
Self-hosted WCF service + client certificate authentication

I'm trying to implement a self-hosted WCF service which should use client authentication by certificate. Unfortunately the authentication fails. The log file says that the client does not provide a certificate. If I try to reach the service through Firefox, it says: "Error 403 - Forbidden".

The following code shows the configuration via the app.config file.

  <serviceBehaviors>
    <behavior name="sslbehaviour">
      <serviceMetadata httpsGetEnabled="true" /> 
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="ChainTrust" trustedStoreLocation="CurrentUser"/>
        </clientCertificate>
        <serviceCertificate findValue="cert-thumb-print" x509FindType="FindByThumbprint" storeLocation="CurrentUser" storeName="My"/>
      </serviceCredentials>            
    </behavior>
  </serviceBehaviors>

  <endpoint address="https://localhost:443/service" binding="wsHttpBinding"
      bindingConfiguration="BindingForResultPost" contract="MobD.IEndpointService" />

The error message: System.ServiceModel.Channels.HttpsClientCertificateNotPresent.aspx

I guess that I've created and installed my certs correctly.

I would be very grateful for every hint...

Kind regards, Michael

You say that when you try and reach it through Firefox you get a 403. Has Firefox got the client certificate installed?

What is the HTTP sub-code? My guess is you are getting a 403.7 (which means the client certificate is not installed, or not being presented by the browser), 403.16 (client certificate is untrusted), 403.17 (client certificate has expired) or possibly 403.13 (client certificate revoked).

One problem I have seen, on servers that do not have outgoing web access, is that you get one of the above 403 codes (can't remember which) because the server is unable to get a certificate revocation list, and so it declines all certificates. This check can be disabled, but obviously there are security considerations to be aware of.
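To tell the CRL case apart from a genuinely untrusted or expired certificate, the following PowerShell snippet (an added example, not part of the original answer) builds the chain for the client certificate the way WCF's ChainTrust mode does, once with online revocation checking and once with revocation checking switched off. The file path is an assumption; point it at the .cer the client presents.

```powershell
# Added diagnostic, not from the original answer. The path is a placeholder for the
# client's public certificate (.cer) copied to the server.
$certPath = 'C:\certs\MyClientCert.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

function Test-ClientCertChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Do not look for a CRL for the self-signed root itself (there is none)
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Require the Client Authentication EKU, as a TLS server does
    $clientAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
    $chain.ChainPolicy.ApplicationPolicy.Add($clientAuth) | Out-Null

    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        RevocationMode = $RevocationMode
        Valid          = $valid
        Status         = ($chain.ChainStatus |
            ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }) -join '; '
    }
}

# Pattern when the CRL is unreachable: Online fails with RevocationStatusUnknown /
# OfflineRevocation while NoCheck succeeds. A bad chain or an expired certificate
# fails in both runs, with UntrustedRoot / PartialChain / NotTimeValid instead.
Test-ClientCertChain -Certificate $cert -RevocationMode Online
Test-ClientCertChain -Certificate $cert -RevocationMode NoCheck
```

If only the Online run fails, the server cannot reach the CRL distribution point named in the certificate. WCF's equivalent switch is the revocationMode attribute on the `<authentication>` element (Online by default, NoCheck disables the lookup); disabling it means a revoked client certificate is still accepted, so the better fix is to allow the outbound CRL fetch or to publish the CRL somewhere the server can reach.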

Please refer to the below steps on where to install the client certificates:

You need to have the client certificate as follows:

On the client machine:

Current User --> Personal folder should have the client certificate MyClientCert.pfx installed

On server machines:

Local Machine --> TrustedPeople should have MyClientCert.cer installed

Make sure that the setup is correct. I see that you have the client certificate in the TrustedPeople of current user. Hope now it's clear on the certificates installation.

Please refer to this link that explains a bit on client certificate being installed and how to tell the browser to pick one from the store:

NOTE: When to use the .pfx and .cer files
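The steps above as an added PowerShell example (not code from the original answer), using the PKI module cmdlets available on Windows 8 / Server 2012 and later; the file paths are placeholders. One caveat the answer does not state: LocalMachine\TrustedPeople is the store consulted by the PeerTrust and PeerOrChainTrust validation modes, while ChainTrust (which the question's configuration uses) only needs the issuing CA in the trusted root or intermediate store.

```powershell
# Added example, not from the original answer. Requires the PKI module
# (Windows 8 / Server 2012 and later); paths are placeholders.

# --- on the client machine: private key + certificate into CurrentUser\My ---
$pfxPassword = Read-Host -Prompt 'Password for MyClientCert.pfx' -AsSecureString
$clientCert = Import-PfxCertificate -FilePath 'C:\certs\MyClientCert.pfx' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

# A certificate a browser or WCF client will offer must carry its private key...
if (-not $clientCert.HasPrivateKey) {
    throw 'No private key: import the .pfx on the client, not the .cer'
}
# ...and, if it has an EKU extension at all, that extension must list Client Authentication
$eku = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not $eku.EnhancedKeyUsages['1.3.6.1.5.5.7.3.2']) {
    throw 'EKU extension lacks Client Authentication (1.3.6.1.5.5.7.3.2)'
}

# Export only the public part as DER (.cer) for the server; the key never leaves the client.
# Note the thumbprint: it is what you compare on the server.
Export-Certificate -Cert $clientCert -FilePath 'C:\certs\MyClientCert.cer' | Out-Null
"Client thumbprint: $($clientCert.Thumbprint)"

# --- on the server machine (elevated): public certificate into LocalMachine\TrustedPeople ---
$serverCopy = Import-Certificate -FilePath 'C:\certs\MyClientCert.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'

# The server copy must have no private key and the same thumbprint printed on the client
if ($serverCopy.HasPrivateKey) { throw 'The server should only hold the public .cer' }
$serverCopy | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
```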

You have to assign port rights in Windows when you are self-hosting WCF services.

See this article on MSDN: How to: Configure a Port with an SSL Certificate

You can also use OpenSSL to check the port status.
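The port binding step as an added PowerShell example (not from the original answer). The thumbprint, the appid GUID, the account name and the paths are placeholders. Two checks the question's configuration does not show: with transport security, a self-hosted WCF service takes its server certificate from the http.sys binding rather than from `<serviceCertificate>`, and http.sys can only bind certificates stored in LocalMachine\My; and the binding configuration the endpoint names must use security mode Transport with clientCredentialType Certificate, otherwise WCF never expects a client certificate at all.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell on the server.
$thumb = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder: server cert thumbprint
$appId = '{7f5c9a0e-3b2d-4c8e-9f1a-2b3c4d5e6f70}'     # placeholder: any GUID naming your service
$user  = 'CONTOSO\svc-mobd'                            # placeholder: account the host process runs as

# http.sys binds certificates from LocalMachine\My only; a cert in CurrentUser\My cannot be used
if (-not (Test-Path "Cert:\LocalMachine\My\$thumb")) {
    throw "Server certificate $thumb is not in Cert:\LocalMachine\My"
}

# Reserve the URL namespace so the service account can listen without running as administrator
netsh http add urlacl 'url=https://+:443/service' "user=$user"

# Bind the certificate. clientcertnegotiation=enable makes http.sys request the client
# certificate during the TLS handshake; with it disabled (the default) the client is never
# asked, and WCF reports HttpsClientCertificateNotPresent although the client has one installed.
netsh http add sslcert 'ipport=0.0.0.0:443' "certhash=$thumb" "appid=$appId" clientcertnegotiation=enable

# Verify: the output must show 'Negotiate Client Certificate : Enabled'
netsh http show sslcert 'ipport=0.0.0.0:443'

# From a client with OpenSSL: convert the .pfx to PEM and watch the handshake with -state.
# A line containing 'read server certificate request' shows the server asks for a certificate;
# if that line is missing, the binding above is wrong, not the client.
openssl pkcs12 -in 'C:\certs\MyClientCert.pfx' -nodes -out 'C:\certs\client.pem'
'Q' | openssl s_client -connect localhost:443 -cert 'C:\certs\client.pem' -key 'C:\certs\client.pem' -state 2>&1 |
    Select-String 'certificate request', 'Verify return code'
```

The urlacl and sslcert entries are keyed by URL and by ip:port respectively; if a binding already exists for 0.0.0.0:443, remove it with `netsh http delete sslcert ipport=0.0.0.0:443` before adding the new one.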
