WCF客户端证书和用户名凭据禁止 [英] WCF Client Certificate AND UserName Credentials forbidden

问题描述

我在得到一个WCF客户端连接到需要客户端证书，也是一个用户名/密码的服务器的问题。

I'm having issues getting a WCF client to connect to a server that requires a client certificate and also a username / password.

我已经验证，使用JUST使用该客户端证书的作品：

I have verified that using JUST the client certificate works using this:

        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport = new HttpTransportSecurity();
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var ea = new EndpointAddress(EndpointUrl);

        using (var p = new ServiceReference1.AAAClient(binding, ea))
        {
            try
            {
                p.ClientCredentials.ClientCertificate.SetCertificate(
                        System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser,
                        System.Security.Cryptography.X509Certificates.StoreName.My,
                        System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
                        CertificateSubject);

                var x = p.RequiresClientCertificateOnly();
                Console.WriteLine("Status: " + x.status);
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }

            Console.WriteLine();
        }

下一个逻辑步骤是添加的用户名/密码部分，但它涉及回来403未经授权。我知道凭据和证书是有效的，因为我已经使用小提琴手在中间，以提供客户端证书和用户名/密码，它工作正常，全部采用通过WCF只是当它似乎没有工作，或使用同时发送客户端证书以及用户名/密码

The next logical step was to add the username / password parts, but it comes back with 403 unauthorised. I know the credentials and the certificate are valid as I have used fiddler in the middle to provide the client certificate and username / password and it works fine, just when using all through WCF it doesnt seem to work, or use send both the client certificate and the username / password.

试图同时使用是下面的代码（试图用的WSHttpBinding和basicHttpBinding的 - 两个相同的结果）：

The code trying to use both is below (tried with WSHttpBinding and BasicHttpBinding - same result for both):

        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

        var ea = new EndpointAddress(EndpointUrl);

        using (var p = new ServiceReference1.PingPortTypeClient(binding, ea))
        {
            try
            {
                p.ClientCredentials.ClientCertificate.SetCertificate(
                        System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser,
                        System.Security.Cryptography.X509Certificates.StoreName.My,
                        System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
                        CertificateSubject);

                p.ClientCredentials.UserName.UserName = Username;
                p.ClientCredentials.UserName.Password = Password;

                var x = p.pingDatabase();
                Console.WriteLine("Status: " + x.status);
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }

            Console.WriteLine();

当我转到直接在浏览器的URL - 我得到的错误：

When I goto the URL directly in a browser - I get the error:

HTTP错误403.7 - 禁止您试图访问
的页面要求您的浏览器有安全套接字层（SSL）客户端
证书该Web服务器识别

HTTP Error 403.7 - Forbidden The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

此以表明证书没有被在第二示例中发送上面，因为它是在相同的错误（403）接收。

This to suggests that the certificate is not being sent in the second example above as it is the same error (403) being received.

有人可以帮我与配置WCF提供客户端证书和用户名/密码？我已经搜罗网页，并在这里的类似的问题根本没有帮助。过得去很挫折，现在 - 我失去了什么。

Can someone please help me with the configuration for WCF to provide the client certificate AND the username / password? I have trawled the web, and the 'similar questions' on here have not helped at all. Getting very frustrate by it now - what am i missing?

推荐答案

您如果希望两个用户名（使用定制的绑定？消息级别）和证书（传输层）。例如：

You have to use a custom binding if you want both username (message level) and certificate (transport level). For example:

        <customBinding>
            <binding name="NewBinding0">
                <textMessageEncoding messageVersion="Default" />
                <security authenticationMode="UserNameOverTransport">
                    <secureConversationBootstrap />
                </security>
                <httpsTransport requireClientCertificate="true" />
            </binding>
        </customBinding>

如果你想使用WSHttp或BasicHttp messageVersion的价值取决于。目前我已经将它设置为默认，这是WSHttp，基本设定为Soap11。

The value of messageVersion depends if you want to use WSHttp or BasicHttp. Currently I've set it to "Default" which is WSHttp, for Basic set it to "Soap11".

这篇关于WCF客户端证书和用户名凭据禁止的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！