Configuring Active Directory Federation Services (AD FS 2.0) for Lync Server 2013

Topic Last Modified: 2013-07-03

The following section describes how to configure Active Directory Federation Services (AD FS 2.0) to support multi-factor authentication for Lync Server 2013 passive authentication. For information on how to install AD FS 2.0, see AD FS 2.0 Step-by-Step and How To Guides at https://go.microsoft.com/fwlink/p/?LinkId=313374.

Note

When installing AD FS 2.0, do not use Windows Server Manager to add the Active Directory Federation Services role; that role installs AD FS 1.x, which does not support the cmdlets used below. Instead, download and install the Active Directory Federation Services 2.0 RTW package at https://go.microsoft.com/fwlink/p/?LinkId=313375.

To configure AD FS for two-factor authentication

  1. Log in to the AD FS 2.0 computer using a Domain Admin account.

  2. Start Windows PowerShell.

  3. From the Windows PowerShell command line, load the AD FS 2.0 snap-in by running the following command:

    add-pssnapin Microsoft.Adfs.PowerShell
    
  4. Establish a relying-party trust with each Lync Server 2013 (with Cumulative Updates for Lync Server 2013: July 2013) Director, Enterprise Edition pool, and Standard Edition server that will be enabled for passive authentication. Run the following command once per server, replacing the trust name and the server FQDN with values specific to your deployment. AD FS retrieves the metadata over HTTPS, so the certificate presented by the Lync web services must chain to a CA the AD FS server trusts:

    Add-ADFSRelyingPartyTrust -Name LyncPool01-PassiveAuth -MetadataURL https://lyncpool01.contoso.com/passiveauth/federationmetadata/2007-06/federationmetadata.xml
    
  5. From the Administrative Tools menu, launch the AD FS 2.0 Management console.

  6. Expand Trust Relationships > Relying Party Trusts.

  7. Verify that a new trust has been created for each Lync Server 2013 (with Cumulative Updates for Lync Server 2013: July 2013) Director, Enterprise Edition pool, or Standard Edition server you added in step 4.

  8. Create and assign an Issuance Authorization Rule for the relying-party trust using Windows PowerShell by running the following commands. The AllowAllAuthzRule template permits every user who authenticates at AD FS to reach the relying party; tighten it if only a subset of users should be able to sign in to Lync through AD FS:

     $IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
    
     Set-ADFSRelyingPartyTrust -TargetName LyncPool01-PassiveAuth `
     -IssuanceAuthorizationRules $IssuanceAuthorizationRules
    
  9. Create and assign an Issuance Transform Rule for the relying-party trust using Windows PowerShell by running the following commands. The rule passes the user's primary SID claim through unchanged, which is the claim Lync Server uses to map the federated identity to the user's Active Directory object:

     $IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]=> issue(claim = c);'
    
     Set-ADFSRelyingPartyTrust -TargetName LyncPool01-PassiveAuth -IssuanceTransformRules $IssuanceTransformRules
    
  10. From the AD FS 2.0 Management console, right-click your relying-party trust and select Edit Claim Rules.

  11. Select the Issuance Authorization Rules tab and verify that the new authorization rule was created successfully.

  12. Select the Issuance Transform Rules tab and verify that the new transform rule was created successfully.
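The steps above are run one command at a time against a single pool. The following script is an added example, not part of the original page or of the Lync Server product, that performs steps 3, 4, 8 and 9 for every passive-authentication endpoint in one pass and then performs the checks of steps 7, 11 and 12 from PowerShell instead of the console. The trust names and server FQDNs (lyncdir01.contoso.com, lyncpool01.contoso.com) are assumptions; replace them with your own.

```powershell
# Added example (not from the original page): configure and verify the AD FS 2.0
# relying-party trusts for every Lync passive-auth endpoint in one run.
# Run as a Domain Admin on the AD FS 2.0 server.

$ErrorActionPreference = 'Stop'

# Step 3: load the AD FS 2.0 cmdlets (installed by the AD FS 2.0 RTW package).
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Assumed deployment: one Director and one Enterprise Edition pool enabled for
# passive authentication. Names and FQDNs are placeholders.
$passiveAuthEndpoints = @(
    @{ Name = 'LyncDirector01-PassiveAuth'; Fqdn = 'lyncdir01.contoso.com' },
    @{ Name = 'LyncPool01-PassiveAuth';     Fqdn = 'lyncpool01.contoso.com' }
)

# Step 8: the AllowAllAuthzRule template permits every authenticated user.
# Restrict this rule if only some users should reach Lync through AD FS.
$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 9: pass the primary SID claim through unchanged; Lync uses it to
# resolve the federated identity to the user's AD object.
$IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(claim = c);'

foreach ($endpoint in $passiveAuthEndpoints) {
    $metadataUrl = "https://$($endpoint.Fqdn)/passiveauth/federationmetadata/2007-06/federationmetadata.xml"

    # Step 4: create the trust from the federation metadata Lync publishes.
    # AD FS fetches it over HTTPS, so the Lync web services certificate must
    # chain to a CA this server trusts or the call fails and nothing is created.
    $existing = Get-ADFSRelyingPartyTrust -Name $endpoint.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-ADFSRelyingPartyTrust -Name $endpoint.Name -MetadataUrl $metadataUrl
    }

    # Steps 8 and 9: assign both rule sets in a single call.
    Set-ADFSRelyingPartyTrust -TargetName $endpoint.Name `
        -IssuanceAuthorizationRules $IssuanceAuthorizationRules `
        -IssuanceTransformRules $IssuanceTransformRules

    # Steps 7, 11 and 12: read the trust back and confirm the rules took effect,
    # rather than trusting that the Set-* call succeeded silently.
    $trust = Get-ADFSRelyingPartyTrust -Name $endpoint.Name
    if (-not $trust) {
        throw "Relying-party trust '$($endpoint.Name)' was not created"
    }
    if ($trust.IssuanceAuthorizationRules -notmatch 'AllowAllAuthzRule') {
        throw "Issuance Authorization Rule missing on '$($endpoint.Name)'"
    }
    if ($trust.IssuanceTransformRules -notmatch 'primarysid') {
        throw "Issuance Transform Rule missing on '$($endpoint.Name)'"
    }
    Write-Host ("Verified '{0}' (identifiers: {1})" -f $endpoint.Name, ($trust.Identifier -join ', '))
}
```

The script is idempotent with respect to the trust itself: if a trust with the same name already exists it is left in place and only the rules are re-applied, so it can be re-run after a failed metadata download once the certificate problem is fixed. Keep the authorization rule decision deliberate; the template used here grants access to anyone AD FS can authenticate, which is usually acceptable for an internal Lync deployment but not if AD FS also serves external or partner identities.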