WCF Security Error: The client certificate is not provided.


Question


The client certificate is not provided.

I keep getting this error on the client side when attempting to use a client cert for a WCF Webservice hosted in IIS configured with a temp cert.

When security mode is set to none, everything works, however, the client doesn't require a cert!

Accepted answer

The solution was found in a combination of steps from two useful articles found on CodePlex that show creating certs, assigning permissions and web.config settings for client and server.

Server Article
How To: Create and Install Temporary Certificates in WCF for Message Security During Development

http://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Create%20and%20Install%20Temporary%20Certificates%20in%20WCF%20for%20Message%20Security%20During%20Development&referringTitle=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms

Client Article
How To – Use Certificate Authentication and Message Security in WCF calling from Windows Forms

http://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms

Server Steps
On Server, make CA
makecert -n "CN=RootCAMyCompanyName" -r -sv RootCAMyCompanyName.pvk RootCAMyCompanyName.cer

password: aSuperSecretPassword19

On Server, import RootCAMyCompanyName.cer into Trusted Root Certification Authorities

On Server, Make Cert
makecert -sk MyCompanyNameKey -iv RootCAMyCompanyName.pvk -n "CN=MyCompanyNameCert" -ic RootCAMyCompanyName.cer -sr localmachine -ss my -sky exchange -pe MyCompanyNameCert.cer

On Server, Find Private Key
FindPrivateKey.exe My LocalMachine -n "CN=MyCompanyNameCert"

On Server, Grant Access to Private Key, note switches at end of statement
cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\abc57b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" /E /G "NT AUTHORITY\NETWORK SERVICE":R

Service Web.config
<system.serviceModel>

  <bindings>
    <wsHttpBinding>
      <binding name="Binding1">
        <security mode="Message">
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="TestService.Service1" behaviorConfiguration="ServiceBehavior1" >
      <endpoint
        name="wsHttpEndpoint"
        address=""
        binding="wsHttpBinding"
        bindingConfiguration="Binding1"
        contract="TestService.IService1">
        <identity>
          <dns value="MyCompanyNameCert"/>
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior1">
        <serviceMetadata httpGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="false"/>
        <serviceCredentials>
          <clientCertificate>
            <authentication revocationMode="NoCheck"/>
          </clientCertificate>
          <serviceCertificate findValue="CN=MyCompanyNameCert"/>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="EndpointBehavior1">
        <clientCredentials>
          <serviceCertificate>
            <authentication revocationMode="NoCheck"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
    <endpoint behaviorConfiguration="EndpointBehavior1" />
  </client>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
--


Client Steps

On client, Copy the root CA certificate (RootCAMyCompanyName.cer) and private key file (RootCAMyCompanyName.pvk) to the client machine.

On client, Import RootCAMyCompanyName.cer into Trusted Root Certificate Authorities

On client, create client cert
makecert -sk MustBeUniqueKey -iv RootCAMyCompanyName.pvk -n "CN=MyCompanyNameCert" -ic RootCAMyCompanyName.cer -sr localmachine -ss my -sky exchange -pe MyCompanyNameCert.cer

Client Web.config

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="Behavior1">
        <clientCredentials>
          <clientCertificate findValue="CN=MyCompanyNameCert" storeLocation="LocalMachine"/>
          <serviceCertificate>
            <authentication revocationMode="NoCheck"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
               receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
               transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
               textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None"
                     realm="" />
          <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                   algorithmSuite="Default" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://wcfcerttest.com/Service1.svc"
              binding="wsHttpBinding"
              behaviorConfiguration="Behavior1"
              bindingConfiguration="wsHttpEndpoint"
              contract="ServiceReference1.IService1"
              name="wsHttpEndpoint">
      <identity>
        <dns value="MyCompanyNameCert"/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
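The steps above only work when the certificate WCF looks up by findValue exists in LocalMachine\My, carries its private key, chains to the imported root, and is readable by the process identity; the following diagnostic, added here and not part of the original answer, checks those four conditions on either machine. It assumes Windows PowerShell 5.1 (CSP-backed keys as makecert -sky exchange creates them), the CN values from the answer, and NETWORK SERVICE as the account to check (a parameter, since the client process runs as the logged-on user).

```powershell
# Added diagnostic, not from the original answer. Assumes Windows PowerShell 5.1
# (CSP-backed keys as created by makecert -sky exchange) and the CN values from the post.
param(
    [string]$CertSubject = 'CN=MyCompanyNameCert',
    [string]$RootSubject = 'CN=RootCAMyCompanyName',
    [string]$KeyReader   = 'NT AUTHORITY\NETWORK SERVICE'   # assumed process identity; on a client it is the user running the app
)

# 1. The certificate that findValue="CN=MyCompanyNameCert" resolves to must be in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject } | Select-Object -First 1
if (-not $cert) { Write-Error "No certificate with subject '$CertSubject' in LocalMachine\My"; exit 1 }
"Found $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 2. It must carry a private key (makecert -pe); without one WCF cannot sign or decrypt messages.
if (-not $cert.HasPrivateKey) { Write-Error 'Certificate has no private key (was makecert run with -pe?)'; exit 1 }

# 3. It must chain to the root CA, which the post imports into Trusted Root on both machines.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # mirrors revocationMode="NoCheck" in the post's config; acceptable for a dev CA only
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    Write-Error "Chain does not build; is RootCAMyCompanyName.cer in LocalMachine\Root?"; exit 1
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $RootSubject) { Write-Warning "Chain ends at '$($root.Subject)', expected '$RootSubject'" }

# 4. The process identity needs Read on the key container file, which is what the cacls step grants.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $KeyReader -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($hasRead) { "$KeyReader can read $keyFile" }
else { Write-Warning "$KeyReader has no Allow/Read ACE on $keyFile; re-run the cacls step for that account" }
```

Run it in an elevated prompt on the server with the IIS application pool identity as -KeyReader, and on the client with the account that runs the Windows Forms app; the key file path it computes is the same one the FindPrivateKey.exe step locates.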

