Problem with a WCF client certificate in an ASP.NET application hosted on IIS 7.5

Tags: asp.net, wcf, iis-7, x509certificate, client-certificates

I need to call a WCF service from an ASP.NET web application hosted on IIS 7.5. This WCF service uses transport security with client certificates. I obtained a client certificate, which I installed with mmc into the Local Computer / Personal store location. The .pfx also installed two other certificates without private keys, which are the CAs of the client certificate that has the private key. I assign the certificate at runtime, because in the future other certificates may be used with the same web service:

    // Pick the client certificate at runtime from LocalMachine\My by its serial number
    // (the serial number is redacted here)
    wcfClient.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.LocalMachine, StoreName.My,
        X509FindType.FindBySerialNumber, "XXXXXXXXXXXXXXXXXXXXXX");
    // debugging shows that the client certificate was found
    var result = wcfClient.CallMyMethod();
With the web application running under ApplicationPoolIdentity, calling the web service throws a MessageSecurityException with an inner WebException 403, as if I had not passed the client certificate at all. In fact, when the configuration requires it, not setting a valid certificate results in an InvalidOperationException. If I run under an administrator account, no exception is thrown. I need to be able to call the web service under ApplicationPoolIdentity.

Edit: I think the certificate chain might be the problem here.

What I have tried so far:

- In MMC: MyCertificate -> All Tasks -> Manage Private Keys... I granted IIS_IUSR permission to manage the private key
- Added read permission for IIS_IUSR on C:\ProgramData\Microsoft\Crypto\RSA
- I used System.Net tracing and compared the logs for ApplicationPoolIdentity and my administrator account. Everything looks the same up to a point after the line "We have user-provided certificates. The server has specified 24 issuer(s). Looking for certificates that match any of the issuers."

ApplicationPoolIdentity log:

System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5436] SecureChannel#20350898 - We have user-provided certificates. The server has specified 24 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [5436] SecureChannel#20350898 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [5436] Using the cached credential handle.
System.Net Information: 0 : [5436] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fc5d070:1ffd1d0, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=349, returned code=ContinueNeeded).
System.Net Information: 0 : [5436] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fc5d070:1ffd1d0, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5436] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = fc5d070:1ffd1d0, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5436] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
System.Net Information: 0 : [5436] Remote certificate: [bla bla remote certificate]
System.Net Information: 0 : [5436] SecureChannel#20350898 - Remote certificate was verified as valid by the user.
Administrator account log:

System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
System.Net Information: 0 : [5952] SecureChannel#60080036 - We have user-provided certificates. The server has specified 24 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [5952] SecureChannel#60080036 - Selected certificate: [Bla bla bla client cert info]
System.Net Information: 0 : [5952] SecureChannel#60080036 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [5952] SecureChannel#60080036 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [5952] SecureChannel#60080036 - Locating the private key for the certificate: [Bla bla bla client cert info]
System.Net Information: 0 : [5952] SecureChannel#60080036 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [5952] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [5952] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4e5bb48:1fff710, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=5718, returned code=ContinueNeeded).
System.Net Information: 0 : [5952] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4e5bb48:1fff710, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
System.Net Information: 0 : [5952] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 4e5bb48:1fff710, targetName = ws.allianztiriac.ro, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [5952] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
System.Net Information: 0 : [5952] Remote certificate: [bla bla bla remote certificate]

As an idea, why not specify the certificate to send in the web application's configuration? If the certificate requirements change, just add it to the web application's web.config. See here how to set up the client, for example:

    <identity><certificate encodedValue="AwAAAAEAAAAUAAAAOTDk6LO4LsMQaY+65EgACb==" /></identity>

We had the same problem here. It was solved by making sure the certificates in the chain were placed in the appropriate locations. Using an administrative account, when installing the certificate into the Personal folder of the Local Computer store, it placed the intermediate certificates in the same folder. Moving them to the Intermediate Certification Authorities folder gave ApplicationPoolIdentity access to the whole chain.

Have you tried the steps described here?

I granted the permissions with mmc; IIS has full control of the certificate's private key. The certificate is not being sent. I have a different web service that uses a client certificate, and there is no problem running it under ApplicationPoolIdentity.

I have many client certificates for the same web service, and they will be selected at runtime depending on the current session/user. Also, there is no problem accessing the private key: I tried reading the private key from X509Store and opening the private key directly from the PKCS file, and everything works. But with AppPoolIdentity the remote server returns 403 Forbidden, as if I had not sent the certificate at all. The system.net trace shows it has something to do with the certificate chain, at least I believe so.
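As an added diagnostic (not code from the question or either answer), the following C# console program checks the two things the traces above hinge on: whether the private key is readable under the current identity, and whether the chain to the CA can be built from the machine stores, reporting for each CA certificate whether it sits in My, in Intermediate Certification Authorities (CertificateAuthority) or in Root. Run it once under the application pool identity and once as an administrator and compare; the serial number is a placeholder, and the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ClientCertDiagnostic
{
    const string Serial = "XXXXXXXXXXXXXXXXXXXXXX"; // placeholder: use the serial passed to SetCertificate

    // True if a certificate with this thumbprint is present in the given LocalMachine store.
    static bool InStore(StoreName name, X509Certificate2 cert)
    {
        var store = new X509Store(name, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try { return store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0; }
        finally { store.Close(); }
    }

    static void Main()
    {
        var my = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        my.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        var found = my.Certificates.Find(X509FindType.FindBySerialNumber, Serial, false);
        my.Close();
        if (found.Count == 0) { Console.WriteLine("Client certificate not found in LocalMachine\\My"); return; }
        var cert = found[0];
        Console.WriteLine("Leaf: {0}\nIssuer: {1}", cert.Subject, cert.Issuer);

        // HasPrivateKey only says the store entry is linked to a key container; actually reading
        // the key is what proves the current identity has access to it (the ACL set via MMC).
        try { Console.WriteLine("Private key readable: {0}", cert.PrivateKey != null); }
        catch (Exception e) { Console.WriteLine("Private key NOT readable: {0}", e.Message); }

        // The "Looking for certificates that match any of the issuers" step in the trace walks the
        // issuer chain, so build it here from the machine stores as this identity sees them.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        Console.WriteLine("Chain builds: {0}", chain.Build(cert));
        foreach (var status in chain.ChainStatus)
            Console.WriteLine("  status: {0} {1}", status.Status, status.StatusInformation.Trim());

        // The accepted answer moves CA certificates out of My into the intermediate CA folder;
        // report where each element above the leaf actually lives so that misplacement is visible.
        for (int i = 1; i < chain.ChainElements.Count; i++)
        {
            var c = chain.ChainElements[i].Certificate;
            Console.WriteLine("  {0}: My={1} CertificateAuthority={2} Root={3}", c.Subject,
                InStore(StoreName.My, c), InStore(StoreName.CertificateAuthority, c), InStore(StoreName.Root, c));
        }
    }
}
```

A CA certificate reported with My=True and CertificateAuthority=False is the situation the accepted answer describes, and the chain status lines show whether that identity can still reach the issuer.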