WCF WS2007FederationHttpBinding 与 HTTPS
Posted
技术标签:
【中文标题】WCF WS2007FederationHttpBinding 与 HTTPS【英文标题】:WCF WS2007FederationHttpBinding with HTTPS 【发布时间】:2016-12-22 23:30:44 【问题描述】:我在尝试连接到 HTTPS 代理后面的 WCF API 时遇到以下错误:
名称为“CN=hostname”的服务器证书未能通过身份验证,因为其指纹(“X”)与端点身份(“Y”)中指定的指纹不匹配。因此,当前的 HTTPS 请求失败。请更新客户端使用的端点身份或服务器使用的证书。
其中 X 是代理使用的证书的指纹,Y 是服务使用的证书的指纹
问题是我设法从 STS 获取令牌,但之后我无法执行任何 Web 服务调用。
我使用本地 SSL 代理在我的 PC 上重现了该问题,代理上使用的证书在我的 PC 上是受信任的。使用 HTTP 时一切正常。
我搜索了几天的解决方案,发现这篇知识库文章与我的问题很接近,但不再适用(我在 .Net 4.5 中运行示例和服务器):https://support.microsoft.com/en-us/kb/2564823
我错过了什么?
代码如下:
class Program
static void Main(string[] args)
Thread.CurrentThread.CurrentUICulture = new CultureInfo("en-us");
string serverUrl = ConfigurationManager.AppSettings["ServerURL"];
GenericXmlSecurityToken token = GetToken(serverUrl);
Console.WriteLine("Token Received");
Console.WriteLine(token);
TestServiceClient client = CreateClient(serverUrl, token);
try
client.SearchSomething();
Console.WriteLine("SearchSomething succeeded");
catch (Exception e)
Console.WriteLine("SearchSomething failed :" + e);
Console.ReadLine();
private static TestServiceClient CreateClient(string serverUrl, GenericXmlSecurityToken token)
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message)
MaxReceivedMessageSize = int.MaxValue,
MaxBufferPoolSize = int.MaxValue
;
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.IssuedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
binding.Security.Message.NegotiateServiceCredential = false;
binding.ReaderQuotas.MaxDepth = int.MaxValue;
binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
binding.ReaderQuotas.MaxBytesPerRead = int.MaxValue;
binding.ReaderQuotas.MaxNameTableCharCount = int.MaxValue;
var uri = new Uri(serverUrl + "Test.Service/Test.Service.svc");
var identity = new X509CertificateEndpointIdentity(new X509Certificate2(ConfigurationManager.AppSettings["ServiceCertificate"], ConfigurationManager.AppSettings["ServiceCertificatePassword"]));
var client = new TestServiceClient(binding, new EndpointAddress(uri, identity));
client.ClientCredentials.SupportInteractive = false;
var customBinding = new CustomBinding();
var bindingElements = binding.CreateBindingElements();
if (serverUrl.Contains("https"))
bindingElements.Remove<HttpTransportBindingElement>();
bindingElements.Add(new HttpsTransportBindingElement() MaxReceivedMessageSize = int.MaxValue );
customBinding.Elements.AddRange(bindingElements.ToArray());
client.Endpoint.Binding = customBinding;
var clientCredentials = new SamlClientCredentials(token, client.ClientCredentials);
client.Endpoint.Behaviors.Remove<ClientCredentials>();
client.Endpoint.Behaviors.Add(clientCredentials);
return client;
private static GenericXmlSecurityToken GetToken(string serverUrl)
string username = ConfigurationManager.AppSettings["Username"];
string password = ConfigurationManager.AppSettings["Password"];
string identityDnsName = ConfigurationManager.AppSettings["IdentityDnsName"];
string ClientCertificate = ConfigurationManager.AppSettings["ClientCertificate"];
string ClientCertificatePassword = ConfigurationManager.AppSettings["ClientCertificatePassword"];
string ServiceCertificate = ConfigurationManager.AppSettings["ServiceCertificate"];
string ServiceCertificatePassword = ConfigurationManager.AppSettings["ServiceCertificatePassword"];
var stsUrl = serverUrl + "Security.Sts/Security.Sts.svc";
GenericXmlSecurityToken token = null;
try
var customBinding = new CustomBinding();
var securityBindingElement =
(SymmetricSecurityBindingElement) SecurityBindingElement.CreateMutualCertificateBindingElement();
securityBindingElement.SetKeyDerivation(true);
securityBindingElement.MessageSecurityVersion =
MessageSecurityVersion
.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
securityBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
securityBindingElement.RequireSignatureConfirmation = false;
var securityTokenParameters = new UserNameSecurityTokenParameters()
InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
RequireDerivedKeys = false
;
securityBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(securityTokenParameters);
customBinding.Elements.Add(securityBindingElement);
if (serverUrl.StartsWith("http:"))
customBinding.Elements.Add(new HttpTransportBindingElement()
MaxReceivedMessageSize = int.MaxValue,
MaxBufferPoolSize = int.MaxValue,
MaxBufferSize = int.MaxValue
);
else if (serverUrl.StartsWith("https:"))
customBinding.Elements.Add(new HttpsTransportBindingElement()
MaxReceivedMessageSize = int.MaxValue,
MaxBufferPoolSize = int.MaxValue,
MaxBufferSize = int.MaxValue
);
var stsChannelFactory = new WSTrustChannelFactory(customBinding,
new EndpointAddress(new Uri(stsUrl), new DnsEndpointIdentity(identityDnsName)));
stsChannelFactory.Credentials.SupportInteractive = false;
stsChannelFactory.Credentials.ClientCertificate.Certificate = new X509Certificate2(ClientCertificate,
ClientCertificatePassword);
stsChannelFactory.Credentials.ServiceCertificate.DefaultCertificate =
new X509Certificate2(ServiceCertificate, ServiceCertificatePassword);
stsChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
stsChannelFactory.Credentials.UserName.UserName = username;
stsChannelFactory.Credentials.UserName.Password = password;
foreach (OperationDescription operationDescription in stsChannelFactory.Endpoint.Contract.Operations)
var operationBehavior =
operationDescription.Behaviors.Find<DataContractSerializerOperationBehavior>();
if (operationBehavior != null)
operationBehavior.MaxItemsInObjectGraph = int.MaxValue;
var stsChannel = stsChannelFactory.CreateChannel();
RequestSecurityToken request = new RequestSecurityToken();
request.KeyType = "http://schemas.microsoft.com/idfx/keytype/symmetric";
request.RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue";
request.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
token = (GenericXmlSecurityToken) stsChannel.Issue(request);
return token;
catch (Exception e)
Console.WriteLine("GetToken Exception :" + e);
return token;
internal class SamlClientCredentials : ClientCredentials
public GenericXmlSecurityToken Token get; private set;
public SamlClientCredentials(GenericXmlSecurityToken token, ClientCredentials clientCredentials)
: base(clientCredentials)
Token = token;
protected override ClientCredentials CloneCore()
return new SamlClientCredentials(Token, this);
public override SecurityTokenManager CreateSecurityTokenManager()
return new SamlSecurityTokenManager(this);
internal class SamlSecurityTokenManager : ClientCredentialsSecurityTokenManager
private SamlClientCredentials clientCredentials;
public SamlSecurityTokenManager(SamlClientCredentials clientCredentials)
: base(clientCredentials)
this.clientCredentials = clientCredentials;
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
return new SamlSecurityTokenProvider(this.clientCredentials.Token);
return base.CreateSecurityTokenProvider(tokenRequirement);
internal class SamlSecurityTokenProvider : SecurityTokenProvider
private readonly GenericXmlSecurityToken token;
public SamlSecurityTokenProvider(GenericXmlSecurityToken token)
this.token = token;
protected override SecurityToken GetTokenCore(TimeSpan timeout)
return token;
【问题讨论】:
在花费大量时间寻找解决方案之后,由于服务器身份检查,具有安全模式“消息”的 WS2007FederationHttpBinding 似乎不适合在此上下文中使用。仍然可以在 SSL 卸载程序和服务标识上使用相同的证书。 另一种安全模式“TransportWithMessageCredential”旨在与 HTTPS 一起使用,但消息仅在客户端和 SSL 卸载程序之间受到保护,而且必须在服务器端调整绑定,因为网络服务器未根据:linklink 处理 HTTPS 【参考方案1】:正如我对这个问题的评论: 在花费大量时间寻找解决方案之后,由于服务器身份检查,看来具有安全模式“消息”的 WS2007FederationHttpBinding 并不打算在此上下文中使用。仍然可以在 SSL 卸载程序和服务标识上使用相同的证书。
这是我选择保留安全模型并解决我的问题的解决方案
【讨论】:
以上是关于WCF WS2007FederationHttpBinding 与 HTTPS的主要内容,如果未能解决你的问题,请参考以下文章
如何在具有 WCF 服务参考的客户端中使用 IssuedToken