) { EnsureEndpointAddressDoesNotRequireEncryption(target); EndpointIdentity identity = null; if (this.identityVerifier == null) { identity = target.Identity; } else { this.identityVerifier.TryGetIdentity(target, out identity); } string spn; if (this.AuthenticateServer || !this.AllowNtlm) { spn = SecurityUtils.GetSpnFromIdentity(identity, target); } else { // if an SPN or UPN identity is configured (for example, in mixed mode SSPI), then // use that identity for Negotiate Claim identityClaim = identity.IdentityClaim; if (identityClaim != null && (identityClaim.ClaimType == ClaimTypes.Spn || identityClaim.ClaimType == ClaimTypes.Upn)) { spn = identityClaim.Resource.ToString(); } else { spn = "host/" + target.Uri.DnsSafeHost; } } string packageName; if (!this.allowNtlm && !SecurityUtils.IsOsGreaterThanXP()) { packageName = "Kerberos"; } else { packageName = "Negotiate"; } WindowsSspiNegotiation sspiNegotiation = new WindowsSspiNegotiation(packageName, this.credentialsHandle, this.AllowedImpersonationLevel, spn, true, this.InteractiveNegoExLogonEnabled, this.allowNtlm); return(new SspiNegotiationTokenProviderState(sspiNegotiation)); }