The HTTP request was forbidden with client authentication scheme 'Anonymous'


Problem description

I am trying to configure a WCF server\client to work with SSL

I get the following exception:

The HTTP request was forbidden with client authentication scheme 'Anonymous'

I have a self-hosted WCF server. I have run httpcfg. Both my client and server certificates are stored under Personal and Trusted People on the Local Machine.

Here is the server code:

// Server: HTTPS transport that requires a client certificate
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
// Accept the client certificate if it is in Trusted People or chains to a trusted root
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
_host.Credentials.ClientCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
// Server certificate taken from LocalMachine\My by subject name
_host.Credentials.ServiceCertificate.SetCertificate("cn=ServerSide", StoreLocation.LocalMachine, StoreName.My);

Client code:

// Client: HTTPS transport, present a client certificate
binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
WebChannelFactory<ITestClientForServer> cf =
    new WebChannelFactory<ITestClientForServer>(binding, url2Bind);
// Client certificate taken from LocalMachine\My by subject name
cf.Credentials.ClientCertificate.SetCertificate("cn=ClientSide", StoreLocation.LocalMachine, StoreName.My);
// Custom validation of the server certificate
ServicePointManager.ServerCertificateValidationCallback
    += RemoteCertificateValidate;

Looking at web_tracelog.svclog and trace.log reveals that the server cannot authenticate the client certificate. My certificates are not signed by an authorized CA, but this is why I added them to the Trusted People....

What am I missing?

Solution

The trick was to make the client certificate valid.

To do that you have two options:

1) Make it self-signed and then put it under the "Trusted Root Certification Authorities".

Obviously in production you would like your client certificate to be signed by a trusted CA and not self-signed. See http://msdn.microsoft.com/en-us/library/ms733813.aspx

2) Sign your client certificate with another certificate you created (let's call it MyCA), put MyCA in the "Trusted Root Certification Authorities" and have the client certificate in the "Trusted People". This way your development environment is even closer to the deployment.

How to create and sign the certificates: look under http://msdn.microsoft.com/en-us/library/bfsktky3.aspx

Here is the series of commands I used:

1) makecert -r -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=MyCA -sv "MyCAPrivate.pvk"

2) makecert -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=SignedClientCertificate -iv "MyCAPrivate.pvk" -ic "MyCAPublic.cer"
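The same two-step setup from option 2 (a development CA, a client certificate signed by it, CA in Trusted Root, client certificate in Trusted People), followed by the chain check that PeerOrChainTrust performs, as an added PowerShell example that is not part of the answer above. It assumes an elevated PowerShell 5.1 or later on Windows with the PKI module, and uses the hypothetical subject names DevCA and DevClient instead of MyCA and SignedClientCertificate.

```powershell
# Added example: replaces the two makecert commands with New-SelfSignedCertificate.
# Names DevCA and DevClient are placeholders chosen for this example.

# 1) Self-signed CA certificate in LocalMachine\My (the role MyCA plays above).
$ca = New-SelfSignedCertificate -Subject "CN=DevCA" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.19={text}CA=true") -HashAlgorithm sha256

# 2) Client certificate signed by that CA, with the client-authentication EKU.
$client = New-SelfSignedCertificate -Subject "CN=DevClient" `
    -CertStoreLocation "Cert:\LocalMachine\My" -Signer $ca `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -HashAlgorithm sha256

# 3) Public part of the CA goes to Trusted Root, public part of the client
#    certificate goes to Trusted People (the stores named in the answer).
Export-Certificate -Cert $ca -FilePath "$env:TEMP\DevCA.cer" | Out-Null
Import-Certificate -FilePath "$env:TEMP\DevCA.cer" `
    -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
Export-Certificate -Cert $client -FilePath "$env:TEMP\DevClient.cer" | Out-Null
Import-Certificate -FilePath "$env:TEMP\DevClient.cer" `
    -CertStoreLocation "Cert:\LocalMachine\TrustedPeople" | Out-Null

# 4) Check before wiring WCF: does the client certificate chain to a trusted root?
#    Revocation is skipped, matching RevocationMode = X509RevocationMode.NoCheck
#    in the server code of the question.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($client)) {
    "Client certificate chains to a trusted root; the 'Anonymous' rejection should go away."
} else {
    # Each entry names why the chain failed (e.g. UntrustedRoot before step 3 ran).
    $chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation }
}
```

Running step 4 alone against a certificate that has not been placed under a trusted root reproduces the failure the trace logs reported, which makes it a quick way to confirm the stores are populated correctly.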
