迁移的Web服务（IIS到Azure）上的客户端证书身份验证问题 [英] Issue with Client Certificate auth on migrated Web service (IIS to Azure)

问题描述

我正在尝试从当前没有问题的IIS网络服务迁移到Azure Web应用程序并收到以下响应： 
客户端身份验证方案"匿名"禁止HTTP请求。 

I'm trying to migrate from an IIS webservice that is currently working with no issues to an Azure Web Application and receive the following response:  The HTTP request was forbidden with client authentication scheme 'Anonymous'. 

我们使用自定义域，已导入私有SSL证书，创建绑定并导入公共.cer以进行客户端身份验证。 

我还完成了以下操作：  

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-互认

https://docs.microsoft.com/en-us/azure/app-service/ app-service-web-ssl-cert-load。 

任何帮助都会非常感谢。

服务器端，所有客户端证书处理通过WCF配置完成，如下所示：

<!-- this security section in the binding -->
<security mode="TransportWithMessageCredential">
    <transport clientCredentialType="None" />
    <message clientCredentialType="Certificate" />
</security>

<!-- and this credentials section in the behavior -->
<serviceCredentials>
       <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" />
       </clientCertificate>
</serviceCredentials>

推荐答案

首先查看证书是否通过邮件安全性进入请求。   例如。打开WCF日志记录或编写自定义证书验证程序。   如果是，那么您可以检查PeerTrust失败的原因（服务器上定义的证书与
传入的匹配）。

First see if the certificate flow in with the request thru message security.   Eg. turn on WCF logging or write custom cert validator.   If it does, then you can check why PeerTrust failed (cert defined on server is not matching the incoming).

这篇关于迁移的Web服务（IIS到Azure）上的客户端证书身份验证问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！