The Role of the AD FS Configuration Database

The AD FS configuration database stores all the configuration data that represents a single instance of Active Directory Federation Services (AD FS), that is, the Federation Service. The AD FS configuration database defines the set of parameters that a Federation Service requires to identify partners, certificates, attribute stores, claims, and various data about these associated entities. You can store this configuration data in either a Microsoft SQL Server® database or the Windows Internal Database (WID) feature that is included with Windows Server® 2008, Windows Server 2008 R2 and Windows Server 2012.

Note

The entire contents of the AD FS configuration database can be stored either in an instance of WID or in an instance of the SQL database, but not both. This means that you cannot have some federation servers using WID and others using a SQL Server database for the same instance of the AD FS configuration database.

You can use the following information in this topic along with the content provided in AD FS Deployment Topology Considerations to learn about the advantages and disadvantages of choosing either WID or SQL Server to store the AD FS configuration database:

WID uses a relational data store and does not have its own management user interface (UI). Instead, administrators can modify the contents of the AD FS configuration database by using either the AD FS Management snap-in, Fsconfig.exe, or Windows PowerShell™ cmdlets.

Using WID to store the AD FS configuration database

You can create the AD FS configuration database using WID as the store by using either the Fsconfig.exe command-line tool or the AD FS Federation Server Configuration Wizard. When you use either of these tools, you can choose any of the following options to create your federation server topology. Each of these options uses WID for storing the AD FS configuration database:

  • Create a stand-alone federation server

  • Create the first federation server in a federation server farm

  • Add a federation server to a federation server farm

If you select the stand-alone option, WID is used to store a single instance of the AD FS configuration database. This instance cannot be shared across multiple federation servers. It is meant for test lab environments only. For more information about the stand-alone federation server option or how to set one up, see Stand-Alone Federation Server Using WID or Create a Stand-Alone Federation Server.

If you select the first federation server in a federation server farm option, WID is configured for scalability, which permits additional federation servers to be added to the farm at a later time. For more information about deploying a WID farm or how to set one up, see Federation Server Farm Using WID or Create the First Federation Server in a Federation Server Farm.

If you select the add a federation server option, WID is configured to replicate configuration database changes to the new federation server at set intervals. For more information about adding a federation server to a WID farm, see Federation Server Farm Using WID or Add a Federation Server to a Federation Server Farm.

Note

When you deploy a federation server farm using WID, some features of AD FS may not be available. To have access to the full feature set when you configure your server farm, consider using Microsoft SQL Server to store the AD FS configuration database instead. For more information, see AD FS Deployment Topology Considerations.

How a WID federation server farm works

This section describes the important concepts of how a WID federation server farm replicates data between a primary federation server and secondary federation servers.

Primary federation server

A primary federation server is a computer running Windows Server 2008, Windows Server 2008 R2 or Windows Server® 2012 that has been configured in the federation server role with the AD FS Federation Server Configuration Wizard and that has a read/write copy of the AD FS configuration database. The primary federation server is always created when you use the AD FS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm, also known as secondary federation servers, must synchronize changes that are made on the primary federation server to a copy of the AD FS configuration database that is stored locally.

Secondary federation servers

Secondary federation servers store a copy of the AD FS configuration database from the primary federation server, but these copies are read-only. Secondary federation servers connect to and synchronize the data with the primary federation server in the farm by polling it at regular intervals to check whether data has changed. The secondary federation servers exist to provide fault tolerance for the primary federation server while acting to load-balance access requests that are made in different sites throughout your network environment.

Note

If a primary federation server crashes and is offline, all secondary federation servers continue to process requests as normal. However, no new changes can be made to the Federation Service until the primary federation server has been brought back online. You can also nominate a secondary federation server to become the primary federation server by using Windows PowerShell. For more information, see AD FS Administration with Windows PowerShell.

How the AD FS configuration database is synchronized

Because of the important role that the AD FS configuration database plays, it is made available on all the federation servers in the network to provide fault tolerance and load-balancing capabilities when processing requests (when network load balancers are used). However, for secondary federation servers to serve in this capacity, the AD FS configuration database that is stored on the primary federation server must be synchronized to them.

When you add a federation server to the farm, the new computer that will become a secondary federation server connects to the primary federation server to replicate the copy of the AD FS configuration database. From this point forward, the new federation server continues to pull updates from the primary federation server on a regular basis, as shown in the following illustration.

(Illustration: AD FS roles)

Each secondary federation server polls the primary federation server every five minutes for changes. You can adjust this default five-minute value or force an immediate synchronization at any time by using a Windows PowerShell cmdlet. For more information about how to do this, see AD FS Administration with Windows PowerShell.

The WID synchronization process also supports incremental transfers for more efficient transfer of intermediate changes. The incremental transfer process requires substantially less traffic on the network, and transfers complete much faster.
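The following script is an added example, not part of the original article, that walks through the two WID farm operations described above (inspecting and shortening the five-minute polling interval, and nominating a secondary federation server as the new primary after the original primary has gone offline). It assumes the Windows Server 2012 AD FS PowerShell module, whose Get-AdfsSyncProperties and Set-AdfsSyncProperties cmdlets expose the sync role and the PollDuration value in seconds; the host name adfs-new-primary.contoso.example is a placeholder.

```powershell
# Added example (not from the original article). Assumes the Windows Server 2012
# AD FS module (Get-AdfsSyncProperties / Set-AdfsSyncProperties); on AD FS 2.0 the
# snap-in must be loaded first with Add-PSSnapin Microsoft.Adfs.PowerShell.
# Run each step in an elevated session on the federation server named in its comment.

# Step 1 (any farm member): show which role this server holds and how often a
# secondary polls the primary. The article's default of five minutes is 300 seconds.
$sync = Get-AdfsSyncProperties
"Role: {0}; PollDuration: {1} seconds; Primary: {2}" -f $sync.Role, $sync.PollDuration, $sync.PrimaryComputerName

# Step 2 (on a secondary): shorten the replication interval to 60 seconds so that a
# change made on the primary, such as removing a relying party trust or rotating a
# certificate, reaches this server sooner. Only secondaries poll, so guard on the role.
if ($sync.Role -eq 'SecondaryComputer') {
    Set-AdfsSyncProperties -PollDuration 60
}

# Step 3 (on exactly ONE secondary, only while the original primary is offline):
# promote it to hold the single read/write copy of the configuration database.
# Promoting two servers would leave the farm with two diverging writable copies.
if ($sync.Role -eq 'SecondaryComputer' -and $PromoteThisServer) {
    Set-AdfsSyncProperties -Role PrimaryComputer
}

# Step 4 (on every remaining secondary): point replication at the new primary.
# WID replication uses the primary's HTTP endpoint on port 80 by default.
if ($RepointToNewPrimary) {
    Set-AdfsSyncProperties -Role SecondaryComputer `
        -PrimaryComputerName 'adfs-new-primary.contoso.example' `
        -PrimaryComputerPort 80
}
```

Set the $PromoteThisServer and $RepointToNewPrimary switches before running the script so that steps 3 and 4 only execute on the servers they are meant for; after a promotion, re-run step 1 on every farm member and confirm that exactly one reports Role PrimaryComputer and that all others name it as PrimaryComputerName.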

Note

The migration of an AD FS configuration database from WID to an instance of SQL Server is supported. For more information about how to do this, see AD FS: Migrate Your AD FS Configuration Database to SQL Server on the TechNet Wiki site.

Using SQL Server to store the AD FS configuration database

You can create the AD FS configuration database using a single SQL Server database instance as the store by using the Fsconfig.exe command-line tool. Using a SQL Server database as the AD FS configuration database provides the following benefits over WID:

  • Administrators can leverage the high availability features of SQL Server.

  • It provides additional performance increases for high traffic.

  • It provides support for SAML artifact resolution and SAML/WS-Federation token replay detection (described below).

The term "primary federation server" does not apply when the AD FS configuration database is stored in a SQL database instance, because all federation servers can equally read and write to the AD FS configuration database that is using the same clustered SQL Server instance, as shown in the following illustration.

(Illustration: AD FS roles)

You can use SQL Server to configure two or more servers to work together as a server cluster to ensure that AD FS is made highly available to service incoming client requests. High availability provides a scale-out architecture in which you can increase server capacity by adding additional servers. Single points of failure are mitigated by automatic cluster failover.

You can achieve high availability by using the network load-balancing and failover services that SQL clustering technologies provide. For more information about how to configure SQL Server for high availability, see High Availability Solutions Overview.

SAML artifact resolution

Security Assertion Markup Language (SAML) artifact resolution is an endpoint based on the part of the SAML 2.0 protocol that describes how a relying party can retrieve a token directly from a claims provider. In the first stage of the resolution process, a browser client contacts a resource federation server and provides it with an artifact. In the second stage, the resource federation server sends the artifact to a SAML artifact endpoint URL that is hosted somewhere in the account partner organization in order to resolve the artifact message. In the final stage, the account federation server issues the token to the resource federation server on behalf of the browser client.

Note

If you are an administrator in an account partner organization, make sure to assign or bind an SSL certificate, which chains to a root certificate of a member of the Windows Root Certificate Program, to the federation passive Web site in IIS (\Sites\Default Web Site\adfs\ls) on all the account federation servers in the farm. This is important to prevent resource federation servers from having to manually add the SSL certificate to the Local Computer's Trusted People certificate store, or from being unable to resolve the artifact that is published in your organization.

SAML/WS-Federation token replay detection

The term token replay refers to the act by which a browser client in an account partner organization attempts to send the same token it received from an account federation server multiple times to authenticate to a resource federation server. This act occurs when a user clicks the Back button of their browser in an effort to resubmit the authentication page.

AD FS provides a feature referred to as token replay detection by which multiple token requests using the same token can be detected and then discarded. When this feature is enabled, token replay detection protects the integrity of authentication requests in both the WS-Federation passive profile and the SAML WebSSO profile by making sure that the same token is never used more than once. This feature should be enabled in situations where security is a very high concern, such as when using kiosks.

In the kiosk example, a user can log off of all Web sites, and later a malicious user can attempt to use the browser history in order to resubmit the federated authentication page that was loaded by the previous user. This feature mitigates this concern by storing additional information about each successful authentication made by an account partner organization, in order to detect subsequent replays of the token and prevent multiple authentication attempts from succeeding.