[英]WCF message security stopped working after server certificate changed
我们的服务器/服务证书已过期,我们颁发了新证书。 将其替换为证书存储区(作为SSL服务器证书,没有问题),为运行该服务的AppPoolIdentity设置对它的私钥的访问权限。 我的服务配置:
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="A2AValidation" type="SPOZUS_T2S_A2A.A2AValidation+CustomBehaviorSection, SPOZUS_T2S_A2A, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</behaviorExtensions>
</extensions>
<protocolMapping>
<add scheme="http" binding="wsHttpBinding" />
<add scheme="https" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="MessageSecurityBinding">
<security mode="Message">
<message clientCredentialType="Certificate" establishSecurityContext="true" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ClientSecBehavior" name="SPOZUS_T2S_A2A.Service">
<endpoint address="" behaviorConfiguration="A2AValidationBehavior" bindingNamespace="https://DRW2012IIS.XXX.XXXX.XX:10002/A2A" binding="wsHttpBinding" bindingConfiguration="MessageSecurityBinding" name="A2AmessageEndpoint" contract="SPOZUS_T2S_A2A.IService" />
<endpoint address="mex" binding="mexHttpsBinding" name="A2AMessageEndpointMex" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://DRW2012IIS.XXX.XXXX.XX:10002/A2A/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="A2AValidationBehavior">
<A2AValidation />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ClientSecBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" trustedStoreLocation="LocalMachine" mapClientCertificateToWindowsAccount="true" />
</clientCertificate>
<serviceCertificate findValue="DRW2012IIS.XXX.XXXX.XX" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
当我从浏览器访问该服务时,将引发错误:
[CryptographicException: Invalid provider type specified.
]
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +5273481
System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +94
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +136
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +203
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +240
System.ServiceModel.Security.SecurityUtils.GetKeyContainerInfo(X509Certificate2 certificate) +42
System.ServiceModel.Security.SecurityUtils.CanKeyDoKeyExchange(X509Certificate2 certificate) +10
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +64
[ArgumentException: It is likely that certificate 'CN=DRW2012IIS.XXX.XXXX.XX, OU=IT, O=XXXXX, L=XXXXX, S=XXXX, C=XX' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.]
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +336
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +35
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +64
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +59
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +261
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver) +829
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver) +709
System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +208
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +81
System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +221
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout) +16
System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +842
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +125
System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +221
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) +130
System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) +738
[ServiceActivationException: The service '/TEST/A2A/Service.svc' cannot be activated due to an exception during compilation. The exception message is: It is likely that certificate 'CN=DRW2012IIS.XXX.XXXX.XX, OU=IT, O=XXXXX, L=XXXXX, S=XXXX, C=XX' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail..]
System.Runtime.AsyncResult.End(IAsyncResult result) +604003
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +238
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +178
看来问题出在证书使用者名称中使用的大写使用者名称。 我重新发行了带有小写域名说明的证书,并且现在可以使用。
我们也有此确切的错误消息,并花了相当长的时间来缩小问题范围。 我们使用Octopus Deploy安装我们的PFX证书,而Tentacle作为LocalSystem运行。
有一些有趣的发现:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.