c# - WCF 服务客户端配置生成错误

Question

我想对使用 ADFS 2.0 的用户进行身份验证，以使用自写的 WCF 服务。该服务已准备就绪且功能齐全。ADFS 2.0 也设置正确。

当我在代码中设置客户端绑定并在那里执行操作时，一切都按预期工作。但是当我喜欢使用“更新服务引用”生成的配置时，绑定是错误的，不能按预期工作。

我在哪里错过了什么？欢迎任何提示。

给出错误

未处理的异常：System.ServiceModel.FaultException：带有操作“http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue”的消息无法在接收器处处理，因为EndpointDispatcher 的 ContractFilter 不匹配。这可能是因为合约不匹配（发送方和接收方之间的操作不匹配）或发送方和接收方之间的绑定/安全不匹配。检查发送方和接收方是否具有相同的合同和相同的绑定（包括安全要求，例如消息、传输、无）。

服务器配置：

<bindings>
  <ws2007FederationHttpBinding>
    <binding>
      <security mode="TransportWithMessageCredential">
        <message establishSecurityContext="false">
          <issuerMetadata address="https://sts.local.domain/adfs/services/trust/mex" />
          <issuer address="https://sts.local.domain/adfs/services/trust/2005/windowstransport" binding="ws2007HttpBinding" />
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
            <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
  <ws2007HttpBinding>
    <binding>
      <security mode="Transport">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
        <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="true" />
      </security>
    </binding>
  </ws2007HttpBinding>
</bindings>

客户端配置（不工作）：

<bindings>
  <ws2007FederationHttpBinding>
    <binding name="WS2007FederationHttpBinding_IMyService" closeTimeout="00:01:00"
      openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
      bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
      textEncoding="utf-8" useDefaultWebProxy="true">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
        enabled="false" />
      <security mode="TransportWithMessageCredential">
        <message algorithmSuite="Default" establishSecurityContext="false"
          issuedKeyType="SymmetricKey" negotiateServiceCredential="true">
          <issuer address="https://sts.local.domain/adfs/services/trust/2005/windowstransport" binding="ws2007HttpBinding" />
          <issuerMetadata address="https://sts.local.domain/adfs/services/trust/mex" />
          <tokenRequestParameters>
            <AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
              <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://service.machine.local/STSWcfService/MyService.svc</Address>
              </EndpointReference>
            </AppliesTo>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
              <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
              <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
                xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                  Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                  Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
              </trust:Claims>
              <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
              <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
              <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
              <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
              <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
  <ws2007HttpBinding>
    <binding>
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
        <message clientCredentialType="Windows" establishSecurityContext="false" />
      </security>
    </binding>
  </ws2007HttpBinding>
</bindings>
<client>
  <endpoint address="https://service.machine.local/STSWcfService/MyService.svc"
    binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IMyService"
    contract="ServiceReference.IMyService" name="WS2007FederationHttpBinding_IMyService" />
</client>

代码中的客户端绑定（工作）：

private static SecurityToken GetToken()
{
    var factory = new WSTrustChannelFactory(new WindowsWSTrustBinding(SecurityMode.Transport), adfsEndPoint)
    {
        TrustVersion = TrustVersion.WSTrustFeb2005
    };

    var requestSecurityToken = new RequestSecurityToken
    {
        RequestType = WSTrustFeb2005Constants.RequestTypes.Issue,
        AppliesTo = new EndpointAddress(serviceEndPoint),
        KeyType = WSTrustFeb2005Constants.KeyTypes.Symmetric
    };

    var channel = factory.CreateChannel();
    return channel.Issue(requestSecurityToken);
}

private static void CallService(SecurityToken token)
{
    // create binding and turn off sessions
    var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
    binding.Security.Message.EstablishSecurityContext = false;

    // create factory and enable WIF plumbing
    var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress(serviceEndPoint));
    factory.ConfigureChannelFactory();

    // turn off CardSpace - we already have the token
    factory.Credentials.SupportInteractive = false;

    var channel = factory.CreateChannelWithIssuedToken(token);
    foreach (var claim in channel.GetClaims())
    {
        Console.WriteLine("{0}\n {1}\n  {2} ({3})\n", claim.ClaimType, claim.Value, claim.Issuer, claim.OriginalIssuer);
    }
}

Answer 1

我认为您的安全模式和客户端凭据可能不匹配。

将它放在您的 app.config（客户端和服务器）中，并确保进程对目录具有写访问权。

 <system.diagnostics>
    <sources>
      <source name="Microsoft.IdentityModel" switchValue="Verbose">
        <listeners>
          <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="c:\temp\WIF.svclog" />
        </listeners>
      </source>
      <source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
        <listeners>
          <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="c:\temp\WCF.svclog" />
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>

在试图找出问题所在时，这对我有很大帮助。我还建议（仅用于测试）在您的故障中包含服务异常。

<behaviors>  
    <serviceBehaviors> 
      <behavior>
       <serviceDebug includeExceptionDetailInFaults="true" />  
      </behavior>  
    </serviceBehaviors> 
</behaviors>   

请执行此操作并使用日志中的错误更新您的问题。

Answer 2

您可以创建另一个绑定部分并为其命名，而不是 Visual Studio 生成的名称。在下一次更新中，绑定将被合并。

Answer 3

由于某种原因，我无法添加评论 - 但是我已经看到 WCF '忽略'我的 wshttpbinding 并在我更改了我的 SVC 文件内容时采用了 basichttpbinding - 它最终依赖于该方案来确定绑定，结果, 忽略 http 地址的 basicHttpBinding 之外的任何内容。

看看那里，看看是否有帮助。