Deploy Work Folders with AD FS and Web Application Proxy: Step 3, Set Up Work Folders

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the third step in deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. You can find the other steps in this process in these topics:

Note

The instructions covered in this section are for a Windows Server 2019 or Windows Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

To set up Work Folders, use the following procedures.

Pre-installation work

In order to install Work Folders, you must have a server that is joined to the domain and running Windows Server 2016. The server must have a valid network configuration.

For the test example, join the machine that will run Work Folders to the Contoso domain and set up the network interface as described in the following sections.

Set the server IP address

Change your server IP address to a static IP address. For the test example, use IP class A, which is 192.168.0.170 / subnet mask: 255.255.0.0 / Default Gateway: 192.168.0.1 / Preferred DNS: 192.168.0.150 (the IP address of your domain controller).

Create the CNAME record for Work Folders

To create the CNAME record for Work Folders, follow these steps:

  1. On your domain controller, open DNS Manager.

  2. Expand the Forward Lookup Zones folder, right-click on your domain, and click New Alias (CNAME).

  3. In the New Resource Record window, in the Alias name field, enter the alias for Work Folders. In the test example, this is workfolders.

  4. In the Fully qualified domain name field, the value should be workfolders.contoso.com.

  5. In the Fully qualified domain name for target host field, enter the FQDN for the Work Folders server. In the test example, this is 2016-WF.contoso.com.

  6. Click OK.

To accomplish the equivalent steps via Windows PowerShell, use the following command. The command must be executed on the domain controller.

Add-DnsServerResourceRecord -ZoneName "contoso.com" -Name workfolders -CName -HostNameAlias 2016-wf.contoso.com

Install the AD FS certificate

Install the AD FS certificate that was created during AD FS setup into the local computer certificate store, using these steps:

  1. Click Start, and then click Run.

  2. Type MMC.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

  5. Select Computer account, and then click Next.

  6. Select Local computer: (the computer this console is running on), and then click Finish.

  7. Click OK.

  8. Expand the folder Console Root\Certificates (Local Computer)\Personal\Certificates.

  9. Right-click Certificates, click All Tasks, and then click Import.

  10. Browse to the folder that contains the AD FS certificate, and follow the instructions in the wizard to import the file and place it in the certificate store.

  11. Expand the folder Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.

  12. Right-click Certificates, click All Tasks, and then click Import.

  13. Browse to the folder that contains the AD FS certificate, and follow the instructions in the wizard to import the file and place it in the Trusted Root Certification Authorities store.

Create the Work Folders self-signed certificate

To create the Work Folders self-signed certificate, follow these steps:

  1. Download the scripts provided in the Deploying Work Folders with AD FS and Web Application Proxy blog post and then copy the file makecert.ps1 to the Work Folders machine.

  2. Open a Windows PowerShell window with admin privileges.

  3. Set the execution policy to unrestricted:

    PS C:\temp\scripts> Set-ExecutionPolicy -ExecutionPolicy Unrestricted

  4. Change to the directory where you copied the script.

  5. Execute the makeCert script:

    PS C:\temp\scripts> .\makecert.ps1

  6. When you are prompted to change the subject certificate, enter the new value for the subject. In this example, the value is workfolders.contoso.com.

  7. When you are prompted to enter subject alternative name (SAN) names, press Y and then enter the SAN names, one at a time.

    For this example, type workfolders.contoso.com, and press Enter. Then type 2016-WF.contoso.com and press Enter.

    When all of the SAN names have been entered, press Enter on an empty line.

  8. When you are prompted to install the certificates to the Trusted Root Certification Authority store, press Y.

The Work Folders certificate must be a SAN certificate with the following values:

  • workfolders.domain

  • machine name.domain

In the test example, the values are:

  • workfolders.contoso.com

  • 2016-WF.contoso.com
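
The same SAN certificate can be produced without the blog's makecert.ps1 by using the built-in New-SelfSignedCertificate cmdlet. This is an added example, not code from the page or the blog post; it assumes the two names from the test example and an output path of C:\temp\workfolders.cer, and it checks the SAN extension before trusting the certificate.

```powershell
# Added example (not the blog's makecert.ps1): create the Work Folders SAN
# certificate with New-SelfSignedCertificate and verify both required names
# are present before placing it in Trusted Root.
$sanNames = @("workfolders.contoso.com", "2016-WF.contoso.com")   # names from the test example

# -DnsName puts every entry into the Subject Alternative Name extension;
# the first entry also becomes the certificate Subject (CN).
$cert = New-SelfSignedCertificate -DnsName $sanNames `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Check that the SAN extension (OID 2.5.29.17) really lists both names.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = $sanExt.Format($false)
foreach ($name in $sanNames) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        throw "Certificate $($cert.Thumbprint) is missing SAN entry $name"
    }
}
"SAN certificate created: $($cert.Thumbprint) ($sanText)"

# Trust it on this machine (step 8 of the procedure): copy only the public
# part, without the private key, into Trusted Root Certification Authorities.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert.RawData)
$rootStore.Close()

# Export the public certificate for the Web Application Proxy server and the clients
# (constructed path; adjust as needed).
Export-Certificate -Cert $cert -FilePath "C:\temp\workfolders.cer" | Out-Null
```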

Install Work Folders

To install the Work Folders role, follow these steps:

  1. Open Server Manager, click Add roles and features, and click Next.

  2. On the Installation Type page, select Role-based or feature-based installation, and click Next.

  3. On the Server Selection page, select the current server, and click Next.

  4. On the Server Roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.

  5. On the Add Roles and Features Wizard page, click Add Features, and click Next.

  6. On the Features page, click Next.

  7. On the Confirmation page, click Install.

Configure Work Folders

To configure Work Folders, follow these steps:

  1. Open Server Manager.

  2. Select File and Storage Services, and then select Work Folders.

  3. On the Work Folders page, start the New Sync Share Wizard, and click Next.

  4. On the Server and Path page, select the server where the sync share will be created, enter a local path where the Work Folders data will be stored, and click Next.

    If the path doesn't exist, you'll be prompted to create it. Click OK.

  5. On the User Folder Structure page, select User alias, and then click Next.

  6. On the Sync Share Name page, enter the name for the sync share. For the test example, this is WorkFolders. Click Next.

  7. On the Sync Access page, add the users or groups that will have access to the new sync share. For the test example, grant access to all domain users. Click Next.

  8. On the PC Security Policies page, select Encrypt work folders and Automatically lock screen and require a password. Click Next.

  9. On the Confirmation page, click Create to finish the configuration process.
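
The wizard steps above, as an added PowerShell example that is not part of the original page. It assumes the SyncShare module installed with the Work Folders role, the parameter and property names shown (RequireEncryption, RequirePasswordAutoLock, UserFolder), a constructed data path of D:\WorkFolders, and the test example's share name and Domain Users access.

```powershell
# Added example: create the sync share with the same settings as the wizard
# (user-alias folders, WorkFolders name, all domain users, both PC security
# policies) and verify the policies were applied.
Import-Module SyncShare

$shareName = "WorkFolders"
$sharePath = "D:\WorkFolders"            # constructed local path (step 4)
$users     = @("contoso\Domain Users")   # step 7: all domain users

# Step 4: the wizard offers to create a missing path; do the same here.
if (-not (Test-Path $sharePath)) {
    New-Item -ItemType Directory -Path $sharePath | Out-Null
}

# Steps 5-8: folder structure, name, access, and the device policies.
# Parameter names are assumed to match the Windows Server 2016 SyncShare module.
New-SyncShare -Name $shareName -Path $sharePath -User $users `
    -UserFolder "User alias" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true | Out-Null

# Check: read the share back and fail if either device policy is off, so the
# share is never left serving data to unencrypted or unlocked devices by mistake.
$share = Get-SyncShare -Name $shareName
if (-not $share.RequireEncryption -or -not $share.RequirePasswordAutoLock) {
    throw "Sync share $shareName was created without the required device policies"
}
$share | Format-List Name, Path, UserFolder, RequireEncryption, RequirePasswordAutoLock
```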

Work Folders post-configuration work

To finish setting up Work Folders, complete these additional steps:

  • Bind the Work Folders certificate to the SSL port

  • Configure Work Folders to use AD FS authentication

  • Export the Work Folders certificate (if you are using a self-signed certificate)

Bind the certificate

Work Folders communicates only over SSL and must have the self-signed certificate that you created earlier (or that your certificate authority issued) bound to the port.

There are two methods that you can use to bind the certificate to the port via Windows PowerShell: IIS cmdlets and netsh.

Bind the certificate by using netsh

To use the netsh command-line scripting utility in Windows PowerShell, you must pipe the command to netsh. The following example script finds the certificate with the subject workfolders.contoso.com and binds it to port 443 by using netsh:

$subject = "workfolders.contoso.com"
Try
{
    # In case there are multiple certificates with the same subject, get the latest version
    $cert = Get-ChildItem CERT:\LocalMachine\My | Where-Object { $_.Subject -match $subject } | Sort-Object NotAfter -Descending | Select-Object -First 1
    # A missing certificate leaves $cert null without raising an error, so fail explicitly
    if (-not $cert) { throw "no certificate found" }
    $thumbprint = $cert.Thumbprint
    # appid is the GUID that HTTP.sys records as the owner of the binding
    $Command = "http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY"
    $Command | netsh
}
Catch
{
    "     Error: unable to locate certificate for $($subject)"
    Exit
}

Bind the certificate by using IIS cmdlets

You can also bind the certificate to the port by using IIS management cmdlets, which are available if you installed the IIS management tools and scripts.

Note

Installation of the IIS management tools doesn't enable the full version of Internet Information Services (IIS) on the Work Folders machine; it only enables the management cmdlets. There are some possible benefits to this setup, for example if you're looking for cmdlets that provide the functionality you get from netsh. When the certificate is bound to the port via the New-WebBinding cmdlet, the binding is not dependent on IIS in any way. After you do the binding, you can even remove the Web-Mgmt-Console feature, and the certificate will still be bound to the port. You can verify the binding via netsh by typing netsh http show sslcert.

The following example uses the New-WebBinding cmdlet to find the certificate with the subject workfolders.contoso.com and bind it to port 443:

Import-Module WebAdministration   # provides New-WebBinding and the IIS: drive
$subject = "workfolders.contoso.com"
Try
{
    # In case there are multiple certificates with the same subject, get the latest version
    $cert = Get-ChildItem CERT:\LocalMachine\My | Where-Object { $_.Subject -match $subject } | Sort-Object NotAfter -Descending | Select-Object -First 1
    # A missing certificate leaves $cert null without raising an error, so fail explicitly
    if (-not $cert) { throw "no certificate found" }
    $thumbprint = $cert.Thumbprint
    New-WebBinding -Name "Default Web Site" -IP * -Port 443 -Protocol https
    # The default IIS website name must be used for the binding. Because Work Folders uses Hostable Web Core and its own configuration file, its website name, 'ECSsite', will not work with the cmdlet. The workaround is to use the default IIS website name, even though IIS is not enabled, because the New-WebBinding cmdlet looks for a site in the default IIS configuration file.
    Push-Location IIS:\SslBindings
    Get-Item cert:\LocalMachine\MY\$thumbprint | New-Item *!443
    Pop-Location
}
Catch
{
    "     Error: unable to locate certificate for $($subject)"
    Exit
}
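
Whichever method you used, the binding is worth verifying before moving on. The following is an added example (not part of the original page) that checks that 0.0.0.0:443 is bound to the newest workfolders.contoso.com certificate and that the certificate is still valid; it assumes the English-locale netsh output format of Windows Server 2016.

```powershell
# Added example: confirm that the HTTP.sys binding on 0.0.0.0:443 points at the
# intended Work Folders certificate, and that a client will accept that certificate.
$subject = "workfolders.contoso.com"
$ipport  = "0.0.0.0:443"

# Same selection rule as the binding scripts: the newest certificate for the subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($subject) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subject in LocalMachine\My" }

# Read the binding back from HTTP.sys and extract the bound hash
# (assumes a "Certificate Hash : <hex>" line in the netsh output).
$boundHash = $null
foreach ($line in (netsh http show sslcert ipport=$ipport)) {
    if ($line -match "Certificate Hash\s*:\s*([0-9A-Fa-f]{40})") { $boundHash = $Matches[1] }
}
if (-not $boundHash) { throw "No SSL binding found on $ipport; run the bind script first" }
if ($boundHash -ne $cert.Thumbprint) {   # -ne is case-insensitive, so hex casing does not matter
    throw "Port $ipport is bound to $boundHash but the newest $subject certificate is $($cert.Thumbprint)"
}

# Checks a connecting client performs: not expired, and the name it uses is in the SAN.
if ($cert.NotAfter -lt (Get-Date)) { throw "Bound certificate expired on $($cert.NotAfter)" }
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($false)
if ($san -notmatch [regex]::Escape($subject)) { Write-Warning "SAN does not list $subject : $san" }

"OK: $ipport -> $($cert.Thumbprint), valid until $($cert.NotAfter)"
```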

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

  1. Open Server Manager.

  2. Click Servers, and then select your Work Folders server in the list.

  3. Right-click the server name, and click Work Folders Settings.

  4. In the Work Folders Settings window, select Active Directory Federation Services, and type in the Federation Service URL. Click Apply.

    In the test example, the URL is https://blueadfs.contoso.com.

The cmdlet to accomplish the same task via Windows PowerShell is:

Set-SyncServerSetting -ADFSUrl "https://blueadfs.contoso.com"

If you're setting up AD FS with self-signed certificates, you might receive an error message that says the Federation Service URL is incorrect, unreachable, or a relying party trust has not been set up.

This error can also happen if the AD FS certificate was not installed on the Work Folders server or if the CNAME for AD FS was not set up correctly. You must correct these issues before proceeding.
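
The causes listed above can be checked on the Work Folders server before the setting is applied. This is an added example, not part of the original page; it assumes the test example's federation service URL, the standard AD FS federation metadata path, and that Get-SyncServerSetting exposes an ADFSUrl property.

```powershell
# Added example: check name resolution, certificate trust and TLS reachability of
# the federation service, then apply Set-SyncServerSetting and read it back.
$adfsUrl  = "https://blueadfs.contoso.com"
$adfsHost = ([uri]$adfsUrl).Host

# 1. Name resolution: the AD FS CNAME/host must resolve from this server.
$dns = Resolve-DnsName -Name $adfsHost -ErrorAction Stop
$addresses = ($dns | Where-Object IPAddress | Select-Object -ExpandProperty IPAddress) -join ", "
"$adfsHost resolves to $addresses"

# 2. Trust: the AD FS certificate (self-signed in the test lab) must be in Trusted Root.
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match [regex]::Escape($adfsHost) }
if (-not $trusted) {
    throw "No certificate for $adfsHost in Trusted Root Certification Authorities; import it first"
}

# 3. Reachability over TLS: fetch the federation metadata. A name-mismatch or
#    untrusted-chain failure here is the same failure the Work Folders setting reports.
$metadataUrl = "$adfsUrl/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Cannot retrieve $metadataUrl : $($_.Exception.Message)"
}
[xml]$metadata = $resp.Content
"Federation metadata OK, entityID = $($metadata.EntityDescriptor.entityID)"

# Only now apply the setting, and confirm what the service actually stored.
Set-SyncServerSetting -ADFSUrl $adfsUrl
(Get-SyncServerSetting).ADFSUrl
```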

Export the Work Folders certificate

The self-signed Work Folders certificate must be exported so that you can later install it on the following machines in the test environment:

  • The server that is used for Web Application Proxy

  • The domain-joined Windows client

  • The non-domain-joined Windows client

To export the certificate, follow the same steps you used to export the AD FS certificate earlier, as described in Deploy Work Folders with AD FS and Web Application Proxy: Step 2, AD FS Post-Configuration Work, Export the AD FS certificate.

Next step: Deploy Work Folders with AD FS and Web Application Proxy: Step 4, Set Up Web Application Proxy

See Also

Work Folders Overview