如何实现客户端证书验证的正确方法？ [英] How do I implement Client Certificate authentication the right way?

问题描述

WCF是高度可扩展，有很多现成的使用的功能，但是我继续与一些话题和更多的文档阅读我挣扎，我就越感到困惑。

WCF is extremely extensible and has a lot of ready-to-use features, however I continue struggling with some topics and the more documentation I read, the more I get confused.

我希望得到来自社会的一些答案。任何假设或问题的反馈是非常欢迎的。

I hope to get some answers from the community. Feedback on any assumption or question is extremely welcome.

有关记录：要真正接受一个单一的答案，我应该把这个帖子在多个问题，但它会导致更多的混乱。
我是pretty肯定有一些真正的WCF专家在线谁可以一次全部回答这个文件中的一些问题，所以我可以为实打实设置clientcertificate验证使用IIS的正确方法接受一个单一的答案。

For the record: to really accept a single answer I should divide this post in multiple questions but it would lead to even more confusion. I am pretty sure there are some real WCF experts online who can answer the few questions in this document all at once so I can accept a single answer as the real deal to setup clientcertificate authentication using IIS the right way.

让我勾画的情况和合作伙伴的要求：

Let me sketch the situation and partner request:

1：合作伙伴的要求和问题使用客户端证书

1: The partner requirement and the question to use a client certificate.

合作伙伴X需要调用的API在我的后台，他们必须使用Clientcertificate认证的明确要求。
他们创造则ClientCertificate和提供给我们的证书，只有公共密钥，因为它似乎只是逻辑他们保持私钥私人实际上并在自己的系统（S）。
该证书是进口于本地计算机帐户并查看证书路径，这是有效的。所有中间证书颁发机构，并在最后的根证书颁发机构是可信任的。

Partner X needs to call an API on my backend and they have the clear requirement to use Clientcertificate authentication. They created the clientcertificate and provided us the certificate with only the public key since it seems only logic they keep the private key actually private and in their own system(s). The certificate was imported on the local computer account and looking at the certification path this is valid. All intermediate certification authorities and in the end the root certification authority are trusted.

2：我们的WCF的服务器端配置

2: Our WCF serverside configuration

我有配置这样的serviceBehavior：

I have a serviceBehavior configured as such:

<behavior name="ClientCertificateBehavior">
    <serviceMetadata httpsGetEnabled="true" />
        <serviceCredentials>
        <serviceCertificate findValue="<serialnumber here>" x509FindType="FindBySerialNumber" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
    </serviceCredentials>
</behavior>

的我想我在这里做了第一个错误，并应使用ChainTrust使用其证书路径的实际验证证书。你觉得呢？

I guess I made a first mistake here and should use ChainTrust to actually validate the certificate using its certification path. What do you think?

该服务被配置为这样的：

The service is configured as such:

<service behaviorConfiguration="ClientCertificateBehavior" name="<Full service namespace and servicename>">
    <endpoint binding="basicHttpBinding" bindingConfiguration="Soap11CertificateBasicHttpBinding"
        contract="<The interface>"></endpoint>
</service>

的结合看起来是这样的：

The binding looks like this:

有一个basicHttpBinding的强制SOAP1.1（根据伙伴的规格）。

It is a basicHttpBinding to force SOAP1.1 (according to the partner's specifications).

<binding name="Soap11CertificateBasicHttpBinding">
  <security mode="Transport">
    <transport clientCredentialType="Certificate" />
  </security>
</binding>

3：托管在IIS中的WCF服务和IIS配置

3: Hosting the WCF service in IIS and the IIS configuration

我们在IIS7托管我们的WCF服务。
我们配置其中的服务驻留要求SSL，并接受客户证书的文件夹。
验证明智的匿名身份验证功能。

We host our WCF services in IIS7. We configured the folder in which the services reside to require SSL and to accept Client certificates. Authentication-wise anonymous authentication is enabled.

问题是从合作伙伴的沟通工作和我们确信一切正常，但是切换的IIS设定为要求客户端证书告诉我们，突然不再可能成功地拨打我们的服务

The thing is that communication from the partner works and we were confident that everything was OK, however toggling the IIS-setting to 'require' client certificate shows us that all of a sudden it is no longer possible to successfully call our service.

我是正确的假设，下面的事情都没有做正确：

Am I correct to assume that following things are not done correctly:

• 在serviceBehavior的serviceCerticate是不是真的有必要。这是由客户端所使用的设定。或者是否有必要提供的服务端点这个证书信息到该公司正由客户端发送的证书匹配？

• The serviceCerticate in the serviceBehavior is not really necessary. This is a setting used by the client. Or is it necessary to provide this certificate information for the service endpoint to match the certificate that's being send by the client?

有关clientcertificate认证，真正在IIS的工作证需要映射到用户。此用户应该被授予包含的服务和所有身份验证机制的文件夹的权限（匿名，窗户，...）应禁用。
这样，IIS将处理实际握手并验证servicecommunication。
或者是更多的额外的安全证书映射到一个用户的问题？

For clientcertificate authentication to really work in IIS the certificate needs to be mapped to a user. This user should be granted permissions on the folder containing the services and all authentication mechanisms (anonymous, windows,...) should be disabled. This way IIS will handle the actual handshake and validate the servicecommunication. Or is it more a matter of extra security mapping the certificate to a user?

• 通过设置接受在IIS上，我们绕过客户端和服务器之间的实际证书验证。

• By setting 'Accept' on IIS we bypass the actual certificate validation between client and server.

所有的身份验证机制，例如匿名和窗口对IIS被禁用为持有该服务的文件夹。

All authentication mechanisms like 'anonymous' and 'windows' have to be disabled on IIS for the folder which holds the services.

推荐答案

在您的情况，您无需在WCF配置证书，IIS处理那些你。您可以清除整个＆LT; serviceCredentials＆GT; 块，这是因为：

In your scenario, you don't need to configure certificates in WCF, IIS handles those for you. You can clear the entire <serviceCredentials> block, because:

＆LT; serviceCertificate＆GT; 的＆LT; serviceCredentials＆GT; 指定将用于验证使用为客户服务的消息安全模式，你不使用，且 ＆LT; clientCertificate＆GT ; ＆LT的; serviceCredentials＆GT; 定义用于签名和加密邮件给客户，形成了一个服务的X.509证书双工通信模式。

请参阅此处如何客户端证书映射到用户帐户。

See here how to map client certificates to user accounts.

这篇关于如何实现客户端证书验证的正确方法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！