通过 SSL 配置 IIS6 的 WCF 传输安全性
我一直在尝试在 IIS6 上使用 SSL 设置 WCF 传输安全性。
客户端位于同一域的单独计算机上。
我了解证书、根 CA 等的前提,并且拥有一组用于消息安全的工作证书,并且可以在相同的环境设置中使用这些无问题。 (上周我学到的东西并不多:)
当我将客户端切换到 SSL 时,我试图让我的客户端针对 IIS 6 服务进行身份验证,这让我遇到了一场噩梦。打电话时总是收到“不允许匿名身份验证”。
在 IIS 中,我
- 在站点上设置了 SSL 端口 443 的根签名 CA 证书 (如果我浏览 https:// svc 页面,我可以看到 IE 挂锁,并且页面显示您需要证书才能进行通信)
在安全通信下,我
- 需要 SSL 通道,
- 需要 128 位加密,
- 需要客户端证书,
- 启用客户端证书映射(设置与 IIS 框上的管理员帐户进行多对一映射,目前
与网站安全(身份验证和访问控制)下的
- 证书主题 O 字段相匹配匿名访问 = 打开
- 集成 Windows 身份验证 = 关闭
- 基本身份验证 =
打开客户端 wsHttpBinding 我有一个准备进行身份验证的证书和一个自定义端点行为来提供此信息,但我认为它还没有走到这一步!
更新的服务器配置
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="CertificateWithTransport">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCFServiceCertificate.Service1" behaviorConfiguration="credentialConfig">
<endpoint address="https://svnvmig02/Service1.svc"
binding="wsHttpBinding"
bindingConfiguration="CertificateWithTransport"
contract="WCFServiceCertificate.IService1">
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="credentialConfig">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
更新的客户端配置
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService1">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://svnvmig02/Service1.svc" binding="wsHttpBinding" behaviorConfiguration="CustomBehavior"
bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
name="WSHttpBinding_IService1">
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="svnvmig02" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
编辑: 可能值得一提的是,我的 VS 项目是 3.5,但 IIS6 正在运行 .net4
通过修改后的配置(感谢 Fabio ;)我现在可以 IE 浏览地址
我在网上找到的大多数页面都涉及自托管或 IIS7....我希望 IIS7 支持更好;)
任何帮助将不胜感激:)
I've been attempting to set up WCF transport security using SSL on IIS6.
The client is on a seperate machine on the same domain.
I understand the premise of certificates, root CA etc and have a working set of certs for message security and can use these no probs in the same enviroment set up. (i've learn't a lot over the last week :)
I'm having an nightmare trying to get my client to authenticate against the IIS 6 service when i switch it to SSL. Always recieving 'annonymous authetication not allowed' when calling.
IN IIS i have
- a root signed CA cert set on the site for SSL port 443
(if i browse the https:// svc page i can see the IE padlock and the page says you need a cert to communicate)
under secure communications i have
- require SSL channel
- require 128 bit encryption
- require client certificates
- enable client certificate mapping (set up with a many to 1 mapping to a admin account on the IIS box for now matched on the cert subject O field )
under web site security (authentication and access control)
- Anonymous access = ON
- Intergrated Windows Authentication = OFF
- basic Authentication = ON
For the client wsHttpBinding i have a certificate ready to authenticate and a custom endpoint behaviour to supply this info but i don't think its getting this far!
UPDATED SERVER CONFIG
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="CertificateWithTransport">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCFServiceCertificate.Service1" behaviorConfiguration="credentialConfig">
<endpoint address="https://svnvmig02/Service1.svc"
binding="wsHttpBinding"
bindingConfiguration="CertificateWithTransport"
contract="WCFServiceCertificate.IService1">
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="credentialConfig">
<serviceMetadata httpsGetEnabled="true" httpGetEnabled="false"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
UPDATED CLIENT CONFIG
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService1">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://svnvmig02/Service1.svc" binding="wsHttpBinding" behaviorConfiguration="CustomBehavior"
bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
name="WSHttpBinding_IService1">
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="svnvmig02" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
EDIT:
Probably worth mentioning that my VS projects are 3.5 but IIS6 is running .net4
With the amended config (thanks Fabio ;) i can now IE browse the address https://svnvmig01/Service1.svc from the client machine and see the generated svc page which allows me to click on the wsdl URl which is also available.
The majority of the pages i have found on the net refer to selfhosting or IIS7....I'm hoping IIS7 support is better ;)
Any help would be greatly appreciated :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您的配置包括:
ssl 的正常端口是 443。
请求可能不会发送到您期望它发送到的站点。因此,您会收到意外的错误消息。
检查 IIS 日志以确保哪个站点正在接收请求。
Your config includes:
The normal port for ssl is 443.
It may be that the request is not going to the site that you expect it to go to. Therefore, you are getting and unexpected error message.
Check the IIS logs to make sure which site is receiving the request.
我认为您的问题可能是您将 IIS 设置为:
我在几台服务器上使用传输安全性,所有 IIS6 的服务器都将该设置设置为打开,而不是关闭。这也对应于您提供的错误消息:
如果没有关闭匿名访问,IIS 将要求用户输入用户名/密码,或者传递 Windows/Active Directory/kerberos 凭据。
I think your issue here may be that you have IIS set to:
I use transport security on several of my servers, and all the IIS6 ones have that setting ON, not OFF. This also corresponds to the error message you provided:
Without anon access off, IIS will either want the user to enter a username/password, or pass along a windows / active directory / kerberos credentials.