STEP 4 Install and Configure RSA and EDGE1

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

RSA is the RADIUS and OTP server, and is installed prior to configuring RADIUS and OTP.

You will perform the following steps to configure the RSA deployment:

  1. Install the operating system on the RSA server. Install Windows Server 2016, Windows Server 2012 R2 or Windows Server 2012 on the RSA server.

  2. Configure TCP/IP on RSA. Configure the TCP/IP settings on the RSA server.

  3. Copy the Authentication Manager installation files to the RSA server. After installing the operating system on RSA, copy the Authentication Manager files to the RSA computer.

  4. Join the RSA server to the CORP domain. Join RSA to the CORP domain.

  5. Disable Windows Firewall on RSA. Disable the Windows Firewall on the RSA server.

  6. Install RSA Authentication Manager on the RSA server. Install RSA Authentication Manager.

  7. Configure RSA Authentication Manager. Configure Authentication Manager.

  8. Create DAProbeUser. Create a user account for probing purposes.

  9. Install the RSA SecurID software token on CLIENT1.

  10. Configure EDGE1 as an RSA Authentication Agent. Configure the RSA Authentication Agent on EDGE1.

  11. Configure EDGE1 to support OTP authentication. Configure OTP for DirectAccess, and verify the configuration.

Install the operating system on the RSA server

  1. On RSA, start the installation of Windows Server 2016, Windows Server 2012 R2 or Windows Server 2012.

  2. Follow the instructions to complete the installation, specifying Windows Server 2016, Windows Server 2012 R2 or Windows Server 2012 (Full Installation) and a strong password for the local Administrator account. Log on using the local Administrator account.

  3. Connect RSA to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2016, Windows Server 2012 R2 or Windows Server 2012, and then disconnect from the Internet.

  4. Connect RSA to the Corpnet subnet.

Configure TCP/IP on RSA

  1. In Initial Configuration Tasks, click Configure networking.

  2. In Network Connections, right-click Local Area Connection, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Click Use the following IP address. In IP address, type 10.0.0.5. In Subnet mask, type 255.255.255.0. In Default gateway, type 10.0.0.2. Click Use the following DNS server addresses, and in Preferred DNS server, type 10.0.0.1.

  5. Click Advanced, and then click the DNS tab.

  6. In DNS suffix for this connection, type corp.contoso.com, and then click OK twice.

  7. On the Local Area Connection Properties dialog box, click Close.

  8. Close the Network Connections window.

Copy the Authentication Manager installation files to the RSA server

  1. On the RSA server, create the folder C:\RSA Installation.

  2. Copy the contents of the RSA Authentication Manager 7.1 SP4 media to the C:\RSA Installation folder.

  3. Create the subfolder C:\RSA Installation\License and Token.

  4. Copy the RSA license files to C:\RSA Installation\License and Token.

Join the RSA server to the CORP domain

  1. Right-click My Computer, and click Properties.

  2. In the System Properties dialog box, on the Computer Name tab, click Change.

  3. In Computer Name, type RSA. In Member of, click Domain, type corp.contoso.com, and click OK.

  4. When you are prompted for a user name and password, type User1 and its password, and click OK.

  5. On the domain welcome dialog box, click OK.

  6. When you are prompted that you must restart the computer, click OK.

  7. On the System Properties dialog box, click Close.

  8. When you are prompted to restart the computer, click Restart Now.

  9. After the computer has restarted, type User1 and the password, select CORP in the Log on to: drop-down list, and click OK.

Disable Windows Firewall on RSA

  1. Click Start, click Control Panel, click System and Security, and click Windows Firewall.

  2. Click Turn Windows Firewall on or off.

  3. Turn off Windows Firewall for all settings.

  4. Click OK and close Windows Firewall.
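The TCP/IP, domain-join and firewall procedures above are written for the GUI. The following script is an added example, not part of the original walkthrough, that performs the same three procedures from an elevated PowerShell session on the RSA server. The addresses, DNS suffix, computer name and domain are the page's values; the adapter name 'Ethernet' is an assumption (the page calls the connection "Local Area Connection"), so match it against the output of Get-NetAdapter before running.

```powershell
# Added example (not from the original walkthrough): prepare the RSA server in one pass.
# Values 10.0.0.5/24, gateway 10.0.0.2, DNS 10.0.0.1, suffix corp.contoso.com and the CORP
# domain come from the page. The adapter name 'Ethernet' is an assumption; the page calls it
# "Local Area Connection", so check Get-NetAdapter and adjust it.
$ErrorActionPreference = 'Stop'
$nic = Get-NetAdapter -Name 'Ethernet'

# Static IPv4 configuration (the "Use the following IP address" settings).
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 10.0.0.5 -PrefixLength 24 -DefaultGateway 10.0.0.2 | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 10.0.0.1
Set-DnsClient -InterfaceIndex $nic.ifIndex -ConnectionSpecificSuffix 'corp.contoso.com'

# Confirm the DNS server at 10.0.0.1 answers and resolves the domain before the join;
# a wrong suffix or DNS server is the usual reason a domain join fails.
if (-not (Test-Connection -ComputerName 10.0.0.1 -Count 2 -Quiet)) { throw 'DNS server 10.0.0.1 is unreachable' }
Resolve-DnsName -Name 'corp.contoso.com' -Type A | Out-Null

# The lab turns Windows Firewall off on every profile, as the page instructs.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
Get-NetFirewallProfile | Select-Object Name, Enabled   # all three profiles should show False

# Rename the computer to RSA and join corp.contoso.com in one step, then restart.
# Get-Credential prompts for User1's password rather than embedding it in the script.
$cred = Get-Credential -UserName 'CORP\User1' -Message 'Account used to join computers to CORP'
Add-Computer -DomainName 'corp.contoso.com' -NewName 'RSA' -Credential $cred -Restart
```

The firewall step is done last but before the join because Add-Computer -Restart reboots the server immediately. Outside a test lab, leave the profiles enabled and add inbound rules with New-NetFirewallRule only for the ports the RADIUS and agent traffic actually uses (UDP 1812/1813 for standard RADIUS), so that disabling the firewall is not carried into production.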

Install RSA Authentication Manager on the RSA server

  1. If the Security Warning message appears at any time during this process, click Run to continue.

  2. Open the C:\RSA Installation folder and double-click autorun.exe.

  3. Click Install Now, click Next, select the top option for the Americas, and click Next.

  4. Select I accept the terms of the license agreement, and click Next.

  5. Select Primary Instance, and click Next.

  6. In the Directory Name: field, type C:\RSA, and click Next.

  7. Verify that the server name (RSA.corp.contoso.com) and IP address are correct, and click Next.

  8. Browse to C:\RSA Installation\License and Token, and click Next.

  9. On the Verify license file page, click Next.

  10. In the User ID field, type Administrator, and in the Password and Confirm Password fields type a strong password. Click Next.

  11. On the log selection screen, accept the defaults and click Next.

  12. On the summary screen, click Install.

  13. After installation is complete, click Finish.

Configure RSA Authentication Manager

  1. If the RSA Security Console does not open automatically, then on the RSA computer desktop double-click "RSA Security Console".

  2. If the security certificate warning / security alert appears, click Continue to this website or click Yes to proceed, and add this site to trusted sites, if requested.

  3. In the User ID field, type Administrator and click OK.

  4. In the Password field, type the password for the Administrator account and click Log On.

  5. Insert token information.

    1. In the RSA Security Console, click Authentication and click SecurID Tokens.

    2. Click Import Tokens Job, and then click Add New.

    3. In the Import Options section, click Browse. Browse to and select the tokens XML file in the C:\RSA Installation\License and Token folder and click Open.

    4. Click Submit Job at the bottom of the page.

  6. Create the new OTP user.

    1. In the RSA Security Console, click the Identity tab, click Users, and click Add New.

    2. In the Last Name: section type User, and in the User ID: section type User1 (the User ID must be the same as the AD user name used for this lab). In the Password: and Confirm Password: sections type a strong password. Clear the 'Require user to change password at next logon' check box and click Save.

  7. Assign User1 to one of the imported tokens.

    1. On the Users page, click User1 and click SecurID Tokens.

    2. Click SecurID Tokens and click Assign Token.

    3. Under the Serial Number heading, click the first number listed, and click Assign.

    4. Click the assigned token, and click Edit. In the SecurID PIN Management section, for User Authentication Requirement, select Do not require PIN (only tokencode).

    5. Click Save and Distribute Token.

    6. On the Distribute Software Token page, in the Basics section, click Issue Token File (SDTID).

    7. On the Distribute Software Token page, in the Token File Options section, clear the Enable copy protection check box. Click No Password and Next.

    8. On the Distribute Software Token page, in the Download File section, click Download Now. Click Save. Browse to C:\RSA Installation and click Save and Close.

    9. Minimize the RSA Security Console for use later.

  8. Configure Authentication Manager as a RADIUS server.

    1. On the RSA computer desktop, double-click "RSA Security Operations Console".

    2. If the security certificate warning / security alert appears, click Continue to this website or click Yes to proceed, and add this site to trusted sites if requested.

    3. Enter the User ID and Password and click Log On.

    4. Click Deployment Configuration - RADIUS - Configure Server.

    5. On the Additional Credentials Required page, enter the administrator User ID and Password and click OK.

    6. On the Configure RADIUS Server page, enter the same password used for the administrator user for the Secrets and Master Password. Enter the Administrator User ID and Password, and click Configure.

    7. Verify that the message 'Successfully configured RADIUS server' is displayed. Click Done. Close the RSA Operations Console.

    8. Switch back to the "RSA Security Console".

    9. On the RADIUS tab, click RADIUS Servers. Verify that rsa.corp.contoso.com is listed.

  9. Configure the RSA server as an RSA Authentication Client.

    1. On the RADIUS tab, click RADIUS Clients and Add New.

    2. Click the ANY RADIUS Client check box.

    3. Type a strong password of your choice in the Shared Secret field. You will use this same password later when configuring EDGE1 for OTP.

    4. Leave the IP Address field blank, and the Make / Model entry as Standard RADIUS.

    5. Click Save without RSA Agent.

  10. Create the files required for configuring EDGE1 as an RSA Authentication Agent.

    1. On the Access tab, highlight Authentication Agents, and click Add New.

    2. Type EDGE1 in the Hostname field, and click Resolve IP.

    3. Notice that the IP address for EDGE1 is now displayed in the IP Address field. Click Save.

  11. Generate a configuration file for the EDGE1 server (AM_Config.zip).

    1. On the Access tab, highlight Authentication Agents, and click Generate Configuration File.

    2. On the Generate Configuration File page, click Generate Config File, and then click Download Now.

    3. Click Save, browse to C:\RSA Installation, and click Save.

    4. Click Close on the Download Complete dialog.

  12. Generate a node secret file for the EDGE1 server (EDGE1_NodeSecret.zip).

    1. On the Access tab, highlight Authentication Agents, and click Manage Existing.

    2. Click the currently configured node EDGE1, and click Manage Node Secret.

    3. Check the Create a new random node secret, and export the node secret to a file check box.

    4. Enter the same password used for the administrator user in the Encryption Password and Confirm Encryption Password fields, and click Save.

    5. On the Node Secret File Generated page, click Download Now.

    6. On the File Download dialog, click Save, browse to C:\RSA Installation, and click Save. Click Close on the Download Complete dialog.

    7. From the RSA Authentication Manager media, copy \auth_mgr\windows-x86_64\am\rsa-ace_nsload\win32-5.0-x86\agent_nsload.exe to C:\RSA Installation.

Create DAProbeUser

  1. In the RSA Security Console, click the Identity tab, click Users, and click Add New.

  2. In the Last Name: section type Probe, and in the User ID: section type DAProbeUser. In the Password: and Confirm Password: sections type a strong password. Clear the 'Require user to change password at next logon' check box and click Save.

Install the RSA SecurID software token on CLIENT1

Use this procedure to install the SecurID software token on CLIENT1.

Install the SecurID software token

  1. On the CLIENT1 computer, create the folder C:\RSA Files. Copy the file Software_Tokens.zip from C:\RSA Installation on the RSA computer to C:\RSA Files. Extract the file User1_000031701832.SDTID to C:\RSA Files on CLIENT1.

  2. Access the RSA SecurID software token media source, and double-click RSASECURIDTOKEN410 in the SecurID SoftwareToken client app folder to start the RSA SecurID installation. If the Open File - Security Warning message appears, then click Run.

  3. On the RSA SecurID Software Token - InstallShield Wizard dialog, click Next twice.

  4. Accept the license agreement, and click Next.

  5. On the Setup Type dialog, select Typical, click Next, and click Install.

  6. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  7. Select the Launch RSA SecurID Software Token check box, and click Finish.

  8. Click Import from File.

  9. Click Browse, select C:\RSA Files\User1_000031701832.SDTID, and click Open.

  10. Click OK twice.

Configure EDGE1 as an RSA Authentication Agent

Use this procedure to configure EDGE1 to perform RSA authentication.

Configure the RSA Authentication Agent

  1. On EDGE1, open Windows Explorer and create the folder C:\RSA Files. Browse to the RSA ACE installation media.

  2. Copy the files agent_nsload.exe, AM_Config.zip and EDGE1_NodeSecret.zip from the RSA media to C:\RSA Files.

  3. Extract the contents of both zip files to the following locations:

    1. C:\Windows\system32

    2. C:\Windows\SysWOW64

  4. Copy agent_nsload.exe to C:\Windows\SysWOW64\.

  5. Open an elevated command prompt and navigate to C:\Windows\SysWOW64.

  6. Type agent_nsload.exe -f nodesecret.rec -p <password>, where <password> is the strong password that you created during the initial RSA configuration. Press Enter.

  7. Copy C:\Windows\SysWOW64\securid to C:\Windows\System32.
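Steps 1 to 7 of the agent procedure as one script, an added example that is not part of the original walkthrough. File names, destination folders and the agent_nsload.exe command line are taken from the page; the source path \\RSA\C$\RSA Installation is an assumption (the page only says "from the RSA media"), as is the Expand-Archive cmdlet, which needs PowerShell 5.0 (built into Windows Server 2016; Windows Management Framework 5 on Windows Server 2012 and 2012 R2). The node secret password is prompted for rather than typed into the command, because anything typed as a literal on the PowerShell command line is written to the session history.

```powershell
# Added example (not from the original walkthrough): configure EDGE1 as an RSA Authentication
# Agent from an elevated PowerShell session. The source share is an assumption; the page's
# instruction is to copy the three files "from the RSA media".
$ErrorActionPreference = 'Stop'
$src  = '\\RSA\C$\RSA Installation'   # assumed location of the files generated on RSA
$work = 'C:\RSA Files'
$sys32  = Join-Path $env:SystemRoot 'System32'
$wow64  = Join-Path $env:SystemRoot 'SysWOW64'

# Steps 1 and 2: working folder and the three files from the RSA server.
New-Item -ItemType Directory -Path $work -Force | Out-Null
foreach ($name in 'agent_nsload.exe', 'AM_Config.zip', 'EDGE1_NodeSecret.zip') {
    Copy-Item -Path (Join-Path $src $name) -Destination $work -Force
}

# Step 3: both archives go into System32 and SysWOW64 (the agent has 32- and 64-bit parts).
foreach ($zip in 'AM_Config.zip', 'EDGE1_NodeSecret.zip') {
    foreach ($dest in $sys32, $wow64) {
        Expand-Archive -Path (Join-Path $work $zip) -DestinationPath $dest -Force
    }
}

# Step 4: the loader runs from SysWOW64.
Copy-Item -Path (Join-Path $work 'agent_nsload.exe') -Destination $wow64 -Force

# Steps 5 and 6: load nodesecret.rec with the encryption password chosen when the node
# secret was exported. The password is read from a prompt, converted only for the
# duration of the call, and cleared afterwards.
$secure = Read-Host -Prompt 'Node secret encryption password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

Push-Location $wow64
try {
    & .\agent_nsload.exe -f nodesecret.rec -p $password
    if ($LASTEXITCODE -ne 0) { throw "agent_nsload.exe returned exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
    Remove-Variable password, secure -ErrorAction SilentlyContinue
}

# Step 7: the securid item written by the loader is needed by the 64-bit side as well.
Copy-Item -Path (Join-Path $wow64 'securid') -Destination $sys32 -Recurse -Force
```

agent_nsload.exe still receives the password as a process argument, so it is visible in the command line of that process for as long as it runs; the prompt only keeps it out of the script file and the PowerShell history. A non-zero exit code or a missing securid item in SysWOW64 afterwards means the node secret was not loaded and the OTP step should not be attempted until it is.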

Configure EDGE1 to support OTP authentication

Use this procedure to configure OTP for DirectAccess, and verify the configuration.

Configure OTP for DirectAccess

  1. On EDGE1, open Server Manager, and click REMOTE ACCESS in the left pane.

  2. Right-click EDGE1 in the SERVERS pane, and select Remote Access Management.

  3. Click Configuration.

  4. In the DirectAccess Setup window, under Step 2 - Remote Access Server, click Edit.

  5. Click Next three times, and in the Authentication section select Two factor authentication and Use OTP, and ensure that Use computer certificates is checked. Verify that the root CA is set to CN=corp-APP1-CA. Click Next.

  6. In the OTP RADIUS Server section, double-click the blank Server Name field.

  7. In the Add a RADIUS Server dialog, type RSA in the Server name field. Click Change next to the Shared secret field, and type the same password that you used when configuring the RADIUS clients on the RSA server in the New secret and Confirm new secret fields. Click OK twice, and click Next.

    Note

    If the RADIUS server is in a domain that is different from the Remote Access server, then the Server Name field must specify the FQDN of the RADIUS server.

  8. In the OTP CA Servers section, select APP1.corp.contoso.com, and click Add. Click Next.

  9. On the OTP Certificate Templates page, click Browse to select a certificate template used for the enrollment of certificates that are issued for OTP authentication, and on the Certificate Templates dialog box select DAOTPLogon. Click OK. Click Browse to select a certificate template used to enroll the certificate used by the Remote Access server to sign OTP certificate enrollment requests, and on the Certificate Templates dialog box select DAOTPRA. Click OK. Click Next.

  10. On the Remote Access Server Setup page, click Finish, and click Finish on the DirectAccess Expert Wizard.

  11. On the Remote Access Review dialog box, click Apply, wait for the DirectAccess policy to be updated, and click Close.

  12. On the Start screen, type powershell.exe, right-click PowerShell, click Advanced, and click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  13. In the Windows PowerShell window, type gpupdate /force and press ENTER.

  14. Close and reopen the Remote Access Management Console and verify that all OTP settings are correct.
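The same OTP configuration (wizard steps 5 to 9) and the verification in steps 13 and 14, done with the RemoteAccess PowerShell module instead of the console. This is an added example, not part of the original walkthrough. The server, CA, template and certificate names are the page's; the "host\CAName" form for -CAServers and the Set-DAServer and Enable-DAOtpAuthentication parameter names are written from memory of that module and are assumptions to confirm with Get-Help before use.

```powershell
# Added example (not from the original walkthrough): enable OTP for DirectAccess on EDGE1
# from an elevated PowerShell session. Names come from the page; cmdlet parameter names and
# the "host\CAName" form of -CAServers are assumptions (check Get-Help Enable-DAOtpAuthentication).
$ErrorActionPreference = 'Stop'
Import-Module RemoteAccess

# Step 5: two-factor authentication with computer certificates chained to corp-APP1-CA.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq 'CN=corp-APP1-CA' } | Select-Object -First 1
if (-not $rootCa) { throw 'corp-APP1-CA root certificate not found in the machine Root store' }
Set-DAServer -UserAuthentication TwoFactor -ComputerCertAuthentication Enabled -IPsecRootCertificate $rootCa

# Steps 6 to 9: RADIUS server, shared secret, OTP CA and the two certificate templates.
# The secret must match the one set on the ANY RADIUS Client entry on RSA; it is prompted
# for so that it does not sit in the script or the PowerShell history.
$secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# The page types the short name RSA; the FQDN is what the note requires when the RADIUS
# server is in another domain, and it works in the single-domain lab as well.
Enable-DAOtpAuthentication -RadiusServer 'rsa.corp.contoso.com' `
    -SharedSecret $secret `
    -CAServers 'APP1.corp.contoso.com\corp-APP1-CA' `
    -CertificateTemplateName 'DAOTPLogon' `
    -SigningCertificateTemplateName 'DAOTPRA' `
    -Force -PassThru
Remove-Variable secret, secure -ErrorAction SilentlyContinue

# Steps 13 and 14: refresh Group Policy, then read the settings back rather than reopening
# the console. OtpStatus should read Enabled and the names should match what was set above.
gpupdate /force | Out-Null
Get-DAOtpAuthentication
Get-RemoteAccessRadius -Purpose Otp | Select-Object ServerName, Port, Purpose
```

If Get-DAOtpAuthentication shows the expected RADIUS server, CA and templates but clients still fail OTP logon, check the RADIUS side first: the shared secret on RSA's RADIUS client entry and the one given here must be identical, and the token assigned to User1 must be the one imported into CLIENT1's software token.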