我在让WCF客户端连接到需要客户端证书以及用户名/密码的服务器时遇到问题。
我已经验证使用客户端证书可以使用此功能:
var binding = new WSHttpBinding(SecurityMode.Transport);
binding.Security.Transport = new HttpTransportSecurity();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var ea = new EndpointAddress(EndpointUrl);
using (var p = new ServiceReference1.AAAClient(binding, ea))
{
try
{
p.ClientCredentials.ClientCertificate.SetCertificate(
System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser,
System.Security.Cryptography.X509Certificates.StoreName.My,
System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
CertificateSubject);
var x = p.RequiresClientCertificateOnly();
Console.WriteLine("Status: " + x.status);
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
Console.WriteLine();
}
下一个合乎逻辑的步骤是添加用户名/密码部分,但返回403未经授权。我知道凭据和证书是有效的,因为我在中间使用了提琴手来提供客户端证书和用户名/密码,并且可以正常工作,只是在通过WCF进行全部使用时似乎不起作用,或者使用同时发送客户端证书以及用户名/密码。
试图同时使用两者的代码如下(尝试使用WSHttpBinding和BasicHttpBinding-两者的结果相同:]
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
var ea = new EndpointAddress(EndpointUrl);
using (var p = new ServiceReference1.PingPortTypeClient(binding, ea))
{
try
{
p.ClientCredentials.ClientCertificate.SetCertificate(
System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser,
System.Security.Cryptography.X509Certificates.StoreName.My,
System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
CertificateSubject);
p.ClientCredentials.UserName.UserName = Username;
p.ClientCredentials.UserName.Password = Password;
var x = p.pingDatabase();
Console.WriteLine("Status: " + x.status);
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
Console.WriteLine();
当我直接在浏览器中转到URL时,出现错误:
HTTP错误403.7-禁止访问您尝试访问的页面要求您的浏览器具有安全套接字层(SSL)客户端Web服务器可以识别的证书。
这表明在上面的第二个示例中未发送证书,因为它收到的是相同的错误(403)。
有人可以帮助我进行WCF的配置以提供客户端证书和用户名/密码吗?我已经拖网了,这里的“类似问题”根本没有帮助。现在变得非常沮丧-我想念什么?
如果要同时使用用户名(消息级别)和证书(传输级别),则必须使用自定义绑定。例如:
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Default" />
<security authenticationMode="UserNameOverTransport">
<secureConversationBootstrap />
</security>
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
messageVersion的值取决于您要使用WSHttp还是BasicHttp。当前,我已将其设置为“ Default”,即WSHttp,对于Basic,将其设置为“ Soap11”。
不是这个问题的答案,而是问题的标题将我带到了这里,所以也许其他人也可以:我需要一个Soap11绑定,同时具有证书(用于网关)和传输级别的用户名(用于应用程序)。 (这两个部分均由客户现场的不同团队和不同供应商维护。)
尽管名称为customBinding
和UserNameOverTransport
一起发送的用户名和密码在Soap-header(消息级别)中,而不在http-header(传输级别)中,导致用户名和密码到达FaultException
中的内部SecurityRequestChannel.ProcessReply
,源自应用程序:
FaultException: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
经过反复试验的[lot之后,事实证明可以通过组合配置和代码来完成。
<basicHttpBinding>
<binding name="cascheck_BasicHttpBinding_TransportCertificate_HttpauthInCode">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
<endpointBehaviors>
<behavior name="casCheckCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="Technical Account CAS User INT" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
</clientCredentials>
</behavior>
using (new OperationContextScope(client.InnerChannel))
{
…
var httpRequestProperty = new HttpRequestMessageProperty();
httpRequestProperty.Headers[System.Net.HttpRequestHeader.Authorization] =
"Basic " + Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes($"{username}:{password}"));
OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = httpRequestProperty;