Help with audit failure 4625 messages caused by WCF netTcpBinding with clientCredentialType certificate

Wil*_*ill 5 c# security ssl wcf client-certificates

We have a large number of audit failure events (4652) caused by a WCF service going into the Windows event log.

Question

Does anyone know why we are receiving these audit log entries, and how to stop them from occurring without removing the certificate security on the endpoints?

Any help is greatly appreciated!

Things tried

  • The DisableLoopbackCheck and BackConnectionHostNames registry fixes
  • Changes to the behavior configuration, such as:
      • Adding trustStoreLocation="LocalMachine" to all authentication elements
      • Mirroring the binding configuration from Service1 to Service2

Background

  • The system uses two WCF services
  • Both are hosted as Windows services
  • Both run under the "Local System" account
  • Service1 calls Service2
  • Binding and behavior information is at the end of this question
  • We are using custom SHA1RSA certificates for peer trust
  • The certificates are deployed to the local Trusted People and Trusted Root Certification Authorities stores

When Service2 calls Service1, on every call we get two failed audit entries in the Windows security event log. However, the call succeeds without any problem and the data is returned successfully.

The problem only occurs when the binding uses clientCredentialType="Certificate" under the security element of the WCF binding configuration.

Event log entry 1

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       COMPUTERNAME$
    Account Domain:     DOMAINNAME
    Logon ID:           0x3E7

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC0000064

Process Information:
    Caller Process ID:  0x21c
    Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:   COMPUTERNAME
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Event log entry 2

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xC000006D
    Sub Status:         0x80090325

Process Information:
    Caller Process ID:      0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Service1 and Service2 binding configuration

<netTcpBinding>
  <binding name="Service1Binding"
           maxBufferPoolSize="0"
           maxReceivedMessageSize="2147483647"
           transactionFlow="true"
           portSharingEnabled="true"
           transferMode="Streamed">
    <readerQuotas maxArrayLength="2147483647"
                  maxBytesPerRead="2147483647"
                  maxStringContentLength="2147483647"
                  maxDepth="2147483647"
                  maxNameTableCharCount="2147483647" />
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</netTcpBinding>

Service1 behavior configuration

<behavior name="Service1Behavior">
  <serviceThrottling maxConcurrentSessions="2147483647" maxConcurrentInstances="2147483647" maxConcurrentCalls="2147483647" />
  <dataContractSerializer maxItemsInObjectGraph="2147483647" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
  <serviceCredentials>
    <serviceCertificate findValue="CN=CertificateName" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="Root" />
    <clientCertificate>
      <authentication certificateValidationMode="PeerTrust"></authentication>
    </clientCertificate>
    <peer>
      <peerAuthentication certificateValidationMode="PeerTrust" />
      <certificate findValue="CN=CertificateName" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="Root" />
    </peer>
  </serviceCredentials>
</behavior>

Service2 behavior configuration

<behavior name="Service2Behavior">
  <dataContractSerializer maxItemsInObjectGraph="2147483647" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
  <serviceCredentials>
    <serviceCertificate findValue="CN=CertificateName"
                        x509FindType="FindBySubjectDistinguishedName"
                        storeLocation="LocalMachine"
                        storeName="Root" />
    <clientCertificate>
      <authentication certificateValidationMode="PeerTrust"></authentication>
    </clientCertificate>
  </serviceCredentials>
</behavior>
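Added example (not from the question or its answer): a small Python triage script that parses 4625 message bodies like the two quoted above and tags the Schannel client-certificate cases by their Sub Status, so they can be told apart from ordinary logon failures in the same log. The tag names and the reading of the two sub-status codes are the example's own; the status-code names are the ones in the Windows SDK headers.

```python
import re

# Status codes seen in the quoted events; names as in the Windows SDK headers.
CODE_NAMES = {"0xc000006d": "STATUS_LOGON_FAILURE", "0xc0000064": "STATUS_NO_SUCH_USER",
              "0xc000006a": "STATUS_WRONG_PASSWORD", "0x80090325": "SEC_E_UNTRUSTED_ROOT"}

def parse_4625(text):
    """Turn a 4625 message body into {"Section/Field": value}; sections are the unindented lines ending in ':'."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # top-level line
            if line.endswith(":"):        # section header, e.g. "Failure Information:"
                section = line[:-1]
                continue
            section = ""                  # top-level field, e.g. "Logon Type: 3"
        m = re.match(r"([^:]+?):\s*(.*)$", line)   # split at the first colon only
        if m:
            key = m.group(1).strip()
            fields[f"{section}/{key}" if section else key] = m.group(2).strip() or "-"
    return fields

def classify(fields):
    """Separate Schannel client-certificate failures from other 4625 noise."""
    if fields.get("Detailed Authentication Information/Logon Process") != "Schannel":
        return "other-logon-failure"
    name = CODE_NAMES.get(fields.get("Failure Information/Sub Status", "-").lower())
    if name == "STATUS_NO_SUCH_USER":
        # Reading of entry 1 (interpretation): LSA found no Windows account mapped to the client certificate.
        return "schannel-cert-no-account-mapping"
    if name == "SEC_E_UNTRUSTED_ROOT":
        # Reading of entry 2 (interpretation): Schannel's own chain build rejected the issuer, independent of WCF PeerTrust.
        return "schannel-cert-untrusted-root"
    return "schannel-other"

# Constructed samples: the question's two entries, trimmed to the fields used here.
SAMPLES = [
    "An account failed to log on.\nLogon Type:         3\nFailure Information:\n"
    "    Status:             0xC000006D\n    Sub Status:         0xC0000064\n"
    "Detailed Authentication Information:\n    Logon Process:      Schannel\n",
    "An account failed to log on.\nLogon Type:         3\nFailure Information:\n"
    "    Status:             0xC000006D\n    Sub Status:         0x80090325\n"
    "Detailed Authentication Information:\n    Logon Process:      Schannel\n",
]

def triage(events=SAMPLES):
    return [classify(parse_4625(e)) for e in events]
```

A real collection would feed the Message property of each 4625 record to parse_4625 instead of the constructed samples.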

小智 1

I know this is an old question, but I ran into the same problem with a customer after a Windows update, and changing the security mode to TransportWithMessageCredential and updating the credential types accordingly seems to have fixed it:

<security mode="TransportWithMessageCredential" >
  <transport clientCredentialType="Windows" />
  <message clientCredentialType="Certificate" />
</security>

Just thought I'd share in case it helps someone else.