When to Create a Federation Server

When you create a federation server in Active Directory Federation Services (AD FS), you provide a means by which your organization can:

  • Engage in Web single-sign-on (SSO)-based communication with another organization (that also has at least one federation server) and, when necessary, with the employees in your own organization (who need access over the Internet).

  • Enable front-end services to impersonate users to infrastructure services using identity delegation. For more information, see When to Use Identity Delegation.

The following sections describe some of the key decisions for determining when and where to create one or more federation servers.

Determine the organizational role for the federation server

To make an informed decision regarding when to create a new federation server, you must first determine in which organization the server will reside. The role that a federation server plays in an organization depends on whether you place the federation server in the account partner organization or in the resource partner organization.

When a federation server is placed in the corporate network of the account partner, its role is to authenticate the user credentials of browser, Web service, or identity selector clients and send security tokens to the clients. For more information, see Review the Role of the Federation Server in the Account Partner.

When a federation server is placed in the corporate network of the resource partner, its role is to authenticate users, based on a security token that is issued by a federation server in the resource partner organization, or its role is to redirect token requests from configured Web applications or Web services to the account partner organization that the client belongs to. For more information, see Review the Role of the Federation Server in the Resource Partner.

Determine which AD FS design to deploy

You create federation servers in your organization whenever you want to deploy any of the following AD FS designs:

If necessary, an organization that deploys a Federated Web SSO design can configure a single federation server so that it acts in both the account partner role and the resource partner role. In this case, the federation server may produce Security Assertion Markup Language (SAML) tokens, based on user accounts in its own organization, or reroute token requests to the other organization, based on where the users' accounts reside.

Note

For the Federated Web SSO design, there must be at least one federation server in the account partner and at least one federation server in the resource partner.

Differences between a federation server and a federation server proxy

A federation server can serve out Web pages for sign-in, policy, authentication, and discovery in the same way that a federation server proxy does. The primary differences between a federation server and a federation server proxy have to do with the operations that a federation server can perform and a federation server proxy cannot.

The following are the operations that only a federation server can perform:

  • The federation server performs the cryptographic operations that produce the token. Although federation server proxies cannot produce tokens, they can be used to route or redirect the tokens to clients and, when necessary, back to the federation server. For more information about using federation server proxies, see When to Create a Federation Server Proxy.

  • Federation servers support the use of Windows Integrated Authentication for clients on the corporate network; federation server proxies do not. For more information about using Windows Integrated Authentication with federation servers, see When to Create a Federation Server Farm.

Caution

Communication between federation servers and SQL Server configuration databases, SQL Server attribute stores, domain controllers, and AD LDS instances is not integrity or confidentiality protected by default. To mitigate this, consider protecting the communication channel between these servers using IPsec, or use a physically secure connection between all of these servers. For communication between federation servers and SQL servers, consider using SSL protection in the connection string. For connections between federation servers and domain controllers, consider turning on Kerberos signing and encryption. For LDAP, LDAPS is not supported for AD LDS/AD DS.
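The SQL connection-string recommendation above is easy to verify. The following PowerShell check is an added example, not part of the AD FS documentation or product: it parses a SqlClient-style connection string (such as the one used for the AD FS configuration database or a SQL attribute store), reports whether transport encryption is requested, and flags the common mistake of turning on encryption while disabling server-certificate validation. The sample strings are constructed; the WMI query in the comment is the usual way to read the live configuration-database string from an AD FS server.

```powershell
# Added example (not from the AD FS documentation): audit an AD FS SQL connection
# string for transport protection. On a live federation server the configuration
# database string can be read with:
#   (Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService).ConfigurationDatabaseConnectionString
# Constructed sample strings are used below so the check runs anywhere.

function Test-AdfsSqlConnectionEncryption {
    param([Parameter(Mandatory = $true)][string]$ConnectionString)

    # Parse "Key=Value;Key=Value" into a table keyed by lower-cased keyword.
    $settings = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        $parts = $pair -split '=', 2
        if ($parts.Count -lt 2) { continue }          # skip empty or malformed segments
        $settings[$parts[0].Trim().ToLowerInvariant()] = $parts[1].Trim()
    }

    # SqlClient accepts several spellings for boolean values.
    function Test-SqlTrue([string]$v) { return ($v -match '^(true|yes|1)$') }

    $encrypt = $settings['encrypt']
    $trust   = $settings['trustservercertificate']
    if (-not $trust) { $trust = $settings['trust server certificate'] }

    $findings = @()
    if (-not $encrypt -or -not (Test-SqlTrue $encrypt)) {
        $findings += 'Encrypt is not enabled: traffic to the SQL server crosses the network in clear text.'
    }
    if ($trust -and (Test-SqlTrue $trust)) {
        $findings += 'TrustServerCertificate=True skips server certificate validation, so an on-path SQL impersonator is not detected.'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed samples: the default-style string with no protection, and a hardened one.
$weak = 'Data Source=sql01.corp.example;Initial Catalog=AdfsConfiguration;Integrated Security=True'
$hard = 'Data Source=sql01.corp.example;Initial Catalog=AdfsConfiguration;Integrated Security=True;Encrypt=True;TrustServerCertificate=False'

Test-AdfsSqlConnectionEncryption -ConnectionString $weak
Test-AdfsSqlConnectionEncryption -ConnectionString $hard
```

Encrypt=True only protects the channel if the SQL server presents a certificate the federation server trusts; keep TrustServerCertificate at its default of False and deploy a certificate from a trusted CA on the SQL server.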

How to create a federation server

You can create a federation server using the AD FS Federation Server Configuration Wizard or the Fsconfig.exe command-line tool. When you use either of these tools, you can select any of the following options to create a federation server.

For more detailed information about how each of these options works, see The Role of the AD FS Configuration Database.

For more information about how to set up all the prerequisites necessary to deploy a federation server, see Checklist: Setting Up a Federation Server.

See Also

AD FS Design Guide in Windows Server 2012