在使用服务证书的 WCF 客户端配置中指定服务的 IP 地址
我有一个 WCF 自托管服务,客户端应用程序可以通过 VPN 访问该服务。这在大多数情况下有效,但某些客户端无法通过 DNS 名称找到服务器。我想对其进行配置,以便也指定 IP 地址。我不能简单地使用服务器的 IP 地址而不是客户端配置中的服务器名称,因为远程端点提供了其服务器名称的 DNS 声明,因此它无法通过安全检查。我可以将服务器证书替换为指定 IP 地址作为主题名称的证书,但我的理解是这也行不通。
如何更改配置,以便客户端可以通过其 Ip 地址找到服务,同时仍使用服务器名称作为其身份?
服务配置:
...
<bindings>
<customBinding>
<binding name="gzipBinding">
<gzipMessageEncoding />
<sslStreamSecurity />
<tcpTransport>
</tcpTransport>
</binding>
</customBinding>
<wsHttpBinding>
<binding name="ClientCertAuthenticationBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="MyServices.HandshakeService" behaviorConfiguration="HandshakeServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="http://10.0.0.4:8000/Handshake"/>
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="ClientCertAuthenticationBinding" contract="OCS.Client.KnownLayer.IHandshaker"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<!--For debugging purposes set the includeExceptionDetailInFaults attribute to true-->
<behaviors>
<serviceBehaviors>
<behavior name="HandshakeServiceBehavior">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="True"/>
<serviceCredentials>
<serviceCertificate findValue="MyServiceComputerName" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
<clientCertificate>
<!-- <authentication certificateValidationMode="Custom" customCertificateValidatorType="Rdt.CertificateIdentification.ClientAuthentication.MyX509CertificateValidator, OCS"/>-->
<!-- The custom validator replicates the chaintrust functionality and extends it with a check against the identity database-->
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
客户端配置:
<system.serviceModel>
<client>
<endpoint address="http://MyServiceComputerName:8000/Handshake" binding="wsHttpBinding" behaviorConfiguration="ClientCertificateBehavior"
bindingConfiguration="WSHttpBinding_IHandshaker" contract="IHandshaker"
name="WSHttpBinding_IHandshaker"/>
</client>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IHandshaker">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="MyClientCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
I have a WCF self-hosted service that is accessed over a VPN by client applications. This works in most cases, but some clients are unable to find the server by the DNS name. I want to configure it so that the IP address is specified as well. I cannot simply use the server's IP address instead of the server name in the client config because then it fails the security check because the remote endpoint provides a DNS claim of its server name. I could replace the server certificate with one specifiying the IP address as the subject name, but my understanding is that this would not work either.
How can I change the configuration so that the client can find the service by its Ip address while still using the server name for its identity?
Service configuration:
...
<bindings>
<customBinding>
<binding name="gzipBinding">
<gzipMessageEncoding />
<sslStreamSecurity />
<tcpTransport>
</tcpTransport>
</binding>
</customBinding>
<wsHttpBinding>
<binding name="ClientCertAuthenticationBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="MyServices.HandshakeService" behaviorConfiguration="HandshakeServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="http://10.0.0.4:8000/Handshake"/>
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="ClientCertAuthenticationBinding" contract="OCS.Client.KnownLayer.IHandshaker"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<!--For debugging purposes set the includeExceptionDetailInFaults attribute to true-->
<behaviors>
<serviceBehaviors>
<behavior name="HandshakeServiceBehavior">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="True"/>
<serviceCredentials>
<serviceCertificate findValue="MyServiceComputerName" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
<clientCertificate>
<!-- <authentication certificateValidationMode="Custom" customCertificateValidatorType="Rdt.CertificateIdentification.ClientAuthentication.MyX509CertificateValidator, OCS"/>-->
<!-- The custom validator replicates the chaintrust functionality and extends it with a check against the identity database-->
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
Client configuration:
<system.serviceModel>
<client>
<endpoint address="http://MyServiceComputerName:8000/Handshake" binding="wsHttpBinding" behaviorConfiguration="ClientCertificateBehavior"
bindingConfiguration="WSHttpBinding_IHandshaker" contract="IHandshaker"
name="WSHttpBinding_IHandshaker"/>
</client>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IHandshaker">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="MyClientCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以通过查看域名系统 (DNS) 问题疑难解答文档。
您可以尝试以下方法,详细信息请参阅这篇文章
1.)将IP添加到端点地址并添加IP地址。添加带有基本 IP 地址的主机名,如下所示:
2.) 如果您有域名 (www.myDomain.com< /a>),然后将其添加到 IIS 中的主机标头。
3.) 添加IP地址&客户端主机文件中的计算机名称(但是,简单的修复并不总是可以让所有客户端将其添加到其主机文件中)
You can resolve this issue by reviewing the Troubleshooting Domain Name System (DNS) issues document.
You can try the following methods, see this post for details
1.) Add the IP to the endpoint address & add a host name with the base IP address like so:
2.) If you have a domain name (www.myDomain.com) then add this to the host header in IIS.
3.) Add the IP address & computer name to the clients hosts file (easy fix not always possible to get all of your clients to add this to their host file however)