1

我正在尝试通过 ssl 在 IIS Express (.NET 3.5) 上托管 wcf 服务,并使用映射到 Windows 用户的客户端证书。

当我使用控制台应用程序作为测试客户端时,我收到以下错误:

HTTP 请求未经客户端身份验证方案“匿名”授权。从服务器收到的身份验证标头是“NTLM,Negotiate”。

我不明白这是怎么可能的,因为当我检查 IIS Express 跟踪记录时,我看到 iisclientcertificatemapping httpmodule 中的 clientcertificate 被映射到我的窗口用户。

从 IIS 跟踪日志中提取

如屏幕截图所示,名称为“ServiceModel”的 httpmodule 将响应设置为 401。

我在客户端和服务器端都启用了 svc 跟踪,但服务器端唯一记录的是“连接时接收字节' https://myurl/orderservice.svc/ClientCert '”

我的 IIS express (applicationhost.config) 在 web.config 中被覆盖:

<system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication  enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="true" >
          <oneToOneMappings>
            <add enabled="true" certificate="MIICGjCCAYegAwIBAgIQfi996nkvEYdO6WBFfokO/jAJBgUrDgMCHQUAMCUxIzAhBgNVBAMTGkdsb2JhbFZpc2lvblNlcnZpY2VzUm9vdENBMB4XDTEyMDkwNzEyMjg1OVoXDTM5MTIzMTIzNTk1OVowHjEcMBoGA1UEAxMTR2xvYmFsVmlzaW9uQ2xpZW50MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5qBoLtQjkN2LtWdCQVbWqMA5N4jMmDM3yscUi3c7mwO9iFZaOcf41+SUFMivEXOOVI/5qVdaMII/ombGPopKoZhtXYUkv90psWwQHXNfqE1L+Vkur/u2KiQSImXLhSPF8qTR5RbRj3inpTWTg74p1a1HjbndU/lwu1cznl5vW/sCAwEAAaNaMFgwVgYDVR0BBE8wTYAQjpcP+m/6Y3T5yi7PJKxrGqEnMCUxIzAhBgNVBAMTGkdsb2JhbFZpc2lvblNlcnZpY2VzUm9vdENBghB+Uxyrj6x2rEV3HQ6vVX48MAkGBSsOAwIdBQADgYEAT5CiQCj4y9dW+zBSq96dRye3FJswAYiZgMLLoiyRV5h2QT7H0nxcdQ0mtdcN3OPunuvrYYlS58QVlBx6aozznmKeBuRl6GwWwQLYGxBRsKbQTuEiI85v1n/jK0LTT6FSGBMUlcJSn2NgnUAWgXvlf8f0SqLqApwWPeYybQxfz4U="
                 userName="CORP\mywindowsuser" password="mypassword" />
          </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
      <authorization>
        <add users="*" accessType="Allow"/>
      </authorization>
      <!--Require SSL *AND* require a client certificate -->
      <access sslFlags="Ssl, SslNegotiateCert"/>
    </security>
  </system.webServer>

使用此配置,当我导航到 svc 文件 ( https://myurl/orderservice.svc?wsdl ) 时,浏览器会要求提供 clientcertificate,当我选择自签名证书时,我能够看到服务的 wsdl。对我来说,这意味着证书(rootca、服务器和客户端证书)是正确的并且 ssl 正在工作。

为了完成,这是我的服务配置服务器端:

<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false">
  <baseAddressPrefixFilters>
    <add prefix="https://myurl:443"/>
  </baseAddressPrefixFilters>
</serviceHostingEnvironment>
<diagnostics wmiProviderEnabled="true">
  <messageLogging
       logEntireMessage="true"
       logMalformedMessages="true"
       logMessagesAtServiceLevel="true"
       logMessagesAtTransportLevel="true"
       maxMessagesToLog="3000"
   />
</diagnostics>
<bindings>
  <wsHttpBinding>
    <binding name="ClientCert">
      <security mode="Transport">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="wsHttpCertificateBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
      <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true"/>
      <serviceAuthorization serviceAuthorizationManagerType="CompanyName.Model.Security.AuthorizationBehaviors.AdamAuthorizationManager,ServiceSecurity">
        <authorizationPolicies>
          <add policyType="CompanyName.Model.Security.AuthorizationPolicies.AdamAuthorizationPolicy, ServiceSecurity" />
        </authorizationPolicies>
      </serviceAuthorization>
      <serviceCredentials>
        <serviceCertificate findValue="certificatesubject" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
        <clientCertificate>
          <authentication revocationMode="NoCheck" mapClientCertificateToWindowsAccount="true" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<services>
  <service name="CompanyName.Model.Services.OrderService" behaviorConfiguration="wsHttpCertificateBehavior">
    <endpoint address="https://myurl/OrderService.svc/ClientCert" contract="CompanyName.Model.Services.ServiceContracts.IOrderService" binding="wsHttpBinding" bindingConfiguration="ClientCert">
    </endpoint>
  </service>
</services>

服务配置客户端

<system.serviceModel>
    <diagnostics>
      <messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxSizeOfMessageToLog="26214400" />
    </diagnostics>
    <bindings>
      <wsHttpBinding>
        <binding name="ClientCertificate">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="wsHttpCertificateBehavior">
          <clientCredentials>
            <clientCertificate findValue="39820c4f767c809bb8f64b0f52ccfd686093896c" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
            <serviceCertificate>
              <authentication revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint name="ClientCertificate" address="https://myurl/OrderService.svc/ClientCert" contract="CompanyName.Model.Services.ServiceContracts.OrderService" binding="wsHttpBinding" bindingConfiguration="ClientCertificate" behaviorConfiguration="wsHttpCertificateBehavior"/>
    </client>
  </system.serviceModel>

如果我浏览到该服务,我会得到以下信息:

选择证书

如果我选择正确的证书,我会得到:

浏览器响应

当我尝试在浏览器中访问端点时,它显示 400 Bad request(这是正常的)

如果有人发现错误的配置或有使用 iis express 上托管的 wcf 进行 ssl 和 clientcertificatemapping 的经验,我已经花费了几个小时让我知道。

4

1 回答 1

3

2个配置之间存在不一致:

wshttpbinding 设置为在客户端和服务器上传输安全性,但在服务器端配置中,ClientCredentialType 被配置为消息安全性而不是传输。

该服务需要使用证书,这意味着 System.WebServer 部分中的 SslFlags 属性可以设置为以下内容:

 <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>

我希望这有帮助 ;)

于 2012-09-11T12:20:59.643 回答