它是一个.NET 6项目。证书从pfx文件导入到本地计算机存储。使用以下代码,跳过不相关的部分,当服务帐户添加到本地Administrators组时,一切都很好。
var certStore = new X509Store(storeName, storeLocation);
certStore.Open(OpenFlags.ReadOnly);
var _clientCertificate = certStore.Certificates
.Find(X509FindType.FindByThumbprint, thumbprint, false)
.FirstOrDefault();
...
BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var client = new Client(binding, endpoint);
client.ClientCredentials.ClientCertificate.Certificate = _clientCertificate;
...
当帐户不在本地管理员组中时,会引发以下异常:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'other.service.com'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
我在这里错过了什么?
据我所知,可能有以下原因:
-
当您说您不在本地管理员组中时,错误将是因为管理员和常规成员具有不同的权限。您可以尝试将用户置于管理员中重试,如果成功,则说明问题所在。
-
验证网站SSL证书是否受信任。如果SSL证书不受信任,则需要安装SSL证书的根证书。您可以查看案例以获得更多解决方案。
希望能有所帮助。