【Question title】: Preventing WCF in IIS7 from caching authentication certificates
【Posted】: 2011-09-05 22:15:52
【Question】:

I am building a WCF-based application in which users authenticate with certificates stored on smart cards. The service is hosted on IIS7 and the client is a Windows Forms application.

The problem is that when a new user is added (a new certificate is created), that user cannot log in until IIS is restarted or the application pool is recycled. If an existing user is removed, he can still log in until the restart/recycle.

In my behavior definition I have

    <serviceCredentials>
        <serviceCertificate findValue="blahblah.local"
                            x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                membershipProviderName="SqlMembershipProvider" cacheLogonTokens="true"/>
        <clientCertificate>
            <authentication mapClientCertificateToWindowsAccount="true"
                            certificateValidationMode="ChainTrust" revocationMode="Online"/>
        </clientCertificate>
    </serviceCredentials>

Is there any way to prevent this certificate "caching" from happening, or to refresh the list of active certificates on demand?

【Comments】:

  • How are you adding the new certificates/clients?

Tags: wcf iis-7 x509certificate


【Answer 1】:

Apparently the caching is a known "feature" of System.IdentityModel. It is discussed here, with more information here.

What I did to work around it was to use a custom validator (code below).

Edit: added more code for validating X.509 certificates against the CRL in real time here

web.config

<clientCertificate>
    <authentication mapClientCertificateToWindowsAccount="true" certificateValidationMode="Custom" customCertificateValidatorType="My.IdentityModel.MyX509Validator, My.IdentityModel" />
</clientCertificate>

Code

using System;
using System.Diagnostics;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace My.IdentityModel
{
    /// <summary>
    /// Custom X.509 certificate validator
    /// Richard Ginzburg - richard (at) ginzburgconsulting (dot) com
    /// </summary>
    public class MyX509Validator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate", "Certificate validation failed, no certificate provided");
            }

            // Build the chain with an online revocation check of every element, so a freshly
            // issued or freshly revoked certificate is evaluated on each call instead of from cache.
            X509ChainPolicy myChainPolicy = new X509ChainPolicy
                                                {
                                                    RevocationMode = X509RevocationMode.Online,
                                                    RevocationFlag = X509RevocationFlag.EntireChain,
                                                    VerificationFlags = X509VerificationFlags.NoFlag,
                                                    UrlRetrievalTimeout = new TimeSpan(0, 0, 10),
                                                    VerificationTime = DateTime.Now
                                                };
            // true = use the machine certificate store, which is what the IIS application pool can see
            X509Chain chain = new X509Chain(true) {ChainPolicy = myChainPolicy};

            try
            {
                bool ok = chain.Build(certificate);
                if(!ok)
                {
                    // The original used an application-specific Logging.Log helper; Trace is used here so the class compiles stand-alone.
                    foreach (var status in chain.ChainStatus)
                    {
                        Trace.TraceWarning("MyX509Validator: Validation failed - " + status.StatusInformation);
                    }
                    throw new SecurityTokenValidationException("Certificate validation failed when building chain");
                }
            }
            catch (CryptographicException e)
            {
                throw new SecurityTokenValidationException("Certificate validation failed when building chain, " + e);
            }
        }
    }
}
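Switching certificateValidationMode to Custom hands the whole trust decision to the validator, and the class above accepts any chain that builds to any root in the machine store. The following variant, added here as an example and not part of the original answer, additionally pins the expected issuing root by thumbprint and requires the Client Authentication EKU; the thumbprint value is a placeholder to be replaced with your CA's.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace My.IdentityModel
{
    // Variant of the answer's validator that also pins the trust anchor and requires the
    // Client Authentication EKU; a chain ending at any other root is rejected.
    public class PinnedX509Validator : X509CertificateValidator
    {
        // Hypothetical placeholder: SHA-1 thumbprint(s) of the CA(s) that issue the smart-card certificates.
        private static readonly HashSet<string> TrustedRootThumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "PLACEHOLDER_ROOT_CA_THUMBPRINT" };
        private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null) throw new ArgumentNullException("certificate");
            // Only client-authentication certificates may log on; a server or signing
            // certificate from the same CA must not be usable as a logon credential.
            bool hasClientAuth = false;
            foreach (X509Extension ext in certificate.Extensions)
            {
                var eku = ext as X509EnhancedKeyUsageExtension;
                if (eku == null) continue;
                foreach (Oid oid in eku.EnhancedKeyUsages)
                    if (oid.Value == ClientAuthEku) hasClientAuth = true;
            }
            if (!hasClientAuth)
                throw new SecurityTokenValidationException("Certificate lacks the Client Authentication EKU");
            var chain = new X509Chain(true); // machine context, as in the answer's validator
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);
            bool ok;
            try { ok = chain.Build(certificate); }
            catch (CryptographicException e) { throw new SecurityTokenValidationException("Chain build error: " + e.Message); }
            if (!ok)
                throw new SecurityTokenValidationException("Chain build failed: " + chain.ChainStatus[0].StatusInformation);
            // The last chain element is the self-signed root; compare its thumbprint to the pinned set.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!TrustedRootThumbprints.Contains(root.Thumbprint))
                throw new SecurityTokenValidationException("Certificate chains to an unexpected root: " + root.Subject);
        }
    }
}
```

Register it the same way as in the web.config above, with customCertificateValidatorType pointing at My.IdentityModel.PinnedX509Validator.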

【Comments】:
