帮助在 .net 上设置 wsHttpBinding WCF 服务
我正在尝试使用 wsHttpBinding 托管 WCF 服务。我使用 makecert 创建了一个证书,并在 web.config 中添加了一些行。
这是我收到的错误:
System.ArgumentException: The certificate 'CN=WCfServer' must have a private key that is capable of key exchange. The process must have access rights for the private key.
在谷歌搜索时,似乎存在证书文件访问权限的问题。我使用 cacls 授予 NETWORK SERVICE 和我的用户名的读取权限,但它没有改变任何内容。
我还进入了证书文件属性中的安全设置,并对 NETWORK SERVICE 和我的用户名进行了完全控制。再次无济于事。
您能指导我了解问题所在以及我到底需要做什么吗?我对这些证书的事情真的很敏感。
这是我的 web.config:
<system.serviceModel>
<services>
<service name="Abc.Service" behaviorConfiguration="Abc.ServiceBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="Abc.BindConfig" contract="Abc.IService">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Abc.ServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WCfServer" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="Abc.BindConfig">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
I'm trying to host a WCF service with wsHttpBinding. I created a certificate using makecert and put some lines in web.config.
This is the error that I'm getting:
System.ArgumentException: The certificate 'CN=WCfServer' must have a private key that is capable of key exchange. The process must have access rights for the private key.
On googling up it seems to be some issue with access rights on the certificate file. I used cacls to give read permission to NETWORK SERVICE and also my username but it didn't change anything.
I also went to security settings in the properties of the certificate file and gave full control to NETWORK SERVICE and my username. Again to no avail.
Can you guide me as to what the problem is and what exactly I need to do? I'm really flaky with these certificate things.
Here's my web.config:
<system.serviceModel>
<services>
<service name="Abc.Service" behaviorConfiguration="Abc.ServiceBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="Abc.BindConfig" contract="Abc.IService">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Abc.ServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WCfServer" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="Abc.BindConfig">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
从我从网上收集到的信息来看,这似乎不是权限问题,更像是证书配置有问题。
此处提供了有关如何允许访问私钥的说明。
您是否已安装并运行 IIS7?那里有一个非常简单的工具用于创建我已成功用于 WCF 通信的证书(而不是 makecert)。
From what I could gather from the web it seems like it NOT an issue of permissions more like there is something wrong with configuration of the certificate.
Here there are instructions on how to allow access to the private key.
Do you have IIS7 installed and running. There is a very simple tool there for creating certificates (instead of makecert) that I have successfully used for WCF communication.
好吧..我知道问题出在哪里了。使用 makecert 创建证书时,必须使用 -pe 选项,这使得生成的私有证书可导出,以便可以在证书中使用。问题是与 vs2008 捆绑的 makecert 版本是 5.131,它没有 -pe 选项。我在 microsoft sdk 6 中找到了 6.0 版本,其中有该选项。
这是我作为 .net 初学者发现的最大问题。同一事物有很多不兼容的版本,当您在互联网上查找内容时,您不知道某人在谈论哪个版本。
Ok.. I figured out what the problem was. When using makecert to create the certificate, the -pe option must be used which makes the generated private exportable so that it can be used in the certificate. The problem was the makecert bundled with vs2008 is version 5.131 which does not have a -pe option. I found version 6.0 in microsoft sdk 6 which has the option.
This is the biggest problem I find as a beginner in .net. There are so many non-compatible versions of the same thing and when you look up stuff on the internet you don't know which version someone's talking about.
看一下 < strong>Windows HTTP 服务证书配置工具 (WinHttpCertCfg.exe)。它允许向 Windows 帐户授予对 X.509 证书私钥的访问权限。
这是一篇博客文章,解释了如何使用工具。
Take a look at the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe). It allows to grant access to the private key of X.509 certificate to a Windows account.
Here is a blog post that explains how to use the tool.