c# - Failure when running a WCF service with a certificate

Tags: c# wcf ssl

I have a Windows service hosting a WCF service with the following configuration.

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Carglass.Movil.Service.CarglassService" behaviorConfiguration="CarglassServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:9002/CarglassServiceAGI" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="Carglass.Movil.Service.ICarglassService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CarglassServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <serviceCertificate findValue="CN=MWMWCF"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

The certificate is installed on the machine, and the Windows service is being run as a local administrator by the NETWORK SERVICE user. Permissions have been granted by running the following command:

netsh http add urlacl url=http://+:9002/CarglassServiceAGI user="NT AUTHORITY\NETWORK SERVICE"

...and also by giving that user "Full Control" through Manage Private Keys in mmc.exe.

But every time I try to run my service, I get the following exception:

System.ArgumentException: It is likely that certificate 'CN=MWMWCF' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocolFactory.Open(Boolean actAsInitiator, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionServerSettings.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open()
   at MWM.Service.WindowsService.AGI.ServiceController.OnStart(String[] args) in c:\TeamCity\buildAgent\work\MWM-Refactor\MWM.Service\MWM.Service.WindowsService.AGI\ServiceController.cs:line 45

If I remove this from the configuration, it works fine:

<message clientCredentialType="Certificate"/>

Best answer

This article explains how to build your certificates correctly and how to install them with sufficient permissions to make it all work: http://returnsmart.blogspot.co.uk/2015/10/how-to-create-your-own-signed.html
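The exception in the question names two distinct causes, and the accepted answer's link addresses the first (the certificate must be created with a key-exchange private key) while the question's netsh and mmc.exe steps address the second (the service account must be able to read the key). The following console program is an added diagnostic, not code from the question, the answer, or the linked article; it reproduces both checks so that, when run under the same account as the Windows service, it reports which condition fails. Only the subject name CN=MWMWCF and the LocalMachine\My store are taken from the question; the class and method names are mine.

```csharp
// Added diagnostic example (not part of the original question or answer).
// Reproduces the two conditions WCF's EnsureCertificateCanDoKeyExchange enforces
// for a service certificate used with <security mode="Message">:
//   1. the certificate has a private key that the current process can open, and
//   2. that key is an RSA key-exchange key (AT_KEYEXCHANGE), not a signature-only key.
// Run it as the service account (e.g. with psexec -u "NT AUTHORITY\NETWORK SERVICE")
// to see exactly what the service sees.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ServiceCertificateCheck
{
    // Subject from the question's <serviceCertificate findValue="CN=MWMWCF"/>.
    // WCF's default x509FindType for findValue is FindBySubjectDistinguishedName.
    const string Subject = "CN=MWMWCF";

    static int Main()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, Subject, false);
            if (matches.Count == 0)
            {
                Console.WriteLine("No certificate with subject '{0}' in LocalMachine\\My.", Subject);
                return 1;
            }
            bool allOk = true;
            foreach (X509Certificate2 cert in matches)
                allOk &= Report(cert);
            return allOk ? 0 : 1;
        }
        finally
        {
            store.Close();
        }
    }

    // Returns true when the certificate satisfies both conditions.
    static bool Report(X509Certificate2 cert)
    {
        Console.WriteLine("Thumbprint {0}, valid until {1:d}", cert.Thumbprint, cert.NotAfter);

        // HasPrivateKey only says the store has a key *linked* to the certificate;
        // it does not prove the key file is readable by this account.
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("  FAIL: no private key is associated with this certificate.");
            return false;
        }

        AsymmetricAlgorithm key;
        try
        {
            // Opening the key is where an ACL problem surfaces as a CryptographicException
            // such as "Keyset does not exist" or "Access is denied".
            key = cert.PrivateKey;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("  FAIL: cannot open private key as '{0}': {1}",
                Environment.UserName, ex.Message);
            return false;
        }

        var rsa = key as RSACryptoServiceProvider;
        if (rsa == null)
        {
            // Not a CAPI RSA key (for example a DSA key); the key-spec check below
            // only applies to CAPI keys, which is the case the question's error describes.
            Console.WriteLine("  WARN: key type {0} is not RSACryptoServiceProvider; key-spec check skipped.",
                key.GetType().Name);
            return false;
        }

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("  Key container: {0} (machine key store: {1})",
            info.UniqueKeyContainerName, info.MachineKeyStore);

        // WCF requires AT_KEYEXCHANGE. A certificate issued with a signature-only key
        // (makecert -sky signature, or a template that allows only Digital Signature)
        // produces exactly the "may not have a private key that is capable of key
        // exchange" message from the question.
        if (info.KeyNumber != KeyNumber.Exchange)
        {
            Console.WriteLine("  FAIL: key spec is {0}; WCF needs KeyNumber.Exchange.", info.KeyNumber);
            return false;
        }

        Console.WriteLine("  OK: readable key-exchange private key.");
        return true;
    }
}
```

The UniqueKeyContainerName printed for a CAPI machine key is the file name of the key under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; its NTFS ACL is what the "Manage Private Keys" dialog in mmc.exe edits, so if the first check passes as an administrator but fails as the service account, that file's ACL is the place to look. If the second check fails, no permission change will help: the certificate has to be reissued with a key-exchange key, which is what the linked article walks through.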

Regarding "c# - Failure when running a WCF service with a certificate", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/32904736/
