
WCF with NTLM over HTTPS and certificates for messages?


I want to set up a WCF service that uses NTLM authentication over HTTPS and certificate security for the messages (I know that message encryption is usually not needed over HTTPS).

I have the certificates handling message security, but when I try to use TransportWithMessageCredential the client throws an exception:

Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.

IIS is configured to support only Windows authentication, require SSL and accept client certificates; the machines are in the same Active Directory domain (in fact, I am currently running it locally).

Any ideas what I'm doing wrong?

My service web.config looks like this:

<services>
    <service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
        <endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
        </endpoint>
    </service>
</services>

<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true" />
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>

<behaviors>
    <serviceBehaviors>
        <behavior name="CertificateServiceBehavior">
            <serviceCredentials>
                <windowsAuthentication allowAnonymousLogons="false" />
                <clientCertificate>
                    <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
                </clientCertificate>
                <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
            </serviceCredentials>
        </behavior>
    </serviceBehaviors>
</behaviors>

My client app.config looks like this:

<client>
    <endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
                contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig" 
                behaviorConfiguration="CertificateEndpointBehavior"
                name="serviceEndpoint">

    </endpoint>
</client>
<bindings>
    <ws2007HttpBinding>
        <binding name="CertificateBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>
<behaviors>
    <endpointBehaviors>
        <behavior name="CertificateEndpointBehavior">
            <clientCredentials>
                <windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
                <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust"/>
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

1 Answer

    The predefined modes don't allow you to achieve this kind of security. TransportWithMessageCredentials means:

    • HTTPS

    • No transport authentication

    • Security token in the message for client authentication

    • No message encryption

    Try this (untested) to get HTTPS with NTLM and mutual message security:

    <bindings>
      <customBinding>
        <binding name="MegaSecurity">
          <security authenticationMode="MutualCertificate"
                    messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                    includeTimestamp="true" />
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <httpsTransport authenticationScheme="Ntlm" />
        </binding>
      </customBinding>
    </bindings>
    

    You can also try the MutualSslNegotiated authentication mode for service credential negotiation, and Negotiate in authenticationScheme, to better match the Windows option of the predefined bindings.
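The following is an added example, not code from the question or the answer above. It builds the question's predefined WS2007HttpBinding and the answer's custom binding programmatically and then inspects the HTTPS transport element each one yields, so you can check which transport-level client authentication scheme a binding will actually use before deploying it (the exception in the question reports 'Anonymous' for the predefined binding). It assumes .NET Framework with a reference to System.ServiceModel; the class and method names are the example's own.

```csharp
// Added example (not from the original question or answer): builds the
// question's WS2007HttpBinding and the answer's custom binding in code and
// reports the client authentication scheme of the HTTPS transport element.
// Assumes .NET Framework with a reference to System.ServiceModel.
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class BindingInspector
{
    // The binding from the question, expressed in code instead of web.config.
    // In TransportWithMessageCredential mode the transport clientCredentialType
    // setting does not produce NTLM on the wire; this method lets you verify that.
    public static Binding PredefinedBinding()
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = true;
        return binding;
    }

    // The "MegaSecurity" custom binding from the answer, expressed in code.
    // scheme is Ntlm for the answer's first suggestion, Negotiate for its second.
    public static Binding CustomNtlmBinding(AuthenticationSchemes scheme)
    {
        // Message layer: mutual certificate security, same version string as the answer.
        SecurityBindingElement security = SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        security.IncludeTimestamp = true;

        // Encoding: SOAP 1.2 with WS-Addressing 1.0, as in the answer's textMessageEncoding.
        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap12WSAddressing10
        };

        // Transport: HTTPS with Windows authentication at the HTTP layer.
        var transport = new HttpsTransportBindingElement
        {
            AuthenticationScheme = scheme
        };

        // Order matters: security, then encoding, then transport.
        return new CustomBinding(security, encoding, transport);
    }

    // Returns the transport-level client authentication scheme of a binding,
    // i.e. what the HTTP layer will negotiate with IIS.
    public static AuthenticationSchemes TransportScheme(Binding binding)
    {
        HttpsTransportBindingElement https =
            binding.CreateBindingElements().Find<HttpsTransportBindingElement>();
        if (https == null)
            throw new InvalidOperationException("binding has no HTTPS transport element");
        return https.AuthenticationScheme;
    }

    static void Main()
    {
        Console.WriteLine("WS2007HttpBinding (TransportWithMessageCredential): "
                          + TransportScheme(PredefinedBinding()));
        Console.WriteLine("CustomBinding (Ntlm):      "
                          + TransportScheme(CustomNtlmBinding(AuthenticationSchemes.Ntlm)));
        Console.WriteLine("CustomBinding (Negotiate): "
                          + TransportScheme(CustomNtlmBinding(AuthenticationSchemes.Negotiate)));
    }
}
```

Compile this as a console application and run it on a machine with the .NET Framework; it only constructs bindings and does not open a channel, so it needs no running service. If you adopt the custom binding, apply the same binding on both client and service, and keep the serviceCredentials/clientCredentials behaviors from the original configs, since the MutualCertificate message layer still needs the service certificate and the client certificate to be configured.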
