Working with Certificates

To program Windows Communication Foundation (WCF) security, X.509 digital certificates are commonly used to authenticate clients and servers, to encrypt, and to digitally sign messages. This topic briefly explains X.509 digital certificate features and how to use them in WCF, and includes links to topics that explain these concepts further or that show how to accomplish common tasks using WCF and certificates.

In brief, a digital certificate is part of a public key infrastructure (PKI), which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. A certification authority issues certificates, and each certificate has a set of fields that contain data, such as the subject (the entity to which the certificate is issued), the validity dates (the period during which the certificate is valid), the issuer (the entity that issued the certificate), and a public key. In WCF, each of these properties is processed as a Claim, and each claim is further divided into two types: identity and right. For more information about X.509 certificates, see X.509 Public Key Certificates. For more information about claims and authorization in WCF, see Managing Claims and Authorization with the Identity Model. For more information about implementing a PKI, see Windows Server 2008 R2 - Certificate Services.

The primary function of a certificate is to authenticate the identity of the owner of the certificate to others. A certificate contains the public key of the owner, while the owner retains the private key. The public key can be used to encrypt messages sent to the owner of the certificate. Only the owner has access to the private key, so only the owner can decrypt those messages. By the same token, only the owner can produce signatures that the public key verifies, which is how a certificate proves who its holder is.

Certificates must be issued by a certification authority, which is often a third-party issuer of certificates. On a Windows domain, a certification authority is included that can be used to issue certificates to computers on the domain.

Viewing Certificates

To work with certificates, it is often necessary to view them and examine their properties. This is easily done with the Microsoft Management Console (MMC) snap-in tool. For more information, see How to: View Certificates with the MMC Snap-in.

Certificate Stores

Certificates are found in stores. Two major store locations exist, and each is further divided into sub-stores. If you are an administrator on the computer, you can view both major stores by using the MMC snap-in tool. Non-administrators can view only the current user store.

  • The local machine store. This contains the certificates accessed by machine processes, such as ASP.NET. Use this location to store certificates that authenticate the server to clients.

  • The current user store. Interactive applications typically place certificates here for the computer's current user. If you are creating a client application, this is where you typically place certificates that authenticate a user to a service.

These two stores are further divided into sub-stores. The most important of these when programming with WCF include:

  • Trusted Root Certification Authorities. You can use the certificates in this store to build a chain of certificates that can be traced back to a certification authority certificate in this store.

    Important

    The local computer implicitly trusts any certificate placed in this store, even if the certificate does not come from a trusted third-party certification authority. For this reason, do not place any certificate into this store unless you fully trust the issuer and understand the consequences. A root in this store can sign a certificate for any name, so whoever holds its private key can impersonate any server or client this machine talks to.

  • Personal. This store is used for certificates associated with a user of a computer. Typically this store holds certificates issued by one of the certification authorities whose certificates are found in the Trusted Root Certification Authorities store. Alternatively, a certificate found here may be self-issued and trusted by an application.

For more information about certificate stores, see Certificate Stores.

Selecting a Store

Selecting where to store a certificate depends on how and when the service or client runs. The following general rules apply:

  • If the WCF service is hosted in a Windows service, use the local machine store. Note that administrator privileges are required to install certificates into the local machine store.

  • If the service or client is an application that runs under a user account, use the current user store.

Accessing Stores

Stores are protected by access control lists (ACLs), just like folders on a computer. When creating a service hosted by Internet Information Services (IIS), the ASP.NET process runs under the ASP.NET (application pool) account. That account must have access to the store that contains the certificates the service uses, and read access to the private key of any certificate the service presents or signs with. Each of the major stores is protected with a default access list, but the lists can be modified. If you create a separate role to access a store, you must grant that role access permission. To learn how to modify the access list using the WinHttpCertCfg.exe tool, see How to: Create Temporary Certificates for Use During Development. For more information about using client certificates with IIS, see How to call a Web service by using a client certificate for authentication in an ASP.NET Web application.

Chain Trust and Certificate Authorities

Certificates are created in a hierarchy where each individual certificate is linked to the CA that issued it. This link is to the CA's certificate. The CA's certificate in turn links to the CA that issued it, and so on. This process is repeated until the Root CA's certificate is reached. The Root CA's certificate is inherently trusted: it is self-signed, so nothing above it can be verified, and trust in it rests entirely on its presence in the Trusted Root Certification Authorities store.

Digital certificates are used to authenticate an entity by relying on this hierarchy, also called a chain of trust. You can view any certificate's chain using the MMC snap-in by double-clicking the certificate and then clicking the Certificate Path tab. For more information about importing certificate chains for a certification authority, see How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures.

Note

Any issuer can be designated a trusted root authority by placing the issuer's certificate in the Trusted Root Certification Authorities store.

Disabling Chain Trust

When creating a new service, you may be using a certificate that is not issued by a trusted root certificate, or the issuing certificate itself may not be in the Trusted Root Certification Authorities store. For development purposes only, you can temporarily disable the mechanism that checks the chain of trust for a certificate. To do this, set the CertificateValidationMode property to either PeerTrust or PeerOrChainTrust. PeerTrust accepts a certificate that is itself present in the Trusted People store (for example, a self-issued development certificate); PeerOrChainTrust accepts a certificate that is either in that store or part of a valid chain of trust. Because both modes let a certificate that no CA vouches for authenticate a peer, revert to ChainTrust before deployment. You can set the property on any of the following classes.

Class                                 Property
X509ClientCertificateAuthentication   X509ClientCertificateAuthentication.CertificateValidationMode
X509PeerCertificateAuthentication     X509PeerCertificateAuthentication.CertificateValidationMode
X509ServiceCertificateAuthentication  X509ServiceCertificateAuthentication.CertificateValidationMode
IssuedTokenServiceCredential          IssuedTokenServiceCredential.CertificateValidationMode

You can also set the property using configuration. The following elements are used to specify the validation mode, through their certificateValidationMode attribute: the <authentication> element under <serviceBehaviors> (validation of client certificates presented to a service) and the <authentication> element under <endpointBehaviors> (validation of the service certificate presented to a client).

Custom Authentication

The CertificateValidationMode property also enables you to customize how certificates are authenticated. By default, the level is set to ChainTrust. To use the Custom value, you must also set the CustomCertificateValidatorType attribute to the assembly and type used to validate the certificate. To create a custom validator, you must inherit from the abstract X509CertificateValidator class.

When creating a custom validator, the most important method to override is the Validate method. Note that in Custom mode WCF performs none of its built-in checks (chain, validity period, revocation), so the validator is responsible for all of them; a Validate method that returns without throwing accepts the certificate. For an example of custom authentication, see the X.509 Certificate Validator sample. For more information, see Custom Credential and Credential Validation.
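The following is an added example of such a validator; it is not code from the original page or from the WCF samples. It pins accepted client certificates to an explicit thumbprint allowlist and still builds the chain with an online revocation check, because in Custom mode nothing else does. CalculatorService and the address are taken from this page's own SetCertificate sample; the thumbprint is a placeholder to replace with your own.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not from the original page). Accepts a client certificate only if its
// thumbprint is on an explicit allowlist AND it still chains to a trusted root with an
// online revocation check. In Custom mode WCF runs none of its own checks, so both
// halves live here.
public class AllowlistChainValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowedThumbprints;

    public AllowlistChainValidator(IEnumerable<string> thumbprints)
    {
        allowedThumbprints = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        // 1. Pin first: a valid chain from a public CA is not, by itself, authorization.
        if (!allowedThumbprints.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Thumbprint + " is not in the allowlist.");

        // 2. Still require chain trust, validity period, EKU and revocation status,
        //    because a pinned certificate may have been revoked since it was pinned.
        var chain = new X509Chain();
        try
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // Client Authentication EKU

            if (!chain.Build(certificate))
            {
                var reasons = new List<string>();
                foreach (X509ChainStatus s in chain.ChainStatus)
                    reasons.Add(s.Status + ": " + s.StatusInformation.Trim());
                throw new SecurityTokenValidationException(
                    "Chain validation failed for " + certificate.Subject + ": " + string.Join("; ", reasons));
            }
        }
        finally
        {
            chain.Reset();
        }
    }
}

public static class HostSetup
{
    // Installs the validator on the service credentials. The thumbprint below is a
    // placeholder (assumption for the example), not a real certificate.
    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(CalculatorService), new Uri("https://cohowinery.com/services"));
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new AllowlistChainValidator(
            new[] { "0000000000000000000000000000000000000000" });
        return host;
    }
}
```

Throwing SecurityTokenValidationException (rather than returning) is what makes WCF reject the token; the message ends up in the service-side trace, not on the wire.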

Using the PowerShell New-SelfSignedCertificate Cmdlet to Build a Certificate Chain

The PowerShell New-SelfSignedCertificate cmdlet creates X.509 certificates and private key/public key pairs. You can save the private key to disk and then use it to issue and sign new certificates, thus simulating a hierarchy of chained certificates. The cmdlet is intended only as an aid when developing services and should never be used to create certificates for actual deployment. When developing a WCF service, use the following steps to build a chain of trust with the New-SelfSignedCertificate cmdlet.

To build a chain of trust with the New-SelfSignedCertificate cmdlet

  1. Create a temporary root authority (self-signed) certificate using the New-SelfSignedCertificate cmdlet. Save the private key to disk.

  2. Use the new root certificate, and its private key, to issue and sign a second certificate. This is the certificate the service or client will present; it carries that party's public key.

  3. Import the root authority certificate into the Trusted Root Certification Authorities store. Until this is done, chain validation of the issued certificate fails with an untrusted-root error.

For step-by-step instructions, see How to: Create Temporary Certificates for Use During Development.
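To make the three steps concrete without touching a real certificate store, here is an added example (not from the original page, and using the CertificateRequest API rather than the cmdlet) that builds the same two-level hierarchy in memory and then shows what step 3 changes: the issued certificate fails chain building with UntrustedRoot until the root is trusted. It assumes .NET 5 or later for CertificateRequest, SubjectAlternativeNameBuilder and X509ChainTrustMode.CustomRootTrust; the subject names are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original page). Temporary root CA -> issued server
// certificate, built in memory. CustomRootTrust stands in for step 3 so the demo never
// writes to the machine's Trusted Root Certification Authorities store.
public static class TempChainDemo
{
    // Step 1: temporary self-signed root. A real tool would persist the key it creates.
    public static X509Certificate2 CreateRoot(string subject)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // CA:TRUE with path length 0: may sign end-entity certificates, not sub-CAs.
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Step 2: certificate signed by the root, shaped like a WCF service certificate.
    public static X509Certificate2 IssueServerCert(X509Certificate2 root, string dnsName)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=" + dnsName, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        // Server Authentication EKU: the "Intended Purposes" value a service certificate needs.
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
        // DNS name in the SAN as well as the CN.
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        req.CertificateExtensions.Add(san.Build(false));

        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number a positive integer
        // Create() signs with the root's private key; the result carries no private key,
        // so re-attach the leaf key to get a certificate a service could actually use.
        X509Certificate2 signed = req.Create(root, DateTimeOffset.UtcNow.AddDays(-1),
                                             DateTimeOffset.UtcNow.AddMonths(6), serial);
        return signed.CopyWithPrivateKey(key);
    }

    // Returns true when leaf chains to a trusted root; otherwise false with the chain
    // status text. ExtraStore lets the engine locate the issuer but does not trust it;
    // only trustRoot (the equivalent of step 3) makes Build() succeed.
    public static bool ChainsToTrustedRoot(X509Certificate2 leaf, X509Certificate2 root,
                                           bool trustRoot, out string status)
    {
        var chain = new X509Chain();
        try
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // the temp CA publishes no CRL
            chain.ChainPolicy.ExtraStore.Add(root);
            if (trustRoot)
            {
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Add(root);
            }
            bool ok = chain.Build(leaf);
            status = ok ? "OK" : string.Join(", ", Array.ConvertAll(chain.ChainStatus, s => s.Status.ToString()));
            return ok;
        }
        finally
        {
            chain.Reset();
        }
    }

    public static void Main()
    {
        X509Certificate2 root = CreateRoot("CN=Temporary Dev Root CA");
        X509Certificate2 server = IssueServerCert(root, "localhost");
        string untrusted, trusted;
        Console.WriteLine("root not trusted: " + ChainsToTrustedRoot(server, root, false, out untrusted) + " (" + untrusted + ")");
        Console.WriteLine("root trusted:     " + ChainsToTrustedRoot(server, root, true, out trusted) + " (" + trusted + ")");
    }
}
```

The first call reports UntrustedRoot even though the issuer is found, which is exactly the situation the Disabling Chain Trust section works around for development; the second call succeeds because the root is now trusted, which is what importing it into the Trusted Root store does for the whole machine.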

Which Certificate to Use?

Common questions about certificates are which certificate to use, and why. The answer depends on whether you are programming a client or a service. The following information provides a general guideline and is not an exhaustive answer to these questions.

Service Certificates

Service certificates have the primary task of authenticating the server to clients. One of the initial checks when a client authenticates a server is to compare the value of the Subject field to the Uniform Resource Identifier (URI) used to contact the service: the DNS name in both must match. For example, if the URI of the service is http://www.contoso.com/endpoint/, then the Subject field must also contain the value www.contoso.com.

Note that the field can contain several values, each prefixed with an attribute type that indicates what the value is. Most commonly the attribute type is "CN" for common name, for example, CN = www.contoso.com. It is also possible for the Subject field to be blank, in which case the Subject Alternative Name field can contain the DNS Name value. Current validators prefer the Subject Alternative Name over the CN when both are present, so put the DNS name there for any new certificate.

Also note that the Intended Purposes field of the certificate (the Enhanced Key Usage extension) should include an appropriate value, such as "Server Authentication" or "Client Authentication".

Client Certificates

Client certificates are not typically issued by a third-party certification authority. Instead, the Personal store of the current user location typically contains certificates placed there by a root authority, with an intended purpose of "Client Authentication". The client can use such a certificate when mutual authentication is required.

Online Revocation and Offline Revocation

Certificate Validity

Every certificate is valid only for a given period of time, called the validity period. The validity period is defined by the Valid from and Valid to fields of an X.509 certificate. During authentication, the certificate is checked to determine whether the current time is still within the validity period.

Certificate Revocation List

At any time during the validity period, the certification authority can revoke a certificate. This can occur for many reasons, such as a compromise of the certificate's private key.

When this occurs, any chains that descend from the revoked certificate are also invalid and are not trusted during authentication. To find out which certificates are revoked, each issuer publishes a time- and date-stamped certificate revocation list (CRL). The list can be checked using either online or offline revocation by setting the RevocationMode or DefaultRevocationMode property of the following classes to one of the X509RevocationMode enumeration values: X509ClientCertificateAuthentication, X509PeerCertificateAuthentication, X509ServiceCertificateAuthentication, and IssuedTokenServiceCredential. The default value for all of these properties is Online. Online fetches revocation data from the distribution point named in the certificate and fails validation when the status cannot be determined; Offline consults only CRLs already cached on the machine, which may be stale; NoCheck skips revocation entirely and belongs in development only.

You can also set the mode in configuration using the revocationMode attribute of the <authentication> element under <serviceBehaviors> and of the <authentication> element under <endpointBehaviors>.

The SetCertificate Method

In WCF, you must often specify a certificate or set of certificates that a service or client is to use to authenticate, encrypt, or digitally sign a message. You can do this programmatically by using the SetCertificate method of the various classes that represent X.509 credentials. The following classes use the SetCertificate method to specify a certificate.

Class                                        Method
PeerCredential                               SetCertificate
X509CertificateInitiatorClientCredential     SetCertificate
X509CertificateRecipientServiceCredential    SetCertificate
X509CertificateInitiatorServiceCredential    SetCertificate

The SetCertificate method works by designating a store location and store name, a "find" type (the x509FindType parameter) that specifies a field of the certificate, and a value to find in that field. For example, the following code creates a ServiceHost instance and uses SetCertificate to set the service certificate that authenticates the service to clients. It searches the local machine's Personal (My) store for a subject name containing "cohowinery.com".

C#

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

Uri baseAddress = new Uri("http://cohowinery.com/services");
ServiceHost sh = new ServiceHost(typeof(CalculatorService), baseAddress);
// Look up the service certificate by subject name in LocalMachine\My.
sh.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.LocalMachine, StoreName.My,
    X509FindType.FindBySubjectName, "cohowinery.com");

Visual Basic

Imports System
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel

Dim baseAddress As New Uri("http://cohowinery.com/services")
Dim sh As New ServiceHost(GetType(CalculatorService), baseAddress)
' Look up the service certificate by subject name in LocalMachine\My.
sh.Credentials.ServiceCertificate.SetCertificate( _
    StoreLocation.LocalMachine, StoreName.My, _
    X509FindType.FindBySubjectName, "cohowinery.com")

Multiple Certificates with the Same Value

A store may contain multiple certificates with the same subject name. This means that if you specify FindBySubjectName or FindBySubjectDistinguishedName as the x509FindType and more than one certificate has the same value, an exception is thrown because there is no way to distinguish which certificate is required. (FindBySubjectName is a substring match, so "contoso.com" also matches "dev.contoso.com".) You can avoid the ambiguity by setting the x509FindType to FindByThumbprint. The thumbprint field contains a unique value, the hash of the certificate, that identifies one specific certificate in a store. However, this has its own disadvantage: a renewed certificate has a new thumbprint, so once the old certificate is removed the SetCertificate call fails to find anything, and if the old certificate has been revoked or has expired, authentication fails. The way to mitigate this is to set the x509FindType parameter to FindByIssuerName and specify the issuer's name, so that a renewal from the same issuer is picked up automatically. If no particular issuer is required, you can also set one of the other X509FindType enumeration values, such as FindByTimeValid. Note that SetCertificate throws whenever more than one certificate matches, whatever the find type, so an issuer-name or time-valid search only works if the old and the renewed certificate are not both present in the store at the same time.
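When old and renewed certificates do coexist during a rollover, the only robust answer is to pick the certificate yourself and hand the X509Certificate2 to the credential directly. The following added example (not from the original page) does that: it narrows a collection by subject and issuer, keeps only currently valid entries that have a private key, takes the one expiring latest, and assigns it through ServiceCertificate.Certificate instead of SetCertificate. CalculatorService and the address come from this page's sample; the issuer name "Coho Dev CA" is a placeholder.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example (not from the original page). Selects the newest currently valid
// certificate for a subject/issuer pair so that renewals are picked up without a
// thumbprint change and without SetCertificate's "more than one match" exception.
public static class ServiceCertificateSelector
{
    // Pure selection over a collection, so it can be exercised without a real store.
    public static X509Certificate2 PickNewestValid(X509Certificate2Collection candidates,
                                                   string subjectName, string issuerName, DateTime now)
    {
        // validOnly:false here; validity is filtered explicitly below so failures are explainable.
        X509Certificate2Collection bySubject = candidates.Find(X509FindType.FindBySubjectName, subjectName, false);
        X509Certificate2Collection byIssuer = bySubject.Find(X509FindType.FindByIssuerName, issuerName, false);

        X509Certificate2 chosen = byIssuer.Cast<X509Certificate2>()
            .Where(c => c.HasPrivateKey)                       // a service cert must be able to sign/decrypt
            .Where(c => c.NotBefore <= now && now < c.NotAfter) // drop expired and not-yet-valid ones
            .OrderByDescending(c => c.NotAfter)                // prefer the renewal over the original
            .FirstOrDefault();

        if (chosen == null)
            throw new InvalidOperationException(
                "No currently valid certificate with a private key for subject '" + subjectName +
                "' issued by '" + issuerName + "'.");
        return chosen;
    }

    public static X509Certificate2 FromLocalMachineStore(string subjectName, string issuerName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            return PickNewestValid(store.Certificates, subjectName, issuerName, DateTime.Now);
        }
        finally
        {
            store.Close();
        }
    }

    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(CalculatorService), new Uri("http://cohowinery.com/services"));
        // Assign the selected certificate directly rather than searching again with SetCertificate.
        host.Credentials.ServiceCertificate.Certificate =
            FromLocalMachineStore("cohowinery.com", "Coho Dev CA"); // issuer name is a placeholder
        return host;
    }
}
```

Because FindBySubjectName is a substring match, the issuer filter and the private-key check are what keep a client certificate or a differently named sibling from being selected by accident.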

Certificates in Configuration

You can also set certificates by using configuration. If you are creating a service, credentials, including certificates, are specified under <serviceBehaviors>. When you are programming a client, certificates are specified under <endpointBehaviors>.

Mapping a Certificate to a User Account

A feature of IIS and Active Directory is the ability to map a certificate to a Windows user account. For more information about the feature, see Map certificates to user accounts.

For more information about using Active Directory mapping, see Mapping Client Certificates with Directory Service Mapping.

With this capability enabled, you can set the MapClientCertificateToWindowsAccount property of the X509ClientCertificateAuthentication class to true. In configuration, you can set the mapClientCertificateToWindowsAccount attribute of the <authentication> element to true, as shown in the following code. The sample sets certificateValidationMode="None", which disables WCF's own certificate validation so that only the mapping is exercised; in a deployed service keep the default ChainTrust (or Custom with a validator) so that the certificate is validated before mapping is attempted, because the mapped Windows token carries real privileges.

<serviceBehaviors>
 <behavior name="MappingBehavior">
  <serviceCredentials>
   <clientCertificate>
    <authentication certificateValidationMode="None" mapClientCertificateToWindowsAccount="true" />
   </clientCertificate>
  </serviceCredentials>
 </behavior>
</serviceBehaviors>

Mapping an X.509 certificate to the token that represents a Windows user account is considered an elevation of privilege because, once mapped, the Windows token can be used to gain access to protected resources. Therefore, domain policy requires the X.509 certificate to comply with its policy prior to mapping. The SChannel security package enforces this requirement.

When using .NET Framework version 3.5 or later, WCF ensures the certificate conforms to domain policy before it is mapped to a Windows account.

In the first release of WCF, mapping is done without consulting the domain policy. Therefore it is possible that older applications that worked under the first release fail if mapping is enabled and the X.509 certificate does not satisfy the domain policy.

See Also

System.ServiceModel.Channels
System.ServiceModel.Security
System.ServiceModel
X509FindType
Securing Services and Clients