C# 客户端身份验证方案禁止HTTP请求';匿名';。远程服务器返回错误:(403)禁止
我正在尝试创建一个安全的Web服务 下面是合同和服务的实现C# 客户端身份验证方案禁止HTTP请求';匿名';。远程服务器返回错误:(403)禁止,c#,wcf,iis,ssl,C#,Wcf,Iis,Ssl,我正在尝试创建一个安全的Web服务 下面是合同和服务的实现 [ServiceContract()] public interface ICalculatorService { [OperationContract()] int Add(int x, int y); } [ServiceBehavior(IncludeExceptionDetailInFaults=true)] public class CalculatorService : ICalculatorService
[ServiceContract()]
public interface ICalculatorService
{
[OperationContract()]
int Add(int x, int y);
}
[ServiceBehavior(IncludeExceptionDetailInFaults=true)]
public class CalculatorService : ICalculatorService
{
public int Add(int x, int y)
{
return x + y;
}
}
这是服务代码
var b = new WSHttpBinding(SecurityMode.Transport);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.ClientCredentialType = MessageCredentialType.None;
Type contractType = typeof(ICalculatorService);
Type implementedContract = typeof(CalculatorService);
Uri baseAddress = new Uri("https://localhost:8006/CalculatorService");
ServiceHost sh = new ServiceHost(implementedContract);
sh.AddServiceEndpoint(contractType, b, baseAddress);
//ServiceMetadataBehavior sm = new ServiceMetadataBehavior();
//sm.HttpsGetEnabled = true;
//sm.HttpsGetUrl = new Uri("https://localhost:8006/CalculatorServiceMex");
//sh.Description.Behaviors.Add(sm);
sh.Credentials.Peer.PeerAuthentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");
sh.Open();
Console.WriteLine("Service is Listening");
Console.ReadLine();
sh.Close();
这是客户端代码
var b = new WSHttpBinding(SecurityMode.Transport);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.ClientCredentialType = MessageCredentialType.None;
var factory = new ChannelFactory<ICalculatorService>(b);
factory.Credentials.Peer.PeerAuthentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "localhost");
var client = factory.CreateChannel(new EndpointAddress(new Uri("https://localhost:8006/CalculatorService")));
ServicePointManager.ServerCertificateValidationCallback =
((sender, certificate, chain, sslPolicyErrors) =>
{
return true;
});
ICommunicationObject comObject = client as ICommunicationObject;
int result = -1;
try
{
comObject.Open();
result = client.Add(10, 2);
}
catch (Exception ex)
{
}
Console.WriteLine(string.Format("Service say 10 + 2 = {0}", -1));
Console.ReadLine();
var b=新的WSHttpBinding(SecurityMode.Transport);
b、 Security.Transport.ClientCredentialType=HttpClientCredentialType.Certificate;
b、 Security.Message.ClientCredentialType=MessageCredentialType.None;
var工厂=新工厂(b);
factory.Credentials.Peer.PeerAuthentication.CertificateValidationMode=System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;
factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine,StoreName.TrustedPeople,X509FindType.FindBySubjectName,“localhost”);
var client=factory.CreateChannel(新端点地址(新Urihttps://localhost:8006/CalculatorService")));
ServicePointManager.ServerCertificateValidationCallback=
((发件人、证书、链、sslPolicyErrors)=>
{
返回true;
});
ICommunicationObject comObject=作为ICommunicationObject的客户端;
int结果=-1;
尝试
{
coObject.Open();
结果=客户。添加(10,2);
}
捕获(例外情况除外)
{
}
WriteLine(string.Format(“Service say 10+2={0}”,-1));
Console.ReadLine();
该服务运行正常,在进行ServicePointManager.ServerCertificateValidationCallback检查时,没有策略错误,并生成了正确的证书链
我的CA位于受信任的根目录中,服务器/客户端证书位于受信任的人员存储中。此外,如果我从浏览器导航到该站点,我会看到返回的页面。没有错误
我已将IIS更新为我认为必需的,并在IIS中绑定了证书
并通过下面的命令行。
我已将SSL设置设置为接受证书
并启用匿名身份验证。
有人知道我做的哪些步骤不正确,或者有什么不对劲吗?我不断收到相同的错误“客户端身份验证方案“匿名”禁止HTTP请求。”当您在IIS中使用安全类型传输和客户端凭据类型证书托管WCF服务时,将您的客户端证书放在根存储上,并在IIS中启用匿名身份验证 如果运行自托管WCF服务(无IIS),则只需在配置文件(服务器中)中添加以下设置即可启用匿名客户端:
<behaviors>
<serviceBehaviors>
<behavior name="limitedAuthBehavior">
<serviceAuthenticationManager authenticationSchemes="Anonymous, Basic, Digest, Negotiate"/>
<!-- ... -->
</behavior>
</serviceBehaviors>
</behaviors>
另外,将clientCredentialType设置为“InheritedFromHost”:
参考资料:
我们收到了此错误消息,解决方案是未为脚本启用处理程序映射功能权限。您可以在IIS中的处理程序映射>编辑功能权限下启用此功能,或者通过将
Script
添加到web.config中handlers
节点的accessPolicy
属性来启用此功能:
<system.webServer>
<handlers accessPolicy="Script">
...
</handlers>
</system.webServer>
...
另一个原因是您访问的服务器上的证书本身。确保已导入私钥。在MMC中,这将显示一个“友好名称”。我花了好几天才弄明白。一旦我导入了私钥,匿名错误就消失了,一切都很好 我犯了这种错误。该证书是子域通配符。我不得不将私钥导入LocalMachine的“受信任的人”存储区,这个错误消失了。正如其他人所指出的,您也可以尝试将私钥导入LocalMachine的“受信任的根”存储。我遇到了此异常,但这是由于我的ssl证书即将过期。对于WCF,是否有IIS的替代方案。我讨厌IIS,前一天它工作正常,下一天它开始给出各种各样的错误,这些错误需要一整天才能解决。
<system.webServer>
<handlers accessPolicy="Script">
...
</handlers>
</system.webServer>