使用证书在 IIS 中保护 WCF 服务

Question

我想使用自签名证书（由 inetmgr 生成）保护 WCF 4 中的服务应用程序。

但是，我不能。当我调用服务的方法时，我有一个 MessageSecurityException：

HTTP 请求被客户端身份验证方案“匿名”禁止。

web.config 文件：

<?xml version="1.0"?>
<configuration>
    <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <customErrors mode="Off"/>
    </system.web>

    <system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="TransportSecurity">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="Certificate" />
                        <message clientCredentialType="Certificate"/>
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>

        <behaviors>
            <serviceBehaviors>
                <behavior name="testingServiceBehavior">
                    <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
                    <serviceDebug includeExceptionDetailInFaults="false"/>
                </behavior>
            </serviceBehaviors>
        </behaviors>

        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

        <services>
            <service behaviorConfiguration="testingServiceBehavior"
                     name="Testing.Service1">

                <endpoint address=""
                          binding="wsHttpBinding"
                          bindingConfiguration="TransportSecurity"
                          contract="Testing.IService1" />

                <endpoint address="mex"
                          binding="mexHttpsBinding"
                          contract="IMetadataExchange" />
            </service>
        </services>
    </system.serviceModel>

    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
    </system.webServer>
</configuration>

我尝试使用该服务的代码是：

    public static bool validateCertificates(object sender,
                                            System.Security.Cryptography.X509Certificates.X509Certificate cert,
                                            System.Security.Cryptography.X509Certificates.X509Chain chain,
                                            System.Net.Security.SslPolicyErrors error)
    {
        return true;
    }

    private void button1_Click(object sender, EventArgs e)
    {
        System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(validateCertificates);

        WSHttpBinding binding = new WSHttpBinding();
        binding.Name = "secureBinding";

        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        EndpointAddress endpointAddress = new System.ServiceModel.EndpointAddress("https://rtsa.dnsalias.com:2490/Service1.svc");

        ProCell2.Servicios.Informes.Service1Client client = new Servicios.Informes.Service1Client(binding, endpointAddress);

        client.ClientCredentials.ClientCertificate.SetCertificate(
                StoreLocation.CurrentUser,
                StoreName.My,
                X509FindType.FindBySubjectName,
                "ServerWeb2");

        client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                StoreLocation.CurrentUser,
                StoreName.My,
                X509FindType.FindBySubjectName,
                "ServerWeb2");

        client.GetInformation();  // <-------- Here cause the exception

SSL 配置：

Answer 1

请将以下几行添加到您的客户端代码中：

// Disable credential negotiation and the establishment of 
// a security context.
myBinding.Security.Message.NegotiateServiceCredential = false;
myBinding.Security.Message.EstablishSecurityContext = false;

请参阅http://msdn.microsoft.com/en-us/library/ms733102.aspx 了解更多详情，并参阅What are the impacts of setting establishSecurityContext="False" if i use https? 了解它对您的沟通的影响。