
WCF svcutil with client certificate

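I have developed a WCF service that uses transport security with a required client certificate. It is hosted on IIS 7.5 and requires the client certificate to be checked. I have set up a mex endpoint and can view the wsdl in my browser at https://mydomain.com/Folder/Service.svc/mex?wsdl. Using SoapUI, I am able to connect successfully and the service works perfectly.

However, I want to set up a test client using svcutil.exe, because that is what my clients will do to create their clients. But when I run: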

svcutil https://mydomain.com/Folder/Service.svc/mex?wsdl /svcutilConfig:app.config

I get the following error:

C:\Program Files\Microsoft Visual Studio 9.0\VC>svcutil https://mydomain.com/Folder/Service.svc/mex?wsdl /svcutilConfig:app.config
Microsoft (R) Service Model Metadata Tool
[Microsoft (R) Windows (R) Communication Foundation, Version 3.0.4506.2152]
Copyright (c) Microsoft Corporation.  All rights reserved.

Attempting to download metadata from 'https://mydomain.com/Folder/Service.svc/mex?wsdl' using WS-Metadata Exchange or DISCO.
Microsoft (R) Service Model Metadata Tool
[Microsoft (R) Windows (R) Communication Foundation, Version 3.0.4506.2152]
Copyright (c) Microsoft Corporation.  All rights reserved.

Error: Cannot obtain Metadata from https://mydomain.com/Folder/Service.svc/mex?wsdl

If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address.  For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.

WS-Metadata Exchange Error
URI: https://mydomain.com/Folder/Service.svc/mex?wsdl

Metadata contains a reference that cannot be resolved: 'https://mydomain.com/Folder/Service.svc/mex?wsdl'.

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

The remote server returned an error: (403) Forbidden.

HTTP GET Error
URI: https://mydomain.com/Folder/Service.svc/mex?wsdl

There was an error downloading 'https://mydomain.com/Folder/Service.svc/mex?wsdl'.

The request failed with HTTP status 403: Forbidden.

Here is the relevant configuration from my server web.config file:

<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="MyServices">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<services>
  <service behaviorConfiguration="ServiceBehavior" name="MyService.MyServiceManager">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MyServices"
     name="MyServices" contract="MyService.IMyServiceManager">
      <identity>
        <dns value="mydomain.com" />
      </identity>
    </endpoint>
    <endpoint address="mex" binding="wsHttpBinding"  bindingConfiguration="MyServices"
        name="mexEndpoint" contract="IMetadataExchange"/>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpsGetEnabled="true" httpsGetUrl="https://mydomain.com:443/Folder/Service.svc/mex"/>
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="false"/>
      <serviceCredentials>
        <clientCertificate>
          <certificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" findValue="CN=tempClientcert"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
</system.serviceModel>

Here is my client /svcutilConfig:app.config file:

<configuration>
    <system.serviceModel>
        <client>
            <endpoint name="mexEndpoint" address="mex" binding="wsHttpBinding" contract="IMetadataExchange" behaviorConfiguration="MyBehavior" />
        </client>
        <behaviors>
            <endpointBehaviors>
                <behavior name="MyBehavior">
                    <clientCredentials>
                        <clientCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectDistinguishedName" findValue="CN=tempClientcert" />
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
    </system.serviceModel>
</configuration>

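I can't figure out why this configuration doesn't work. Also, all wsdl imports resolve to the correct FQDN URLs, and anonymous authentication is enabled in IIS.

Any assistance would be appreciated. Thank you very much for your help.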

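Hit this too. The only thing I can think of is that you are referencing a certificate that cannot be found, in which case svcutil doesn't seem to fail properly. Is the certificate definitely in the correct store, and does it have that distinguished name (not just the 'regular' subject name)?

Anyway, I spent long enough solving this problem that I decided to write a blog post about how to do it, which can be found here: http://blogs.msdn.com/b/stephens_scratchpad/archive/2012/12/19/client-certificates-for-https-wcf-services.aspx - hope it helps someone!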

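Old question, but I needed to change the client certificate after it expired (after which it didn't work!). After the change, the browser worked on the wsdl endpoint but svcutil did not. It was caused by the Windows Credential Manager, which can store a certificate against a URL so that it is presented automatically when the URL is accessed.

I forgot to update the Credential Manager with the new certificate!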
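
One way to run the checks the two answers point at (is the certificate in the right store under that exact distinguished name, and has it expired), as an added example that is not part of the original thread. The store location, store name and subject are the values from the question's config; the parameter names are this example's own.

```powershell
# Added diagnostic example, not code from the thread.
# Defaults mirror the question's <clientCertificate> element.
param(
    [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine',
    [System.Security.Cryptography.X509Certificates.StoreName]$StoreName = 'My',
    [string]$SubjectDN = 'CN=tempClientcert'
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Same find type as the config. It compares the entire distinguished name,
    # so a certificate whose subject has extra components (O=, OU=, ...) will not match.
    # validOnly = $false so expired or untrusted certificates are still listed.
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName,
        $SubjectDN, $false)

    if ($found.Count -eq 0) {
        Write-Warning "No certificate with subject DN '$SubjectDN' in ${StoreLocation}\${StoreName}."
        # List what the store does contain so a DN mismatch is easy to spot.
        $store.Certificates | Select-Object Subject, Thumbprint | Format-Table -AutoSize
        return
    }

    $now = Get-Date
    foreach ($cert in $found) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt $now)   # an expired client certificate is rejected
            HasPrivateKey = $cert.HasPrivateKey         # required for client authentication
            ChainValid    = $cert.Verify()              # basic chain validation on this machine
        }
    }
}
finally {
    $store.Close()
}
```

More than one row in the output means the lookup is ambiguous; compare the thumbprints against the certificate the server expects.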
