【问题标题】:Fails when running WCF service with certificate使用证书运行 WCF 服务时失败
【发布时间】:2015-10-02 09:53:53
【问题描述】:

我有一个托管 WCF 服务的 Windows 服务,配置如下。

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Carglass.Movil.Service.CarglassService" behaviorConfiguration="CarglassServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:9002/CarglassServiceAGI" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="Carglass.Movil.Service.ICarglassService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CarglassServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <serviceCertificate findValue="CN=MWMWCF"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

证书已安装在机器上,并且网络服务用户正在以本地管理员的身份运行windows服务。已通过运行以下 命令

授予权限
netsh http add urlacl url=http://+:9002/CarglassServiceAGI user="NT AUTHORITY\NETWORK SERVICE"

...并通过在 mmc.exe 中管理 私钥,为该用户提供“完全控制”

但是每次我尝试运行我的服务时都会遇到以下异常:

System.ArgumentException:证书“CN=MWMWCF”可能没有能够进行密钥交换的私钥,或者进程可能没有私钥的访问权限。有关详细信息,请参阅内部异常。\r\n 在 System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 证书)\r\n 在 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()\r\n 在 System.ServiceModel。 Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)\r\n 在 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirements)\r\n 在 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)\r\n System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenR esolver& sctResolver)\r\n 在 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)\r\n 在 System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)\r\n n 在 System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(时间跨度超时)\r\n 在 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(时间跨度超时)\r\n 在 System.ServiceModel.Channels.CommunicationObject.Open(时间跨度超时) )\r\n 在 System.ServiceModel.Security.SecurityProtocolFactory.Open(布尔 actAsInitiator,TimeSpan 超时)\r\n 在 System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan 超时)\r\n 在 System.ServiceModel.Channels .SecurityChannelList ener1.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)\r\n at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)\r\n at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)\r\n at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)\r\n at System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout)\r\n at System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout)\r\n at System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)\r\n at System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)\r\n at System.ServiceModel.Security.SecuritySessionServerSettings.Open(TimeSpan timeout)\r\n at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)\r\n at System.ServiceModel.Channels.SecurityChannelListener1.OnOpen(TimeSpan timeout)\r\n at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)\r\n at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)\r\ n 在 System.ServiceModel.Channels.CommunicationObject.Open(时间跨度超时)\r\n 在 System.ServiceModel.ServiceHostBase.OnOpen(时间跨度超时)\r\n 在 System.ServiceModel.Channels.CommunicationObject.Open(时间跨度超时)\ r\n 在 System.ServiceModel.Channels.CommunicationObject.Open()\r\n 在 c:\TeamCity\buildAgent\work\MWM-Refactor 中的 MWM.Service.WindowsService.AGI.ServiceController.OnStart(String[] args) \MWM.Service\MWM.Service.WindowsService.AGI\ServiceController.cs:第 45 行

如果我从配置中删除它,效果很好:

<message clientCredentialType="Certificate"/>

【问题讨论】:

  • 那个 netsh 命令不授予对主键的访问权限。
  • url中的netsh命令出错了。已编辑。是你指的吗?
  • 没有。该 netsh 命令授予服务在该 URL 上托管服务的权利。它对证书没有任何作用。见duplicate
  • 嗨@CodeCaster 这些步骤已经完成,但仍然无法正常工作。网络服务是本地管理员,可以完全控制证书密钥。

标签: c# wcf ssl


【解决方案1】:

这篇文章解释了如何正确构建您的证书以及如何安装它们以提供足够的权限以使所有工作正常: http://returnsmart.blogspot.co.uk/2015/10/how-to-create-your-own-signed.html

【讨论】:

    猜你喜欢
    • 2011-07-07
    • 2012-08-06
    • 2020-02-24
    • 1970-01-01
    • 2018-10-20
    • 2013-06-17
    • 1970-01-01
    • 2016-09-23
    • 2014-05-11
    相关资源
    最近更新 更多