Using Wcf SSL certificate over Tcp without client certificate (Server side only)


Problem description

Is there any way to use WCF SSL with NetTcpBinding that would not require a client certificate to be installed on the client machine? (SSL V2 if I'm not mistaken.)

We want the server certificate to be in the client's trusted store for authentication and to encrypt its messages with the server's public key, which means only the server machine will hold a private-key certificate.

We're using a NetTcpBinding and not a customBinding on both sides. If it can be done, what's the correct configuration for it? (On client & server configs.)

Thanks in advance.

Here is my WCF configuration.


SERVER CONFIG:



    <configuration>
      <system.serviceModel>
        <bindings>
          <netTcpBinding>
            <binding name="TcpSecureBinding">
              <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceCredentialsBehavior">
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceMetadata httpGetEnabled="true" />
              <serviceAuthorization principalPermissionMode="UseWindowsGroups">
              </serviceAuthorization>
              <serviceCredentials>
                <!-- attribute is includeWindowsGroups (was misspelled includeWindowsGruops) -->
                <windowsAuthentication includeWindowsGroups="true"
                                       allowAnonymousLogons="false"/>
                <clientCertificate>
                  <!-- enum value is case-sensitive: None -->
                  <authentication certificateValidationMode="None"/>
                </clientCertificate>
                <!-- element is serviceCertificate (not serverCertificate);
                     findValue is a placeholder for the real thumbprint -->
                <serviceCertificate findValue="thumbprint"
                                    storeLocation="LocalMachine"
                                    x509FindType="FindByThumbprint"
                                    storeName="My"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service behaviorConfiguration="ServiceCredentialsBehavior"
                   name="ServiceModel.Calculator">
            <endpoint address="net.tcp://localhost:8040/Calculator"
                      binding="netTcpBinding"
                      bindingConfiguration="TcpSecureBinding"
                      contract="ServiceModel.ICalculator">
              <identity>
                <dns value="localhost"/>
              </identity>
            </endpoint>
          </service>
        </services>
      </system.serviceModel>
    </configuration>


CLIENT CONFIG:



    <configuration>
      <system.serviceModel>
        <client>
          <endpoint address="net.tcp://localhost:8040/Calculator"
                    behaviorConfiguration="endpointCredentialBehavior"
                    binding="netTcpBinding"
                    bindingConfiguration="Binding1"
                    contract="ServiceModel.ICalculator">
            <identity>
              <dns value="localhost"/>
            </identity>
          </endpoint>
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="endpointCredentialBehavior">
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <netTcpBinding>
            <binding name="Binding1">
              <security mode="Transport">
                <transport clientCredentialType="Windows" />
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
      </system.serviceModel>
    </configuration>


I'm adding my current server & client configs. Some other questions:


  1. At the authentication level we want the client to authenticate the server's cert (I think the server's public key should be in the TrustedPeople store). Is this possible?

Do you recommend we use Transport security or Message security?

If we want to authenticate client & server by NTLM (clientCredentialType=Windows), can it be done in addition to the server's cert authentication, or can only one of them be applied? Till now, we've used NTLM authentication.

Right now I'm getting the exception: "The requested upgrade is not supported by 'net.tcp://servername:8040/**'. This could be due to mismatched bindings (for example security enabled on the client and not on the server)." I understand this error occurred because the client is using Windows security and the server is on Certificate, but when I'm changing the client security to Certificate as well, I'm getting an error: "The client certificate is not provided". But I don't want to set a client certificate, and that's part of my main problem.

We read that we can use these tags for the server's cert authentication:


    <identity>
      <certificate encodedValue="encoded certificate"/>
    </identity>


But I think this authentication by identity is done by an encoded certificate, whereas we prefer that the cert's identification be performed by searching for the server's public key in the client's store (TrustedPeople). Is this information really true? Are these identity tags an alternative to searching for the public key in the client's trusted store?

Hope you will be able to assist in these matters, thanks again.

Recommended answer

If you are using netTcpBinding and need to use Transport security then you have 3 options: the first option requires a service cert, the second requires no cert at all, the third requires both a service cert and a client cert. For your scenario, you should use option 1, which will authenticate the service via its cert and will provide Confidentiality and Integrity for the messages.


C >> Confidentiality
I >> Integrity
A >> Authentication (That will happen for the client)

1- Option one provides (C + I); no authentication will happen for the client. In this case the TCP SSL (not the HTTPS SSL) will be used to provide the C and I, and the service will be

    <!--//Below are the configuration for both the service and the client-->
    <netTcpBinding>
      <binding name="TcpSecureBinding">
        <security mode="Transport">
          <transport clientCredentialType="None"></transport>
        </security>
      </binding>
    </netTcpBinding>

Also, because the TCP SSL will be used, the service must provide a certificate to the client, so you need to install a certificate on the server and configure the service to use this certificate to prove its identity. You also need to install the root certificate authority certificate for the service certificate on the client machine (typically in LocalMachine/Trusted Root Certification Authorities), and the service needs to have the below behavior to specify the certificate for the service:

    <serviceBehaviors>
      <behavior>
        <serviceCredentials>
          <serviceCertificate findValue="localhost"
                              x509FindType="FindByIssuerName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>

2- Option two provides (A + [C + I]); the C and I are optional, as you configure them via the protectionLevel attribute. The client auth will be Windows auth (typically Windows Stream Security will be used to achieve the A, C and I).

    <!--//Below are the configuration for both the service and the client-->
    <netTcpBinding>
      <binding name="TcpSecureBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"></transport>
        </security>
      </binding>
    </netTcpBinding>

3- Option 3 provides (A + C + I); the C and I are not optional, and the client authentication will be via client certificate (each client must have its own certificate). In this case the TCP SSL (not the HTTPS SSL) will be used to provide the A, C and I.

    <!--//Below are the configuration for both the service and the client-->
    <binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"></transport>
      </security>
    </binding>

Also, because the TCP SSL will be used, the service must provide a certificate to the client, so you need to install a certificate on the server and configure the service to use this certificate to prove its identity. You also need to install the root certificate authority certificate for the service certificate on the client machine (typically in LocalMachine/Trusted Root Certification Authorities), and the service needs to have the below behavior to specify the certificate for the service:

    <serviceBehaviors>
      <behavior>
        <serviceCredentials>
          <serviceCertificate findValue="localhost"
                              x509FindType="FindByIssuerName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
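As an added illustration of the answer's option 1 (not code from the question or the answer), the same setup expressed in code rather than config: the server alone holds a private key, the client sends no certificate, and the client validates the server certificate by chain trust against its own root store. The thumbprint, port and DNS identity "localhost" are placeholders; enabling online revocation checking is an assumption beyond what the answer states.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ICalculator { [OperationContract] double Add(double a, double b); }

public class Calculator : ICalculator { public double Add(double a, double b) { return a + b; } }

public static class Option1Demo
{
    // Placeholder: replace with the thumbprint of the service certificate installed
    // in LocalMachine\My on the server (the only machine that holds a private key).
    const string ServerThumbprint = "PLACEHOLDER_THUMBPRINT";

    // Option 1 from the answer: transport (TCP SSL) security, no client credential.
    static NetTcpBinding MakeBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        return binding;
    }

    public static ServiceHost StartServer()
    {
        var host = new ServiceHost(typeof(Calculator), new Uri("net.tcp://localhost:8040/"));
        host.AddServiceEndpoint(typeof(ICalculator), MakeBinding(), "Calculator");
        // Code equivalent of the <serviceCertificate> element in the answer.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, ServerThumbprint);
        host.Open();
        return host;
    }

    public static ICalculator ConnectClient()
    {
        // The DNS identity must match the subject name of the server certificate.
        var address = new EndpointAddress(new Uri("net.tcp://localhost:8040/Calculator"),
                                          EndpointIdentity.CreateDnsIdentity("localhost"));
        var factory = new ChannelFactory<ICalculator>(MakeBinding(), address);
        // Validate the server certificate against the client's trusted roots and
        // check revocation (assumption); no client certificate is configured anywhere.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        return factory.CreateChannel();
    }
}
```

If the client is given a certificate whose chain does not end in its Trusted Root store, ChannelFactory.CreateChannel followed by the first call fails with a SecurityNegotiationException, which is the check the questioner was looking for.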
