WCF error: Cannot find a token authenticator

Time: 2014-02-24 09:29:17

Tags: c# wcf ssl x509certificate http-token-authentication

I need to consume a WCF service over SSL, where the request has to be signed with one certificate and the response has to be validated with a different certificate.

When I run the code I get this error:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

According to the WCF trace it fails while trying to validate the signature of the response, because I can see the response arriving from the server.

Here is my WCF service configuration:

<system.serviceModel>
  <diagnostics>
    <messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="true"
      logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
    <endToEndTracing propagateActivity="true" activityTracing="true"
      messageFlowTracing="true" />

  </diagnostics>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CHClientCertificateBehavior">
        <clientCredentials supportInteractive="true">
          <clientCertificate findValue="clientcert" storeLocation="LocalMachine"
            storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="servercert" storeLocation="LocalMachine"
              storeName="My" x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <bindings>
    <basicHttpBinding>
      <binding name="DPBasicHttpBindingWithSSL" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
        maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288"
        textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"
        messageEncoding="Text">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" proxyCredentialType="None"
            realm="" />
          <message clientCredentialType="Certificate" algorithmSuite="Default" />
        </security>
      </binding>
    </basicHttpBinding>
    <customBinding>
      <binding name="DPCustomHttpBindingWithSSL">
        <security authenticationMode="CertificateOverTransport" allowSerializedSigningTokenOnReply="true"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                  requireDerivedKeys="false"
                  securityHeaderLayout="Lax" />
        <textMessageEncoding messageVersion="Soap11" />
        <httpsTransport maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288" />
      </binding>

    </customBinding>
  </bindings>
    <client>
        <endpoint address="https://myserver/service.asmx"
            behaviorConfiguration="CHClientCertificateBehavior" binding="customBinding"
            bindingConfiguration="DPCustomHttpBindingWithSSL" contract="ServiceRef.smssoap"
            name="smsEndpoint">
            <identity>
                <certificateReference storeName="My" storeLocation="LocalMachine"
                    x509FindType="FindBySubjectName" findValue="myserver" />
            </identity>
        </endpoint>

    </client>
</system.serviceModel>

As you can see, I have tried both basicHttpBinding and customBinding (converted with the online tool http://webservices20.cloudapp.net/default.aspx), and I have tried various combinations of settings, but I still get this error.

Any ideas? Disabling the signature validation of the response would also be an option, but how do I configure that?

3 answers:

Answer 0 (score: 2)

Try a custom binding with the following configuration:

<security allowSerializedSigningTokenOnReply="true" />

Answer 1 (score: 1)

I ran into the same problem and posted a solution here (for those who come here looking for an answer):

WCF - Cannot find a token authenticator for X509SecurityToken

Based on this question, it seems to be the same solution:

  1. Change authenticationMode="CertificateOverTransport" to authenticationMode="MutualCertificate"
  2. Use MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
  3. In the generated client, add ProtectionLevel = ProtectionLevel.Sign to the ServiceContractAttribute. This avoids encryption of the body.
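The three changes listed in this answer can also be expressed in code rather than in app.config, which makes it easier to see how the binding, the contract's ProtectionLevel and the client credentials fit together. The following is an added example and not code from the answer or from the question's project; the ISmsSoap contract, its namespace, the Send operation and the SignedSoapClientFactory class are assumptions standing in for the generated ServiceRef.smssoap proxy. Unlike the configurations posted on this page, it leaves certificate validation at ChainTrust with online revocation checking, so the certificate that signed the reply is actually authenticated rather than merely found.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;

// Hypothetical stand-in for the generated ServiceRef.smssoap contract.
// Step 3 of the answer: ProtectionLevel.Sign signs the body but does not encrypt it.
[ServiceContract(Namespace = "http://example.invalid/sms", ProtectionLevel = ProtectionLevel.Sign)]
public interface ISmsSoap
{
    [OperationContract]
    string Send(string message);
}

public static class SignedSoapClientFactory
{
    // Programmatic equivalent of the customBinding from the answer:
    // MutualCertificate authentication over HTTPS with the stated MessageSecurityVersion.
    public static CustomBinding CreateBinding()
    {
        // Steps 1 and 2: MutualCertificate mode, Feb-2005 WS-Trust / WS-SecureConversation
        // profile, and allowSerializedSigningTokenOnReply="true" so the server's signing
        // certificate carried in the reply is accepted as a token.
        SecurityBindingElement security = SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
            allowSerializedSigningTokenOnReply: true);
        security.SetKeyDerivation(false);                       // requireDerivedKeys="false"
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax; // securityHeaderLayout="Lax"
        security.IncludeTimestamp = true;                        // signed timestamp limits replay of a captured message

        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
        var transport = new HttpsTransportBindingElement
        {
            MaxReceivedMessageSize = 524288, // same quotas as the question's config
            MaxBufferSize = 524288,
        };

        // Order matters: security, then encoding, then transport.
        return new CustomBinding(security, encoding, transport);
    }

    // Builds a channel factory with the client certificate used to sign requests
    // and the service certificate used to verify the signature on responses.
    public static ChannelFactory<ISmsSoap> CreateFactory(Uri endpoint, X509Certificate2 clientCert, X509Certificate2 serviceCert)
    {
        // The endpoint identity must match the service certificate's subject; the
        // question's config expresses the same thing with <identity><certificateReference/>.
        string serviceCn = serviceCert.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
        var address = new EndpointAddress(endpoint, EndpointIdentity.CreateDnsIdentity(serviceCn));

        var factory = new ChannelFactory<ISmsSoap>(CreateBinding(), address);
        factory.Credentials.ClientCertificate.Certificate = clientCert;
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;

        // Keep validation on. certificateValidationMode="None" (as in the posted configs)
        // would accept a reply signed by any certificate at all.
        X509ServiceCertificateAuthentication auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        return factory;
    }

    // Sends one message and returns the service's reply; the channel is closed
    // (or aborted on failure) so a faulted proxy is never reused.
    public static string SendSigned(Uri endpoint, X509Certificate2 clientCert, X509Certificate2 serviceCert, string message)
    {
        ChannelFactory<ISmsSoap> factory = CreateFactory(endpoint, clientCert, serviceCert);
        ISmsSoap proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string reply = proxy.Send(message);
            channel.Close();
            factory.Close();
            return reply;
        }
        catch
        {
            channel.Abort();
            factory.Abort();
            throw;
        }
    }
}
```

If the service still rejects the reply with the same "cannot find a token authenticator" message after this change, enable the WCF message log as the question already does and compare the BinarySecurityToken in the response header with the certificate set in DefaultCertificate; a mismatch there, not the binding, is the usual remaining cause.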

Answer 2 (score: -3)

Solved!

<system.serviceModel>

  <behaviors>
    <endpointBehaviors>

      <behavior name="DPSSLXDIG">
        <clientCredentials supportInteractive="false">
          <clientCertificate findValue="clientcert" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="servercert" storeName="TrustedPeople" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="None" revocationMode="NoCheck" />
          </serviceCertificate>
          <windows allowNtlm="false" allowedImpersonationLevel="None" />
          <httpDigest impersonationLevel="None" />
          <peer>
            <peerAuthentication revocationMode="NoCheck" />
          </peer>
        </clientCredentials>
      </behavior>

    </endpointBehaviors>
  </behaviors>

  <bindings>

    <customBinding>

      <binding name="DPSSLXDIG">
        <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
        <security allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificateDuplex"
            requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="false">
          <secureConversationBootstrap />
        </security>
        <httpsTransport authenticationScheme="Anonymous" requireClientCertificate="true" />
      </binding>

    </customBinding>

  </bindings>
    <client>

      <endpoint address="https://myserver/webservice.asmx"
           behaviorConfiguration="DPSSLXDIG" binding="customBinding"
           bindingConfiguration="DPSSLXDIG" contract="serviceRef.smssoap"
           name="smsEndpoint">
        <identity>
          <dns value="servercert" />
        </identity>

      </endpoint>

    </client>
</system.serviceModel>