WCF 证书身份验证
WCF certificate authentication
在使用证书实现 wcf 安全性时,我遇到了下面提到的错误。
无法打开安全通道,因为与远程终结点的安全协商失败。这可能是由于在用于创建通道的 EndpointAddress 中缺少或错误指定了 EndpointIdentity。
我已经把证书放在 Trusted People 中了。
看起来像是身份问题,我已经尝试在服务和客户端配置中设置身份,但仍然没有用。
配置详情如下。
服务配置
<bindings>
<wsHttpBinding>
<binding name="WSHTTP">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<service name="WCFCertificateAuth.Service1">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration=""
bindingName="WSHTTP" contract="WCFCertificateAuth.IService1">
<!--<identity>
<dns value="WCfServer"/>
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="True" httpsGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="False" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WCfServer" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
客户端配置
<bindings>
<wsHttpBinding>
<binding name="WSHTTP_IService1" sendTimeout="00:05:00">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8733/WCFCertificateAuth/Service1/"
binding="wsHttpBinding" bindingConfiguration="WSHTTP_IService1"
contract="IService1" name="WSHTTP_IService1">
<identity>
<dns value="WCfServer" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior>
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
<clientCertificate findValue="WCfClient" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
我删除了身份标签并在地址字段中使用机器的全名代替 "localhost" 并且它工作正常。希望这对遇到上述错误的人有所帮助。
在使用证书实现 wcf 安全性时,我遇到了下面提到的错误。
无法打开安全通道,因为与远程终结点的安全协商失败。这可能是由于在用于创建通道的 EndpointAddress 中缺少或错误指定了 EndpointIdentity。
我已经把证书放在 Trusted People 中了。
看起来像是身份问题,我已经尝试在服务和客户端配置中设置身份,但仍然没有用。
配置详情如下。
服务配置
<bindings>
<wsHttpBinding>
<binding name="WSHTTP">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<service name="WCFCertificateAuth.Service1">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration=""
bindingName="WSHTTP" contract="WCFCertificateAuth.IService1">
<!--<identity>
<dns value="WCfServer"/>
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="True" httpsGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="False" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WCfServer" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
客户端配置
<bindings>
<wsHttpBinding>
<binding name="WSHTTP_IService1" sendTimeout="00:05:00">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:8733/WCFCertificateAuth/Service1/"
binding="wsHttpBinding" bindingConfiguration="WSHTTP_IService1"
contract="IService1" name="WSHTTP_IService1">
<identity>
<dns value="WCfServer" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior>
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
<clientCertificate findValue="WCfClient" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
我删除了身份标签并在地址字段中使用机器的全名代替 "localhost" 并且它工作正常。希望这对遇到上述错误的人有所帮助。