Deploy Work Folders with AD FS and Web Application Proxy: Step 2, AD FS Post-Configuration Work

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the second step in deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. You can find the other steps in this process in these topics:

Note

The instructions covered in this section are for a Windows Server 2019 or Windows Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

In step 1, you installed and configured AD FS. Now, you need to perform the following post-configuration steps for AD FS.

Configure DNS entries

You must create two DNS entries for AD FS. These are the same two entries that were used in the pre-installation steps when you created the subject alternative name (SAN) certificate.

The DNS entries are in the form:

  • AD FS service name.domain

  • enterpriseregistration.domain

  • AD FS server name.domain (this DNS entry should already exist; for example, 2016-ADFS.contoso.com)

In the test example, the values are:

  • blueadfs.contoso.com

  • enterpriseregistration.contoso.com

Create the A and CNAME records for AD FS

To create A and CNAME records for AD FS, follow these steps:

  1. On your domain controller, open DNS Manager.

  2. Expand the Forward Lookup Zones folder, right-click on your domain, and select New Host (A).

  3. The New Host window opens. In the Name field, enter the alias for the AD FS service name. In the test example, this is blueadfs.

    The alias must be the same as the subject in the certificate that was used for AD FS. For example, if the subject was adfs.contoso.com, then the alias entered here would be adfs.

    Important

    When you set up AD FS by using the Windows Server user interface (UI) instead of Windows PowerShell, you must create an A record instead of a CNAME record for AD FS. The reason is that the service principal name (SPN) that is created via the UI contains only the alias that is used to set up the AD FS service as the host.

  4. In IP address, enter the IP address for the AD FS server. In the test example, this is 192.168.0.160. Click Add Host.

  5. In the Forward Lookup Zones folder, right-click on your domain again, and select New Alias (CNAME).

  6. In the New Resource Record window, add the alias name enterpriseregistration and enter the FQDN for the AD FS server. This alias is used for Device Join and must be called enterpriseregistration.

  7. Click OK.

To accomplish the equivalent steps via Windows PowerShell, use the following commands. The commands must be executed on the domain controller.

# A record for the AD FS service name, then the CNAME used for device registration
Add-DnsServerResourceRecord -ZoneName "contoso.com" -Name blueadfs -A -IPv4Address 192.168.0.160
Add-DnsServerResourceRecord -ZoneName "contoso.com" -Name enterpriseregistration -CName -HostNameAlias 2016-ADFS.contoso.com

Set up the AD FS relying party trust for Work Folders

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn't been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you're in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

  1. Open Server Manager, and on the Tools menu, select AD FS Management.

  2. In the right-hand pane, under Actions, click Add Relying Party Trust.

  3. On the Welcome page, select Claims aware and click Start.

  4. On the Select Data Source page, select Enter data about the relying party manually, and then click Next.

  5. In the Display name field, enter WorkFolders, and then click Next.

  6. On the Configure Certificate page, click Next. The token encryption certificates are optional, and are not needed for the test configuration.

  7. On the Configure URL page, click Next.

  8. On the Configure Identifiers page, add the following identifier: https://windows-server-work-folders/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.

  9. On the Choose Access Control Policy page, select Permit Everyone, and then click Next.

  10. On the Ready to Add Trust page, click Next.

  11. After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.

  12. In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.

  13. The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.

  14. In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.

  15. On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.

  16. In the Attribute store drop-down list, select Active Directory.

  17. In the mapping table, enter these values:

    • User-Principal-Name: UPN

    • Display Name: Name

    • Surname: Surname

    • Given-Name: Given Name

  18. Click Finish. You'll see the WorkFolders rule listed on the Issuance Transform Rules tab; click OK.

Set relying party trust options

After the relying party trust has been set up for AD FS, you must finish the configuration by running five commands in Windows PowerShell. These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can't be set through the UI. These options are:

  • Enable the use of JSON web tokens (JWTs)

  • Disable encrypted claims

  • Enable auto-update

  • Set the issuing of OAuth refresh tokens to All Devices

  • Grant clients access to the relying party trust

To set these options, use the following commands:

# Run in an elevated Windows PowerShell session on the AD FS server
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -EnableJWT $true
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -EncryptClaims $false
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -AutoUpdateEnabled $true
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -IssueOAuthRefreshTokensTo AllDevices
Grant-AdfsApplicationPermission -ServerRoleIdentifier "https://windows-server-work-folders/V1" -AllowAllRegisteredClients -ScopeNames openid,profile
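The same relying party trust and options can be created with Windows PowerShell alone, which is useful when the configuration has to be repeatable or auditable. The following script is an added example and is not part of the original page or of the Work Folders product documentation. It assumes an elevated PowerShell session on the AD FS server, the trust name WorkFolders and the Work Folders identifier from the steps above, and the built-in Permit everyone access control policy. It creates the trust with the same LDAP-attribute claim rule that the wizard generates, applies the five options in one call, and reads the trust back to confirm each setting.

```powershell
# Added example (not from the original page): creates the WorkFolders relying party
# trust with Windows PowerShell instead of the wizard, applies the LDAP-attribute claim
# rule the wizard would generate, sets the five options described above, and then reads
# the trust back so each setting can be checked. Run in an elevated PowerShell session
# on the AD FS server. The identifier is the hard-coded Work Folders value from the page;
# the trust name "WorkFolders" matches the display name used in the wizard steps.

$identifier = "https://windows-server-work-folders/V1"
$trustName  = "WorkFolders"

# Same mapping as the wizard's "Send LDAP Attributes as Claims" rule:
# User-Principal-Name -> UPN, Display Name -> Name, Surname -> Surname, Given-Name -> Given Name.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "WorkFolders"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
          query = ";userPrincipalName,displayName,sn,givenName;{0}",
          param = c.Value);
'@

# Only create the trust if the identifier is not already registered, so re-running is safe.
if (-not (Get-AdfsRelyingPartyTrust -Identifier $identifier)) {
    Add-AdfsRelyingPartyTrust -Name $trustName `
        -Identifier $identifier `
        -AccessControlPolicyName "Permit everyone" `
        -IssuanceTransformRules $claimRules
}

# The four trust options from the page, applied in one call instead of four.
Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier `
    -EnableJWT $true `
    -EncryptClaims $false `
    -AutoUpdateEnabled $true `
    -IssueOAuthRefreshTokensTo AllDevices

# Grant registered clients access to the trust (same command as on the page).
Grant-AdfsApplicationPermission -ServerRoleIdentifier $identifier `
    -AllowAllRegisteredClients -ScopeNames openid,profile

# Read the trust back and report any setting that does not match the intended value.
$trust = Get-AdfsRelyingPartyTrust -Identifier $identifier
$checks = [ordered]@{
    "JWT enabled"           = ($trust.EnableJWT -eq $true)
    "Claims not encrypted"  = ($trust.EncryptClaims -eq $false)
    "Auto-update enabled"   = ($trust.AutoUpdateEnabled -eq $true)
    "Refresh tokens to all" = ($trust.IssueOAuthRefreshTokensTo -eq "AllDevices")
    "Claim rule present"    = ($trust.IssuanceTransformRules -match "WorkFolders")
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-24} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "MISMATCH" })
}
```

Running the script twice is harmless: the trust is created only when the identifier is not yet registered, and the Set- and Grant- calls simply reapply the same values. Any line that reports MISMATCH points at a setting that Work Folders needs and that the UI cannot fix.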

Enable Workplace Join

Enabling Workplace Join is optional, but can be useful when you want users to be able to use their personal devices to access workplace resources.

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which will configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName <your AD FS service account>
    # Example: Initialize-ADDeviceRegistration -ServiceAccountName contoso\adfsservice$
Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Export the AD FS certificate

Next, export the self-signed AD FS certificate so that it can be installed on the following machines in the test environment:

  • The server that is used for Work Folders

  • The server that is used for Web Application Proxy

  • The domain-joined Windows client

  • The non-domain-joined Windows client

To export the certificate, follow these steps:

  1. Click Start, and then click Run.

  2. Type MMC.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

  5. Select Computer account, and then click Next.

  6. Select Local computer: (the computer this console is running on), and then click Finish.

  7. Click OK.

  8. Expand the folder Console Root\Certificates (Local Computer)\Personal\Certificates.

  9. Right-click the AD FS certificate, click All Tasks, and then click Export....

  10. The Certificate Export Wizard opens. Select Yes, export the private key.

  11. On the Export File Format page, leave the default options selected, and click Next.

  12. Create a password for the certificate. This is the password that you'll use later when you import the certificate to other devices. Click Next.

  13. Enter a location and name for the certificate, and then click Finish.

Installation of the certificate is covered later in the deployment procedure.

Manage the private key setting

You must give the AD FS service account permission to access the private key of the new certificate. You will need to grant this permission again when you replace the communication certificate after it expires. To grant permission, follow these steps:

  1. Click Start, and then click Run.

  2. Type MMC.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

  5. Select Computer account, and then click Next.

  6. Select Local computer: (the computer this console is running on), and then click Finish.

  7. Click OK.

  8. Expand the folder Console Root\Certificates (Local Computer)\Personal\Certificates.

  9. Right-click the AD FS certificate, click All Tasks, and then click Manage Private Keys.

  10. In the Permissions window, click Add.

  11. In the Object Types window, select Service Accounts, and then click OK.

  12. Type the name of the account that is running AD FS. In the test example, this is ADFSService. Click OK.

  13. In the Permissions window, give the account at least read permissions, and click OK.

If you don't have the option to manage private keys, you might need to run the following command: certutil -repairstore my *
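Both certificate tasks above (exporting the AD FS certificate with its private key, and giving the AD FS service account read access to that key) can also be done from PowerShell, which avoids clicking through the snap-in each time the communication certificate is replaced. The script below is an added example and is not from the original page. It assumes an elevated session on the AD FS server, an export path of C:\Temp\adfs-service-comm.pfx, and the service account contoso\adfsservice$; both values are placeholders to change for your environment. It locates the service-communications certificate through Get-AdfsCertificate, exports it as a password-protected PFX, finds the key file on disk for either a CAPI or a CNG key, and adds a Read entry for the service account only if one is missing.

```powershell
# Added example (not from the original page): performs the two certificate tasks above
# with PowerShell instead of the MMC snap-in. It finds the AD FS service-communications
# certificate, exports it as a password-protected PFX, and then checks whether the AD FS
# service account can read the private key, granting Read if it cannot. Run elevated on
# the AD FS server. The export path and the service account name are assumptions.

$exportPath     = "C:\Temp\adfs-service-comm.pfx"   # assumed location
$serviceAccount = "contoso\adfsservice$"            # assumed account (from the page's Workplace Join example)

# Locate the service-communications certificate in the local machine Personal store.
$thumbprint = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key in this store." }

# Export with the private key, protected by a password read interactively rather than
# stored in the script. The same password is needed when importing on the other machines.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $exportPath -Password $pfxPassword | Out-Null
"Exported $($cert.Subject) to $exportPath"

# Find the on-disk key file. CAPI keys live under ...\Crypto\RSA\MachineKeys and CNG keys
# under ...\Crypto\Keys; in both cases the unique key name is the file name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found; try 'certutil -repairstore my *' as the page suggests." }

# Check the key file ACL for an Allow entry that includes Read for the service account,
# and add a Read-only entry if there is none (least privilege: AD FS only needs to read it).
$acl = Get-Acl $keyFile.FullName
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $serviceAccount -and
    $_.AccessControlType -eq "Allow" -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($hasRead) {
    "$serviceAccount already has read access to the private key."
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, "Read", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    "Granted Read on the private key to $serviceAccount."
}
```

The ACL check grants only Read, which is the minimum the page asks for; if the key file cannot be located at all, the script stops and points at the same certutil repair command the page recommends.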

Verify that AD FS is operational

To verify that AD FS is operational, open a browser window and go to https://blueadfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml, changing the URL to match your environment.

The browser window will display the federation server metadata without any formatting. If you can see the data without any SSL errors or warnings, your federation server is operational.

Next step: Deploy Work Folders with AD FS and Web Application Proxy: Step 3, Set Up Work Folders

See Also

Work Folders Overview
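The browser check above can be scripted so that the DNS records, the TLS certificate and the federation metadata are all verified in one pass before moving on to step 3. The script below is an added example and is not from the original page. It uses the page's test host names (blueadfs.contoso.com, enterpriseregistration.contoso.com and 2016-ADFS.contoso.com) as assumptions to replace with your own, and it runs from any domain-joined machine that trusts the AD FS certificate. Because Invoke-WebRequest validates the server certificate, the same SSL errors the browser would show cause the metadata check to fail instead of being clicked past.

```powershell
# Added example (not from the original page): scripted version of the manual browser
# check, extended to the DNS records configured earlier in this step. It resolves the
# AD FS service name and the enterpriseregistration alias, downloads the federation
# metadata over HTTPS (certificate errors surface as failures, as in the browser), and
# confirms the metadata's entityID matches the federation service name. The host names
# are the page's test values and are assumptions; change them for your environment.

$adfsServiceName = "blueadfs.contoso.com"
$enterpriseReg   = "enterpriseregistration.contoso.com"
$adfsServerFqdn  = "2016-ADFS.contoso.com"
$metadataUrl     = "https://$adfsServiceName/federationmetadata/2007-06/federationmetadata.xml"

$results = [ordered]@{}

# 1. DNS: the service name must resolve to an A record, and the device-registration
#    alias must be a CNAME that points at the AD FS server.
$a = Resolve-DnsName -Name $adfsServiceName -Type A -ErrorAction SilentlyContinue
$results["A record for $adfsServiceName"] = [bool]($a | Where-Object { $_.Type -eq "A" })

$cname = Resolve-DnsName -Name $enterpriseReg -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq "CNAME" }
$results["CNAME $enterpriseReg -> $adfsServerFqdn"] = ($cname.NameHost -eq $adfsServerFqdn)

# 2. Federation metadata over HTTPS. Invoke-WebRequest validates the server certificate,
#    so an untrusted or mismatched certificate fails here instead of being clicked through.
try {
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
    [xml]$metadata = $response.Content
    $entityId = $metadata.EntityDescriptor.entityID
    $results["Metadata downloaded (HTTP $($response.StatusCode))"] = ($response.StatusCode -eq 200)
    # AD FS publishes its federation service identifier as http://<service name>/adfs/services/trust
    $results["entityID is http://$adfsServiceName/adfs/services/trust"] = ($entityId -eq "http://$adfsServiceName/adfs/services/trust")
} catch {
    $results["Metadata downloaded"] = $false
    Write-Warning "Metadata request failed: $($_.Exception.Message)"
}

# 3. Report: every line should read OK before continuing with step 3.
$results.GetEnumerator() | ForEach-Object {
    "{0,-60} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "FAIL" })
}
```

A FAIL on the CNAME line usually means the alias was pointed at the service name rather than the server FQDN; a warning from the metadata request with a certificate message means the exported AD FS certificate has not yet been installed on the machine running the check.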