We want the server's certificate to be in the client's trusted store so the client can authenticate the server, and we want the client's messages encrypted with the server's public key, which means that only the server machine holds the certificate with the private key.
We use NetTcpBinding on both sides rather than customBinding. If this can be done, what is the correct configuration (in both the client and the server config)?
Thanks in advance.
Below is my WCF configuration.
<configuration>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="TcpSecureBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceDebug includeExceptionDetailInFaults="True" />
<serviceMetadata httpGetEnabled="true" />
<serviceAuthorization
principalPermissionMode="UseWindowsGroups">
</serviceAuthorization>
<serviceCredentials>
<windowsAuthentication includeWindowsGroups="true"
allowAnonymousLogons="false"/>
<clientCertificate>
<authentication certificateValidationMode="None"/>
</clientCertificate>
<serverCertificate
findValue="thumbprint"
storeLocation="LocalMachine"
x509FindType="FindByThumbprint"
storeName="My"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior"
name="ServiceModel.Calculator">
<endpoint address="net.tcp://localhost:8040/Calculator"
binding="netTcpBinding"
bindingConfiguration="TcpSecureBinding"
contract="ServiceModel.ICalculator" >
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</service>
</services>
</system.serviceModel>
</configuration>
Client configuration:
<configuration>
<system.serviceModel>
<client>
<endpoint address="net.tcp://localhost:8040/Calculator"
behaviorConfiguration="endpointCredentialBehavior"
binding="netTcpBinding"
bindingConfiguration="Binding1"
contract="ServiceModel.ICalculator">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="endpointCredentialBehavior">
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="Binding1">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
</configuration>
I am adding my current server and client configuration. I also have a few more questions:
At the authentication level we want the client to authenticate the server's cert (I think the server's public key should be in the TrustedPeople store). Is this possible?
Do you recommend we use Transport security or Message security?
If we want to authenticate client and server by NTLM (clientCredentialType="Windows"), can that be done in addition to the server's cert authentication, or can only one of them be applied? Until now we have used NTLM authentication.
Right now I'm getting the exception: "The requested upgrade is not supported by 'net.tcp://servername:8040/**'. This could be due to mismatched bindings (for example security enabled on the client and not on the server)." I understand this error occurs because the client is using Windows security and the server is on Certificate, but when I change the client security to Certificate as well, I get the error: "The client certificate is not provided". But I don't want to set a client certificate, and that is the main part of my problem.
We read that we can use these tags for server's cert authentication:
<identity> <certificate encodedValue="encoded certificate"/> </identity>
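The following is an added example and not part of the question or of any answer to it. It shows one NetTcpBinding configuration pair (server app.config first, then client app.config, in a single listing) that matches what the question asks for: the server is authenticated by its X.509 certificate over TLS, the client is authenticated by its Windows identity, and no client certificate is required. It assumes a service certificate installed in LocalMachine\My with subject CN=calc.example.local and the placeholder thumbprint shown; the hostname, thumbprint and behavior/binding names are made up for the example, while the port, service and contract names are reused from the question.

```xml
<!-- ===== Server app.config (added example; hostname and thumbprint are assumptions) ===== -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- TransportWithMessageCredential puts TLS on the TCP stream, authenticated
             by the server certificate alone, and carries the client's Windows
             credential at the message level. mode="Transport" with
             clientCredentialType="Certificate" would demand a client certificate
             (the "The client certificate is not provided" error), and mode="Transport"
             with clientCredentialType="Windows" uses SSPI negotiation, in which
             the server certificate is never used. -->
        <binding name="TcpServerCertBinding">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServerCertBehavior">
          <serviceCredentials>
            <!-- Private key stays on this machine; only it can complete the TLS handshake.
                 FindByThumbprint avoids picking up a different certificate with the same subject. -->
            <serverCertificate findValue="A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"
                               storeLocation="LocalMachine"
                               storeName="My"
                               x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="ServiceModel.Calculator" behaviorConfiguration="ServerCertBehavior">
        <endpoint address="net.tcp://calc.example.local:8040/Calculator"
                  binding="netTcpBinding"
                  bindingConfiguration="TcpServerCertBinding"
                  contract="ServiceModel.ICalculator" />
      </service>
    </services>
  </system.serviceModel>
</configuration>

<!-- ===== Client app.config (added example) ===== -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Must mirror the server binding exactly, otherwise the
             "The requested upgrade is not supported" fault is raised. -->
        <binding name="TcpServerCertBinding">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="TrustServerCert">
          <clientCredentials>
            <serviceCertificate>
              <!-- PeerTrust: the certificate the server presents must itself be present in
                   the TrustedPeople store of the given location (here LocalMachine);
                   no CA chain is consulted, which is what the question describes. -->
              <authentication certificateValidationMode="PeerTrust"
                              trustedStoreLocation="LocalMachine" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="net.tcp://calc.example.local:8040/Calculator"
                behaviorConfiguration="TrustServerCert"
                binding="netTcpBinding"
                bindingConfiguration="TcpServerCertBinding"
                contract="ServiceModel.ICalculator">
        <identity>
          <!-- Must match the subject CN (or a DNS SAN) of the server certificate;
               a certificate issued for another name fails the identity check. -->
          <dns value="calc.example.local" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

Two points a practitioner would check before shipping this: the client-side `<identity>` is what ties the TLS session to a specific certificate, so either keep the `<dns>` value equal to the certificate's subject name or replace it with the `<certificate encodedValue="..."/>` form mentioned in the question (the base64 DER of the server certificate), which pins the exact certificate rather than a name; and with PeerTrust only the TrustedPeople store is consulted, so a certificate that is removed from that store stops being accepted, but there is no revocation checking, which is acceptable for a self-signed certificate and not a substitute for ChainTrust when a real CA is available.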