
WCF Client Certificate Validation + Windows Authentication

I've successfully created a WCF service which validates the incoming client certificate against the chain configured in IIS. However, as this is only a security mechanism to support authentication, I also need the Windows user calling my WCF service to handle authorization.

Normally when extracting the Windows User, you would do it like this:

ServiceSecurityContext.Current.WindowsIdentity.Name

When my service is configured with security mode TransportWithMessageCredentials, the PrimaryIdentity in the ServiceSecurityContext will return the certificate's SubjectName and the WindowsIdentity will be empty.

To look at the client configuration, I've specified the WsHttpBinding like this:

private static Binding GetHttpsBinding()
{
    var binding = new WSHttpBinding();
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    return binding;
}

The client certificate is added to the proxy client like this:

private static void ApplyClientCertificate(HelloServiceClient client)
{
    client.ClientCredentials.ClientCertificate.SetCertificate(
        storeLocation: StoreLocation.CurrentUser,
        storeName: StoreName.My,
        findType: X509FindType.FindBySubjectName,
        findValue: "ClientCertificatesTest"
    );
}

Switching the two ClientCredentialType values so the binding looks like this:

private static Binding GetHttpsBinding()
{
    var binding = new WSHttpBinding();
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

    return binding;
}

will work for extracting the Windows Credentials as described above, but an invalid certificate or no certificate at all is then also accepted! Therefore the authentication requirement is not fulfilled. I can also add that when configured this way my implementation of X509CertificateValidator on the server-side will not trigger, hence my suspicion that the client certificate is not added.

Surely there must be some way to add a client certificate for authentication and add Windows Credentials to handle authorization in WCF? Is there any other way that I can add the certificate than adding it to the client credentials?

Thanks in advance!
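As an added example (not code from the question, the answer or the linked post), the following server-side helper, assumed to be called at the start of each service operation, reads the AuthorizationContext to confirm that WCF really authenticated both a client certificate and a Windows account for the current call, and fails closed otherwise. It is a way to check which credentials a given binding configuration actually delivers before trusting it for authorization; the class and method names are hypothetical.

```csharp
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical server-side helper; an added example, not code from the original post.
public static class CallerCredentials
{
    // Returns the Windows identity WCF authenticated for the current call and
    // hands back the authenticated client certificate through 'certificate'.
    // Throws (fails closed) if either credential is absent, which is the
    // situation the question describes: a binding that silently accepted calls
    // with an invalid or missing client certificate.
    public static WindowsIdentity RequireCertificateAndWindowsCaller(
        out X509Certificate2 certificate)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new SecurityAccessDeniedException("Anonymous callers are rejected.");

        // Every credential WCF authenticated appears as its own ClaimSet, so the
        // certificate (if any) and the Windows account (if any) can be located
        // independently of which layer (transport or message) carried them.
        AuthorizationContext auth = ctx.AuthorizationContext;
        X509CertificateClaimSet certSet =
            auth.ClaimSets.OfType<X509CertificateClaimSet>().FirstOrDefault();
        WindowsClaimSet winSet =
            auth.ClaimSets.OfType<WindowsClaimSet>().FirstOrDefault();

        if (certSet == null)
            throw new SecurityAccessDeniedException(
                "No client certificate was authenticated for this call.");
        if (winSet == null || winSet.WindowsIdentity == null
            || winSet.WindowsIdentity.IsAnonymous)
            throw new SecurityAccessDeniedException(
                "No Windows identity was authenticated for this call.");

        certificate = certSet.X509Certificate;
        return winSet.WindowsIdentity;
    }
}

// Usage inside a service operation (hypothetical HelloService, hypothetical role name):
// X509Certificate2 cert;
// WindowsIdentity user = CallerCredentials.RequireCertificateAndWindowsCaller(out cert);
// if (!new WindowsPrincipal(user).IsInRole(@"MYDOMAIN\HelloUsers"))
//     throw new SecurityAccessDeniedException("Caller is not authorized.");
```

Logging the claim-set types found (rather than only the identity names) during testing shows directly whether a binding delivers the certificate, the Windows account, or only one of them.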

So the answer to this question would be to create your own CustomBinding to get both Windows Credentials and certificate validation.

With Web Service references you could present both a client certificate and Windows authentication credentials, so it's strange that this isn't available out of the box for WCF?

Did you implement the custom binding or have any links of examples of getting this working?

UPDATE: here's the solution to create a custom binding to get both Windows Authentication and Client Certificates: http://david-homer.blogspot.com/2021/05/using-net-wcf-basichttpbinding-to.html

Thanks,

Dave
