Deploy Work Folders with AD FS and Web Application Proxy: Step 1, Set-up AD FS

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the first step in deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. You can find the other steps in this process in these topics:

Note

The instructions covered in this section are for a Windows Server 2019 or Windows Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

To set up AD FS for use with Work Folders, use the following procedures.

Pre-installment work

If you intend to convert the test environment that you're setting up with these instructions to production, there are two things that you might want to do before you start:

  • Set up an Active Directory domain administrator account to use to run the AD FS service.

  • Obtain a Secure Sockets Layer (SSL) subject alternative name (SAN) certificate for server authentication. For the test example, you will use a self-signed certificate, but for production you should use a publicly trusted certificate.

Obtaining these items can take some time, depending on your company's policies, so it can be beneficial to start the request process for the items before you begin to create the test environment.

There are many commercial certificate authorities (CAs) from which you can purchase the certificate. You can find a list of the CAs that are trusted by Microsoft in KB article 931125. Another alternative is to get a certificate from your company's enterprise CA.

For the test environment, you will use a self-signed certificate that is created by one of the provided scripts.

Note

AD FS does not support Cryptography Next Generation (CNG) certificates, which means that you cannot create the self-signed certificate by using the Windows PowerShell cmdlet New-SelfSignedCertificate. You can, however, use the makecert.ps1 script included in the Deploying Work Folders with AD FS and Web Application Proxy blog post. This script creates a self-signed certificate that works with AD FS and prompts for the SAN names that will be needed to create the certificate.

Next, do the additional pre-installment work described in the following sections.

Create an AD FS self-signed certificate

To create an AD FS self-signed certificate, follow these steps:

  1. Download the scripts provided in the Deploying Work Folders with AD FS and Web Application Proxy blog post and then copy the file makecert.ps1 to the AD FS machine.

  2. Open a Windows PowerShell window with admin privileges.

  3. Set the execution policy to unrestricted:

    Set-ExecutionPolicy -ExecutionPolicy Unrestricted
    
  4. Change to the directory where you copied the script.

  5. Execute the makecert script:

    .\makecert.ps1
    
  6. When you are prompted to change the subject certificate, enter the new value for the subject. In this example, the value is blueadfs.contoso.com.

  7. When you are prompted to enter SAN names, press Y and then enter the SAN names, one at a time.

    For this example, type blueadfs.contoso.com and press Enter, then type 2016-adfs.contoso.com and press Enter, then type enterpriseregistration.contoso.com and press Enter.

    When all of the SAN names have been entered, press Enter on an empty line.

  8. When you are prompted to install the certificates to the Trusted Root Certification Authority store, press Y.

The AD FS certificate must be a SAN certificate with the following values:

  • AD FS service name.domain

  • enterpriseregistration.domain

  • AD FS server name.domain

In the test example, the values are:

  • blueadfs.contoso.com

  • enterpriseregistration.contoso.com

  • 2016-adfs.contoso.com

The enterpriseregistration SAN is needed for Workplace Join.
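Before moving on, it is worth confirming that the certificate in the machine store actually satisfies the two requirements above: it carries all three SAN names, and its private key is not held by a CNG key storage provider, which AD FS cannot use. The following check is an added example, not part of the original article or the blog post's scripts; it assumes the test names used in this topic and that it runs in an elevated Windows PowerShell session on the AD FS server.

```powershell
# Added example (not from the original article): verify that the certificate in
# LocalMachine\My carries every SAN name AD FS needs and that its private key
# uses a legacy CSP rather than a CNG key storage provider.
$requiredSans = @(
    'blueadfs.contoso.com',               # AD FS service name
    'enterpriseregistration.contoso.com', # needed for Workplace Join
    '2016-adfs.contoso.com'               # AD FS server name
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'blueadfs\.contoso\.com' } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for blueadfs.contoso.com found in LocalMachine\My' }

# Parse the Subject Alternative Name extension (OID 2.5.29.17) into DNS names.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no SAN extension; AD FS requires a SAN certificate' }
$sanNames = $sanExt.Format($true) -split "`r?`n" |
    ForEach-Object { if ($_ -match 'DNS Name=(\S+)') { $Matches[1].ToLower() } }

$missing = $requiredSans | Where-Object { $sanNames -notcontains $_.ToLower() }
if ($missing) { throw "SAN entries missing from the certificate: $($missing -join ', ')" }

# CNG check: GetRSAPrivateKey returns RSACng for keys stored in a KSP, which AD FS rejects.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $key) { throw 'Private key is not accessible; run this from an elevated session' }
if ($key -is [System.Security.Cryptography.RSACng]) {
    throw 'Private key is held by a CNG key storage provider; AD FS cannot use this certificate'
}

Write-Host "Certificate $($cert.Thumbprint) is usable for AD FS (expires $($cert.NotAfter))"
```

The SAN extension is parsed from the certificate itself rather than trusted from the makecert.ps1 prompts, so a typo entered during step 7 is caught here instead of at Install-ADFSFarm time.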

Set the server IP address

Change your server IP address to a static IP address. For the test example, use IP class A, which is 192.168.0.160 / subnet mask: 255.255.0.0 / Default Gateway: 192.168.0.1 / Preferred DNS: 192.168.0.150 (the IP address of your domain controller).

Install the AD FS role service

To install AD FS, follow these steps:

  1. Log on to the physical or virtual machine on which you plan to install AD FS, open Server Manager, and start the Add Roles and Features Wizard.

  2. On the Server Roles page, select the Active Directory Federation Services role, and then click Next.

  3. On the Active Directory Federation Services (AD FS) page, you will see a message that states that the Web Application Proxy role cannot be installed on the same computer as AD FS. Click Next.

  4. Click Install on the confirmation page.

To accomplish the equivalent installation of AD FS via Windows PowerShell, use these commands:

Add-WindowsFeature RSAT-AD-Tools
Add-WindowsFeature ADFS-Federation -IncludeManagementTools

Configure AD FS

Next, configure AD FS by using either Server Manager or Windows PowerShell.

Configure AD FS by using Server Manager

To configure AD FS by using Server Manager, follow these steps:

  1. Open Server Manager.

  2. Click the Notifications flag at the top of the Server Manager window, and then click Configure the federation service on this server.

  3. The Active Directory Federation Services Configuration Wizard launches. On the Connect to AD DS page, enter the domain administrator account that you want to use as the AD FS account, and click Next.

  4. On the Specify Service Properties page, enter the subject name of the SSL certificate to use for AD FS communication. In the test example, this is blueadfs.contoso.com.

  5. Enter the Federation Service name. In the test example, this is blueadfs.contoso.com. Click Next.

    Note

    The Federation Service name must not use the name of an existing server in the environment. If you do use the name of an existing server, the AD FS installation will fail and must be restarted.

  6. On the Specify Service Account page, enter the name that you would like to use for the managed service account. For the test example, select Create a Group Managed Service Account, and in Account Name, enter ADFSService. Click Next.

  7. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and click Next.

  8. The Review Options page shows you an overview of the options you have selected. Click Next.

  9. The Pre-requisite Checks page indicates whether all the prerequisite checks passed successfully. If there are no issues, click Configure.

    Note

    If you used the name of the AD FS server or any other existing machine for the Federation Service Name, an error message is displayed. You must start the installation over and choose a name other than the name of an existing machine.

  10. When the configuration completes successfully, the Results page confirms that AD FS was successfully configured.

Configure AD FS by using PowerShell

To accomplish the equivalent configuration of AD FS via Windows PowerShell, use the following commands.

To install AD FS:

Add-WindowsFeature RSAT-AD-Tools
Add-WindowsFeature ADFS-Federation -IncludeManagementTools

To create the managed service account:

New-ADServiceAccount "ADFSService" -Server 2016-DC.contoso.com -Path "CN=Managed Service Accounts,DC=Contoso,DC=COM" -DNSHostName 2016-ADFS.contoso.com -ServicePrincipalNames HTTP/2016-ADFS,HTTP/2016-ADFS.contoso.com

After you configure AD FS, you must set up an AD FS farm by using the managed service account that you created in the previous step and the certificate you created in the pre-configuration steps.

To set up an AD FS farm (the certificate lookup selects the newest certificate whose subject matches the service name):

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match 'blueadfs.contoso.com' } | Sort-Object NotAfter -Descending | Select-Object -First 1
$thumbprint = $cert.Thumbprint
Install-ADFSFarm -CertificateThumbprint $thumbprint -FederationServiceDisplayName "Contoso Corporation" -FederationServiceName blueadfs.contoso.com -GroupServiceAccountIdentifier contoso\ADFSService$ -OverwriteConfiguration -ErrorAction Stop
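The two failure modes the notes above call out, a Federation Service name that collides with an existing machine and a managed service account that does not exist yet, are cheap to check before running Install-ADFSFarm, which otherwise fails part-way and has to be restarted. The following pre-flight script is an added example, not part of the original article; it assumes the test environment's names (blueadfs.contoso.com, ADFSService, the 192.168.0.160 server address) and that the RSAT-AD-Tools feature installed earlier is present.

```powershell
# Added example (not from the original article): pre-flight checks to run on the
# AD FS server before Install-ADFSFarm, using the names from the test environment.
$federationServiceName = 'blueadfs.contoso.com'   # Federation Service name
$serviceAccount        = 'ADFSService'            # gMSA created with New-ADServiceAccount
$expectedAddress       = '192.168.0.160'          # static address assigned to this AD FS server

Import-Module ActiveDirectory

# 1. The Federation Service name must not be the name of an existing machine;
#    if it is, the AD FS configuration fails and must be started over.
$shortName = $federationServiceName.Split('.')[0]
$clash = Get-ADComputer -Filter "Name -eq '$shortName' -or DNSHostName -eq '$federationServiceName'"
if ($clash) {
    throw "'$federationServiceName' is already a computer account ($($clash.DistinguishedName)); choose a different Federation Service name"
}

# 2. The group managed service account must exist before the farm is installed.
$gmsa = Get-ADServiceAccount -Identity $serviceAccount -ErrorAction SilentlyContinue
if (-not $gmsa) {
    throw "Managed service account '$serviceAccount' not found; create it with New-ADServiceAccount first"
}
if (-not $gmsa.ObjectClass -eq 'msDS-GroupManagedServiceAccount') {
    throw "'$serviceAccount' exists but is not a group managed service account"
}

# 3. The service name must resolve, and it should point at this server rather than
#    at some other host, or clients will never reach the federation endpoints.
$records = Resolve-DnsName -Name $federationServiceName -Type A -ErrorAction SilentlyContinue
if (-not $records) {
    throw "$federationServiceName does not resolve; add the DNS A record before installing the farm"
}
if ($records.IPAddress -notcontains $expectedAddress) {
    Write-Warning "$federationServiceName resolves to $($records.IPAddress -join ', '), not $expectedAddress"
}

Write-Host "Pre-flight checks passed; Install-ADFSFarm can be run for $federationServiceName"
```

Run this as a domain administrator on the AD FS server; if it reports a clash, pick a Federation Service name that is not a computer name rather than renaming the machine.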

Next step: Deploy Work Folders with AD FS and Web Application Proxy: Step 2, AD FS Post-Configuration Work

See Also

Work Folders Overview