WCF - 找不到 X509SecurityToken 的令牌验证器
WCF - Cannot find a token authenticator for X509SecurityToken
我正在尝试调用第 3 方网络服务,我已经到了可以在服务跟踪查看器中实际看到来自服务器的响应的地步。但是,我不断收到 .NET 的异常:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type.
Tokens of that type cannot be accepted according to current security settings.
我的 app.config 看起来像这样(指纹被占位符替换):
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="OteBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"/>
<defaultCertificate findValue="<ThumbprintPlaceholder1>" x509FindType="FindByThumbprint" storeLocation="CurrentUser" storeName="TrustedPeople"/>
</serviceCertificate>
<clientCertificate findValue="<ThumbprintPlaceholder2>" x509FindType="FindByThumbprint"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="MyBinding">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="CertificateOverTransport"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="false"
enableUnsecuredResponse="true"
allowSerializedSigningTokenOnReply="true">
</security>
<httpsTransport maxBufferPoolSize="2147483646" maxBufferSize="2147483646" maxReceivedMessageSize="2147483646" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://example.com:1443/xxx/someService/"
binding="customBinding" bindingConfiguration="MyBinding" behaviorConfiguration="OteBehavior"
contract="ReportGasService.ReportGas" name="ReportGasEndpoint" />
</client>
现在,我已经尝试了所有我能找到的有关此异常的方法。
- 设置
authenticationMode为MutualCertificate:服务器响应404
- 设置
allowSerializedSigningTokenOnReply:无变化
来自服务器的响应包含:
<ds:KeyInfo Id="KI-1DE4B371623632132E1468838210413180294">
<wsse:SecurityTokenReference wsu:Id="STR-1DE4B271123632132E1468838710413180295">
<wsse:Reference URI="#X509-1DE4B271523632132E1468833710413180293" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
我能否在某处添加 x508SecurityToken 处理程序或以其他方式忽略此错误(这样做安全吗)
异常堆栈跟踪:
Server stack trace:
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
上面的意思是serverside吗?
您的 findValue 属性值都不正确。您应该将相应客户端证书的特定指纹值放在 app.config 中。
您可以通过证书 MMC 加载项查看证书指纹值。
我还要仔细检查是否像往常一样需要客户端 X509 证书,只有服务器端操作才需要它们。
我找到了解决方案:
- 将
authenticationMode="CertificateOverTransport"更改为authenticationMode="MutualCertificate"
- 使用
MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
- 在生成的客户端中,将
ProtectionLevel = ProtectionLevel.Sign添加到ServiceContractAttribute。这避免了对正文进行加密。
我还没有完全通过,但我相信这只是从提供商那里获得正确证书的问题。
对于其他人,这是我创建代理的方式:
var binding = new BasicHttpsBinding();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var address = new EndpointAddress(new Uri("https://xxx/yyy/someService/"));
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
var securityElement = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true);
securityElement.IncludeTimestamp = true;
var customBinding = new CustomBinding(binding);
customBinding.Elements.Insert(0, securityElement);
var client = new ReportGasClient(customBinding, address);
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "BCC3929F9C115D4BCA1C697E2557B7FC7D6C8C8C");
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindByThumbprint, "87C3B5EE3913937459D2FFBF105ADBD1A578E823");
请注意,我仅在沙盒环境中将 ValidationMode 设置为 None。这绝不能在生产中使用。
我正在尝试调用第 3 方网络服务,我已经到了可以在服务跟踪查看器中实际看到来自服务器的响应的地步。但是,我不断收到 .NET 的异常:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type.
Tokens of that type cannot be accepted according to current security settings.
我的 app.config 看起来像这样(指纹被占位符替换):
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="OteBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="None"/>
<defaultCertificate findValue="<ThumbprintPlaceholder1>" x509FindType="FindByThumbprint" storeLocation="CurrentUser" storeName="TrustedPeople"/>
</serviceCertificate>
<clientCertificate findValue="<ThumbprintPlaceholder2>" x509FindType="FindByThumbprint"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="MyBinding">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="CertificateOverTransport"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="false"
enableUnsecuredResponse="true"
allowSerializedSigningTokenOnReply="true">
</security>
<httpsTransport maxBufferPoolSize="2147483646" maxBufferSize="2147483646" maxReceivedMessageSize="2147483646" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://example.com:1443/xxx/someService/"
binding="customBinding" bindingConfiguration="MyBinding" behaviorConfiguration="OteBehavior"
contract="ReportGasService.ReportGas" name="ReportGasEndpoint" />
</client>
现在,我已经尝试了所有我能找到的有关此异常的方法。
- 设置
authenticationMode为MutualCertificate:服务器响应404 - 设置
allowSerializedSigningTokenOnReply:无变化
来自服务器的响应包含:
<ds:KeyInfo Id="KI-1DE4B371623632132E1468838210413180294">
<wsse:SecurityTokenReference wsu:Id="STR-1DE4B271123632132E1468838710413180295">
<wsse:Reference URI="#X509-1DE4B271523632132E1468833710413180293" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
我能否在某处添加 x508SecurityToken 处理程序或以其他方式忽略此错误(这样做安全吗)
异常堆栈跟踪:
Server stack trace:
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
上面的意思是serverside吗?
您的 findValue 属性值都不正确。您应该将相应客户端证书的特定指纹值放在 app.config 中。
您可以通过证书 MMC 加载项查看证书指纹值。
我还要仔细检查是否像往常一样需要客户端 X509 证书,只有服务器端操作才需要它们。
我找到了解决方案:
- 将
authenticationMode="CertificateOverTransport"更改为authenticationMode="MutualCertificate" - 使用
MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 - 在生成的客户端中,将
ProtectionLevel = ProtectionLevel.Sign添加到ServiceContractAttribute。这避免了对正文进行加密。
我还没有完全通过,但我相信这只是从提供商那里获得正确证书的问题。
对于其他人,这是我创建代理的方式:
var binding = new BasicHttpsBinding();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var address = new EndpointAddress(new Uri("https://xxx/yyy/someService/"));
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
var securityElement = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true);
securityElement.IncludeTimestamp = true;
var customBinding = new CustomBinding(binding);
customBinding.Elements.Insert(0, securityElement);
var client = new ReportGasClient(customBinding, address);
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "BCC3929F9C115D4BCA1C697E2557B7FC7D6C8C8C");
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindByThumbprint, "87C3B5EE3913937459D2FFBF105ADBD1A578E823");
请注意,我仅在沙盒环境中将 ValidationMode 设置为 None。这绝不能在生产中使用。