1

我試圖在IIS上通過ssl和映射到Windows用戶的客戶端證書在IIS Express(.NET 3.5)上承載wcf服務。在IIS Express上調用WCF服務:未授權

當我使用的TestClient的我收到以下錯誤控制檯應用程序:

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM,Negotiate'.

我不明白這是怎麼可能的,因爲當我檢查IIS快遞tracelogging我看到的則ClientCertificate映射在iisclientcertificatemapping httpmodule我的窗口用戶。

Extract from IIS tracelogging

正如截圖看到它是名稱爲「ServiceModel」凝固爲401

我啓用了SVC在客戶端和服務器端的,但是這是唯一跟蹤響應HTTP模塊登錄服務器端是

我的IIS快遞(對ApplicationHost.config)在web.config中被重寫了「連接‘https://myurl/orderservice.svc/ClientCert’接收字節」:

<system.webServer> 
    <security> 
     <authentication> 
     <windowsAuthentication enabled="true" /> 
     <anonymousAuthentication enabled="false" /> 
     <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="true" > 
      <oneToOneMappings> 
      <add enabled="true" certificate="MIICGjCCAYegAwIBAgIQfi996nkvEYdO6WBFfokO/jAJBgUrDgMCHQUAMCUxIzAhBgNVBAMTGkdsb2JhbFZpc2lvblNlcnZpY2VzUm9vdENBMB4XDTEyMDkwNzEyMjg1OVoXDTM5MTIzMTIzNTk1OVowHjEcMBoGA1UEAxMTR2xvYmFsVmlzaW9uQ2xpZW50MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5qBoLtQjkN2LtWdCQVbWqMA5N4jMmDM3yscUi3c7mwO9iFZaOcf41+SUFMivEXOOVI/5qVdaMII/ombGPopKoZhtXYUkv90psWwQHXNfqE1L+Vkur/u2KiQSImXLhSPF8qTR5RbRj3inpTWTg74p1a1HjbndU/lwu1cznl5vW/sCAwEAAaNaMFgwVgYDVR0BBE8wTYAQjpcP+m/6Y3T5yi7PJKxrGqEnMCUxIzAhBgNVBAMTGkdsb2JhbFZpc2lvblNlcnZpY2VzUm9vdENBghB+Uxyrj6x2rEV3HQ6vVX48MAkGBSsOAwIdBQADgYEAT5CiQCj4y9dW+zBSq96dRye3FJswAYiZgMLLoiyRV5h2QT7H0nxcdQ0mtdcN3OPunuvrYYlS58QVlBx6aozznmKeBuRl6GwWwQLYGxBRsKbQTuEiI85v1n/jK0LTT6FSGBMUlcJSn2NgnUAWgXvlf8f0SqLqApwWPeYybQxfz4U=" 
       userName="CORP\mywindowsuser" password="mypassword" /> 
      </oneToOneMappings> 
     </iisClientCertificateMappingAuthentication> 
     </authentication> 
     <authorization> 
     <add users="*" accessType="Allow"/> 
     </authorization> 
     <!--Require SSL *AND* require a client certificate --> 
     <access sslFlags="Ssl, SslNegotiateCert"/> 
    </security> 
    </system.webServer> 

使用此配置時,瀏覽器在導航到svc文件(https://myurl/orderservice.svc?wsdl)時請求客戶端證書,並且當我選擇自簽名證書時,我能夠看到服務的wsdl。對我來說,這意味着證書(rootca,服務器和客戶端證書)是正確的,ssl正在工作。

完成,這是我的服務配置服務器端:

<system.serviceModel> 
<serviceHostingEnvironment aspNetCompatibilityEnabled="false"> 
    <baseAddressPrefixFilters> 
    <add prefix="https://myurl:443"/> 
    </baseAddressPrefixFilters> 
</serviceHostingEnvironment> 
<diagnostics wmiProviderEnabled="true"> 
    <messageLogging 
     logEntireMessage="true" 
     logMalformedMessages="true" 
     logMessagesAtServiceLevel="true" 
     logMessagesAtTransportLevel="true" 
     maxMessagesToLog="3000" 
    /> 
</diagnostics> 
<bindings> 
    <wsHttpBinding> 
    <binding name="ClientCert"> 
     <security mode="Transport"> 
     <message clientCredentialType="Certificate"/> 
     </security> 
    </binding> 
    </wsHttpBinding> 
</bindings> 
<behaviors> 
    <serviceBehaviors> 
    <behavior name="wsHttpCertificateBehavior"> 
     <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/> 
     <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true"/> 
     <serviceAuthorization serviceAuthorizationManagerType="CompanyName.Model.Security.AuthorizationBehaviors.AdamAuthorizationManager,ServiceSecurity"> 
     <authorizationPolicies> 
      <add policyType="CompanyName.Model.Security.AuthorizationPolicies.AdamAuthorizationPolicy, ServiceSecurity" /> 
     </authorizationPolicies> 
     </serviceAuthorization> 
     <serviceCredentials> 
     <serviceCertificate findValue="certificatesubject" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/> 
     <clientCertificate> 
      <authentication revocationMode="NoCheck" mapClientCertificateToWindowsAccount="true" /> 
     </clientCertificate> 
     </serviceCredentials> 
    </behavior> 
    </serviceBehaviors> 
</behaviors> 
<services> 
    <service name="CompanyName.Model.Services.OrderService" behaviorConfiguration="wsHttpCertificateBehavior"> 
    <endpoint address="https://myurl/OrderService.svc/ClientCert" contract="CompanyName.Model.Services.ServiceContracts.IOrderService" binding="wsHttpBinding" bindingConfiguration="ClientCert"> 
    </endpoint> 
    </service> 
</services> 

服務配置客戶端

<system.serviceModel> 
    <diagnostics> 
     <messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxSizeOfMessageToLog="26214400" /> 
    </diagnostics> 
    <bindings> 
     <wsHttpBinding> 
     <binding name="ClientCertificate"> 
      <security mode="Transport"> 
      <transport clientCredentialType="Certificate"/> 
      </security> 
     </binding> 
     </wsHttpBinding> 
    </bindings> 
    <behaviors> 
     <endpointBehaviors> 
     <behavior name="wsHttpCertificateBehavior"> 
      <clientCredentials> 
      <clientCertificate findValue="39820c4f767c809bb8f64b0f52ccfd686093896c" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/> 
      <serviceCertificate> 
       <authentication revocationMode="NoCheck"/> 
      </serviceCertificate> 
      </clientCredentials> 
     </behavior> 
     </endpointBehaviors> 
    </behaviors> 
    <client> 
     <endpoint name="ClientCertificate" address="https://myurl/OrderService.svc/ClientCert" contract="CompanyName.Model.Services.ServiceContracts.OrderService" binding="wsHttpBinding" bindingConfiguration="ClientCertificate" behaviorConfiguration="wsHttpCertificateBehavior"/> 
    </client> 
    </system.serviceModel> 

如果我瀏覽到該服務,我得到以下:

Choose certificate

如果我選擇了正確的證書我得到這個:

Browser response

當我嘗試訪問端點在瀏覽器中,它說400錯誤的請求(這是正常的)

我已經花了幾個小時在這個,如果有人發現一個錯誤的配置或有經驗的ssl和clientcertificatemapping與託管在IIS上的wcf讓我知道。

回答

3

有2個CONFIGS之間的不一致性:

的WsHttpBinding的被設置爲客戶端和服務器,但在服務器端Config中ClientCredentialType傳輸安全被配置成用於消息安全性,而不是運輸。

的服務需要使用證書,這意味着SslFlags在System.WebServer部分屬性可以設置爲以下幾點:

<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/> 

我希望這有助於;)