我想设置一个WCF服务,它使用HTTPS上的NTLM身份验证,并使用证书安全性进行消息(我知道,通常HTTPS不需要消息加密)
我有证书处理邮件安全性,但当我尝试使用TransportWithMessageCredential时,客户端抛出异常:
未处理的异常:System.ServiceModel.Security.MessageSecurityException:HTTP请求未经授权,客户端身份验证方案为“匿名” . 从服务器收到的身份验证标头是“Negotiate,NTLM”
IIS配置为仅支持Windows身份验证,需要SSL和接受客户端证书,计算机位于同一个Active Directory域中(事实上,我现在正在本地运行)
我有什么想法我做错了吗?
我的服务web.config看起来像这样:
<services>
<service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
<endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
</endpoint>
</service>
</services>
<bindings>
<ws2007HttpBinding>
<binding name="CertificateBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CertificateServiceBehavior">
<serviceCredentials>
<windowsAuthentication allowAnonymousLogons="false" />
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
</clientCertificate>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
我的客户端app.config是这样的:
<client>
<endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig"
behaviorConfiguration="CertificateEndpointBehavior"
name="serviceEndpoint">
</endpoint>
</client>
<bindings>
<ws2007HttpBinding>
<binding name="CertificateBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="CertificateEndpointBehavior">
<clientCredentials>
<windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
1 回答
预定义模式不允许您实现此类安全性 .
TransportWithMessageCredentials
表示:HTTPS
没有运输身份验证
用于客户端身份验证的消息中的安全令牌
无邮件加密
试试这个(未经测试)以获得具有NTLM相互消息安全性的HTTPS:
您还可以尝试使用
MutualSslNegotiated
身份验证模式进行服务凭据协商,并在authenticationScheme
中使用Negotiate
以更好地匹配预定义绑定中的Windows
选项 .