通过HTTPS使用NTLM的WCF和消息的证书?

时间:2012-09-22 00:54:00

标签: .net wcf x509certificate ntlm

我想设置一个通过HTTPS使用NTLM身份验证的WCF服务,并使用证书安全性来表示消息(我知道,通常HTTPS不需要消息加密)

我有证书可以解决邮件安全问题,但是当我尝试使用TransportWithMessageCredential时,客户端会抛出异常:

  

未处理的异常:System.ServiceModel.Security.MessageSecurityException:HTTP请求未经授权,客户端身份验证方案为“匿名”。从服务器收到的身份验证标头是“Negotiate,NTLM”

IIS配置为仅支持Windows身份验证,需要SSL和接受客户端证书,计算机位于同一个Active Directory域中(事实上,我现在正在本地运行)

任何想法我做错了什么?

我的服务web.config如下所示:

<services>
    <service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
        <endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
        </endpoint>
    </service>
</services>

<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>

<behaviors>
    <serviceBehaviors>
        <behavior name="CertificateServiceBehavior">
            <serviceCredentials>
                <windowsAuthentication allowAnonymousLogons="false" />
                <clientCertificate>
                    <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
                </clientCertificate>
                <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
            </serviceCredentials>
        </behavior>
    </serviceBehaviors>
</behaviors>

我的客户端app.config是这样的:

<client>
    <endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
                contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig" 
                behaviorConfiguration="CertificateEndpointBehavior"
                name="serviceEndpoint">

    </endpoint>
</client>
<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>
<behaviors>
    <endpointBehaviors>
        <behavior name="CertificateEndpointBehavior">
            <clientCredentials>
                <windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
                <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust"/>
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

1 个答案:

答案 0 :(得分:1)

预定义模式不允许您实现此类安全性。 TransportWithMessageCredentials表示:

  • HTTPS
  • 没有运输身份验证
  • 用于客户端身份验证的消息中的安全令牌
  • 无邮件加密

尝试使用此方法(未经测试)以获取具有NTLM +相互消息安全性的HTTPS:

<bindings>
  <customBinding>
    <binding name="MegaSecurity">
      <security authenticationMode="MutualCertificate"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                includeTimestamp="true" />
      <textMessageEncoding messageVersion="Soap12WSAddressing10" />
      <httpsTransport authenticationScheme="Ntlm" />
    </binding>
  </customBinding>
</bindings>

您还可以尝试使用MutualSslNegotiated身份验证模式与Negotiate进行服务凭据协商和authenticationScheme,以便更好地匹配预定义绑定中的Windows选项。