【问题标题】:WCF error: Cannot find a token authenticator [duplicate]WCF 错误:找不到令牌身份验证器 [重复]
【发布时间】:2014-02-24 09:29:17
【问题描述】:

我需要通过 SSL 使用 WCF 服务,而请求需要使用一个证书进行签名,并且响应需要使用另一个证书进行验证。

执行代码时出现此错误:

找不到“System.IdentityModel.Tokens.X509SecurityToken”令牌类型的令牌验证器。根据当前的安全设置,该类型的令牌不能被接受。

根据 WCF 跟踪它在尝试验证响应签名时失败,因为我可以看到来自服务器的响应。

这是我的 WCF 服务设置:

<system.serviceModel>
  <diagnostics>
    <messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="true"
      logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
    <endToEndTracing propagateActivity="true" activityTracing="true"
      messageFlowTracing="true" />

  </diagnostics>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CHClientCertificateBehavior">
        <clientCredentials supportInteractive="true">
          <clientCertificate findValue="clientcert" storeLocation="LocalMachine"
            storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="servercert" storeLocation="LocalMachine"
              storeName="My" x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <bindings>
    <basicHttpBinding>
      <binding name="DPBasicHttpBindingWithSSL" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
        maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288"
        textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"
        messageEncoding="Text">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" proxyCredentialType="None"
            realm="" />
          <message clientCredentialType="Certificate" algorithmSuite="Default" />
        </security>
      </binding>
      </basicHttpBinding>
    <customBinding>
      <binding name="DPCustomHttpBindingWithSSL">
        <security authenticationMode="CertificateOverTransport" allowSerializedSigningTokenOnReply="true"                       messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" 
                  requireDerivedKeys="false" 
                  securityHeaderLayout="Lax" />
        <textMessageEncoding messageVersion="Soap11" />
        <httpsTransport maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288" />
      </binding>

    </customBinding>
  </bindings>
    <client>
        <endpoint address="https://myserver/service.asmx"
            behaviorConfiguration="CHClientCertificateBehavior" binding="customBinding"
            bindingConfiguration="DPCustomHttpBindingWithSSL" contract="ServiceRef.smssoap"
            name="smsEndpoint">
            <identity>
                <certificateReference storeName="My" storeLocation="LocalMachine"
                    x509FindType="FindBySubjectName" findValue="myserver" />
            </identity>
        </endpoint>

    </client>
</system.serviceModel>

如您所见,我尝试了 basicHttpBinding 和 customBinding(使用在线工具 http://webservices20.cloudapp.net/default.aspx 转换),我尝试设置不同的设置组合变体,但仍然出现此错误。

有什么想法吗?取消响应证书签名验证也是一种选择,但我该如何设置呢?

【问题讨论】:

  • 您从哪里调用此服务?赢得表格申请?
  • “取消响应证书签名验证也是一种选择”...不要让 Dominick Baier 听到!
  • 是的,我开发了tester win form app
  • 是的,迈克 :) 我也不喜欢这个解决方案,但我该怎么做呢?我试过 但我一直收到同样的错误...
  • 我还想问一下,您是通过从 WCF 测试客户端复制粘贴来创建设置的吗?

标签: c# wcf ssl x509certificate http-token-authentication


【解决方案1】:

尝试使用具有以下配置的自定义绑定:

<security allowSerializedSigningTokenOnReply="true" />

【讨论】:

  • 我在另一篇文章中看到了这个,试过了,但没有帮助...... :(
【解决方案2】:

我遇到了同样的问题并在这里发布了解决方案(对于那些来这里寻找答案的人):

WCF - Cannot find a token authenticator for X509SecurityToken

根据问题,它似乎是相同的解决方案:

  1. authenticationMode="CertificateOverTransport" 更改为authenticationMode="MutualCertificate"
  2. 使用MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
  3. 在生成的客户端中,将ProtectionLevel = ProtectionLevel.Sign 添加到ServiceContractAttribute。这样可以避免对正文进行加密。

【讨论】:

  • @CodeCaster:这个问题比链接的问题更早。它是否仍应标记为重复?我可以复制/粘贴解决方案,但这似乎没有意义。
  • 另一个似乎比这个有更好的答案。我会关闭这个。
【解决方案3】:

已解决!

<system.serviceModel>

  <behaviors>
    <endpointBehaviors>

      <behavior name="DPSSLXDIG">
        <clientCredentials supportInteractive="false">
          <clientCertificate findValue="clientcert" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="servercert" storeName="TrustedPeople" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="None" revocationMode="NoCheck" />
          </serviceCertificate>
          <windows allowNtlm="false" allowedImpersonationLevel="None" />
          <httpDigest impersonationLevel="None" />
          <peer>
            <peerAuthentication revocationMode="NoCheck" />
          </peer>
        </clientCredentials>
      </behavior>

    </endpointBehaviors>
  </behaviors>

  <bindings>

    <customBinding>

      <binding name="DPSSLXDIG">
        <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
        <security allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificateDuplex"
            requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="false">
          <secureConversationBootstrap />
        </security>
        <httpsTransport authenticationScheme="Anonymous" requireClientCertificate="true" />
      </binding>

    </customBinding>

  </bindings>
    <client>

      <endpoint address="https://myserver/webservice.asmx"
           behaviorConfiguration="DPSSLXDIG" binding="customBinding"
           bindingConfiguration="DPSSLXDIG" contract="serviceRef.smssoap"
           name="smsEndpoint">
        <identity>
          <dns value="servercert" />
        </identity>

      </endpoint>

    </client>
</system.serviceModel>

【讨论】:

  • 没错,是什么解决的?!
  • 就用这个配置
猜你喜欢
  • 1970-01-01
  • 2012-07-21
  • 2012-09-20
  • 2011-02-18
  • 2021-09-23
  • 2020-03-06
  • 1970-01-01
  • 1970-01-01
相关资源
最近更新 更多