我有WCF服务。我要求客户使用证书进行身份验证。 这是服务配置:
<system.serviceModel>
<services>
<service name="FilmLibrary.FilmManager" behaviorConfiguration="FilmService.Service1Behavior">
<endpoint address="manager" name="certBinding" binding="basicHttpBinding" contract="FilmContract.IFilmManager" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="certBinding">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="FilmService.Service1Behavior">
<serviceCredentials>
<clientCertificate>
<authentication trustedStoreLocation="LocalMachine"
certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
公钥安装在LocalMachine,Trusted People
中客户端配置如下:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="certBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="certBehaviour">
<clientCredentials>
<clientCertificate findValue="SubjectKey" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="[...]/Service1.svc/manager"
binding="basicHttpBinding" bindingConfiguration="certBinding" behaviorConfiguration="certBehaviour"
contract="FilmsService.IFilmManager" name="certBinding" />
</client>
</system.serviceModel>
私钥安装在个人,当前用户。
没有安全性,服务有效。启用安全性后 - 它没有启用。我尝试了几种配置,我遇到了身份验证失败或我必须在clientCredentials元素中设置服务证书的错误。我不明白,因为我根本不想验证服务。
答案 0 :(得分:3)
我发现以下指南非常有用且非常详细。 https://notgartner.wordpress.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/
它包括创建服务,客户端,证书和调整2个配置。
服务器:
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<!--only accept certificates in "Trusted People"-->
<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
客户端:
<bindings>
<basicHttpBinding>
<binding name="customBinding1">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="customBehavior1">
<clientCredentials>
<!--fabrkam-->
<clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindByThumbprint" findValue="d2 31 6a 73 1b 59 68 3e 74 41 09 27 8c 80 e2 61 45 03 b1 7e"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
我们将任何HTTP请求自动重定向到HTTPS,因此我们必须使用TransportWithMessageCredential类型的安全性。对于普通的Http,只使用Message作为安全类型也应该有效。
答案 1 :(得分:2)
而不是
<serviceCredentials>
<clientCertificate>
<authentication trustedStoreLocation="LocalMachine"
certificateValidationMode="PeerTrust" />
</clientCertificate>
</serviceCredentials>
我认为你应该有
<serviceCredentials>
<serviceCertificate findValue="SubjectKey" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
</serviceCredentials>
您没有通过此身份验证服务,而是告诉服务如何对客户端进行身份验证。
答案 2 :(得分:2)
我能够通过使用customBinding来完成同样的事情,如下所示:
<customBinding>
<binding name="bindingName">
<security authenticationMode="UserNameOverTransport" />
<httpsTransport requireClientCertificate="true"/>
</binding>
</customBinding>
(我省略了与你的案件无关的属性。)
至于authenticationMode,我认为您可以使用其中的任何一种 - httpsTransport和requireClientCertificate是这里的重要部分。