我们的客户也面临同样困扰so many other人的时钟偏差问题。
这些页面中的答案和进一步的网络搜索帮助了很多,但我遇到了一个不同的问题。
在本地计算机上调试时,我可以看到绑定的属性设置正确。
但由于我无法在本地测试代码(我只有一个时钟),我必须将服务发布到测试服务器。然而,当我使用时钟偏差连接到服务时,我仍然收到MessageSecurityException s。
我的第一个想法是绑定在创建后被修改,但是我和这个项目的同事都确认绑定创建一次而后没有被触及。
我显然是做错了[TM]。如果有人能够阐明这件事,我将非常感激。提前谢谢。
这是创建绑定的代码:
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
// ... blah blah ...
// fix ongoing security
sbe.LocalClientSettings.DetectReplays = false;
sbe.LocalClientSettings.MaxClockSkew = TimeSpan.MaxValue;
sbe.LocalClientSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
sbe.LocalServiceSettings.DetectReplays = false;
sbe.LocalServiceSettings.MaxClockSkew = TimeSpan.MaxValue;
sbe.LocalServiceSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
// fix bootstrap security
SecureConversationSecurityTokenParameters sct = null;
if (sbe is SymmetricSecurityBindingElement)
{
SecurityTokenParameters tokenParameters =
((SymmetricSecurityBindingElement)sbe).ProtectionTokenParameters;
if (tokenParameters is SecureConversationSecurityTokenParameters)
{
sct = tokenParameters as SecureConversationSecurityTokenParameters;
}
}
else if (sbe is TransportSecurityBindingElement)
{
sct = sbe.EndpointSupportingTokenParameters
.Endorsing
.OfType<SecureConversationSecurityTokenParameters>()
.FirstOrDefault();
}
else
{
throw new ArgumentException("Binding has neiter a " +
"SymmetricSecurityBindingElement nor " +
"TransportSecurityBindingElement");
}
SecurityBindingElement bootbe = sct.BootstrapSecurityBindingElement;
bootbe.LocalClientSettings.DetectReplays = false;
bootbe.LocalClientSettings.MaxClockSkew = TimeSpan.MaxValue;
bootbe.LocalClientSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
bootbe.LocalServiceSettings.DetectReplays = false;
bootbe.LocalServiceSettings.MaxClockSkew = TimeSpan.MaxValue;
bootbe.LocalServiceSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
这是我在服务跟踪日志中收到的异常的调用堆栈:
System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
System.Runtime.InputQueue`1.Dispatch()
System.Runtime.ActionItem.DefaultActionItem.Invoke()
System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)
System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
答案 0 :(得分:1)
如果您的邮件由于服务器和客户端的时间差异超过时钟偏差设置而被拒绝,则您应该收到MessageSecurityException。鉴于你的描述,我认为你所看到的是预期的。
According to Microsoft,返回MessageSecurityException而非更具体的原因是因为
安全性异常可能会暴露一些非常敏感的信息 为此,我们决定不公开安全层的任何细节。 例如,您提到的时钟偏差问题,何时 暴露在故障异常中,会为攻击者提供时钟 倾斜服务的设置,并提供更多信息 特定攻击。