1

我想设置一个 WCF 服务,通过 HTTPS 使用 NTLM 身份验证并为消息使用证书安全性(我知道,通常 HTTPS 不需要消息加密)

我有证书在消息安全上工作,但是当我尝试使用 TransportWithMessageCredential 时,客户端抛出异常:

未处理的异常:System.ServiceModel.Security.MessageSecurityException:HTTP 请求未经客户端身份验证方案“匿名”授权。从服务器收到的身份验证标头是“协商,NTLM”

IIS 配置为仅支持 Windows Auth、需要 SSL 和接受客户端证书,机器位于同一个 Active Directory 域中(事实上,我现在正在本地运行)

任何想法我做错了什么?

我的服务 web.config 如下所示:

<services>
    <service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
        <endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
        </endpoint>
    </service>
</services>

<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>

<behaviors>
    <serviceBehaviors>
        <behavior name="CertificateServiceBehavior">
            <serviceCredentials>
                <windowsAuthentication allowAnonymousLogons="false" />
                <clientCertificate>
                    <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
                </clientCertificate>
                <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
            </serviceCredentials>
        </behavior>
    </serviceBehaviors>
</behaviors>

我的客户 app.config 是这样的:

<client>
    <endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
                contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig" 
                behaviorConfiguration="CertificateEndpointBehavior"
                name="serviceEndpoint">

    </endpoint>
</client>
<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>
<behaviors>
    <endpointBehaviors>
        <behavior name="CertificateEndpointBehavior">
            <clientCredentials>
                <windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
                <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust"/>
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>
4

1 回答 1

1

预定义模式不允许您实现这种安全性。TransportWithMessageCredentials方法:

  • HTTPS
  • 没有传输身份验证
  • 用于客户端身份验证的消息中的安全令牌
  • 没有消息加密

试试这个(未经测试)以获得具有 NTLM + 相互消息安全性的 HTTPS:

<bindings>
  <customBinding>
    <binding name="MegaSecurity">
      <security authenticationMode="MutualCertificate"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                includeTimestamp="true" />
      <textMessageEncoding messageVersion="Soap12WSAddressing10" />
      <httpsTransport authenticationScheme="Ntlm" />
    </binding>
  </customBinding>
</bindings>

您还可以尝试MutualSslNegotiated身份验证模式以进行服务凭据协商,并Negotiate更好authenticationScheme地匹配Windows预定义绑定中的选项。

于 2012-09-25T09:29:03.680 回答