C# WCF wsHttpBinding证书安全协商异常
因此,在梳理了MSDN、无数文章之后,即使如此,我仍然没有任何东西可以展示,这几天的斗争 所以我有这样一个问题:WCF服务需要由客户机使用,而我只是不断遇到SecurityNegotiationException 无法打开安全通道,因为与远程终结点的安全协商失败。这可能是由于用于创建通道的EndpointAddress中缺少EndpointIdentity或未正确指定EndpointIdentity造成的。请验证EndpointAddress指定或暗示的EndpointIdentity是否正确标识远程端点 我在网上看到过这个错误,似乎没有人知道我的确切情况(至少有一个可行的答案) 我的安装程序是本地的,暂时不由IIS托管,而是通过Visual Studio 2010托管。我的GenericIntegration(WCF服务)使用了通过证书验证的wsHttpBinding(消息模式)(我有一个非常定制的用户名/密码验证+授权类,通过设计作为参数传递),并且没有退出安全措施 主机配置C# WCF wsHttpBinding证书安全协商异常,c#,wcf,x509certificate,ca,wshttpbinding,C#,Wcf,X509certificate,Ca,Wshttpbinding,因此,在梳理了MSDN、无数文章之后,即使如此,我仍然没有任何东西可以展示,这几天的斗争 所以我有这样一个问题:WCF服务需要由客户机使用,而我只是不断遇到SecurityNegotiationException 无法打开安全通道,因为与远程终结点的安全协商失败。这可能是由于用于创建通道的EndpointAddress中缺少EndpointIdentity或未正确指定EndpointIdentity造成的。请验证EndpointAddress指定或暗示的EndpointIdentity是否正确标
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpintBinding">
<security mode ="Message">
<message clientCredentialType="Certificate" establishSecurityContext="false" negotiateServiceCredential="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="wsHttpBehaviour" name="GenericIntegration.GenericService">
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpintBinding"
name="wsHttpEndpoint" contract="GenericIntegration.GenInterface" />
<host>
<baseAddresses>
<!--<add baseAddress="http://localhost:59082/GenericService.svc" />-->
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wsHttpBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<certificate findValue="GenIntegrationClient" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
<behavior name="metadataBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="endpointBehaviour">
<clientCredentials>
<clientCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My"
x509FindType="FindBySubjectName" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:59082/GenericService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="endpointBehaviour"
contract="GenService.GenInterface" name="wsHttpEndpoint">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAAKdyUELIKMtdh2MFsYQ09ja+vyeEgAAAAAQAAACICAAAwggIeMIIBi6ADAgECAhCFBfF1EXQZhkPKaBpQCl84MAkGBSsOAwIdBQAwJDEiMCAGA1UEAxMZNE1PU1RHZW5JbnRlZ3JhdGlvblNlcnZlcjAeFw0xNjA3MjgxNDQ5MjVaFw0zOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGTRNT1NUR2VuSW50ZWdyYXRpb25DbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIwsIlz5nZ3HxeYofTpYKr6RcfQMe/jZxPuHcljT+8pBOZ6KmYcyxeRTO074yP6yF8b1IqFskII+qqmCT8nDsb8xdo5Ee0oqL1LKR+xeTgg2ZXXoocxqR1AdxWFVdlMxMSjKIEGE+MnSDdB6vgXahhpUbAS7cdrNoAFKNIz+vrt1AgMBAAGjWTBXMFUGA1UdAQROMEyAEB4cu6OjBqQHct6przmowGyhJjAkMSIwIAYDVQQDExk0TU9TVEdlbkludGVncmF0aW9uU2VydmVyghD75YH5y52zsU5wcmZLJzPiMAkGBSsOAwIdBQADgYEA2BinUmEfgZKcb1qFD1T5ajc2OWHGLjDLpDi8Y7amM4P3rFGvelx7NmCNUH88iGS9LcbDsmY59HcZwUavtPOr4LMRDhl+5YuGht1fIYEk8QSDIhjevijgDOIVBBAeNIA8tva1faMNtYnFXsj0VxMvlrZ4exeKFVFjv2sib5YNFxY=" />
</identity>
</endpoint>
</client>
</system.serviceModel>
和客户端的配置
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpintBinding">
<security mode ="Message">
<message clientCredentialType="Certificate" establishSecurityContext="false" negotiateServiceCredential="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="wsHttpBehaviour" name="GenericIntegration.GenericService">
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpintBinding"
name="wsHttpEndpoint" contract="GenericIntegration.GenInterface" />
<host>
<baseAddresses>
<!--<add baseAddress="http://localhost:59082/GenericService.svc" />-->
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="wsHttpBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<certificate findValue="GenIntegrationClient" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
<behavior name="metadataBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="endpointBehaviour">
<clientCredentials>
<clientCertificate findValue="GenIntegrationClient" storeLocation="LocalMachine" storeName="My"
x509FindType="FindBySubjectName" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" maxBufferPoolSize="20000000" maxReceivedMessageSize="20000000">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:59082/GenericService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" behaviorConfiguration="endpointBehaviour"
contract="GenService.GenInterface" name="wsHttpEndpoint">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAAKdyUELIKMtdh2MFsYQ09ja+vyeEgAAAAAQAAACICAAAwggIeMIIBi6ADAgECAhCFBfF1EXQZhkPKaBpQCl84MAkGBSsOAwIdBQAwJDEiMCAGA1UEAxMZNE1PU1RHZW5JbnRlZ3JhdGlvblNlcnZlcjAeFw0xNjA3MjgxNDQ5MjVaFw0zOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGTRNT1NUR2VuSW50ZWdyYXRpb25DbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIwsIlz5nZ3HxeYofTpYKr6RcfQMe/jZxPuHcljT+8pBOZ6KmYcyxeRTO074yP6yF8b1IqFskII+qqmCT8nDsb8xdo5Ee0oqL1LKR+xeTgg2ZXXoocxqR1AdxWFVdlMxMSjKIEGE+MnSDdB6vgXahhpUbAS7cdrNoAFKNIz+vrt1AgMBAAGjWTBXMFUGA1UdAQROMEyAEB4cu6OjBqQHct6przmowGyhJjAkMSIwIAYDVQQDExk0TU9TVEdlbkludGVncmF0aW9uU2VydmVyghD75YH5y52zsU5wcmZLJzPiMAkGBSsOAwIdBQADgYEA2BinUmEfgZKcb1qFD1T5ajc2OWHGLjDLpDi8Y7amM4P3rFGvelx7NmCNUH88iGS9LcbDsmY59HcZwUavtPOr4LMRDhl+5YuGht1fIYEk8QSDIhjevijgDOIVBBAeNIA8tva1faMNtYnFXsj0VxMvlrZ4exeKFVFjv2sib5YNFxY=" />
</identity>
</endpoint>
</client>
</system.serviceModel>
现在,关于证书(是的,这仅用于测试):GenIntegrationServer.cer已创建为自签名CA根证书,带有用于签署客户端证书的私钥。GenIntegrationServer和GenIntegrationClient证书都是使用makecert生成的。客户端证书链接到私钥,并正确安装在个人存储中
我对证书、私钥和安全通信还是很陌生——我根本无法解释我在哪里犯了错误。我没有找到太多关于以这种方式专门使用证书的帖子
在我掉头发或睡觉之前,有人能帮我吗
更新
根据请求,我添加了日志记录。但他们透露的最多的是:
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>a:InvalidSecurity</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-ZA">An error occurred when verifying security for the message.</s:Text>
</s:Reason>
</s:Fault>
</s:Body>
s:发件人
a:无效安全
验证邮件的安全性时出错。
遗憾的是,我仍然不明白为什么安全验证失败了。有什么想法吗?原来我需要将证书添加到不同的存储区 除了已经在个人存储中设置了证书(如配置所示),我还必须在客户机上安装服务器的证书,反之亦然。我还必须确保客户机包含客户机证书的个人密钥,服务器也包含同样的密钥
这听起来不太完整,但我将发布一篇完整的文章,介绍我是如何做到这一点的。为详细日志记录配置服务客户端和主机()。这会让你更好地了解谈判失败时内部的问题所在。使用此信息可以解决问题,或者在获得更多信息后询问更具体的问题。此外,我在安装程序中遇到的一个常见问题是IIS服务帐户对私钥没有读取权限。安装WSE3.0工具,然后使用证书工具授予私钥权限。根据请求添加日志记录。我将根据结果编辑我的问题。您是否使用服务日志查看器工具查看日志?这里应该有更多的信息。我确实使用了跟踪日志查看器,但这似乎不是我的问题(是的,它产生了很多信息,但没有一个与我相关)。我的证书没有安装在正确的证书存储中。除了安装在个人存储中之外,各方还需要在受信任的人员证书存储中安装彼此的证书。稍后我将发布完整的解决方案。谢谢如果您找到了自己问题的解决方案,请注意,您可以将自己的答案标记为正确答案。