
basicHttpBinding authentication error

Stack Overflow user
Asked 2015-01-01 22:05:13
Answers: 1 | Views: 1.2K | Followers: 0 | Votes: 1

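I'm new to web services, and I need to implement basicHttpBinding for a desktop application on an existing web service that uses wsHttpsBinding. When I try to consume the service from the desktop application, I get the following error:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

The web.config file on the web service, with the wsHttpsBinding and basicHttpBinding, looks like this:
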
<system.serviceModel>
<diagnostics>
  <messageLogging logEntireMessage="true" logMalformedMessages="true"
    logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true"
    maxMessagesToLog="25000">
    <filters>
      <clear />
    </filters>
  </messageLogging>
</diagnostics>

<behaviors>
  <serviceBehaviors>
    <behavior name="SecureBehave">
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust"/>
        </clientCertificate>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="HIBridgeLib.HIBridgeService.Security.MessageSecurityValidator, HIBridgeLib"/>
        <!--
        <serviceCertificate findValue="WCfServer"
          storeLocation="CurrentUser"
          storeName="My"
          x509FindType="FindBySubjectName" />
        -->
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="True" httpsGetEnabled="True"/>
      <serviceDebug includeExceptionDetailInFaults="True" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<bindings>
  <wsHttpBinding>
    <binding name="HIBridge_SSLBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
        <message clientCredentialType="UserName" negotiateServiceCredential="True" establishSecurityContext="True" />
      </security>
    </binding>
  </wsHttpBinding>

  <basicHttpBinding>
    <binding name="HIBridge_BasicBinding" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
      </security>
      <readerQuotas maxStringContentLength="2147483647" />
    </binding>
  </basicHttpBinding>
</bindings>

<services>
  <service name="HIBridgeWebService.HIBridgeService" behaviorConfiguration="SecureBehave">
    <endpoint address="basic" binding="basicHttpBinding" bindingConfiguration="HIBridge_BasicBinding" contract="HIBridgeLib.HIBridgeService.IHIBridgeService"></endpoint>
    <endpoint address="ws" binding="wsHttpBinding" bindingConfiguration="HIBridge_SSLBinding" contract="HIBridgeLib.HIBridgeService.IHIBridgeService"></endpoint>
    <host>
      <baseAddresses>
        <add baseAddress="https://10.50.1.85:1125/HIBridge/HIBridgeService.svc" />
      </baseAddresses>
    </host>
  </service>
</services>
</system.serviceModel>

The userNameAuthentication looks like this:

using System;
using System.IdentityModel.Selectors;
using System.ServiceModel;

namespace HIBridgeLib.HIBridgeService.Security
{
  public class MessageSecurityValidator : UserNamePasswordValidator
  {
     private const string USERNAME = "username";
     private const string PASSWORD = "password";

     public override void Validate(string userName, string password)
     {
        if (userName == null || password == null)
        {
            throw new ArgumentNullException();
        }

        if (USERNAME.Equals(userName) && PASSWORD.Equals(password))
        { 
        }
        else
        {    
            throw new FaultException("Invalid Message Security Credentials");
        }
    }
  }
}

My desktop application code for consuming the web service looks like this:

ChannelFactory<HIBridgeLib.HIBridgeService.IHIBridgeService> myChannelFactory = null;
HIBridgeLib.HIBridgeService.IHIBridgeService HIBridgeService = null;
System.ServiceModel.BasicHttpBinding basicHTTPBinding = new System.ServiceModel.BasicHttpBinding();

basicHTTPBinding.Name = "HIBridge_BasicBinding";
basicHTTPBinding.OpenTimeout = TimeSpan.FromMinutes(1);
basicHTTPBinding.CloseTimeout = TimeSpan.FromMinutes(1);
basicHTTPBinding.SendTimeout = TimeSpan.FromMinutes(1);
basicHTTPBinding.ReceiveTimeout = TimeSpan.FromMinutes(10);
basicHTTPBinding.BypassProxyOnLocal = false;                
basicHTTPBinding.HostNameComparisonMode = System.ServiceModel.HostNameComparisonMode.StrongWildcard;
basicHTTPBinding.MaxBufferPoolSize = 2147483647;
basicHTTPBinding.MaxReceivedMessageSize = 2147483647;
basicHTTPBinding.MessageEncoding = System.ServiceModel.WSMessageEncoding.Text;
basicHTTPBinding.TextEncoding = Encoding.UTF8;
basicHTTPBinding.UseDefaultWebProxy = true;
basicHTTPBinding.AllowCookies = false;
basicHTTPBinding.Security.Mode = System.ServiceModel.BasicHttpSecurityMode.TransportWithMessageCredential;
basicHTTPBinding.Security.Transport.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Certificate;
basicHTTPBinding.Security.Transport.ProxyCredentialType = System.ServiceModel.HttpProxyCredentialType.None;
basicHTTPBinding.Security.Transport.Realm = "";

System.ServiceModel.EndpointAddress endpointAddress = null;

if (LocalMedCart.CartProfile.ConsoleHostname.Contains("/HIBridge/HIBridgeService.svc"))
      endpointAddress = new System.ServiceModel.EndpointAddress(LocalMedCart.CartProfile.ConsoleHostname + "/basic");
else
      endpointAddress = new System.ServiceModel.EndpointAddress(string.Format("https://{0}:{1}/HIBridge/HIBridgeService.svc/basic", LocalMedCart.CartProfile.ConsoleHostname, LocalMedCart.CartProfile.CommunicationPort));

HIBridgeLib.HIBridgeService.Security.PermissiveCertificatePolicy.Enact(string.Format("CN={0}", LocalMedCart.CertificateName));

myChannelFactory = new ChannelFactory<HIBridgeLib.HIBridgeService.IHIBridgeService>(basicHTTPBinding, endpointAddress);
myChannelFactory.Credentials.UserName.UserName = "username";
HIBridgeService = myChannelFactory.CreateChannel();

//do something

((IClientChannel)HIBridgeService).Close();
myChannelFactory.Close();

What is causing the error?

1 Answer

Stack Overflow user

Posted 2015-01-01 23:27:14

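It sounds like you are specifically targeting the service's basicHttpBinding. So the wsHttpBinding settings and the MessageSecurityValidator class are not relevant. In general, the client settings should match the server-side settings, which use transport security with a certificate client credential. As far as WCF is concerned, this certificate will identify the user. So rather than trying to set a username, you need to make sure you are using a valid certificate that the server recognizes. Unfortunately, I don't have enough information to troubleshoot your certificate exactly, but check that:

  1. Your local certificate store (on the machine running the desktop application) actually has a certificate that the service recognizes as valid.
  2. The certificate is specified correctly. MSDN suggests something like myClient.ClientCredentials.ClientCertificate.SetCertificate(...) to supply the certificate. (The sample service in the link uses wsHttpBinding rather than basicHttpBinding, but it should make no difference for this aspect of the configuration.)
  3. The web server hosting the service is actually configured for client certificate authentication. One reference suggests checking the output of netsh http show sslcert at an administrator command prompt on the web server to see whether Negotiate Client Certificate is enabled for the site.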
Votes: 1
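
The client-side setup the answer describes, as an added example that is not part of the original question or answer: the binding mirrors the server's HIBridge_BasicBinding (Transport security, Certificate credential), and the client certificate is checked before it is attached. The class name, the CurrentUser\My store location and the subject-name lookup are assumptions; TContract stands for the service contract interface.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public static class BasicCertClient
{
    // TContract is the service contract interface, e.g. IHIBridgeService from the question.
    public static ChannelFactory<TContract> Create<TContract>(Uri address, string subjectName)
    {
        // Mirror the server binding: Transport security with a certificate credential.
        // TransportWithMessageCredential on the client would not match the server's Transport mode.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<TContract>(binding, new EndpointAddress(address));
        factory.Credentials.ClientCertificate.Certificate = FindClientCertificate(subjectName);
        return factory;
    }

    // Looks in CurrentUser\My (an assumption; use the store your certificate is installed in).
    public static X509Certificate2 FindClientCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so an expired or untrusted match is reported instead of hidden.
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with subject '" + subjectName + "' in CurrentUser\\My.");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no private key; it cannot be used for TLS client authentication.");
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is outside its validity period.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

If the certificate passes these local checks and the service still reports the 'Anonymous' scheme, the remaining items to verify are on the server: whether it trusts the certificate and whether client certificate negotiation is enabled for the site.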
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/27735118
