如何：指定客户端凭据值

Using Windows Communication Foundation (WCF), the service can specify how a client is authenticated to the service. For example, a service can stipulate that the client be authenticated with a certificate.

To determine the client credential type

1. Retrieve metadata from the service's metadata endpoint. The metadata typically consists of two files: the client code in the programming language of your choice (the default is Visual C#), and an XML configuration file. One way to retrieve metadata is to use the Svcutil.exe tool to return the client code and client configuration. For more information, see 检索元数据 and ServiceModel 元数据实用工具 (Svcutil.exe).

2. Open the XML configuration file. If you use the Svcutil.exe tool, the default name of the file is Output.config.

3. Find the <security> element with the mode attribute (<security mode = MessageOrTransport**>** where MessageOrTransport is set to one of the security modes.

4. Find the child element that matches the mode value. For example, if the mode is set to Message, find the <message> element contained in the <security> element.

5. Note the value assigned to the clientCredentialType attribute. The actual value depends on which mode is used, transport or message.

The following XML code shows configuration for a client using message security and requiring a certificate to authenticate the client.

<security mode="Message">
    <transport clientCredentialType="Windows" proxyCredentialType="None"
        realm="" />
     <message clientCredentialType="Certificate" negotiateServiceCredential="true"
    algorithmSuite="Default" establishSecurityContext="true" />
</security>

Example: TCP Transport Mode with Certificate as Client Credential

This example sets the security mode to Transport mode and sets the client credential value to an X.509 certificate. The following procedures demonstrate how to set the client credential value on the client in code and configuration. This assumes that you have used the ServiceModel 元数据实用工具 (Svcutil.exe) to return the metadata (code and configuration) from the service. 有关更多信息，请参见 如何：创建 Windows Communication Foundation 客户端.

To specify the client credential value on the client in code

1. Use the ServiceModel 元数据实用工具 (Svcutil.exe) to generate code and configuration from the service.

2. Create an instance of the WCF client using the generated code.

3. On the client class, set the ClientCredentials property of the ClientBase class to an appropriate value. This example sets the property to an X.509 certificate using the SetCertificate method of the X509CertificateInitiatorClientCredential class.

   ' Create a binding using Transport and a certificate.
   Dim b As New NetTcpBinding()
   b.Security.Mode = SecurityMode.Transport
   b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate
   
   ' Create an EndPointAddress.
   Dim ea As New EndpointAddress("net.tcp://localHost:8036/Calculator/MyCalculator")
   
   ' Create the client.
   Dim cc As New CalculatorClient(b, ea)
   
   ' Set the certificate for the client.
   cc.ClientCredentials.ClientCertificate.SetCertificate( _
   StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "cohowinery.com")
   Try
       cc.Open()
       ' Begin using the client.
       Console.WriteLine(cc.Divide(1001, 2))
       cc.Close()
   Catch adExc As AddressAccessDeniedException
       Console.WriteLine(adExc.Message)
       Console.ReadLine()
   Catch exc As System.Exception
       Console.WriteLine(exc.Message)
       Console.ReadLine()
   End Try
   

   // Create a binding using Transport and a certificate.
   NetTcpBinding b = new NetTcpBinding();
   b.Security.Mode = SecurityMode.Transport;
   b.Security.Transport.ClientCredentialType = 
       TcpClientCredentialType.Certificate;
   
   // Create an EndPointAddress.
   EndpointAddress ea = new EndpointAddress(
       "net.tcp://localHost:8036/Calculator/MyCalculator");
   
   // Create the client.
   CalculatorClient cc = new CalculatorClient(b, ea);
   
   // Set the certificate for the client.
   cc.ClientCredentials.ClientCertificate.SetCertificate(
       StoreLocation.LocalMachine,
       StoreName.My,
       X509FindType.FindBySubjectName,
       "cohowinery.com");
   try
   {
       cc.Open();
       // Begin using the client.
       Console.WriteLine(cc.Divide(1001, 2));
       cc.Close();
   }
   catch (AddressAccessDeniedException adExc)
   {
       Console.WriteLine(adExc.Message);
       Console.ReadLine();
   }
   catch (System.Exception exc)
   {
       Console.WriteLine(exc.Message);
       Console.ReadLine();
   }          
   

   You can use any of the enumerations of the X509FindType class. The subject name is used here in case the certificate is changed (due to an expiration date). Using the subject name enables the infrastructure to find the certificate again.

To specify the client credential value on the client in configuration

1. Add a <behavior> of <endpointBehaviors> element to the <behaviors> element.

2. Add a <clientCredentials> element to the <behaviors> element. Be sure to set the required name attribute to an appropriate value.

3. Add a <clientCertificate> of <serviceCredentials> element to the <clientCredentials> element.

4. Set the following attributes to appropriate values: storeLocation, storeName, x509FindType, and findValue, as shown in the following code. 有关 certificates, see 使用证书.

   <behaviors>
      <endpointBehaviors>
         <behavior name="endpointCredentialBehavior">
           <clientCredentials>
             <clientCertificate findValue="Contoso.com" 
                                storeLocation="LocalMachine"
                                storeName="TrustedPeople"
                                x509FindType="FindBySubjectName" />
           </clientCredentials>
         </behavior>
      </endpointBehaviors>
   </behaviors>
   

5. When configuring the client, specify the behavior by setting the behaviorConfiguration attribute of the <endpoint> element, as shown in the following code. The endpoint element is a child of the <client> element. Also, specify the name of the binding configuration by setting the bindingConfiguration attribute to the binding for the client. If you are using a generated configuration file, the binding's name is automatically generated. In this example, the name is "tcpBindingWithCredential".

   <client>
     <endpoint name =""
               address="net.tcp://contoso.com:8036/aloha"
               binding="netTcpBinding"
               bindingConfiguration="tcpBindingWithCredential"
               behaviorConfiguration="endpointCredentialBehavior" />
   </client>
   

另请参见

任务

如何：创建 Windows Communication Foundation 客户端

参考

NetTcpBinding
SetCertificate
X509CertificateRecipientServiceCredential
ClientBase
X509CertificateInitiatorClientCredential

概念

WCF 安全编程
选择凭据类型
ServiceModel 元数据实用工具 (Svcutil.exe)
使用证书

其他资源

<netTcpBinding>
<security> of <netTcpBinding>
<message> element of <netTcpBinding>
<behavior> of <endpointBehaviors>
<behaviors>
<clientCertificate> of <serviceCredentials>
<clientCredentials>