I want to set up a WCF service that uses NTLM authentication over HTTPS and additionally uses certificate security for the messages (I know that message encryption is normally not needed with HTTPS).
I have the certificates sorted out for message security, but when I try to use TransportWithMessageCredential the client throws an exception:
Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
IIS is configured to support only Windows authentication, requires SSL and accepts client certificates; the machines are in the same Active Directory domain (in fact I am currently running everything locally).
Any idea what I am doing wrong?
My service web.config looks like this:
<services>
  <service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
    <endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
    </endpoint>
  </service>
</services>
<bindings>
  <ws2007HttpBinding>
    <binding name="CertificateBindingConfig">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Windows" />
        <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
      </security>
    </binding>
  </ws2007HttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="CertificateServiceBehavior">
      <serviceCredentials>
        <windowsAuthentication allowAnonymousLogons="false" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
        </clientCertificate>
        <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
My client app.config looks like this:
<client>
  <endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
            contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig"
            behaviorConfiguration="CertificateEndpointBehavior"
            name="serviceEndpoint">
  </endpoint>
</client>
<bindings>
  <ws2007HttpBinding>
    <binding name="CertificateBindingConfig">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Windows" />
        <message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
      </security>
    </binding>
  </ws2007HttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="CertificateEndpointBehavior">
      <clientCredentials>
        <windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
        <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
Answer 0 (score: 1)
The predefined modes do not allow you to achieve this kind of security. TransportWithMessageCredentials means:
Try this (untested) to get HTTPS with NTLM + mutual message security:
<bindings>
  <customBinding>
    <binding name="MegaSecurity">
      <security authenticationMode="MutualCertificate"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                includeTimestamp="true" />
      <textMessageEncoding messageVersion="Soap12WSAddressing10" />
      <httpsTransport authenticationScheme="Ntlm" />
    </binding>
  </customBinding>
</bindings>
You can also try the MutualSslNegotiated authentication mode with Negotiate for both the service credential negotiation and the authenticationScheme, to match the Windows option of the predefined bindings more closely.
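The same custom binding built in C# code instead of configuration, as an added example that is neither the answer's nor the asker's code. It uses the WCF binding elements named in the answer's XML (MutualCertificate message security, text SOAP 1.2 encoding, HTTPS transport with NTLM) and adds the MutualSslNegotiated/Negotiate variant from the last paragraph as a second branch. The `MegaSecurityBinding` class name and the `useSslNegotiation` switch are this example's own; the contract name, endpoint address and certificate subject names ("server", "client") are taken from the question. Building the binding in code lets the compiler catch a misspelled security version or scheme that a config typo would only reveal at runtime.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

public static class MegaSecurityBinding   // hypothetical helper, not part of the original answer
{
    // useSslNegotiation = false -> MutualCertificate message security + NTLM on the HTTPS transport
    // useSslNegotiation = true  -> MutualSslNegotiated message security + Negotiate on the HTTPS transport
    public static CustomBinding Create(bool useSslNegotiation)
    {
        SecurityBindingElement security;
        if (useSslNegotiation)
        {
            // The service certificate is obtained by an SSL-style handshake inside the SOAP exchange;
            // 'true' makes the client present its own certificate as well (mutual).
            security = SecurityBindingElement.CreateSslNegotiationBindingElement(requireClientCertificate: true);
        }
        else
        {
            // Both parties sign/encrypt with X.509 certificates the other side already holds; nothing is negotiated.
            security = SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        }
        security.IncludeTimestamp = true;   // same as includeTimestamp="true"; limits replay of captured messages

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap12WSAddressing10
        };

        var transport = new HttpsTransportBindingElement
        {
            // This is the combination TransportWithMessageCredential cannot express:
            // Windows authentication on the transport plus certificate security in the message.
            AuthenticationScheme = useSslNegotiation ? AuthenticationSchemes.Negotiate
                                                     : AuthenticationSchemes.Ntlm
        };

        // Binding element order is message security, then encoding, then transport.
        return new CustomBinding(security, encoding, transport) { Name = "MegaSecurity" };
    }

    // Client-side equivalent of the <clientCredentials> behavior in the question.
    public static ChannelFactory<SharedLibrary.ITestService> CreateClientFactory(bool useSslNegotiation)
    {
        var factory = new ChannelFactory<SharedLibrary.ITestService>(
            Create(useSslNegotiation),
            new EndpointAddress("https://server:9999/ServiceHost/TestService.svc"));

        var creds = factory.Credentials;
        creds.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
        creds.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "client");
        creds.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;

        if (!useSslNegotiation)
        {
            // MutualCertificate does not negotiate the service credential, so the client must be
            // told which service certificate to encrypt to, out of band.
            creds.ServiceCertificate.SetDefaultCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "server");
        }
        return factory;
    }
}
```

PeerTrust on both ends means each certificate must already sit in the other machine's Trusted People store; with the default ChainTrust instead, a client certificate signed by any CA the server trusts would be accepted, so the chosen validation mode is part of the authorization decision, not just a setup detail.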