A client certificate (issued by a commercial CA) was replaced because the old one had expired, and after that communication with one of the services stopped working. In the server trace we get the following error:
System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=aaa.ccc.ff, O=XXXXX, L=Brbr, C=XX chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
The same certificate is used to authenticate against services of other companies that use the same configuration, and there it has always worked fine.
The service configuration is as follows:
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="A2AValidation" type="xxxyyyzzz.A2AValidation+CustomBehaviorSection, xxxyyyzzz A2A, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</behaviorExtensions>
</extensions>
<protocolMapping>
<add scheme="http" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="WcfServiceBinding">
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="true" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ClientSecBehavior" name="xxxyyyzzz.Service">
<endpoint address="" behaviorConfiguration="A2AValidationBehavior" binding="wsHttpBinding" bindingConfiguration="WcfServiceBinding" name="A2AmessageEndpoint" contract="xxxyyyzzz.IService" />
<endpoint address="mex" binding="mexHttpsBinding" name="A2AMessageEndpointMex" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://xxxyyyzzz:10002/XX/A2A/Service.svc" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="A2AValidationBehavior">
<A2AValidation />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ClientSecBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" mapClientCertificateToWindowsAccount="true" />
</clientCertificate>
<serviceCertificate findValue="______" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<diagnostics wmiProviderEnabled="true">
<messageLogging logEntireMessage="true" logKnownPii="false" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="500" />
<endToEndTracing messageFlowTracing="true" />
</diagnostics>
</system.serviceModel>
The client configuration is as follows (it also contains the configuration for the other company's service, which works fine):
<system.serviceModel>
<diagnostics>
<messageLogging
logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"
maxMessagesToLog="3000"
maxSizeOfMessageToLog="2000"/>
</diagnostics>
<bindings>
<wsHttpBinding>
<binding name="YYYY_A2AMessageEndpoint_BindingConfig" maxReceivedMessageSize="2147483647">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
<binding name="XXXYYYZZZ_A2AMessageEndpoint_BindingConfig">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="YYYY_A2AMessageEndpoint_BehaviorConfig">
<clientCredentials>
<serviceCertificate>
<authentication
certificateValidationMode="PeerOrChainTrust"
revocationMode="NoCheck"
trustedStoreLocation="LocalMachine" />
</serviceCertificate>
<clientCertificate findValue="__________" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" />
</clientCredentials>
</behavior>
<behavior name="XXXYYYZZZ_A2AMessageEndpoint_BehaviorConfig">
<clientCredentials>
<serviceCertificate>
<authentication
certificateValidationMode="PeerOrChainTrust"
revocationMode="NoCheck"
trustedStoreLocation="LocalMachine" />
</serviceCertificate>
<clientCertificate findValue="__________" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint
name="YYYY_A2AMessageEndpoint"
contract="A2AMessageService.IService"
address="http://YYYY:10002/a2a/Service.svc"
binding="wsHttpBinding" bindingConfiguration="YYYY_A2AMessageEndpoint_BindingConfig"
behaviorConfiguration="YYYY_A2AMessageEndpoint_BehaviorConfig" >
<identity>
<certificate encodedValue="xyz=" />
</identity>
</endpoint>
<endpoint
name="XXXYYYZZZ_A2AMessageEndpoint"
contract="A2APTAMessageService.IService"
address="http://XXXYYYZZZ:10002/PTA/A2A/Service.svc"
binding="wsHttpBinding" bindingConfiguration="XXXYYYZZZ_A2AMessageEndpoint_BindingConfig"
behaviorConfiguration="XXXYYYZZZ_A2AMessageEndpoint_BehaviorConfig" >
<identity>
<certificate encodedValue="xyz=" />
</identity>
</endpoint>
</client>
</system.serviceModel>
The certificate is correctly registered in the IIS certificate mapping and in the AD certificate mapping, and the whole certificate chain of the client certificate is displayed correctly in both IIS and AD. The certificate used by the client has the following purposes:
But I don't think this is the problem, because one of the services works with this kind of certificate without any issues.
After migrating the other service to a new server, the problem appeared on the new server as well.
One more thought: in the Enhanced Key Usage the certificate has "Server Authentication" in addition to "Client Authentication". Could that change the behaviour of the AD security provider when it checks the validity of the certificate? There is no certificate in the NTAuth store on the server.
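The error quoted above is what WCF reports when neither half of certificateValidationMode="PeerOrChainTrust" succeeds: the leaf is not in the TrustedPeople store (PeerTrust) and the Windows chain engine cannot build a chain to a trusted root (ChainTrust). The script below is an added diagnostic, not code from the original question; it runs the same two checks on the service host with the same revocationMode="NoCheck" the service config uses, prints where each CA certificate in the built chain was (or was not) found in the machine-wide stores, lists the EKUs the post asks about, and dumps the enterprise NTAuth store. It assumes the public part of the failing client certificate has been exported to the placeholder path in $CertPath and that it is run in an elevated PowerShell on the server.

```powershell
# Added diagnostic script (not part of the original question).
# Assumption: the failing client certificate (public part only) was exported to $CertPath.
param(
    [string]$CertPath = 'C:\temp\client.cer'   # placeholder path, adjust to your export
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
"Leaf: {0}  thumbprint {1}  valid {2:u} .. {3:u}" -f $cert.Subject, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter

# --- 1. ChainTrust: build the chain exactly as the service does (revocationMode="NoCheck").
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Chain build succeeded: $built"
if (-not $built) {
    # UntrustedRoot = root is not in Trusted Root CAs; PartialChain = an issuer could not be located at all.
    "Chain status: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

# Show each element of the chain that was constructed and whether the CA certificates
# are present in the machine-wide Root / CA (intermediate) stores.
$rootTps = @((Get-ChildItem Cert:\LocalMachine\Root).Thumbprint)
$caTps   = @((Get-ChildItem Cert:\LocalMachine\CA).Thumbprint)
foreach ($el in $chain.ChainElements) {
    $c  = $el.Certificate
    $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $st) { $st = 'OK' }
    $where = @()
    if ($rootTps -contains $c.Thumbprint) { $where += 'LocalMachine\Root' }
    if ($caTps   -contains $c.Thumbprint) { $where += 'LocalMachine\CA' }
    if ($where.Count -eq 0) { $where = @('not in LocalMachine Root/CA stores') }
    "  {0}`n     issuer: {1}`n     status: {2}; found in: {3}" -f $c.Subject, $c.Issuer, $st, ($where -join ', ')
}

# --- 2. PeerTrust: with trustedStoreLocation="LocalMachine" the leaf itself must be in
# LocalMachine\TrustedPeople for the "Peer" half of PeerOrChainTrust to pass.
$peer = Get-ChildItem Cert:\LocalMachine\TrustedPeople | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
"Leaf present in LocalMachine\TrustedPeople (PeerTrust): $([bool]$peer)"

# --- 3. Enhanced Key Usage, so the extra "Server Authentication" purpose the post mentions is visible.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) { "EKU: " + (($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ') }

# --- 4. Enterprise NTAuth store (the post says it is empty on this server).
certutil -enterprise -store NTAuth
```

If step 1 ends in UntrustedRoot or PartialChain, the line "found in:" tells you which CA certificate of the new commercial chain is missing from the server's machine stores; a certificate that works elsewhere only proves that those hosts already trust the new chain. Step 2 shows whether the old certificate had been passing on PeerTrust alone, which a renewed certificate with a different thumbprint would silently stop doing.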
If the code on the machine where it works is the same as yours and only the certificate differs, try exporting the certificate from the working machine and importing it on your machine.