Pass-through authentication for your Microsoft 365 test environment

This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.

Organizations that want to directly use their on-premises Active Directory Domain Services (AD DS) infrastructure for authentication to Microsoft cloud-based services and applications can use pass-through authentication. This article describes how you can configure your Microsoft 365 test environment for pass-through authentication, resulting in the following configuration:

[Figure: The simulated enterprise configuration with the pass-through authentication test environment]

There are two phases to setting up this test environment:

  1. Create the Microsoft 365 simulated enterprise test environment with password hash synchronization.
  2. Configure Azure AD Connect on APP1 for pass-through authentication.

[Figure: Test Lab Guides for the Microsoft cloud]

Tip

Click here for a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack.

Phase 1: Configure password hash synchronization for your Microsoft 365 test environment

Follow the instructions in password hash synchronization for Microsoft 365. Here is your resulting configuration.

[Figure: The simulated enterprise configuration with the password hash synchronization test environment]

This configuration consists of:

  • A Microsoft 365 E5 trial or paid subscription.
  • A simplified organization intranet connected to the Internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. Azure AD Connect runs on APP1 to synchronize the TESTLAB AD DS domain to the Azure AD tenant of your Microsoft 365 subscription periodically.

Phase 2: Configure Azure AD Connect on APP1 for pass-through authentication

In this phase, you configure Azure AD Connect on APP1 to use pass-through authentication, and then verify that it works.

Configure Azure AD Connect on APP1

  1. From the Azure portal, sign in with your global administrator account, and then connect to APP1 with the TESTLAB\User1 account.

  2. From the desktop of APP1, run Azure AD Connect.

  3. On the Welcome page, click Configure.

  4. On the Additional tasks page, click Change user sign-in, and then click Next.

  5. On the Connect to Azure AD page, type your global administrator account credentials, and then click Next.

  6. On the User sign-in page, click Pass-through authentication, and then click Next.

  7. On the Ready to configure page, click Configure.

  8. On the Configuration complete page, click Exit.

  9. From the Azure portal, in the left pane, click Azure Active Directory > Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled.

  10. Click Pass-through authentication. The Pass-through authentication pane lists the servers where your Authentication Agents are installed. You should see APP1 in the list. Close the Pass-through authentication pane.
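The portal check in steps 9 and 10 can be complemented with a local check on APP1. The following PowerShell is an added example, not part of the original guide: it reports whether the Authentication Agent service is installed and running, which account it runs as, and whether outbound TCP 443 is open. The service display name and the probe endpoint are assumptions; adjust them to match your installation.

```powershell
# Added example: local health check for the Authentication Agent on APP1.
# Run in an elevated PowerShell session on APP1.
function Test-PtaAgent {
    param(
        # Assumption: display name of the agent service as installed by Azure AD Connect.
        [string]$ServiceDisplayName = 'Microsoft Azure AD Connect Authentication Agent',
        # Assumption: used only as an outbound reachability probe.
        [string]$Endpoint = 'login.microsoftonline.com'
    )

    # Win32_Service exposes the logon account (StartName), which Get-Service does not.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -eq $ServiceDisplayName }

    if (-not $svc) {
        return [pscustomobject]@{
            Installed = $false; State = $null; StartMode = $null
            LogonAccount = $null; Outbound443 = $null; Healthy = $false
        }
    }

    # The agent makes outbound connections only; confirm TCP 443 is allowed out.
    $net = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Installed    = $true
        State        = $svc.State
        StartMode    = $svc.StartMode
        LogonAccount = $svc.StartName
        Outbound443  = $net.TcpTestSucceeded
        Healthy      = ($svc.State -eq 'Running' -and
                        $svc.StartMode -eq 'Auto' -and
                        $net.TcpTestSucceeded)
    }
}

Test-PtaAgent | Format-List
```

A result with Installed set to False after step 8 means the display name differs on your build or the agent was not installed; compare against the server list shown in the Pass-through authentication pane.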

Next, test the ability to sign in to your subscription with the user1@testlab.<your public domain> user name of the User1 account.

  1. From APP1, sign out, and then sign in again, this time specifying a different account.

  2. When prompted for a user name and password, specify user1@testlab.<your public domain> and the User1 password. You should successfully sign in as User1.

Notice that although User1 has domain administrator permissions for the TESTLAB AD DS domain, it is not a global administrator. Therefore, you will not see the Admin icon as an option.

Here is your resulting configuration:

[Figure: The simulated enterprise configuration with the pass-through authentication test environment]

This configuration consists of:

  • A Microsoft 365 E5 trial or paid subscription with the DNS domain testlab.<your domain name> registered.
  • A simplified organization intranet connected to the Internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. An Authentication Agent runs on APP1 to handle pass-through authentication requests from the Azure AD tenant of your Microsoft 365 subscription.

Next step

Explore additional identity features and capabilities in your test environment.

See also

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation