Is it possible to have WCF STS with username / password and client certificate?

I am using WIF with an STS. Everything works fine, and the client authenticates by sending its username / password as credentials.

We set up clients at customer sites. I would like each customer to use their own certificate for their clients. The reason for this is that checking the "client site" is not possible. I can deactivate some user accounts, but I cannot disconnect all clients installed at that customer at the same time.
If each customer had a different certificate, I could revoke the certificate, and no client from that customer would be able to connect anymore.

I could not find a way to get the client to send its certificate along with the communication. This is usually automatic when the certificate is the authentication mode, but in my case I need to install it in Windows and still send the username / password authentication.

Does anyone have an idea on how to achieve this? Or let me know if this is simply not possible.

Greetings.

+3
1 answer

Undoubtedly. You just need to do a bit of work to get started: a custom security binding extension element that describes which tokens you need and how they are to be used for signing / support. For purposes of clarification, I assume that you always want both the certificate and the username / password to be transferred.

The TransportSecurityBindingElement has supporting token parameters in three collections: SignedEncrypted, Signed and Endorsing. Add UserNameSecurityTokenParameters to SignedEncrypted and X509SecurityTokenParameters to Endorsing, so the username / password is signed and encrypted while the certificate endorses the message. For example:

public class MySecurityBindingElement : BindingElementExtensionElement
{
    public override void ApplyConfiguration(BindingElement bindingElement)
    {
        base.ApplyConfiguration(bindingElement);

        TransportSecurityBindingElement transportSecurityBindingElement = (TransportSecurityBindingElement)bindingElement;

        // Username / password travels as a signed and encrypted supporting token.
        transportSecurityBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(new UserNameSecurityTokenParameters());

        // The client certificate is an endorsing token: it signs the message (and the timestamp).
        transportSecurityBindingElement.EndpointSupportingTokenParameters.Endorsing.Add(new X509SecurityTokenParameters
        {
            InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
            ReferenceStyle = SecurityTokenReferenceStyle.Internal,
            RequireDerivedKeys = false,
            X509ReferenceStyle = X509KeyIdentifierClauseType.Any
        });
    }

    protected override BindingElement CreateBindingElement()
    {
        // LocalClientSettings / LocalServiceSettings are read-only properties,
        // so their members are set with nested object initializers.
        TransportSecurityBindingElement result = new TransportSecurityBindingElement
        {
            IncludeTimestamp = true,
            LocalClientSettings = { DetectReplays = false },
            LocalServiceSettings = { DetectReplays = false }
        };

        this.ApplyConfiguration(result);

        return result;
    }
}

On the client side you then only have to supply the certificate. You can set it on the Credentials of the ChannelFactory, or, if you use a WCF ClientBase proxy, declare it in an endpoint behavior in config, like this:

<endpointBehavior>
    <behavior name="MyBehavior">
        <clientCredentials>
            <clientCertificate findValue="MySubject" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        </clientCredentials>
    </behavior>
</endpointBehavior>

The username / password is still set as before.

On the STS side the incoming tokens are available via OperationContext::SupportingTokens. You will find both the UserNameSecurityToken and the X509SecurityToken there, and can check them.

+2
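To tie the answer's two ends together, here is an added example (my code, not from the answer above) that shows the code-only form of the client configuration and the STS-side check over `OperationContext.SupportingTokens`. The hypothetical `isThumbprintAllowed` callback stands in for whatever per-customer allow list or revocation store you keep, and the certificate subject name `"MySubject"` is just a placeholder matching the config fragment.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Client side: the same thing the <clientCredentials> config element does, but in code
// on a ChannelFactory. The username / password is still supplied as before.
public static class StsClientSetup
{
    public static ChannelFactory<TContract> Configure<TContract>(
        ChannelFactory<TContract> factory, string subjectName, string user, string password)
    {
        // Endorsing token: the per-customer certificate from the LocalMachine\My store.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, subjectName);

        // Signed + encrypted supporting token: the existing username / password.
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }
}

// STS side: walk the supporting tokens of the current operation and require both tokens.
public static class SupportingTokenCheck
{
    public static bool TryGetTokens(OperationContext context,
        out UserNameSecurityToken userName, out X509SecurityToken cert)
    {
        userName = null;
        cert = null;
        foreach (SupportingTokenSpecification spec in context.SupportingTokens)
        {
            if (spec.SecurityToken is UserNameSecurityToken u) userName = u;
            else if (spec.SecurityToken is X509SecurityToken x) cert = x;
        }
        return userName != null && cert != null;
    }

    // Reject the call unless a username token and an endorsing certificate are present and the
    // certificate is still accepted. Revoking a customer's certificate (removing its thumbprint
    // from the allow list, hypothetical here) cuts off every client that customer has installed.
    public static void EnforceEndorsingCertificate(OperationContext context, Func<string, bool> isThumbprintAllowed)
    {
        if (!TryGetTokens(context, out UserNameSecurityToken user, out X509SecurityToken cert))
            throw new SecurityAccessDeniedException("A username token and an endorsing X.509 token are both required.");

        if (!isThumbprintAllowed(cert.Certificate.Thumbprint))
            throw new SecurityAccessDeniedException("Client certificate is not accepted for user " + user.UserName + ".");
    }
}
```

`EnforceEndorsingCertificate(OperationContext.Current, allowed.Contains)` at the top of the STS issue operation is enough to gate on the certificate; the username / password itself is still validated by the service credentials as it was before the certificate was added.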
