消耗第三方WSDL文件并使用第三方证书和用户名凭证进行身份验证的问题
对于任何可以帮助的人,
To anyone who can help,
我在使用证书和用户名证券的组合时消耗了我提供的第三方WSDL和凭据,因此遇到了WCF .NET问题.无疑是与.NET WCF绑定有关.
I'm having WCF .NET issues with using a combination of certificate and user name securities consuming a 3rd Party WSDL and credentials I was provided. The confusion is definitely with .NET WCF binding.
首先让我开始使用SOAPUI来测试WSDL文件以及带有空SOAP消息的用户名和密码.为此,我指向了第三方WSDL文件,并使用用户名和密码创建了传出WS-Security配置. 和时间戳记.然后,我创建了一个新请求并添加了WS-Configuration.我在SOAPUI中运行了请求",并且一切正常,并且得到了答复.运行Wireshark会显示客户端和服务器Hello,正在通过证书 来回,以及应用程序数据.一切都很好.
Let me start off with that I used SOAPUI at first to test the WSDL file and the username and password with an empty SOAP message. To do this I pointed to the 3rd party WSDL file, and created the Outgoing WS-Security configurations with the username and password and Time Stamp. I then created a New Request and added the WS-Configuration. I ran the Request in SOAPUI and everything is working fine and I am getting a response back. Running Wireshark shows the Client and Server Hellos, the cert being passed back and forth, and the Application Data. All looks fine.
我现在需要在.NET中复制此通信!
I NOW need to replicate this communication in .NET!
-我已经在本地系统\个人存储"和本地系统\受信任的根存储"中安装了证书.
- I have installed the certificate in the both the Local System\Personal Store and the Local System\Trusted Root Stores.
-我已将对证书的私钥的访问权限授予了我的本地域帐户,网络服务和IIS \ app池.
- I have granted access to the private keys to the certificate to my local domain account, Network Service, and IIS\app pool.
-我将服务参考添加到.Net项目
- I added the Service Reference to the .Net Project
-然后我执行以下操作:
- I then did the following:
将商店作为新的X509Store
store =新的X509Store(StoreName.Root,StoreLocation.LocalMachine)
store.Open(OpenFlags.ReadOnly或OpenFlags.OpenExistingOnly)
Dim store As New X509Store
store = New X509Store(StoreName.Root, StoreLocation.LocalMachine)
store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
将newCert视作新的X509Certificate2
newCert = store.Certificates.Find(X509FindType.FindBySubjectName,"XXXXXXXXXX",False)(0)
Dim newCert As New X509Certificate2
newCert = store.Certificates.Find(X509FindType.FindBySubjectName, "XXXXXXXXXX", False)(0)
昏暗的身份= EndpointIdentity.CreateDnsIdentity("XXXXXXXX")
昏暗的端点=新的EndpointAddress(新的Uri(https://),身份)
昏暗的绑定=新的WSHttpBinding
binding.Security.Mode = SecurityMode.TransportWithMessageCredential'运输---不确定其中之一
Dim identity = EndpointIdentity.CreateDnsIdentity("XXXXXXXX")
Dim endpoint = New EndpointAddress(New Uri(https://), identity)
Dim binding = New WSHttpBinding
binding.Security.Mode = SecurityMode.TransportWithMessageCredential 'Transport --- NOT SURE WHICH ONE
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate
binding.UseDefaultWebProxy = True
binding.BypassProxyOnLocal = False
binding.Security.Message.NegotiateServiceCredential = True'False
binding.Security.Message.CreateSecurityContext = False
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate
binding.UseDefaultWebProxy = True
binding.BypassProxyOnLocal = False
binding.Security.Message.NegotiateServiceCredential = True 'False
binding.Security.Message.EstablishSecurityContext = False
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
'将svc作为新的SvcClient(GetCustomBinding(),端点)
'将svc作为新的SvcClient(GetCustomBinding2(),端点)
昏暗的svc作为新的SvcClient(绑定,端点)
'Dim svc As New SvcClient(GetCustomBinding(), endpoint)
'Dim svc As New SvcClient(GetCustomBinding2(), endpoint)
Dim svc As New SvcClient(binding, endpoint)
'svc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.None
svc.ClientCredentials.UserName.UserName ="XXXX"
svc.ClientCredentials.UserName.Password ="XXXX"
'svc.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.None
svc.ClientCredentials.UserName.UserName = "XXXX"
svc.ClientCredentials.UserName.Password = "XXXX"
svc.ClientCredentials.ClientCertificate.Certificate = newCert
svc.ClientCredentials.ServiceCertificate.DefaultCertificate = newCert
'svc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
svc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None
svc.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Offline
svc.ClientCredentials.ClientCertificate.Certificate = newCert
svc.ClientCredentials.ServiceCertificate.DefaultCertificate = newCert
'svc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
svc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None
svc.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Offline
-现在我尝试使用WSHttpBinding并执行TransportWithMessageCredential,但是随后出现错误:无法使用授权"为SSL/TLS建立安全通道.并且WIRESHARK显示SSL握手失败.
- Now I tried using WSHttpBinding and doing the TransportWithMessageCredential, but then I get a " Error: Could not establish secure channel for SSL/TLS with authority" and WIRESHARK shows a SSL Handshake Failure.
如果我将WSHttpBinding更改为使用"Transport",那么我不会得到WIRESHARK的"SSL握手失败",该证书看起来像是与加密的握手消息"一起使用时一样.我看到应用程序数据"发送, 但是我得到内部错误(来自服务器)" .NET错误System.ServiceModel.FaultException.
If I change the WSHttpBinding to use "Transport", then I don't get the WIRESHARK "SSL Handshake failure", the Certificate looks like it works with a "Encrypted Handshake Message" I see "Application Data" sends, but then I get "Internal Error (from server)" .NET Error System.ServiceModel.FaultException.
-因此,我决定尝试使用不同的Custom BindingMethods.
- SO, I then I decided to try and use different Custom BindingMethods.
-首先,我尝试将非对称绑定和对称绑定与 一起使用用户名和密码的X509SecurityTokenParameters和UserNameSecurityTokenParameters.当我以这种方式进行自定义绑定时,WIRESHARK仍然显示正在发送的证书, 但随后我在.NET错误中得到System.ServiceModel.FaultException,内部消息为内部错误"
- First, I tried using Asymetric Binding and Symetric Binding with X509SecurityTokenParameters and UserNameSecurityTokenParameters for the UserName and Password. When I did custom Binding this way, WIRESHARK still shows the certificate being sent, but I then get System.ServiceModel.FaultException in .NET error with the Inner Message of "Internal Error"
-上次我尝试使用
-Lastly I tried using
将messageSecurity设置为TransportSecurityBindingElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement()
Dim messageSecurity As TransportSecurityBindingElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement()
'为客户端X509证书创建支持令牌参数.
将昏暗的clientX509SupportingTokenParameters设置为新的X509SecurityTokenParameters()
'指定将支持令牌传递到客户端发送给服务的消息中
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
'关闭派生键
clientX509SupportingTokenParameters.RequireDerivedKeys = False
'增强绑定元素,要求客户端的X509证书作为消息中的认可令牌
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters)
messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default
messageSecurity.IncludeTimestamp = True
messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast
'Create supporting token parameters for the client X509certificate.
Dim clientX509SupportingTokenParameters As New X509SecurityTokenParameters()
' Specify that the supporting token is passed in message send by the client to the service
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
' Turn off derived keys
clientX509SupportingTokenParameters.RequireDerivedKeys = False
' Augment the binding element to require the client's X509certificate as an endorsing token in the message
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters)
messageSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Default
messageSecurity.IncludeTimestamp = True
messageSecurity.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast
该最后一种绑定方法仍然成功通过了证书,但是.NET错误为System.ServiceModel.Security.MessageSecurityException,其内部异常为从另一方收到了不安全或不正确的安全错误".
This last binding method still passed the Cert successfully but the .NET Error is System.ServiceModel.Security.MessageSecurityException with the Inner Exception of "An unsecured or incorrectly secured fault was received from the other party"
通过所有这些尝试,我错过了一些东西,而且我完全不确定接下来会发生什么.
With all these attempts, I am missing something and I am totally unsure what is going on anymore.
WCF日志似乎具有上述自定义绑定"尝试所需的整个信封,但我仍然茫然.
WCF Logging appears to have the whole envelope as needed with the Custom Binding attempts above, but I am still at a loss.
建议?
D,
您的SvcClient是什么?
What is your SvcClient?
这是3 sup rd</sup>吗?第三方服务WCF服务还是ASMX服务?
Is this 3<sup>rd</sup> party service WCF Service or ASMX service?
为了使用WCF服务,我们通常通过VS生成客户端代码.
For consuming WCF Service, we usually generate the client code by VS. Details like Right Click project->Add Service Reference->Enter the WSDL address->Go->OK.
If there is only WCF WSDL file, you could try ServiceModel Metadata Utility Tool (Svcutil.exe) to generate client code and app.config.
您可以参考下面的链接来访问服务.
You could refer the link below for accessing the service.
#访问服务
https://msdn.microsoft.com/en-us/library/bb386386.aspx
最好的问候,
爱德华