
How do I implement Client Certificate authentication the right way?

WCF is extremely extensible and has a lot of ready-to-use features; however, I keep struggling with some topics, and the more documentation I read, the more confused I get.

I hope to get some answers from the community. Feedback on any assumption or question is extremely welcome.

For the record: to really accept a single answer I should divide this post into multiple questions, but that would lead to even more confusion. I am pretty sure there are some real WCF experts online who can answer the few questions in this document all at once, so I can accept a single answer as the real deal on how to set up client certificate authentication using IIS the right way.

Let me sketch the situation and the partner's request:

1: The partner requirement and the question to use a client certificate.

Partner X needs to call an API on my backend and they have the clear requirement to use client certificate authentication. They created the client certificate and provided us the certificate with only the public key, since it seems only logical that they keep the private key actually private and in their own system(s). The certificate was imported into the local computer account and, looking at the certification path, it is valid. All intermediate certification authorities and, in the end, the root certification authority are trusted.

2: Our WCF server-side configuration

I have a serviceBehavior configured as such:

<behavior name="ClientCertificateBehavior">
    <serviceMetadata httpsGetEnabled="true" />
    <serviceCredentials>
        <serviceCertificate findValue="<serialnumber here>" x509FindType="FindBySerialNumber" />
        <clientCertificate>
            <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
    </serviceCredentials>
</behavior>

I guess I made a first mistake here and should use ChainTrust to actually validate the certificate using its certification path. What do you think?

The service is configured as such:

<service behaviorConfiguration="ClientCertificateBehavior" name="<Full service namespace and servicename>">
    <endpoint binding="basicHttpBinding" bindingConfiguration="Soap11CertificateBasicHttpBinding"
        contract="<The interface>"></endpoint>
</service>

The binding looks like this:

It is a basicHttpBinding to force SOAP 1.1 (according to the partner's specifications).

<binding name="Soap11CertificateBasicHttpBinding">
  <security mode="Transport">
    <transport clientCredentialType="Certificate" />
  </security>
</binding>

3: Hosting the WCF service in IIS and the IIS configuration

We host our WCF services in IIS7. We configured the folder in which the services reside to require SSL and to accept client certificates. Authentication-wise, anonymous authentication is enabled.

The thing is that communication from the partner works and we were confident that everything was OK; however, toggling the IIS setting to 'require' client certificate shows us that all of a sudden it is no longer possible to successfully call our service.

Am I correct to assume that the following things are not done correctly:

  • The serviceCertificate in the serviceBehavior is not really necessary. This is a setting used by the client. Or is it necessary to provide this certificate information for the service endpoint to match the certificate that's being sent by the client?

  • For client certificate authentication to really work in IIS, the certificate needs to be mapped to a user. This user should be granted permissions on the folder containing the services, and all authentication mechanisms (anonymous, Windows, ...) should be disabled. This way IIS will handle the actual handshake and validate the service communication. Or is mapping the certificate to a user more a matter of extra security?

  • By setting 'Accept' on IIS we bypass the actual certificate validation between client and server.

  • All authentication mechanisms like 'anonymous' and 'windows' have to be disabled on IIS for the folder which holds the services.

In your scenario, you don't need to configure certificates in WCF; IIS handles those for you. You can clear the entire <serviceCredentials> block, because:

The <serviceCertificate> of <serviceCredentials> specifies an X.509 certificate that will be used to authenticate the service to clients using Message security mode, which you do not use, and the <clientCertificate> of <serviceCredentials> defines an X.509 certificate used to sign and encrypt messages to a client from a service in a duplex communication pattern.

See here how to map client certificates to user accounts.
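Once IIS is set to require client certificates and validates the chain at the TLS layer, the service still has to decide which authenticated certificate is allowed to call the API (otherwise any certificate that chains to a trusted root gets in). The following is an added example, not code from the question or the answer above: a WCF ServiceAuthorizationManager that pins the partner's certificate by thumbprint, reading the certificate the transport layer authenticated out of the ServiceSecurityContext. The class name, the assembly name and the thumbprint value are placeholders; it assumes the Transport/Certificate binding shown in the question, hosted in IIS.

```csharp
using System;
using System.IdentityModel.Claims;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example (hypothetical type name). IIS/SChannel has already validated the
// chain, validity period and revocation of whatever certificate the caller
// presented; this class only decides whether that particular certificate is one
// the service accepts as the partner.
public sealed class PartnerCertificateAuthorizationManager : ServiceAuthorizationManager
{
    // Placeholder: the SHA-1 thumbprint of the partner's public certificate
    // (as shown in the certificate MMC snap-in), hex digits without spaces.
    private const string PartnerThumbprint = "<partner certificate thumbprint here>";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        X509Certificate2 clientCert = GetClientCertificate(operationContext.ServiceSecurityContext);
        return IsAuthorized(clientCert, PartnerThumbprint);
    }

    // Returns the certificate the transport layer authenticated, or null. With IIS set
    // to "Accept" instead of "Require", a call can arrive without any certificate;
    // there is then no X509CertificateClaimSet in the authorization context.
    public static X509Certificate2 GetClientCertificate(ServiceSecurityContext context)
    {
        if (context == null || context.IsAnonymous || context.AuthorizationContext == null)
            return null;

        return context.AuthorizationContext.ClaimSets
            .OfType<X509CertificateClaimSet>()
            .Select(claimSet => claimSet.X509Certificate)
            .FirstOrDefault();
    }

    // Pure decision logic, kept separate from WCF so it can be unit-tested.
    public static bool IsAuthorized(X509Certificate2 cert, string expectedThumbprint)
    {
        // No certificate presented: reject, even when IIS is configured to "Accept".
        if (cert == null)
            return false;

        // Thumbprint is the SHA-1 hash of the DER encoding; compare case-insensitively,
        // so a root-trusted certificate from anyone else is rejected.
        return string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}

/* Register it on the existing behavior in web.config. The <serviceCredentials>
   block can go, as the answer says; the <serviceAuthorization> element is what
   hooks the manager into the dispatcher:

   <behavior name="ClientCertificateBehavior">
       <serviceMetadata httpsGetEnabled="true" />
       <serviceAuthorization
           serviceAuthorizationManagerType="PartnerCertificateAuthorizationManager, <your assembly name>" />
   </behavior>
*/
```

Pinning by thumbprint means the configuration has to be updated when the partner renews their certificate; pinning on the issuing CA plus the subject instead trades that maintenance for a wider set of accepted certificates, so pick the one that matches the agreement with the partner.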
