客户端身份验证方案“匿名”禁止 HTTP 请求;
我正在尝试配置 WCF 服务器\客户端以使用 SSL,
但出现以下异常:
客户端身份验证方案禁止 HTTP 请求 “匿名”
我有一个自托管的 WCF 服务器。 我已经运行 hhtpcfg 我的客户端和服务器证书都存储在本地计算机上的个人和受信任的人员下
这是服务器代码:
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
_host.Credentials.ClientCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
_host.Credentials.ServiceCertificate.SetCertificate("cn=ServerSide", StoreLocation.LocalMachine, StoreName.My);
客户端代码:
binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
WebChannelFactory<ITestClientForServer> cf =
new WebChannelFactory<ITestClientForServer>(binding, url2Bind);
cf.Credentials.ClientCertificate.SetCertificate("cn=ClientSide", StoreLocation.LocalMachine, StoreName.My);
ServicePointManager.ServerCertificateValidationCallback
+= RemoteCertificateValidate;
查看 web_tracelog.svclog 和trace.log 显示服务器无法验证客户端证书 我的证书未经授权 CA 签名 但这就是为什么我将他们添加到“受信任的人”中......
我错过了什么? 我缺少什么?
I am trying to configure a WCF server\client to work with SSL
I get the following exception:
The HTTP request was forbidden with client authentication scheme
'Anonymous'
I have a self hosted WCF server.
I have run hhtpcfg
both my client and server certificates are stored under Personal and Trusted People on the Local Machine
Here is the server code:
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
binding.Security.Mode = WebHttpSecurityMode.Transport;
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
_host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
_host.Credentials.ClientCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
_host.Credentials.ServiceCertificate.SetCertificate("cn=ServerSide", StoreLocation.LocalMachine, StoreName.My);
Client Code:
binding.Security.Mode = WebHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
WebChannelFactory<ITestClientForServer> cf =
new WebChannelFactory<ITestClientForServer>(binding, url2Bind);
cf.Credentials.ClientCertificate.SetCertificate("cn=ClientSide", StoreLocation.LocalMachine, StoreName.My);
ServicePointManager.ServerCertificateValidationCallback
+= RemoteCertificateValidate;
Looking at web_tracelog.svclog and trace.log
reveals that the server cannot autheticate the client certificate
My certificate are not signed by an Authorized CA
but this is why I added them to the Trusted People....
What Am I missing?
What am I missing?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
诀窍是使客户端证书有效,
为此,您有两个选择:
1)使其自签名,然后将其置于“受信任的根证书颁发机构”下。
显然,在生产中,您希望客户端证书由受信任的 CA 签名,而不是自签名。
请参阅 http://msdn.microsoft.com/en-us/library/ms733813。 2
) 使用您创建的另一个证书(我们称之为 MyCA)对您的客户端证书进行签名,并将 MyCA 放入“受信任的根证书颁发机构”中,并将客户端证书放入“受信任的人”中。这样您的开发环境就更加接近部署。
如何创建和签署证书:
查看 http://msdn.microsoft.com/en-us/library/bfsktky3 .aspx
这是我使用的一系列命令:
1)makecert -r -pe -ss My -sr LocalMachine -a sha1 -sky Exchange -n cn=MyCA -sv "MyCAPrivate.pvk"
2)makecert - pe -ss My -sr LocalMachine -a sha1 -sky 交换 -n cn=SignedClientCertificate -iv "MyCAPrivate.pvk" -ic "MyCAPublic.cer"
The trick was to make the Client Certificate valid,
To do that you have two option:
1) make it self signed and then put it under the "Trusted Root Certification Authority".
Obviously in production you would like your client certificate to be signed by a trusted CA and not self signed.
see http://msdn.microsoft.com/en-us/library/ms733813.aspx
2) Sign your client certificate by another certificate you created (let's call it MyCA) and put MyCA in the "Trusted Root Certification Authority" and have the client certificate in the "Trusted People". This way your development environment is even more close to the deployment.
How to create and sign the certificates:
Look under http://msdn.microsoft.com/en-us/library/bfsktky3.aspx
Here is the series of commands I used:
1)makecert -r -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=MyCA -sv "MyCAPrivate.pvk"
2) makecert -pe -ss My -sr LocalMachine -a sha1 -sky exchange -n cn=SignedClientCertificate -iv "MyCAPrivate.pvk" -ic "MyCAPublic.cer"
我收到此错误的原因是在我的 webconfig 中,Web 服务的 URL 为 http://localhost/myservicename.svc,并且在我们的开发服务器上我们有一个 FQDN http: //dev.myname.com/myservicename.svc.
仔细检查您的 web.configs 以确保 Web 服务的 URL 指向正确的位置。
The reason I was receiving this error was because in my webconfig, the web services had the URL of
http://localhost/myservicename.svcand on our dev server we had a FQDNhttp://dev.myname.com/myservicename.svc.Double check your web.configs to ensure the URLS to the web services are pointing to the proper location.