使用客户端证书的WCF服务需要IIS中的匿名访问，因此实际上不起作用吗? [英] WCF Service Using Client Certificates Requires Anonymous Access in IIS and Therefore Doesn't Actually Work?

问题描述

我在IIS(Windows Server 2008 R2上的7.5)上托管了WCF服务(.NET 4).我们的客户(我们正在为其提供服务的客户)要求使用Verisign的证书对服务的所有客户端进行身份验证.也就是说，客户从Verisign购买了证书，并向我们提供了公钥.该服务应仅接受可以使用我们从客户端收到的公共密钥之一进行验证的请求.

I have a WCF service (.NET 4) hosted in IIS (7.5 on Windows Server 2008 R2). Our customer (for whom we are building the service) requires that all clients of the service be authenticated using certificates from Verisign. That is, the client purchases a certificate from Verisign and provides us with the public key. The service should only accept requests that can be validated using one of the public keys that we have received from the clients.

我遇到的问题是IIS似乎要求启用匿名身份验证.如果不是，则为此服务的安全设置需要'匿名'身份验证，但未为承载此服务的IIS应用程序启用它.引发错误.但是，如果启用了匿名身份验证，则允许对提供 any 证书的服务进行任何调用.我们需要将其限制为仅允许提供特定证书的呼叫(即，已向我们提供了公共密钥的呼叫).

The problem that I am having is that IIS seems to require that Anonymous authentication be enabled. If it isn't, a "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." error is raised. However, if I enable anonymous authentication, any call to the service that provides any certificate is allowed. We need to restrict it to only allow calls that provide specific certificates (i.e. ones for which we have been supplied the public key).

在IIS中，我们需要SSL和客户端证书(在SSL设置下)，并且(在身份验证下)所有身份验证均被禁用(匿名除外).

In IIS we require SSL and client certificates (under SSL Settings), and (under Authentication) all authentication is disabled (except for anonymous).

web.config是:

The web.config is:

  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <customErrors mode="Off" />
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
    <identity impersonate="false" />
  </system.web>

  <system.serviceModel>
    <services>
      <service behaviorConfiguration="XXXServiceBehavior" name="XXXService.NewService">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="XXXServiceBinding"
                  contract="XXXService.INewService"
                  bindingNamespace="http://XXXX.com.au/XXXService/NewService">
        </endpoint>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="XXXXServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" mapClientCertificateToWindowsAccount="true" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="XXXServiceBinding" maxReceivedMessageSize="1000000" maxBufferPoolSize="1000000">
          <readerQuotas maxStringContentLength="1000000" />
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

如果任何人都可以使这种情况起作用，请您让我知道您在IIS和配置中使用了哪些设置?

If anyone is able to get this sort of scenario working, could you please let me know what settings you are using in IIS and in your configuration?

推荐答案

事实证明，我需要使用的是 TransportWithMessageCredential 的绑定安全模式和 message Certificate 的 clientCredentialType (请参阅下面的完整配置列表).

It turns out that what I needed was to use a binding security mode of TransportWithMessageCredential, and a message clientCredentialType of Certificate (see the full config listing below).

使用这种绑定配置，我不需要要求主体权限或证书到Windows帐户的任何映射，因为如果调用者未提供公认的证书(即，其公钥的证书)，则该服务将不会执行已导入到计算机上服务器上的受信任的人"商店中.

With this binding configuration I don't need to demand the principal permissions or any mapping of certificates to Windows accounts, since the service won't get executed if the caller does not provide a recognized certificate (i.e. a certificate whose public key has been imported into the 'Trusted People' store on the server, at the machine level).

唯一的其他设置更改是在IIS和SSL设置中.我必须将客户端证书"设置从要求"更改为接受".(将其保留为"Require"会导致客户端收到"HTTP请求被客户端身份验证方案'Anonymous'禁止"错误.)我不确定为什么会这样，但是我不认为这种情况这是一个问题，因为WCF将需要证书.

The only other setting change is in IIS and the SSL Settings. I had to change the 'Client certificate' setting from 'Require' to 'Accept'. (Leaving it as 'Require' results in a "The HTTP request was forbidden with client authentication scheme 'Anonymous'" error being received by the client.) I'm not sure why this is the case, but I don't think this is a problem since WCF will require the certificate.

所以这是相关的配置.这是服务器配置:

So here's the relevant config. This is the server config:

<system.web>
  <compilation debug="false" targetFramework="4.0" />
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
  <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
  <identity impersonate="false" />
</system.web>

<system.serviceModel>
  <services>
    <service behaviorConfiguration="XXXWebServiceBehavior" name="XXXWebService.NewService">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="XXXWebServiceBinding" contract="XXXWebService.INewService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="XXXWebServiceBehavior">
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <clientCertificate>
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="XXXWebServiceBinding" maxReceivedMessageSize="1000000" maxBufferPoolSize="1000000">
        <readerQuotas maxStringContentLength="1000000" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>

这是客户端配置(主要由Visual Studio生成):

And here's the client config (mostly generated by Visual Studio):

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_INewService" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
               allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://XXXX.XXXX.com.au/XXXServices/NewService.svc"
              binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_INewService"
              contract="ServiceReference1.INewService" name="WSHttpBinding_INewService">
      <identity>
        <dns value="localhost" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

这篇关于使用客户端证书的WCF服务需要IIS中的匿名访问，因此实际上不起作用吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！