WCF與NTLM通過HTTPS和證書的消息？

Question

我想設置通過HTTPS使用NTLM身份驗證，並使用證書的安全性該消息的WCF服務（我知道，通常HTTPS否定了消息加密的需要）

我有證書在信息安全工作，但是當我嘗試使用TransportWithMessageCredential，客戶端會拋出異常：

未處理的異常：System.ServiceModel.Security.MessageSecurityException：HTTP請求是未經授權的客戶端身份驗證方案「匿名」。從服務器接收認證報頭是「協商，NTLM」

IIS配置爲只支持Windows身份驗證，需要SSL和接受客戶端證書，機器是在同一個Active Directory域（其實，我是現在在本地運行）

任何想法我做錯了什麼？

我的服務web.config文件看起來是這樣的：

<services> 
    <service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior"> 
     <endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig"> 
     </endpoint> 
    </service> 
</services> 

<bindings> 
    <ws2007HttpBinding> 
     <binding name="CertificateBindingConfig"> 
      <security mode="TransportWithMessageCredential"> 
       <transport clientCredentialType="Windows" /> 
       <message clientCredentialType="Certificate" negotiateServiceCredential="true" /> 
      </security> 
     </binding> 
    </ws2007HttpBinding> 
</bindings> 

<behaviors> 
    <serviceBehaviors> 
     <behavior name="CertificateServiceBehavior"> 
      <serviceCredentials> 
       <windowsAuthentication allowAnonymousLogons="false" /> 
       <clientCertificate> 
        <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" /> 
       </clientCertificate> 
       <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" /> 
      </serviceCredentials> 
     </behavior> 
    </serviceBehaviors> 
</behaviors> 

我的客戶的app.config是這樣的：

<client> 
    <endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding" 
       contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig" 
       behaviorConfiguration="CertificateEndpointBehavior" 
       name="serviceEndpoint"> 

    </endpoint> 
</client> 
<bindings> 
    <ws2007HttpBinding> 
     <binding name="CertificateBindingConfig"> 
      <security mode="TransportWithMessageCredential"> 
       <transport clientCredentialType="Windows" /> 
       <message clientCredentialType="Certificate" negotiateServiceCredential="true"/> 
      </security> 
     </binding> 
    </ws2007HttpBinding> 
</bindings> 
<behaviors> 
    <endpointBehaviors> 
     <behavior name="CertificateEndpointBehavior"> 
      <clientCredentials> 
       <windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/> 
       <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/> 
       <serviceCertificate> 
        <authentication certificateValidationMode="PeerTrust"/> 
       </serviceCertificate> 
      </clientCredentials> 
     </behavior> 
    </endpointBehaviors> 
</behaviors> 

Answer 1

預定義模式將不會允許你實現這種安全性。 TransportWithMessageCredentials手段：

• HTTPS
• 沒有交通工具認證
• 安全令牌消息客戶端身份驗證
• 沒有消息加密

試試這個（未測試），以獲得HTTPS使用NTLM +相互信息安全：

<bindings> 
    <customBinding> 
    <binding name="MegaSecurity"> 
     <security authenticationMode="MutualCertificate" 
       messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" 
       includeTimestamp="true" /> 
     <textMessageEncoding messageVersion="Soap12WSAddressing10" /> 
     <httpsTransport authenticationScheme="Ntlm" /> 
    </binding> 
    </customBinding> 
</bindings> 

您還可以嘗試MutualSslNegotiated身份驗證模式以獲得服務憑據協商，Negotiate在authenticationScheme中可更好地匹配來自預定義綁定的Windows選項。