我需要通过SSL使用WCF服务,而请求需要用一个证书签名,响应需要用另一个证书验证。
我在执行代码时遇到这个错误:
找不到"System.IdentityModel.Tokens.X509SecurityToken"令牌类型的令牌验证器。根据当前安全设置,不能接受该类型的令牌。
根据WCF跟踪,它在尝试验证响应签名时失败,因为我可以看到来自服务器的响应。
以下是我的WCF服务设置:
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="true"
logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
<endToEndTracing propagateActivity="true" activityTracing="true"
messageFlowTracing="true" />
</diagnostics>
<behaviors>
<endpointBehaviors>
<behavior name="CHClientCertificateBehavior">
<clientCredentials supportInteractive="true">
<clientCertificate findValue="clientcert" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="servercert" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="None" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="DPBasicHttpBindingWithSSL" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288"
textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"
messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<customBinding>
<binding name="DPCustomHttpBindingWithSSL">
<security authenticationMode="CertificateOverTransport" allowSerializedSigningTokenOnReply="true" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireDerivedKeys="false"
securityHeaderLayout="Lax" />
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport maxBufferPoolSize="2097152" maxBufferSize="524288" maxReceivedMessageSize="524288" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://myserver/service.asmx"
behaviorConfiguration="CHClientCertificateBehavior" binding="customBinding"
bindingConfiguration="DPCustomHttpBindingWithSSL" contract="ServiceRef.smssoap"
name="smsEndpoint">
<identity>
<certificateReference storeName="My" storeLocation="LocalMachine"
x509FindType="FindBySubjectName" findValue="myserver" />
</identity>
</endpoint>
</client>
</system.serviceModel>
正如您所看到的,我尝试了basicHttpBinding和customBinding(使用在线工具转换http://webservices20.cloudapp.net/default.aspx),我尝试设置不同的设置组合变体,但仍然出现此错误。
知道吗?取消响应证书签名验证也是一个选项,但我该如何设置它
尝试使用具有以下配置的自定义绑定:
<security allowSerializedSigningTokenOnReply="true" />
我遇到了同样的问题,并在这里发布了解决方案(对于那些来这里寻求答案的人):
WCF-找不到X509SecurityToken 的令牌验证器
基于这个问题,它似乎是相同的解决方案:
- 将
authenticationMode="CertificateOverTransport"更改为authenticationMode="MutualCertificate" - 使用
MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 - 在生成的客户端中,将
ProtectionLevel = ProtectionLevel.Sign添加到ServiceContractAttribute。这样可以避免对主体进行加密
已解决
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="DPSSLXDIG">
<clientCredentials supportInteractive="false">
<clientCertificate findValue="clientcert" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="servercert" storeName="TrustedPeople" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="None" revocationMode="NoCheck" />
</serviceCertificate>
<windows allowNtlm="false" allowedImpersonationLevel="None" />
<httpDigest impersonationLevel="None" />
<peer>
<peerAuthentication revocationMode="NoCheck" />
</peer>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="DPSSLXDIG">
<textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
<security allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificateDuplex"
requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="false">
<secureConversationBootstrap />
</security>
<httpsTransport authenticationScheme="Anonymous" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://myserver/webservice.asmx"
behaviorConfiguration="DPSSLXDIG" binding="customBinding"
bindingConfiguration="DPSSLXDIG" contract="serviceRef.smssoap"
name="smsEndpoint">
<identity>
<dns value="servercert" />
</identity>
</endpoint>
</client>
</system.serviceModel>