Set up an AD FS lab environment

This topic outlines the steps to configure a test environment that can be used to complete the walkthroughs in the following walkthrough guides:

Note

We do not recommend that you install the web server and the federation server on the same computer.

To set up this test environment, complete the following steps:

  1. Step 1: Configure the domain controller (DC1)

  2. Step 2: Configure the federation server (ADFS1) with Device Registration Service

  3. Step 3: Configure the web server (WebServ1) and a sample claims-based application

  4. Step 4: Configure the client computer (Client1)

Step 1: Configure the domain controller (DC1)

For the purposes of this test environment, you can call your root Active Directory domain contoso.com and specify pass@word1 as the administrator password.

  • Install the AD DS role service and install Active Directory Domain Services (AD DS) to make your computer a domain controller in Windows Server 2012 R2. This action upgrades your AD DS schema as part of the domain controller creation. For more information and step-by-step instructions, see https://technet.microsoft.com/library/hh472162.aspx.

Create test Active Directory accounts

After your domain controller is functional, you can create a test group and a test user account in this domain and add the user account to the group. You use these accounts to complete the walkthroughs in the walkthrough guides that are referenced earlier in this topic.

Create the following accounts:

  • User: Robert Hatley, with the following credentials: user name RobertH and password P@ssword

  • Group: Finance

For information about how to create user and group accounts in Active Directory (AD), see https://technet.microsoft.com/library/cc783323%28v=ws.10%29.aspx.

Add the Robert Hatley account to the Finance group. For information on how to add a user to a group in Active Directory, see https://technet.microsoft.com/library/cc737130%28v=ws.10%29.aspx.
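The same accounts can be created from Windows PowerShell on DC1 instead of through the GUI. The following is an added example, not code from the original walkthrough: it creates the Finance group and the RobertH user with the walkthrough's values, adds the user to the group, and then reads the result back. Placing both objects in the default Users container is this example's own assumption.

```powershell
# Added example (not part of the original walkthrough): create the Finance group
# and the RobertH test user on DC1 with the ActiveDirectory module, then verify
# the membership. Names and password are the walkthrough's values; the OU
# placement (default Users container) is an assumption.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$usersOu  = "CN=Users,$domainDn"   # assumption: default Users container

# Group: Finance (global security group)
if (-not (Get-ADGroup -Filter "Name -eq 'Finance'")) {
    New-ADGroup -Name 'Finance' -SamAccountName 'Finance' `
        -GroupScope Global -GroupCategory Security -Path $usersOu
}

# User: Robert Hatley, user name RobertH, password P@ssword (lab value from the walkthrough)
$password = ConvertTo-SecureString 'P@ssword' -AsPlainText -Force
if (-not (Get-ADUser -Filter "SamAccountName -eq 'RobertH'")) {
    New-ADUser -Name 'Robert Hatley' -GivenName 'Robert' -Surname 'Hatley' `
        -SamAccountName 'RobertH' -UserPrincipalName 'RobertH@contoso.com' `
        -AccountPassword $password -Enabled $true -Path $usersOu
}

# Add the user to the group
Add-ADGroupMember -Identity 'Finance' -Members 'RobertH'

# Verify: the claims AD FS issues later are built from these attributes, so confirm
# the account is enabled and the group membership resolved as expected.
Get-ADUser -Identity 'RobertH' -Properties MemberOf |
    Select-Object SamAccountName, UserPrincipalName, Enabled, MemberOf
Get-ADGroupMember -Identity 'Finance' | Select-Object SamAccountName, objectClass
```

Run it in an elevated PowerShell session as a domain administrator on DC1; the existence checks make it safe to re-run.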

Create a GMSA account

The group Managed Service Account (GMSA) is required during the Active Directory Federation Services (AD FS) installation and configuration.

To create a GMSA account
  1. Open a Windows PowerShell command window and type:

    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
    New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com
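
Once the two commands above have run, it is worth confirming that the gMSA looks the way AD FS expects before configuring the federation server. The following is an added example, not part of the original walkthrough: it checks the KDS root key, restricts which computer may retrieve the managed password, and shows the test to run on ADFS1. The account name FsGmsa and host adfs1.contoso.com are the walkthrough's values; the computer account name ADFS1$ is an assumption.

```powershell
# Added example (not part of the original walkthrough): verify the gMSA created by
# New-ADServiceAccount on DC1, scope its password retrieval to the federation
# server, and test it from ADFS1. FsGmsa and adfs1.contoso.com come from the
# walkthrough; the ADFS1$ computer account name is an assumption.
Import-Module ActiveDirectory

# The -10 hour EffectiveTime used in the walkthrough skips the normal replication
# wait and is a lab-only shortcut. Confirm that a root key is in place.
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# Least privilege: only the federation server's computer account should be able to
# retrieve the managed password. Verify this list again after AD FS is configured
# so that only farm members appear in it.
Set-ADServiceAccount -Identity 'FsGmsa' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS1$'   # assumption: ADFS1 computer account

Get-ADServiceAccount -Identity 'FsGmsa' `
    -Properties DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# On ADFS1 (after it is domain joined and has the AD PowerShell RSAT installed):
# Install-ADServiceAccount -Identity 'FsGmsa'
# Test-ADServiceAccount -Identity 'FsGmsa'   # returns True only if this host can fetch the password
```

The last two commands are commented out because they must run on ADFS1 rather than on DC1; a False result from Test-ADServiceAccount on ADFS1 means the computer account is not in the allowed-principals list or replication has not caught up yet.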
    
    

Step 2: Configure the federation server (ADFS1) by using Device Registration Service

To set up another virtual machine, install Windows Server 2012 R2 and connect it to the domain contoso.com. Set up the computer after you have joined it to the domain, and then proceed to install and configure the AD FS role.

For a video, see Active Directory Federation Services How-To Video Series: Installing an AD FS Server Farm.

Install a server SSL certificate

You must install a server Secure Sockets Layer (SSL) certificate on the ADFS1 server in the local computer store. The certificate MUST have the following attributes:

  • Subject Name (CN): adfs1.contoso.com

  • Subject Alternative Name (DNS): adfs1.contoso.com

  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
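A certificate that is missing the enterpriseregistration SAN or that has no private key is the usual reason the later Device Registration steps fail, so check the installed certificate before going further. The following is an added example and not part of the original walkthrough: it locates the certificate in the local computer store by its CN and tests the attributes listed above. The function name Test-AdfsSslCertificate and its parameters are this example's own.

```powershell
# Added example (not part of the original walkthrough): on ADFS1, find the server SSL
# certificate in LocalMachine\My and check the attributes the walkthrough requires:
# CN adfs1.contoso.com, SAN entries adfs1.contoso.com and
# enterpriseregistration.contoso.com, a private key, and a valid date range.
function Test-AdfsSslCertificate {
    param(
        [string]   $SubjectName  = 'adfs1.contoso.com',
        [string[]] $RequiredSans = @('adfs1.contoso.com', 'enterpriseregistration.contoso.com')
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($SubjectName))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) {
        Write-Warning "No certificate with CN=$SubjectName in LocalMachine\My"
        return $false
    }

    # Parse the Subject Alternative Name extension (OID 2.5.29.17) into DNS names.
    # Format($false) yields e.g. "DNS Name=adfs1.contoso.com, DNS Name=..."
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = $sanExt.Format($false) -split ',\s*' |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }

    $ok = $true
    foreach ($san in $RequiredSans) {
        if ($dnsNames -notcontains $san) { Write-Warning "Missing SAN: $san"; $ok = $false }
    }
    if (-not $cert.HasPrivateKey)        { Write-Warning 'Certificate has no private key'; $ok = $false }
    if ($cert.NotAfter -lt (Get-Date))   { Write-Warning 'Certificate has expired';        $ok = $false }
    if ($cert.NotBefore -gt (Get-Date))  { Write-Warning 'Certificate is not yet valid';   $ok = $false }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        SanDnsNames = $dnsNames
        NotAfter    = $cert.NotAfter
        Passed      = $ok
    }
}

Test-AdfsSslCertificate
```

The Thumbprint in the output is the value the AD FS configuration wizard (or Install-AdfsFarm) needs; a Passed value of False with the accompanying warnings tells you which attribute to fix before enrolling again.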

For more information, see Certificate Enrollment Web Service Guidance.

For a video, see Active Directory Federation Services How-To Video Series: Updating Certificates.

Install the AD FS server role

To install the Federation Service role service
  1. Log on to the server by using the domain administrator account administrator@contoso.com.

  2. Start Server Manager. To start Server Manager, click Server Manager on the Windows Start screen, or click Server Manager on the Windows taskbar on the Windows desktop. On the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next.

  6. On the Select server roles page, click Active Directory Federation Services, and then click Next.

  7. On the Select features page, click Next.

  8. On the Active Directory Federation Service (AD FS) page, click Next.

  9. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.

  10. On the Installation progress page, verify that everything installed correctly, and then click Close.

Configure the federation server

The next step is to configure the federation server.

To configure the federation server
  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.

    The Active Directory Federation Service Configuration Wizard opens.

  2. On the Welcome page, select Create the first federation server in a federation server farm, and then click Next.

  3. On the Connect to AD DS page, specify an account with domain administrator rights for the contoso.com Active Directory domain that this computer is joined to, and then click Next.

  4. On the Specify Service Properties page, do the following, and then click Next:

    • Import the SSL certificate that you obtained earlier. This certificate is the required service authentication certificate. Browse to the location of your SSL certificate.

    • To provide a name for your federation service, type adfs1.contoso.com. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).

    • To provide a display name for your federation service, type Contoso Corporation.

  5. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the GMSA account fsgmsa that you created when you created the domain controller.

  6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.

  7. On the Review Options page, verify your configuration selections, and then click Next.

  8. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.

  9. On the Results page, review the results, check whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment.
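The two procedures above (installing the role and running the configuration wizard) can also be done from Windows PowerShell, which is easier to repeat when rebuilding the lab. The following is an added example and not part of the original walkthrough: it installs the role and creates the first federation server in a new farm with the walkthrough's values (service name adfs1.contoso.com, display name Contoso Corporation, the contoso\FsGmsa$ gMSA, Windows Internal Database). Looking the certificate up by subject assumes exactly one matching certificate with a private key is installed.

```powershell
# Added example (not part of the original walkthrough): PowerShell equivalent of the
# AD FS role installation and the configuration wizard on ADFS1. Run as the domain
# administrator. Values come from the walkthrough; the certificate lookup assumes
# a single matching certificate is present in LocalMachine\My.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=adfs1.contoso.com' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Install the adfs1.contoso.com SSL certificate first.' }

# First federation server in a new farm backed by Windows Internal Database.
# The gMSA is given as DOMAIN\name$ (the trailing $ is part of the account name).
Install-AdfsFarm `
    -CertificateThumbprint         $cert.Thumbprint `
    -FederationServiceName         'adfs1.contoso.com' `
    -FederationServiceDisplayName  'Contoso Corporation' `
    -GroupServiceAccountIdentifier 'contoso\FsGmsa$'

# Verify: the service identity and the certificate bound to the HTTPS endpoint.
Get-AdfsProperties     | Select-Object HostName, DisplayName, Identifier
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
```

Install-AdfsFarm runs the same prerequisite checks as the wizard and returns a status object; a non-success Status with a message about the service account usually means the gMSA password could not be retrieved on this host.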

Configure Device Registration Service

The next step is to configure Device Registration Service on the ADFS1 server. For a video, see Active Directory Federation Services How-To Video Series: Enabling the Device Registration Service.

To configure Device Registration Service for Windows Server 2012 R2 RTM
  1. Important

    The following step applies to the Windows Server 2012 R2 RTM build.

    Open a Windows PowerShell command window and type:

    Initialize-ADDeviceRegistration

    When you are prompted for a service account, type contoso\fsgmsa$.

    Now run the following Windows PowerShell cmdlet.

    Enable-AdfsDeviceRegistration

  2. On the ADFS1 server, in the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
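Step 2 above is a single switch in the global authentication policy, and both steps can be verified from the same PowerShell window. The following is an added example and not part of the original walkthrough: it passes the service account to Initialize-ADDeviceRegistration on the command line instead of at the prompt, enables device authentication through Set-AdfsGlobalAuthenticationPolicy, and then reads both settings back. The cmdlets and parameters are those of the Windows Server 2012 R2 AD FS module; the gMSA contoso\fsgmsa$ is the walkthrough's value.

```powershell
# Added example (not part of the original walkthrough): enable Device Registration
# Service and device authentication on ADFS1 from PowerShell, then verify.

# Step 1: create the device registration objects in AD and enable the service.
# -ServiceAccountName replaces the interactive prompt for contoso\fsgmsa$.
Initialize-ADDeviceRegistration -ServiceAccountName 'contoso\fsgmsa$'
Enable-AdfsDeviceRegistration

# Step 2: the PowerShell form of "Enable Device Authentication" in the
# Edit Global Primary Authentication dialog.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify: DRS settings (device object location, quota, inactivity period) and
# the policy flag that step 2 sets.
Get-AdfsDeviceRegistration
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object DeviceAuthenticationEnabled,
                  PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider
```

DeviceAuthenticationEnabled should read True after the policy change; if Initialize-ADDeviceRegistration reports that it cannot find the service account, check the gMSA name and that ADFS1 is allowed to retrieve its password.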

Add Host (A) and Alias (CNAME) Resource Records to DNS

On DC1, you must ensure that the following Domain Name System (DNS) records are created for Device Registration Service.

Entry                   Type            Address
adfs1                   Host (A)        IP address of the AD FS server
enterpriseregistration  Alias (CNAME)   adfs1.contoso.com

You can use the following procedure to add a host (A) resource record to corporate DNS name servers for the federation server and Device Registration Service.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships in Local and Domain Default Groups (https://go.microsoft.com/fwlink/p/?LinkId=83477).

To add host (A) and alias (CNAME) resource records to DNS for your federation server
  1. On DC1, from Server Manager, on the Tools menu, click DNS to open the DNS snap-in.

  2. In the console tree, expand DC1, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).

  3. In Name, type the name you want to use for your AD FS farm. For this walkthrough, type adfs1.

  4. In IP address, type the IP address of the ADFS1 server. Click Add Host.

  5. Right-click contoso.com, and then click New Alias (CNAME).

  6. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.

  7. In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs1.contoso.com, and then click OK.

    Important

    In a real-world deployment, if your company has multiple user principal name (UPN) suffixes, you must create multiple CNAME records, one for each of those UPN suffixes in DNS.
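The same records can be created and checked with the DnsServer module on DC1. The following is an added example and not part of the original walkthrough: it adds the adfs1 Host (A) record and the enterpriseregistration CNAME, and it generalizes the note above by creating one CNAME per UPN-suffix zone listed in $UpnSuffixes. The address 10.0.0.5 is a constructed placeholder for the ADFS1 IP address, and the zone list assumes each UPN suffix is hosted as a zone on this server.

```powershell
# Added example (not part of the original walkthrough): create the DNS records for the
# federation server and Device Registration Service on DC1, one CNAME per UPN suffix,
# then resolve them. 10.0.0.5 is a placeholder; replace it with the ADFS1 address.
Import-Module DnsServer

$adfsHost    = 'adfs1'
$adfsFqdn    = 'adfs1.contoso.com'
$adfsIp      = '10.0.0.5'           # placeholder: IP address of the ADFS1 server
$UpnSuffixes = @('contoso.com')     # assumption: one zone per UPN suffix; add more here

# Host (A): adfs1 -> IP address of the AD FS server (in the contoso.com zone)
if (-not (Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name $adfsHost -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name $adfsHost -IPv4Address $adfsIp
}

# Alias (CNAME): enterpriseregistration -> adfs1.contoso.com, once per UPN suffix
foreach ($zone in $UpnSuffixes) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'enterpriseregistration' -RRType CName -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'enterpriseregistration' -HostNameAlias $adfsFqdn
    }
}

# Verify: clients locate the federation service by the A record and the device
# registration endpoint by the CNAME, so both must resolve.
Resolve-DnsName -Name $adfsFqdn -Type A
foreach ($zone in $UpnSuffixes) {
    Resolve-DnsName -Name "enterpriseregistration.$zone" -Type CNAME
}
```

Resolve-DnsName should return the CNAME pointing at adfs1.contoso.com followed by the A record for that name; run it from Client1 as well once the client is on the lab network, because a cached or stale resolver answer there is a common cause of device registration failures.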

Step 3: Configure the web server (WebServ1) and a sample claims-based application

Set up a virtual machine (WebServ1) by installing the Windows Server 2012 R2 operating system and connect it to the domain contoso.com. After it is joined to the domain, you can proceed to install and configure the Web Server role.

To complete the walkthroughs that were referenced earlier in this topic, you must have a sample application that is secured by your federation server (ADFS1).

You can download the Windows Identity Foundation SDK (https://www.microsoft.com/download/details.aspx?id=4451), which includes a sample claims-based application.

You must complete the following steps to set up a web server with this sample claims-based application.

Note

These steps have been tested on a web server that runs the Windows Server 2012 R2 operating system.

  1. Install the Web Server role and Windows Identity Foundation

  2. Install Windows Identity Foundation SDK

  3. Configure the simple claims app in IIS

  4. Create a relying party trust on your federation server

Install the Web Server role and Windows Identity Foundation

  1. Note

    You must have access to the Windows Server 2012 R2 installation media.

    Log on to WebServ1 by using administrator@contoso.com and the password pass@word1.

  2. From Server Manager, on the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next.

  6. On the Select server roles page, select the check box next to Web Server (IIS), click Add Features, and then click Next.

  7. On the Select features page, select Windows Identity Foundation 3.5, and then click Next.

  8. On the Web Server Role (IIS) page, click Next.

  9. On the Select role services page, select and expand Application Development. Select ASP.NET 3.5, click Add Features, and then click Next.

  10. On the Confirm installation selections page, click Specify an alternate source path. Enter the path to the Sxs directory that is located in the Windows Server 2012 R2 installation media. For example, D:\Sources\Sxs. Click OK, and then click Install.

Install Windows Identity Foundation SDK

  1. Run WindowsIdentityFoundation-SDK-3.5.msi to install Windows Identity Foundation SDK 3.5 (https://www.microsoft.com/download/details.aspx?id=4451). Choose all of the default options.

Configure the simple claims app in IIS

  1. Install a valid SSL certificate in the computer certificate store. The certificate should contain the name of your web server, webserv1.contoso.com.

  2. Copy the contents of C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp to C:\Inetpub\Claimapp.

  3. Edit the Default.aspx.cs file so that no claim filtering takes place. This step is performed to ensure that the sample application displays all the claims that are issued by the federation server. Do the following:

    1. Open Default.aspx.cs in a text editor.

    2. Search the file for the second instance of ExpectedClaims.

    3. Comment out the entire IF statement and its braces. Indicate comments by typing "//" (without the quotes) at the beginning of a line.

    4. Your FOREACH statement should now look like this code example.
      foreach (Claim claim in claimsIdentity.Claims)
      {
         // Before showing the claims, validate that this is an expected claim.
         // If it is not in the expected claims list then don't show it.
         // The filter is commented out so that every issued claim is displayed:
         //if (ExpectedClaims.Contains( claim.ClaimType ) )
         // {
            writeClaim( claim, table );
         //}
      }
      
      
    5. Save and close Default.aspx.cs.

    6. Open web.config in a text editor.

    7. Remove the entire <microsoft.identityModel> section. Remove everything starting from and including <microsoft.identityModel> up to and including </microsoft.identityModel>.

    8. Save and close web.config.

  4. Configure IIS Manager

    1. Open Internet Information Services (IIS) Manager.

    2. Go to Application Pools, right-click DefaultAppPool, and select Advanced Settings. Set Load User Profile to True, and then click OK.

    3. Right-click DefaultAppPool and select Basic Settings. Change the .NET CLR Version to .NET CLR Version v2.0.50727.

    4. Right-click Default Web Site and select Edit Bindings.

    5. Add an HTTPS binding to port 443 with the SSL certificate that you have installed.

    6. Right-click Default Web Site and select Add Application.

    7. Set the alias to claimapp and the physical path to C:\Inetpub\Claimapp.

  5. To configure claimapp to work with your federation server, do the following:

    1. Run FedUtil.exe, which is located in C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5.

    2. Set the application configuration location to C:\Inetpub\Claimapp\web.config and set the application URI to the URL for your site, https://webserv1.contoso.com/claimapp/. Click Next.

    3. Select Use an existing STS and browse to your AD FS server's metadata URL, https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml. Click Next.

    4. Select Disable certificate chain validation, and then click Next.

    5. Select No encryption, and then click Next. On the Offered claims page, click Next.

    6. Select the check box next to Schedule a task to perform daily WS-Federation metadata updates. Click Finish.

    7. Your sample application is now configured. If you test the application URL https://webserv1.contoso.com/claimapp, it should redirect you to your federation server. The federation server should display an error page because you have not yet configured the relying party trust. In other words, you have not yet secured this test application with AD FS.
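The WebServ1 preparation above (role installation, copying the sample, the application pool, the HTTPS binding and the claimapp application) can be scripted so that the web server is rebuilt identically each time. The following is an added example and not part of the original walkthrough or the WIF SDK: it performs those steps from an elevated PowerShell session on WebServ1, leaving only the FedUtil.exe wizard and the Default.aspx.cs and web.config edits to be done by hand. The media path D:\Sources\Sxs is the walkthrough's example, and the certificate lookup assumes one certificate for webserv1.contoso.com with a private key is installed.

```powershell
# Added example (not part of the original walkthrough): install IIS, ASP.NET 3.5 and
# Windows Identity Foundation on WebServ1, stage the WIF SDK sample as claimapp, and
# configure the application pool, HTTPS binding and application as the steps above
# describe. D:\Sources\Sxs is the walkthrough's example media path.
Install-WindowsFeature Web-Server, Web-Asp-Net, Windows-Identity-Foundation `
    -IncludeManagementTools -Source 'D:\Sources\Sxs'

$src = 'C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp'
$dst = 'C:\Inetpub\Claimapp'
New-Item -ItemType Directory -Path $dst -Force | Out-Null
Copy-Item -Path "$src\*" -Destination $dst -Recurse -Force

Import-Module WebAdministration

# Application pool: Load User Profile = True, .NET CLR Version v2.0.50727
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel.loadUserProfile -Value $true
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name managedRuntimeVersion -Value 'v2.0'

# HTTPS binding on port 443 with the webserv1.contoso.com certificate
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=webserv1.contoso.com' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Install the webserv1.contoso.com SSL certificate first.' }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Application: alias claimapp, physical path C:\Inetpub\Claimapp
if (-not (Get-WebApplication -Site 'Default Web Site' -Name 'claimapp')) {
    New-WebApplication -Name 'claimapp' -Site 'Default Web Site' `
        -PhysicalPath $dst -ApplicationPool 'DefaultAppPool'
}

# Verify the binding and the application before running FedUtil.exe
Get-WebBinding    -Name 'Default Web Site'
Get-WebApplication -Site 'Default Web Site'
```

After this script, run FedUtil.exe as described in step 5 and then make the Default.aspx.cs and web.config edits from step 3; the script does not touch those files.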

You must now secure your sample application that runs on your web server with AD FS. You can do this by adding a relying party trust on your federation server (ADFS1). For a video, see Active Directory Federation Services How-To Video Series: Add a Relying Party Trust.

Create a relying party trust on your federation server

  1. On your federation server (ADFS1), in the AD FS Management console, navigate to Relying Party Trusts, and then click Add Relying Party Trust.

  2. On the Select Data Source page, select Import data about the relying party published online or on a local network, enter the metadata URL for claimapp, and then click Next. Running FedUtil.exe created a metadata .xml file. It is located at https://webserv1.contoso.com/claimapp/federationmetadata/2007-06/federationmetadata.xml.

  3. On the Specify Display Name page, specify the display name for your relying party trust, claimapp, and then click Next.

  4. On the Configure Multi-factor Authentication Now? page, select I do not want to specify multi-factor authentication settings for this relying party trust at this time, and then click Next.

  5. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

  6. On the Ready to Add Trust page, click Next.

  7. In the Edit Claim Rules dialog box, click Add Rule.

  8. On the Choose Rule Type page, select Send Claims Using a Custom Rule, and then click Next.

  9. On the Configure Claim Rule page, in the Claim rule name box, type All Claims. In the Custom rule box, type the following claim rule.

    c:[ ]
    => issue(claim = c);

  10. Click Finish, and then click OK.
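The relying party trust above can also be created from PowerShell on ADFS1, which makes the two rule sets (issuance authorization and issuance transform) explicit as text rather than wizard choices. The following is an added example and not part of the original walkthrough: it imports the claimapp metadata from the URL given in step 2 and sets the "Permit all users" authorization rule and the "All Claims" custom rule from steps 5 and 9. The permit-all rule text is the standard AD FS AllowAllAuthzRule template; the display name, URL and custom rule are the walkthrough's values.

```powershell
# Added example (not part of the original walkthrough): create the claimapp relying
# party trust on ADFS1 with Add-AdfsRelyingPartyTrust, using the walkthrough's
# metadata URL, display name, permit-all authorization rule and All Claims rule.
$metadataUrl = 'https://webserv1.contoso.com/claimapp/federationmetadata/2007-06/federationmetadata.xml'

# Issuance authorization: "Permit all users to access this relying party"
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: custom rule "All Claims" (c:[] => issue(claim = c);)
$allClaims = @'
@RuleName = "All Claims"
c:[]
=> issue(claim = c);
'@

if (-not (Get-AdfsRelyingPartyTrust -Name 'claimapp')) {
    Add-AdfsRelyingPartyTrust -Name 'claimapp' -MetadataUrl $metadataUrl `
        -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $allClaims `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Verify: Identifier and endpoints come from the imported metadata; the two rule
# strings should match the ones set above. Permit-all plus pass-through of every
# claim is the walkthrough's lab setting, not a production rule set.
Get-AdfsRelyingPartyTrust -Name 'claimapp' |
    Select-Object Name, Identifier, Enabled, MetadataUrl,
                  IssuanceAuthorizationRules, IssuanceTransformRules
```

If Add-AdfsRelyingPartyTrust cannot fetch the metadata, browse to $metadataUrl from ADFS1 first: the web server's HTTPS binding and certificate from step 3 must be in place, and ADFS1 must trust the webserv1.contoso.com certificate.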

Step 4: Configure the client computer (Client1)

Set up another virtual machine and install Windows 8.1. This virtual machine must be on the same virtual network as the other machines. This machine should NOT be joined to the Contoso domain.

The client MUST trust the SSL certificate that is used for the federation server (ADFS1), which you set up in Step 2: Configure the federation server (ADFS1) with Device Registration Service. It must also be able to validate certificate revocation information for the certificate.

You also must set up and use a Microsoft account to log on to Client1.

See Also

  • Active Directory Federation Services How-To Video Series: Installing an AD FS Server Farm

  • Active Directory Federation Services How-To Video Series: Updating Certificates

  • Active Directory Federation Services How-To Video Series: Add a Relying Party Trust

  • Active Directory Federation Services How-To Video Series: Enabling the Device Registration Service

  • Active Directory Federation Services How-To Video Series: Installing the Web Application Proxy
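Because Client1 is not domain joined, it does not receive the lab CA certificate through Group Policy, and the two requirements above (trust and revocation checking) are where device registration most often fails silently. The following is an added example and not part of the original walkthrough: it imports the issuing CA certificate into the client's Trusted Root store, fetches the certificate that adfs1.contoso.com actually presents, and builds its chain with online revocation checking. The file path C:\Temp\ContosoRootCA.cer is a placeholder for the exported CA certificate; run it in an elevated PowerShell session on Client1.

```powershell
# Added example (not part of the original walkthrough): on Client1, trust the lab CA
# and confirm that the ADFS1 certificate chains and its revocation data is reachable.
# C:\Temp\ContosoRootCA.cer is a placeholder for the exported issuing CA certificate.
$caFile = 'C:\Temp\ContosoRootCA.cer'   # placeholder: exported root CA certificate
Import-Certificate -FilePath $caFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Retrieve the certificate the federation server presents on 443. The accept-all
# callback only lets the handshake complete so the certificate can be examined;
# the real trust decision is made by the X509Chain below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient('adfs1.contoso.com', 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient('adfs1.contoso.com')
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# Build the chain the way Windows will: full chain, online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$trusted = $chain.Build($serverCert)

[pscustomobject]@{
    Subject = $serverCert.Subject
    Issuer  = $serverCert.Issuer
    Trusted = $trusted
    Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
```

Trusted should be True with an empty Status; a Status of RevocationStatusUnknown or OfflineRevocation means the client cannot reach the CRL or OCSP location named in the certificate, which the walkthrough requires it to validate, and UntrustedRoot means the CA import did not take effect.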