如何設置WCF安全性以要求客戶端證書？

Question

我有WCF服務。我要求客戶用證書進行認證。 這是服務配置：

<system.serviceModel> 
     <services> 
      <service name="FilmLibrary.FilmManager" behaviorConfiguration="FilmService.Service1Behavior"> 
       <endpoint address="manager" name="certBinding" binding="basicHttpBinding" contract="FilmContract.IFilmManager" /> 
      </service>    
     </services> 
     <bindings> 
      <basicHttpBinding> 
       <binding name="certBinding"> 
        <security mode="Message"> 
         <message clientCredentialType="Certificate" /> 
        </security> 
       </binding> 
      </basicHttpBinding> 
     </bindings> 
     <behaviors> 
      <serviceBehaviors> 
       <behavior name="FilmService.Service1Behavior"> 
        <serviceCredentials> 
         <clientCertificate> 
          <authentication trustedStoreLocation="LocalMachine" 
          certificateValidationMode="PeerTrust" /> 
         </clientCertificate>            
        </serviceCredentials>  
      </behavior> 
      </serviceBehaviors> 
     </behaviors> 
    </system.serviceModel> 
</configuration> 

公共密鑰安裝在LOCALMACHINE，信任的人

客戶端的配置如下：

<system.serviceModel> 
     <bindings> 
      <basicHttpBinding> 
       <binding name="certBinding" closeTimeout="00:01:00" openTimeout="00:01:00" 
        receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" 
        bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" 
        maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" 
        messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" 
        useDefaultWebProxy="true"> 
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" 
         maxBytesPerRead="4096" maxNameTableCharCount="16384" /> 
        <security mode="Message"> 
         <message clientCredentialType="Certificate"/> 
        </security> 
       </binding> 
      </basicHttpBinding> 
     </bindings> 
     <behaviors> 
      <endpointBehaviors> 
       <behavior name="certBehaviour"> 
        <clientCredentials> 
         <clientCertificate findValue="SubjectKey" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/> 
        </clientCredentials> 
       </behavior> 
      </endpointBehaviors> 
     </behaviors> 
     <client> 
      <endpoint address="[...]/Service1.svc/manager" 
       binding="basicHttpBinding" bindingConfiguration="certBinding" behaviorConfiguration="certBehaviour" 
       contract="FilmsService.IFilmManager" name="certBinding" /> 
     </client> 
    </system.serviceModel> 

私有密鑰安裝在個人，當前用戶。

沒有安全性，服務工作。啓用安全性 - 不會。我嘗試了幾種配置，發現身份驗證失敗或我必須在clientCredentials元素中設置服務證書等錯誤。我不明白，因爲我根本不想驗證服務。

Answer 1

而不是

  <serviceCredentials> 
       <clientCertificate> 
        <authentication trustedStoreLocation="LocalMachine" 
        certificateValidationMode="PeerTrust" /> 
       </clientCertificate>            
      </serviceCredentials> 

我想你應該有

  <serviceCredentials> 
       <serviceCertificate findValue="SubjectKey" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>            
      </serviceCredentials> 

您不受此認證服務，而不是你說的是服務的客戶端是如何進行認證。

Answer 2

我能夠通過使用customBinding來完成同樣的事情，就像這樣：

<customBinding> 
    <binding name="bindingName"> 
     <security authenticationMode="UserNameOverTransport" /> 
     <httpsTransport requireClientCertificate="true"/> 
    </binding> 
    </customBinding> 

（我忽略了你的情況不相關的屬性）

至於authenticationMode，我想你可以使用它們中的任何一個 - httpsTransport和requireClientCertificate是這裏的重要部分。

Answer 3

我發現以下指南非常有幫助和非常詳細。 https://notgartner.wordpress.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/

它涵蓋了創建服務，客戶端，證書和調整2配置。

服務器：

<bindings> 
    <basicHttpBinding> 
    <binding name="secureHttpBinding"> 
     <security mode="TransportWithMessageCredential"> 
     <message clientCredentialType="Certificate" /> 
     </security> 
    </binding> 
    </basicHttpBinding> 
</bindings> 

<behaviors> 
    <serviceBehaviors> 
    <behavior> 
     <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" /> 
     <serviceDebug includeExceptionDetailInFaults="true" /> 
     <serviceCredentials> 
     <clientCertificate> 
      <!--only accept certificates in "Trusted People"--> 
      <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" /> 
     </clientCertificate> 
     </serviceCredentials> 
    </behavior> 
    </serviceBehaviors> 
</behaviors> 

客戶：

<bindings> 
    <basicHttpBinding> 
    <binding name="customBinding1"> 
     <security mode="TransportWithMessageCredential"> 
     <message clientCredentialType="Certificate" /> 
     </security> 
    </binding> 
    </basicHttpBinding> 
</bindings> 

<behaviors> 
    <endpointBehaviors> 
    <behavior name="customBehavior1"> 
     <clientCredentials> 
     <!--fabrkam--> 
     <clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindByThumbprint" findValue="d2 31 6a 73 1b 59 68 3e 74 41 09 27 8c 80 e2 61 45 03 b1 7e"/> 
     </clientCredentials> 
    </behavior> 
    </endpointBehaviors> 
</behaviors> 

我們自動重定向任何HTTP請求到HTTPS，所以我們必須使用TransportWithMessageCredential類型的安全性。對於正常的Http只使用Message作爲安全類型也應該起作用。