如何禁用Windows服务中托管的WCF的HTTPS调用的凭据输入 [英] How to disable credentials input for HTTPS call to my WCF hosted in windows service

问题描述

我刚刚创建了我的第一个WCF项目，所以我在这一领域的知识上有很多不足.我的问题是，当我在Web浏览器中调用WCF URL时，我必须输入凭据，但是我什至不能使用域名和密码，但必须选择个人芯片卡证书并输入其密码.之后，一切都像魅力一样.

I'm just creating my first WCF project, so I have a lot of deficiencies in knowledge in this field. My problem is that when I'm calling my WCF url in web browser, I have to enter the credentials but I cannot even use my domain name and password, but I have to choose my personal chip card certificate and enter it's password. After that, everything work like a charm.

我的最终产品应仅安装在我们域中的每个用户工作站上，仅用于IT操作.因此，此后将获得一些AD授权.关于证书...我们有自己的公司根CA证书，每个工作站都有它自己的证书，即孙子证书:

My final product should be installed on every user workstation in our domain for IT operations purposes only. So there will be some AD authorization after that. About certificate... We have our own company root CA certificate, and every workstation have it's own certificate which is it's grandchild:

我们的证书树示例:

COMPANYROOTCA >> COMPANYSUBCA1 >> WORKSTATIONNAME.DOMAIN(此文件用作WCF服务证书)

COMPANYROOTCA >> COMPANYSUBCA1 >> WORKSTATIONNAME.DOMAIN (this one is used as WCF service cert)

这是我现在要在运行在NetworkService帐户下的Windows服务中托管WCF的功能:

        serviceHost.Dispose(); //extension for close() and set to null

        Uri httpsUrl = new Uri("baseAdress");
        serviceHost = new ServiceHost(typeof(Service.myService), httpsUrl);

        WSHttpBinding wsHttpBinding = new WSHttpBinding();
        wsHttpBinding.Security.Mode = SecurityMode.Transport;
        wsHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        wsHttpBinding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;

        WebHttpBinding webHttpBinding = new WebHttpBinding();
        webHttpBinding.Security.Mode = WebHttpSecurityMode.Transport;
        webHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        webHttpBinding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;

        ServiceMetadataBehavior smb = new ServiceMetadataBehavior
        {
            HttpGetEnabled = false,
            HttpsGetEnabled = true,      
        };

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection collection = store.Certificates;
        X509Certificate2 cert = collection.OfType<X509Certificate2>().First(c => c.SubjectName.Name == "CN=WorkstationName.Domain");
        store.Close();

        serviceHost.Credentials.ServiceCertificate.Certificate = cert;           

        ServiceThrottlingBehavior throttleBehavior = new ServiceThrottlingBehavior
        {
            MaxConcurrentCalls = 16,
            MaxConcurrentInstances = 26,
            MaxConcurrentSessions = 10
        };
        serviceHost.Description.Behaviors.Add(throttleBehavior);

        ServiceEndpoint soapEndpoint = serviceHost.AddServiceEndpoint(typeof(Contract.IMyService), wsHttpBinding, "soap");
        ServiceEndpoint restEndpoint = serviceHost.AddServiceEndpoint(typeof(Contract.IMyService), webHttpBinding, "rest");
        ServiceEndpoint mexEndpoint = serviceHost.AddServiceEndpoint(typeof(IMetadataExchange), MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");

        restEndpoint.Behaviors.Add(new WebHttpBehavior());

        tempAdminHost.Open();

所以我的问题是:有什么方法，例如，如何自动获取使用浏览器并调用url的域帐户，或者如何仍然使用HTTPS但又不放置任何其他方法.凭据?

So my question is: Is there any way, how to, for example, automaticaly get domain account which use the browser and call the url or any alternative how to still use HTTPS but without putting any credentials?

推荐答案

我没有看到您使用凭据对客户端进行身份验证的方式.用于承载服务的两个端点的客户端凭据类型为无".浏览器如何要求您输入凭证?此外，默认情况下，如果服务器将ClientCredentialType设置为Windows，则客户端将使用当前用户作为凭据.需要提供凭据时，当前用户的密码和帐户将是默认凭据.
还有一点要注意，如果仅在浏览器中提示您选择证书而不是凭据(用户/密码)，如下所示，

我们可能已经配置了以下参数( clientcertnegotiation 参数).

I didn’t see the way you use the credential to authenticate the client. the client credential type of the two endpoints you use to host the service are None. How does the browser ask you to input the credential? Besides, by default, If the server set up the ClientCredentialType to Windows, the client would use the current user as the credential. The current user’s password and account will be default credential when need to provide a credential.
One more thing to note, if you are simply prompted in the browser to select a certificate instead of the credential(user/password), as follows,

We may have configured the following parameter(clientcertnegotiation parameter).

netsh http add sslcert ipport=127.0.0.1:8000 certhash=c20ed305ea705cc4e36b317af6ce35dc03cfb83d appid={c9670020-5288-47ea-70b3-5a13da258012} clientcertnegotiation=enable

因为您用来提供证书以加密通信的方式不正确.

Because the way you use to provide a certificate to encrypt the communication is not correct.

serviceHost.Credentials.ServiceCertificate.Certificate = cert; 

我们需要将证书绑定到端口.

并且参数配置取决于以下内容.


因此，我怀疑将证书绑定到指定端口的过程是由IIS完成的.并且该参数应被忽略.
随时让我知道是否有什么可以帮助您的.

We need to bind the certificate to Port.
https://docs.microsoft.com/en-us/windows/desktop/http/add-sslcert
when hosting the service in IIS, we accomplish it by the below UI.

And the parameter configuration depends on the below.


So I suspect the process that binds the certificate to the specified port is completed by IIS. and the parameter should be ignored.
Feel free to let me know if there is anything I can help with.

这篇关于如何禁用Windows服务中托管的WCF的HTTPS调用的凭据输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！