WCF 与 NTLM over HTTPS 和消息证书？

Question

我想设置一个 WCF 服务，通过 HTTPS 使用 NTLM 身份验证并为消息使用证书安全性（我知道，通常 HTTPS 不需要消息加密）

我有证书在消息安全上工作，但是当我尝试使用 TransportWithMessageCredential 时，客户端抛出异常：

未处理的异常：System.ServiceModel.Security.MessageSecurityException：HTTP 请求未经客户端身份验证方案“匿名”授权。从服务器收到的身份验证标头是 'Negotiate,NTLM'

IIS 配置为仅支持 Windows 身份验证、需要 SSL 和接受客户端证书，机器位于同一个 Active Directory 域中（事实上，我现在正在本地运行）

任何想法我做错了什么？

我的服务 web.config 如下所示：

<services>
    <service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
        <endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
        </endpoint>
    </service>
</services>

<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>

<behaviors>
    <serviceBehaviors>
        <behavior name="CertificateServiceBehavior">
            <serviceCredentials>
                <windowsAuthentication allowAnonymousLogons="false" />
                <clientCertificate>
                    <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
                </clientCertificate>
                <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
            </serviceCredentials>
        </behavior>
    </serviceBehaviors>
</behaviors>

我的客户 app.config 是这样的：

<client>
    <endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
                contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig" 
                behaviorConfiguration="CertificateEndpointBehavior"
                name="serviceEndpoint">

    </endpoint>
</client>
<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>
<behaviors>
    <endpointBehaviors>
        <behavior name="CertificateEndpointBehavior">
            <clientCredentials>
                <windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
                <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust"/>
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

Answer 1

预定义模式不允许您实现这种安全性。 TransportWithMessageCredentials 表示：

• HTTPS
• 没有传输身份验证
• 用于客户端身份验证的消息中的安全令牌
• 无消息加密

试试这个（未经测试）以获得具有 NTLM + 相互消息安全性的 HTTPS：

<bindings>
  <customBinding>
    <binding name="MegaSecurity">
      <security authenticationMode="MutualCertificate"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                includeTimestamp="true" />
      <textMessageEncoding messageVersion="Soap12WSAddressing10" />
      <httpsTransport authenticationScheme="Ntlm" />
    </binding>
  </customBinding>
</bindings>

您还可以尝试MutualSslNegotiated 身份验证模式以进行服务凭据协商，并在authenticationScheme 中尝试Negotiate 以更好地匹配预定义绑定中的Windows 选项。