我正在以编程方式从App.config迁移到使用客户端证书身份验证/身份调用WCF服务。新代码是.NET Core,但测试控制台应用程序的目标框架已设置为net472,因此它在Azure Kudu中运行。
我到处搜索但无法摆脱这个错误信息。
错误:
未处理的异常:System.ServiceModel.Security.MessageSecurityException:传出消息的身份检查失败。对于'net.tcp:// myserver:1001 / MyServiceRelay / MyServiceRelay.svc'目标端点,预期标识是'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)'。
服务器堆栈跟踪:位于System.ServiceModel.SecurityIdentity(EndpointAddress serviceReference,AuthorizationContext authorizationContext,String errorString)的System.ServiceModel.Security.MessageSecurityProtocol.EnsureOutgoingIdentity(SecurityToken令牌,SecurityTokenAuthenticator身份验证器)
App.config中:
<endpoint name="MyEndpoint"
address="[PLACEHOLDER]"
binding="netTcpBinding"
bindingConfiguration="NetTcpAzureBinding"
behaviorConfiguration="AzureCertificateBehavior"
contract="MyCalledService">
<identity>
<certificate encodedValue="[PLACEHOLDER]" />
</identity>
</endpoint>
<netTcpBinding>
<binding name="NetTcpAzureBinding" maxReceivedMessageSize="20485760">
<readerQuotas maxArrayLength="20485760" maxStringContentLength="20485760" />
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</netTcpBinding>
<behavior name="AzureCertificateBehavior">
<clientCredentials>
<clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindByThumbprint" findValue="[PLACEHOLDER]" />
<serviceCertificate>
<authentication certificateValidationMode="None" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
代码相当于:
// My FindCertificate method performs a lookup by thumbprint, exactly the same code that below when using "SetCertificate".
X509Certificate2 certificate = Common.FindCertificate(settings.CertificateThumbprint);
var binding = new NetTcpBinding
{
// custom constant
MaxReceivedMessageSize = Common.MaxReceivedMessageSize
};
// custom constant
binding.ReaderQuotas.MaxArrayLength = Common.MaxArrayLength;
// custom constant
binding.ReaderQuotas.MaxStringContentLength = Common.MaxStringContentLength;
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
var endpoint = new EndpointAddress(new Uri(settings.MailService.EndpointAddress), EndpointIdentity.CreateX509CertificateIdentity(certificate));
_channelFactory = new ChannelFactory<IMailService>(binding, endpoint);
_channelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, settings.CertificateThumbprint);
_channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
_channelFactory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
怎么了?谢谢你的想法。
好吧,没有什么是“错误的”,但错误信息并不令人满意。一旦我得到它,我只需要替换:
EndpointIdentity.CreateX509CertificateIdentity(certificate)
通过:
EndpointIdentity.CreateDnsIdentity(settings.MailService.EndpointDns)
在端点身份初始化中。预期值出现在错误消息中......
帮助我的是设置一个通道工厂,通过将经典.config文件读取到配置类来初始化:
ExeConfigurationFileMap fileMap = new ExeConfigurationFileMap();
fileMap.ExeConfigFilename = "MailService.config";
Configuration newConfiguration = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
_channelFactory = new ConfigurationChannelFactory<IMailService>("MyEndpoint", newConfiguration, new EndpointAddress("net.tcp://myserver:1001/MyServiceRelay/MyServiceRelay.svc"));
(好吧,这没有成功调用端点,只是给了一个线索)。
仍有未解决的问题:为什么经典配置在没有抱怨端点DNS的情况下工作?我再次检查了一下。我读回2010年关于此安全检查的事情(防止网络钓鱼)。也很有用:https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/service-identity-and-authentication
欢迎评论。