WCF with NTLM over HTTPS and certificate message security? I want to set up a WCF service that uses NTLM authentication over HTTPS and secures the message with certificates (I know that HTTPS normally removes the need for message encryption).
I have certificate message security working, but when I try to use TransportWithMessageCredential the client throws an exception:
Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
IIS is configured to support only Windows authentication, require SSL and accept client certificates; the machines are in the same Active Directory domain (actually, I am running it locally right now).
Any ideas what I am doing wrong?
My service web.config looks like this:
<services>
<service name="ServiceHost.MyTestService" behaviorConfiguration="CertificateServiceBehavior">
<endpoint address="" binding="ws2007HttpBinding" contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig">
</endpoint>
</service>
</services>
<bindings>
<ws2007HttpBinding>
<binding name="CertificateBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="CertificateServiceBehavior">
<serviceCredentials>
<windowsAuthentication allowAnonymousLogons="false" />
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
</clientCertificate>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="server" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
My client's app.config looks like this:
<client>
<endpoint address="https://server:9999/ServiceHost/TestService.svc" binding="ws2007HttpBinding"
contract="SharedLibrary.ITestService" bindingConfiguration="CertificateBindingConfig"
behaviorConfiguration="CertificateEndpointBehavior"
name="serviceEndpoint">
</endpoint>
</client>
<bindings>
<ws2007HttpBinding>
<binding name="CertificateBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"/>
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="CertificateEndpointBehavior">
<clientCredentials>
<windows allowNtlm="true" allowedImpersonationLevel="Impersonation"/>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="client"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
I assume your client certificate is registered in the client's Trusted People store?
@M.Babcock Yes, it is in Trusted People. If I use Message security against an unauthenticated HTTP endpoint, it works.
Are you using localhost in your endpoint address?
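An added diagnostic (not from the question or its comments) that builds the same binding settings as the CertificateBindingConfig above in code and reports which HTTP authentication scheme the HTTPS transport element actually ends up with. Under TransportWithMessageCredential, WCF configures the transport for protection only and sets the scheme to Anonymous, which is what the exception message reports; under plain Transport mode the Windows credential type is kept. It assumes .NET Framework's System.ServiceModel.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Inspects how WCF translates the binding's security mode into the
// HTTP authentication scheme used on the wire against IIS.
class BindingInspector
{
    // Same credential settings as the question's CertificateBindingConfig,
    // parameterised by security mode so the two modes can be compared.
    static WS2007HttpBinding Build(SecurityMode mode)
    {
        var binding = new WS2007HttpBinding(mode);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = true;
        return binding;
    }

    // The HTTPS transport binding element is what talks to IIS; its
    // AuthenticationScheme decides whether the channel will answer a
    // Negotiate/NTLM challenge or send the request anonymously.
    static AuthenticationSchemes EffectiveHttpAuth(Binding binding)
    {
        var https = binding.CreateBindingElements().Find<HttpsTransportBindingElement>();
        if (https == null)
        {
            throw new InvalidOperationException("Binding does not use an HTTPS transport.");
        }
        return https.AuthenticationScheme;
    }

    static void Main()
    {
        var modes = new[] { SecurityMode.Transport, SecurityMode.TransportWithMessageCredential };
        foreach (var mode in modes)
        {
            Console.WriteLine("{0,-32} HTTP auth scheme on transport: {1}",
                mode, EffectiveHttpAuth(Build(mode)));
        }
    }
}
```

With IIS set to Windows authentication only, an endpoint whose transport element reports Anonymous will be rejected before any message-level certificate credential is examined, so the transport clientCredentialType in the config is not what the channel sends in this mode.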