我有一个通过https托管在IIS中的Web服务。我可以从测试客户端应用程序连接到服务,并且ger返回结果。
我想查看请求中使用的证书,但是服务器似乎没有此记录。
我正在按照下面的定义进行basicHttpBinding:
<basicHttpBinding>
<binding name="basicHttpBinding">
<security mode="Transport" />
</binding>
</basicHttpBinding>
在客户端代码中创建本地服务代理时,我将因此附加一个x509证书,其中userCerts是本地证书存储中证书的非空列表
var service = new WcfBasicServiceClient();
service.ClientCredentials.ClientCertificate.Certificate = userCerts[0];
double randomDouble = service.GetRandomDouble();
同样,呼叫将转到该服务。
在服务器端,我正在尝试检查所使用的证书。但是,ServiceSecurityContext.Current.PrimaryIdentity
是通用标识。另外,OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets
是一个空集。就像服务器不知道所使用的证书一样。
var securityContext = ServiceSecurityContext.Current;
var primaryIdentity = securityContext.PrimaryIdentity;
Logger.Info("Primary Identity: " + primaryIdentity);
Logger.Info("auth type: " + primaryIdentity.AuthenticationType);
Logger.Info("name: " + primaryIdentity.Name);
// gets an empty list here
// https://stackoverflow.com/a/7528703/680268
if (OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets == null)
{
Logger.Warn("claimset service configured wrong");
return;
}
if (OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets.Count <= 0)
{
Logger.Warn("claimset empty - service configured wrong");
return;
}
var cert = ((X509CertificateClaimSet)OperationContext.Current.ServiceSecurityContext.
AuthorizationContext.ClaimSets[0]).X509Certificate;
Logger.Info("cert serial num: " + cert.SerialNumber);
Logger.Info("subj name: " + cert.SubjectName);
Logger.Info("thumb print: " + cert.Thumbprint);
此外,在IIS网站设置上,我已经在SSL设置下设置了“接受”,但是没有启用“要求SSL”。
在我的服务上有什么错误配置,即它不接受客户端请求中的x509证书?
这是我的服务的web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="httpsBinding" allowCookies="true" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WcfServiceLibrary1.WcfBasicService">
<endpoint address="" binding="basicHttpBinding" contract="WcfServiceLibrary1.IWcfBasicService" name="basicHttpBinding" bindingConfiguration="httpsBinding">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information,
set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="True" httpsGetEnabled="True" />
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
编辑,我更新了web.config和app.config以指定证书的客户端凭据类型,但是随后在尝试在客户端上进行调用时出现以下错误:
ErrorSystem.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)