WCF Certificate Based Authentication Issue. Service is Getting authenticated with an invalid Certificate

I am a beginner with WCF services. I am trying to implement certificate-based authentication on a WCF service and have run into a problem. The service requires a specific certificate from the calling client. If the client does not pass any certificate, the server throws an authentication error. But at the same time, the service call is getting authenticated with any certificate the client provides (the service is supposed to authenticate only when the client provides the specific certificate).

Below is the code snippet for the server configuration:

Service configuration:

<bindings>
    <wsHttpBinding>
        <binding name="MyWsHttpBinding" maxReceivedMessageSize="2147483647" receiveTimeout="00:30:00">
            <readerQuotas maxStringContentLength="2147483647" maxBytesPerRead="2147483647" maxDepth="2147483647" maxArrayLength="2147483647"/>
            <security mode="Transport">
                <transport clientCredentialType="None" proxyCredentialType="None"/>
                <message clientCredentialType="Certificate" algorithmSuite="Default"/>
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

<serviceBehaviors>
    <behavior name="MyServiceBehavior">
        <serviceCredentials>
            <clientCertificate>
                <authentication certificateValidationMode="ChainTrust" />
            </clientCertificate>
            <serviceCertificate findValue="e616ebcd940951794736624acc6484802018c8d4" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
        </serviceCredentials>
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="true"/>
        <CustomBehaviorExtensionElement/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
</serviceBehaviors>


<endpointBehaviors>
    <behavior name="MyEndpointBehavior">
        <MySchemaValidator validateRequest="True" validateReply="False">
            <schemas>
                <add location="App_Data\model-service.xsd"/>
            </schemas>
        </MySchemaValidator>
    </behavior>
</endpointBehaviors>


<services>
    <service name="MyService" behaviorConfiguration="MyServiceBehavior">
        <endpoint binding="wsHttpBinding" bindingConfiguration="MyWsHttpBinding" contract="MyExchangeService" behaviorConfiguration="MyEndpointBehavior" bindingNamespace="http://www.mycompany.com/exchange/"/>
        <endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" name="mex"/>
    </service>
</services>

The cause of the problem is that the security mode you are using is Transport, so only the following code takes effect:

  <transport clientCredentialType="None" proxyCredentialType="None"/>

The following message setting has no effect:

 <message clientCredentialType="Certificate" algorithmSuite="Default"/>

Change the value in transport to Certificate. You can also download the WCF demo on the official website; there are examples of related certificate verification, and there are tutorials corresponding to the demo.

I see that the certificate validation mode used in your code is ChainTrust:

<clientCertificate>
    <authentication certificateValidationMode="ChainTrust" />
</clientCertificate>

As stated in the Microsoft Docs, using ChainTrust means:

The certificate is valid if the chain builds to a certification authority in the trusted root store

This means the client does not need to send exactly the certificate whose thumbprint is mentioned in your service's web.config.
In fact, any certificate whose root/intermediate certificate authority is present in your VM's Trusted Root Store will pass validation.

To ensure that clients can authenticate to your service only with a specific certificate, change ChainTrust to PeerTrust and add the certificate to the Trusted People store in the VM's certificate store (certmgr):

<authentication certificateValidationMode="PeerTrust" />

References:

  1. MS Docs - Working with certificates in WCF
  2. Authentication element in web.config
  3. More info on Certificate Chain of Trust
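Taken together, the two answers above describe two separate requirements: the transport must actually demand a client certificate (`<transport clientCredentialType="Certificate"/>`, since in Transport mode the `<message>` element is ignored), and the validation mode must accept one specific certificate rather than anything that chains to a trusted root. PeerTrust is one way to get the second property. As an added illustration, and not code from the question or from either answer, the validator below pins the client certificate by thumbprint in code instead; WCF supports this through `certificateValidationMode="Custom"` with `customCertificateValidatorType` naming the class. The class name, namespace, assembly name and the placeholder thumbprint are assumptions, not values from the page.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyCompany.Exchange.Security // assumed namespace
{
    // Hypothetical validator: accepts exactly one client certificate, identified by thumbprint,
    // and additionally requires that its chain still builds (so expiry and revocation are enforced).
    //
    // Wire it up in web.config (attribute names are WCF's own; the type name is this assumed class):
    //   <transport clientCredentialType="Certificate" proxyCredentialType="None"/>
    //   <clientCertificate>
    //     <authentication certificateValidationMode="Custom"
    //         customCertificateValidatorType="MyCompany.Exchange.Security.PinnedClientCertificateValidator, MyCompany.Exchange" />
    //   </clientCertificate>
    public sealed class PinnedClientCertificateValidator : X509CertificateValidator
    {
        // Placeholder: replace with the thumbprint of the one client certificate the service should accept.
        private const string ExpectedThumbprint = "<EXPECTED-CLIENT-CERTIFICATE-THUMBPRINT>";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException(nameof(certificate));
            }

            // Step 1: chain check. Pinning alone would happily accept an expired or revoked copy
            // of the pinned certificate, so keep the PKI checks that ChainTrust performs.
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                if (!chain.Build(certificate))
                {
                    throw new SecurityTokenValidationException(
                        "Client certificate rejected: chain did not validate (" +
                        DescribeChainStatus(chain) + ").");
                }
            }

            // Step 2: identity check. This is what ChainTrust alone does not give you: only the
            // certificate with the expected thumbprint is allowed through, not every certificate
            // issued by a trusted CA.
            if (!string.Equals(Normalize(certificate.Thumbprint), Normalize(ExpectedThumbprint),
                               StringComparison.Ordinal))
            {
                throw new SecurityTokenValidationException(
                    "Client certificate rejected: thumbprint " + certificate.Thumbprint +
                    " is not the pinned client certificate.");
            }
        }

        // Thumbprints are often copied from certmgr with spaces and mixed case; compare a canonical form.
        private static string Normalize(string thumbprint)
        {
            return (thumbprint ?? string.Empty).Replace(" ", string.Empty).ToUpperInvariant();
        }

        // Collect the chain status reasons so a rejected handshake can be diagnosed from the service log.
        private static string DescribeChainStatus(X509Chain chain)
        {
            var reasons = new System.Text.StringBuilder();
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                if (reasons.Length > 0)
                {
                    reasons.Append("; ");
                }
                reasons.Append(status.Status).Append(": ").Append(status.StatusInformation.Trim());
            }
            return reasons.Length > 0 ? reasons.ToString() : "no status details";
        }
    }
}
```

The validator only runs if the binding actually requires a client certificate at the transport layer; with `clientCredentialType="None"` WCF never asks the client for one and nothing here is invoked. Compared with PeerTrust, pinning in code keeps the accepted certificate under source control and produces an explicit rejection message, at the cost of a redeploy when the client certificate rotates.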