找不到“System.IdentityModel.Tokens.UserNameSecurityToken”令牌类型的令牌身份验证器。

Question

我正在尝试让第三方 Java 客户端与我编写的 WCF 服务进行通信。

收到消息时出现如下异常：

找不到令牌验证器 'System.IdentityModel.Tokens.UserNameSecurityToken' 令牌类型。代币 根据当前的安全性，不能接受该类型的 设置。

这是我的配置：

绑定

<customBinding>
    <binding name="TestSecureBinding">
        <security authenticationMode="MutualCertificate" />
        <textMessageEncoding messageVersion="Soap11WSAddressing10" />
        <httpsTransport requireClientCertificate="true" maxReceivedMessageSize="5242880" />
    </binding>
</customBinding>

行为：

  <serviceBehaviors>
    <behavior name="TestCertificateBehavior">
      <serviceCredentials>
        <clientCertificate>
          <certificate storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="Test 01"/>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck"/>
        </clientCertificate>
        <serviceCertificate storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="Test 01"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>

端点：

  <service name="TestService"
           behaviorConfiguration="TestCertificateBehavior">
    <endpoint
      name="TestEndpoint"
      address="https://localhost:443"
      contract="TestServiceContract"
      binding="customBinding"
      bindingConfiguration="TestSecureBinding">
    </endpoint>
    <host>
      <baseAddresses>
        <add baseAddress="https://localhost:443" />
      </baseAddresses>
    </host>

  </service>

有人知道这是什么原因吗？

Answer 1

这是因为在某处使用了错误的证书引用方式，如果我没记错的话，您要么直接引用证书，要么使用密钥标识符 - 无论如何，要超越它，您应该能够添加 allowSerializedSigningTokenOnReply 标记到您的客户端绑定配置上的安全标签并将其设置为 true。

应该为你超越它 - 记住，把这个客户端放在一边

抱歉，我找不到参考资料 - 我记得在某处读过它，但现在找不到！ :( ****编辑这里是**** - http://webservices20.blogspot.co.uk/2010/10/wcf-cannot-find-token-authenticator.html

<customBinding>  
<binding name="TestSecureBinding"> 
        <security allowSerializedSigningTokenOnReply="true" /> 
        etc
    </binding> 
<customBinding> 

Answer 2

我已接受我无法在配置文件中执行此操作，并已求助于在代码中创建服务主机。

这里是创建绑定、绑定元素和创建服务宿主的完整示例。

请注意，您可能没有使用WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005W - 您使用的版本可能比我必须使用的更新 - 但只需将其替换为您服务的正确版本即可。

var securityBindingElement = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
securityBindingElement.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
securityBindingElement.IncludeTimestamp = true;
securityBindingElement.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

var customBinding = new CustomBinding();
customBinding.Elements.Add(securityBindingElement);
customBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8));
customBinding.Elements.Add(new HttpsTransportBindingElement() { MaxReceivedMessageSize = 5242880 });

ServiceHost customServiceHost = new ServiceHost(type);
customServiceHost.AddServiceEndpoint(typeof(ITestServiceContract), customBinding, "https://localhost:443");
customServiceHost.Open();

Answer 3

确保检查您的客户端调用的端点地址。我们为此纠结了太久，直到我们意识到自定义绑定地址附录中有错字。