2

我有一个 WCF 服务,我需要在 IIS 7.5 上托管的 ASP.NET Web 应用程序中调用它。此 WCF 服务使用客户端证书的传输安全性。我获得了一个客户端证书,我使用 mmc 在“本地计算机/个人”存储位置安装了该证书。.pfx 安装了 2 个其他证书(无私钥),它们是我的带有私钥的客户端证书的 CA。我在运行时分配证书,因为将来我可能会将其他证书用于相同的 Web 服务。

 wcfClient.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySerialNumber, "XXXXXXXXXXXXXXXXXXXXXX");
 // debugging shows that client certificate was found
 var result = wcfClient.CallMyMethod();

对于在 ApplicationPoolIdentity 下运行的 Web 应用程序,调用 Web 服务会引发带有内部 WebException(403 禁止)的 MessageSecurityException,就好像我根本没有通过客户端证书一样。如果配置需要,实际上不设置有效证书将通过 InvalidOperationException。如果我在管理员帐户下运行,则不会引发异常。我需要能够调用 ApplicationPoolIdentity 下的 web 服务。

编辑:我认为证书链可能是这里的问题......

到目前为止我已经尝试过:

  1. 在 MMC 中:MyCertificate -> All Tasks -> Manage Private Keys... 我授予 IIS_IUSRS 管理私钥的权限
  2. 为 C:\ProgramData\Microsoft\Crypto\RSA 添加了对 IIS_IUSRS 的读取访问权限
  3. 我使用了 System.Net 跟踪,并比较了 ApplicationPoolIdentity 和我的管理员帐户的日志。在“我们有用户提供的证书。服务器已指定 24 个颁发者。寻找与任何颁发者匹配的证书。 ”行之后,一切看起来都一样,直到下面的某个点。

ApplicationPoolIdentity 日志:

System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5436] SecureChannel#20350898 - We have user-provided certificates. The server has specified 24 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [5436] SecureChannel#20350898 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [5436] Using the cached credential handle.
System.Net Information: 0 : [5436] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fc5d070:1ffd1d0, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=349, returned code=ContinueNeeded).
System.Net Information: 0 : [5436] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fc5d070:1ffd1d0, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5436] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fc5d070:1ffd1d0, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
System.Net Information: 0 : [5436] Remote certificate: [bla bla remote certificate]
System.Net Information: 0 : [5436] SecureChannel#20350898 - Remote certificate was verified as valid by the user.

管理员帐户日志:

System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5952] SecureChannel#60080036 - We have user-provided certificates. The server has specified 24 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [5952] SecureChannel#60080036 - Selected certificate: [Bla bla bla client cert info]
System.Net Information: 0 : [5952] SecureChannel#60080036 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5952] SecureChannel#60080036 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5952] SecureChannel#60080036 - Locating the private key for the certificate: [Bla bla bla client cert info]
System.Net Information: 0 : [5952] SecureChannel#60080036 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5952] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [5952] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4e5bb48:1fff710, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=5718, returned code=ContinueNeeded).
System.Net Information: 0 : [5952] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4e5bb48:1fff710, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5952] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4e5bb48:1fff710, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
System.Net Information: 0 : [5952] Remote certificate: [bla bla bla remote certificate]
4

2 回答 2

0

作为一个想法 - 为什么不在您的网络应用程序的配置中指定要发送的证书?如果证书要求发生变化,只需将其添加到您的 Web 应用程序的 web.config 中。查看客户端的设置方式,例如: http: //www.codeproject.com/KB/WCF/Senthil.aspx

<identity><certificate encodedValue="AwAAAAEAAAAUAAAAOTDk6LO4LsMQaY+65EgACb==" /></identity>
于 2011-08-28T03:58:50.020 回答
0

我们在这里遇到了同样的问题。通过确保将链中的证书放置在适当的位置来解决此问题。使用管理帐户,将证书安装到本地计算机存储的个人文件夹中时,它将中间证书放在同一文件夹中。将它们移动到中间证书颁发机构文件夹提供了对完整链的 ApplicationPoolIdentity 访问权限。

于 2012-06-15T17:45:37.297 回答