【发布时间】:2013-12-18 16:55:34
【问题描述】:
我正在尝试使用 SSL 服务上的证书设置安全传输。
该服务是通过 IIS 安装的,我使用“MyLaptop”证书(存储在本地机器/个人)配置它,该证书由自签名证书(“My Root CA”证书 - 存储在本地机器上受信任的根证书)验证当局)。服务似乎一切正常;我可以使用 Internet Explorer 访问它。
在服务器端,web.config 看起来像
<behaviors>
<serviceBehaviors>
<behavior name="EchoServiceBehavior">
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
</clientCertificate>
</serviceCredentials>
<serviceMetadata httpsGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="MutualSslBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="EchoServiceBehavior" name="HttpsBindingDemo.EchoService">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="MutualSslBinding"
contract="HttpsBindingDemo.IEchoService">
<identity>
<dns value="MyLaptop" />
</identity>
</endpoint>
<host>
<baseAddresses>
<add baseAddress="https://MyLaptop:12643/EchoService/" />
</baseAddresses>
</host>
</service>
在客户端,我安装了一个新证书“MyClient”(存储在 CurrentUser/Personal 上),由相同的“My Root CA”证书验证。
在客户端,app.config 看起来像
<behaviors>
<endpointBehaviors>
<behavior name="EchoClientBehavior">
<clientCredentials>
<clientCertificate findValue="MyClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IEchoService">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://MyLaptop:12643/EchoService/EchoService.svc" behaviorConfiguration="EchoClientBehavior"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IEchoService"
contract="SecuredServices.IEchoService" name="WSHttpBinding_IEchoService">
<identity>
<dns value="MyLaptop" />
</identity>
</endpoint>
</client>
每次尝试执行 EchoService.svc 的操作时,我都会收到以下错误: “客户端身份验证方案‘匿名’禁止 HTTP 请求。” 启用服务的日志,我发现第一条异常消息实际上是“需要客户端证书。在请求中未找到证书。这可能是因为操作系统或 IIS 无法成功验证客户端证书。有关如何绕过这些验证并在 WCF 中使用自定义 X509CertificateValidator 的信息,请参阅http://go.microsoft.com/fwlink/?LinkId=208540。”。
您能否帮助我了解如何正确配置服务以避免所描述的错误? 谢谢!
【问题讨论】:
标签: wcf authentication iis https certificate