Problem description:

I am implementing a mutual handshake over HTTPS using WCF, and I receive an error:

"The HTTP request was forbidden with client authentication scheme 'Anonymous'."

Service code:

```csharp
// Transport security (HTTPS) with the client identified by an X.509 certificate
var binding = new BasicHttpBinding()
{
    Security =
    {
        Mode = BasicHttpSecurityMode.Transport,
        Transport = { ClientCredentialType = HttpClientCredentialType.Certificate },
    },
};

var sh = new ServiceHost(typeof(EchoService), new Uri("https://localhost:9876"));
//sh.Description.Behaviors.Add(new ServiceMetadataBehavior());
//sh.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName, MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");
sh.AddServiceEndpoint(typeof(IEchoService), binding, "");

// Server certificate selected from LocalMachine\My by thumbprint
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
sh.Open();
```

Client code:

```csharp
// Same binding settings as the service side
var binding = new BasicHttpBinding()
{
    Security =
    {
        Mode = BasicHttpSecurityMode.Transport,
        Transport = { ClientCredentialType = HttpClientCredentialType.Certificate },
    },
};

var sslClientFactory = new ChannelFactory<IEchoService>(binding, "https://localhost:9876");

// Client certificate selected from LocalMachine\My by thumbprint
sslClientFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

var sslClient = sslClientFactory.CreateChannel();
var response = sslClient.Echo("Https Echo");
```

I have assigned this certificate to the port using httpcfg.

If I change binding from BasicHttpBinding to NetTcpBinding it works fine.

If I run two instances of my service (in one process), one which uses NetTcpBinding and second one which uses BasicHttpBinding, and consume it from net tcp client and https client, both works fine (clients use the same certificate).

Why is it that, if I run only my https client, I get "The HTTP request was forbidden with client authentication scheme 'Anonymous'."?

User answer:

I have noticed that I have a lot of doubled certs (pairs of two identical certs with the same thumbprint) in the store (I don't know how I put them there like that), and I think that this was the problem. Maybe when certs are doubled in the store, the server sends to the client only those issuers from the non-doubled certs?
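A diagnostic added here (it is not code from the question or the answer) that inspects the LocalMachine\My store for the duplicated entries the answer describes, and for the other properties a client certificate needs before the handshake can present it; the `Thumbprint` constant is a placeholder to replace with the value used in the client's `SetCertificate` call.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class CertStoreCheck
{
    // Placeholder: use the thumbprint passed to SetCertificate(...) on the client.
    const string Thumbprint = "REPLACE_WITH_CLIENT_CERT_THUMBPRINT";
    const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    static void Main()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);

            // 1. Entries that share a thumbprint: the condition the answer suspects.
            var duplicates = store.Certificates.Cast<X509Certificate2>()
                .GroupBy(c => c.Thumbprint, StringComparer.OrdinalIgnoreCase)
                .Where(g => g.Count() > 1);
            foreach (var g in duplicates)
                Console.WriteLine($"Duplicate thumbprint {g.Key}: {g.Count()} entries");

            // 2. The certificate the client code would select by thumbprint.
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (found.Count == 0) { Console.WriteLine("Client cert not found"); return; }
            var cert = found[0];

            // 3. Without a usable private key the cert cannot be offered at all.
            Console.WriteLine($"Has private key: {cert.HasPrivateKey}");

            // 4. If an EKU extension exists it must allow Client Authentication.
            var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
            bool clientAuthOk = eku == null ||
                eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEku);
            Console.WriteLine($"Client Authentication EKU ok: {clientAuthOk}");

            // 5. The chain must build locally; a cert whose chain fails is a common
            //    reason the client falls back to sending no certificate (Anonymous).
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                Console.WriteLine($"Chain builds: {chain.Build(cert)}");
                foreach (var status in chain.ChainStatus)
                    Console.WriteLine($"  {status.Status}: {status.StatusInformation}");
            }
        }
    }
}
```

Run it on the client machine; any duplicate thumbprints reported in step 1 can then be removed from the store until exactly one entry remains for the certificate the client selects.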
