Configure the Secure Store Service in SharePoint Server

Summary: Configure storage of authorization credentials in Secure Store Service on a SharePoint Server 2013 or SharePoint Server 2016 farm.

This article describes how to configure the Secure Store Service on a SharePoint Server farm. Secure Store has important planning considerations associated with it. Be sure to read Plan the Secure Store Service in SharePoint Server before you begin the procedures in this article.

Configure Secure Store in SharePoint Server

The Secure Store service runs under the Application and Front-end server roles. It is autoprovisioned when you create a Secure Store service application.

To configure Secure Store, you perform the following steps:

  1. Register a managed account in SharePoint Server to run the Secure Store application pool.

  2. Start the Secure Store Service on an application server in the farm. (SharePoint Server 2013 only)

  3. Create a Secure Store Service service application.

To run the application pool, you must have a standard domain account. No specific permissions are required for this account. Once the account has been created in Active Directory, follow these steps to register it with SharePoint Server.

To register a managed account

  1. On the SharePoint Central Administration Web site home page, in the left navigation, click Security.

  2. On the Security page, in the General Security section, click Configure managed accounts.

  3. On the Managed Accounts page, click Register Managed Account.

  4. In the User name box, type the name of the account.

  5. In the Password box, type the password for the account.

  6. If you want SharePoint Server to handle changing the password for the account, select the Enable automatic password change box and specify the password change parameters that you want to use.

  7. Click OK.

If you are using SharePoint Server 2013, you must start the Secure Store Service on an application server in the farm. (If you are using SharePoint Server 2016, the service is started automatically by MinRole.)

To start the Secure Store Service (SharePoint Server 2013)

  1. On the Central Administration home page, in the System Settings section, click Manage services on server.

  2. Above the Service list, click the Server drop-down list, and then click Change Server.

  3. Select the application server where you want to run the Secure Store Service.

  4. In the Service list, click Start next to Secure Store Service.

Next, you must create a Secure Store Service service application. Use the following procedure to create the service application.

To create a Secure Store Service service application

  1. On the Central Administration home page, in the Application Management section, click Manage service applications.

  2. On the Manage Service Applications page, click New, and then click Secure Store Service.

  3. In the Service Application Name box, type a name for the service application (for example, Secure Store Service).

  4. In the Database Server box, type the instance of SQL Server where you want to create the Secure Store database.

    Note

    [!NOTE] Because the Secure Store database contains sensitive information, we recommend that you deploy the Secure Store database to a different instance of SQL Server from the rest of SharePoint Server.

  5. Select the Create new application pool option and type a name for the application pool in the text box.

  6. Select the Configurable option, and, from the drop-down list, select the account for which you created the managed account earlier.

  7. Click OK.
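The same three configuration steps (register the managed account, start the service instance on SharePoint Server 2013, create the service application and its proxy) can be scripted in the SharePoint Management Shell. The block below is an added example, not code from the article or from Microsoft; the account name, SQL Server instance, database name and pool name are placeholders to replace for your farm, and it only uses cmdlets documented in the Secure Store Service cmdlet reference the article links to.

```powershell
# Added example (not from the article): the Central Administration steps above, performed in the
# SharePoint Management Shell. Names, the SQL instance and the account are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "CONTOSO\svc-securestore"   # placeholder: a standard domain account, no extra rights needed
$sqlInstance = "SQL-SECURESTORE\SP"        # placeholder: a SQL Server instance separate from the rest of the farm
$dbName      = "SecureStoreDB"
$poolName    = "SecureStoreAppPool"

# Step 1: register the managed account. The password is prompted for, never written into the script.
$managedAccount = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managedAccount) {
    $cred = Get-Credential -UserName $accountName -Message "Password for the Secure Store application pool account"
    $managedAccount = New-SPManagedAccount -Credential $cred
}

# Step 2 (SharePoint Server 2013 only): start the service instance on the application server(s).
# In SharePoint Server 2016, MinRole starts it on Application and Front-end servers automatically.
$farm = Get-SPFarm
if ($farm.BuildVersion.Major -eq 15) {
    Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq "Secure Store Service" -and $_.Status -ne "Online" } |
        ForEach-Object { Start-SPServiceInstance -Identity $_ | Out-Null }
}

# Step 3: a dedicated application pool running as the managed account, then the service
# application on the separate SQL instance and a proxy in the default proxy group.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managedAccount
}

$ssa = New-SPSecureStoreServiceApplication -Name "Secure Store Service" `
    -ApplicationPool $pool -DatabaseServer $sqlInstance -DatabaseName $dbName

$proxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Proxy" `
    -ServiceApplication $ssa -DefaultProxyGroup

# Check: the service application should report Online and run in the dedicated pool.
Get-SPServiceApplication -Identity $ssa.Id | Select-Object DisplayName, Status, ApplicationPool
```

Run it once from a farm administrator session on a server in the farm; the version check keeps the 2013-only step from running on a SharePoint Server 2016 farm, where MinRole owns service placement.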

The Secure Store Service has now been configured. The next step is to generate an encryption key for encrypting the Secure Store database.

Work with Secure Store encryption keys

Before using the Secure Store Service, you must generate an encryption key. The key is used to encrypt and decrypt the credentials that are stored in the Secure Store Service database.

Generate an encryption key

The first time that you access the Secure Store service application, your only option is to generate a new encryption key. Once the key has been generated, the rest of the Secure Store functionality becomes available.

To generate a new encryption key

  1. On the Central Administration home page, in the Application Management section, click Manage service applications.

  2. Click the Secure Store service application.

  3. In the Key Management group, click Generate New Key.

  4. On the Generate New Key page, type a pass phrase string in the Pass Phrase box, and type the same string in the Confirm Pass Phrase box. This pass phrase is used to encrypt the Secure Store database.

    Important

    [!IMPORTANT] A pass phrase string must be at least eight characters and must have at least three of the following four elements:
      • Uppercase characters
      • Lowercase characters
      • Numerals
      • Any of the following special characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ ` { | } ~

    Important

    [!IMPORTANT] The pass phrase that you enter is not stored. Make sure that you write it down and store it in a safe place. You must have it to refresh the key, such as when you add a new application server to the server farm.

  5. Click OK.

As a security precaution or as part of regular maintenance, you may decide to generate a new encryption key and force the Secure Store Service to be re-encrypted based on the new key. You can use this same procedure to do so.

Warning

You should back up the database of the Secure Store Service application before generating a new key.

Refresh the Secure Store encryption key

Refreshing the encryption key propagates the key to all the application servers in the farm. You may be required to refresh the encryption key if any of the following is true:

  • You add a new application server to the server farm.

  • You restore a previously backed up Secure Store Service database and have since changed the encryption key.

  • You receive an "Unable to get master key" error message.

To refresh the encryption key

  1. On the Central Administration home page, in the Application Management section, click Manage service applications.

  2. Click the Secure Store service application.

  3. In the Key Management group, click Refresh Key.

  4. In the Pass Phrase box, type the pass phrase that you first used to generate the encryption key.

    This phrase is either the pass phrase that you used when you initialized the Secure Store Service service application or one that you used when you created a new key by using the Generate New Key command.

  5. Click OK.
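Both key procedures above (generating a new master key and refreshing it onto an application server) have Management Shell equivalents. The following block is an added example and not code from the article or from Microsoft: it reads the pass phrase interactively, checks it against the complexity rule stated in the Important note (the `Test-SecureStorePassphrase` helper is an assumption written here, not a SharePoint cmdlet), then calls the two cmdlets. The proxy lookup by type name is an assumption that the farm has a single Secure Store proxy.

```powershell
# Added example (not from the article): generate the Secure Store master key and refresh it on an
# application server from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The article's rule: at least eight characters and at least three of the four classes
# (uppercase, lowercase, numerals, listed special characters). Central Administration enforces
# it; this helper (not a SharePoint cmdlet) lets a script fail early on the same rule.
function Test-SecureStorePassphrase {
    param([Parameter(Mandatory)][string]$Passphrase)
    if ($Passphrase.Length -lt 8) { return $false }
    $special = '!"#$%&''()*+,-./:;<=>?@[\]^`{|}~'
    $classes = 0
    if ($Passphrase -cmatch '[A-Z]') { $classes++ }
    if ($Passphrase -cmatch '[a-z]') { $classes++ }
    if ($Passphrase -match  '[0-9]') { $classes++ }
    if ($Passphrase.IndexOfAny($special.ToCharArray()) -ge 0) { $classes++ }
    return ($classes -ge 3)
}

$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -eq "Secure Store Service Application Proxy" }

# Prompt for the pass phrase so it is not left in the script or the shell history. SharePoint does
# not store it either, so record it in your secrets store before continuing.
$secure = Read-Host -AsSecureString -Prompt "Secure Store pass phrase"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $passphrase = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

if (-not (Test-SecureStorePassphrase -Passphrase $passphrase)) {
    throw "Pass phrase does not meet the rule: 8+ characters and 3 of 4 character classes."
}

# Generate: first-time setup, or re-keying after the Secure Store database has been backed up.
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# Refresh: run on each application server after adding one to the farm, after restoring an older
# Secure Store database, or when the "Unable to get master key" error appears.
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
```

For a refresh alone (for example on a newly added application server), run only the last cmdlet with the pass phrase that was used when the key was generated; `Update-SPSecureStoreMasterKey` replaces the key, which is why the database backup in the Warning comes first.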

Store credentials in Secure Store

Storing credentials in Secure Store is accomplished by using a Secure Store target application. A target application maps the credentials of a user, group, or claim to a set of encrypted credentials stored in the Secure Store database. After a target application is created, you can associate it with an external content type or application model, or use it with a business intelligence service such as Excel Online or Visio Services to provide access to an external data source. When a SharePoint Server service application calls the target application, Secure Store confirms that the user making the request is an authorized user of the target application and then retrieves the encrypted credentials. The credentials are then used on the user's behalf by the SharePoint Server service application.

To create a target application, you must do the following:

  1. Create the target application itself, specifying the type of credentials that you want to store in the Secure Store database, the administrators for the target application, and the credential owners.

  2. Specify the credentials that you want to store.

Create a target application

Target applications are configured on the Secure Store Service Application page in Central Administration. Use the following procedure to create a target application.

To create a target application

  1. On the Central Administration home page, in the Application Management section, click Manage service applications.

  2. Click the Secure Store service application.

  3. In the Manage Target Applications group, click New.

  4. In the Target Application ID box, type a text string.

    This is the unique string that you will use externally to identify this target application.

  5. In the Display Name box, type a text string that will be used to display the identifier of the target application in the user interface.

  6. In the Contact Email box, type the e-mail address of the primary contact for this target application.

    This can be any legitimate e-mail address and does not have to be the identity of an administrator of the Secure Store Service application.

  7. When you create a target application of type Individual (see below), you can implement a custom Web page that lets users add individual credentials for the destination data source. This requires custom code to pass the credentials to the target application. If you did this, type the full URL of this page in the Target Application Page URL field. There are three options:

    • Use default page: Any Web site that uses the target application to access external data has an individual sign-up page that is added automatically. The URL of this page is http://_layouts/SecureStoreSetCredentials.aspx?TargetAppId=, where the TargetAppId value is the string typed in the Target Application ID box. By publicizing the location of this page, you can enable users to add their credentials for the external data source.

    • Use custom page: You provide a custom Web page that lets users provide individual credentials. Type the URL of the custom page in this field.

    • None: There is no sign-up page. Individual credentials are added only by a Secure Store Service administrator who is using the Secure Store Service application.

  8. In the Target Application Type drop-down list, choose the target application type: Group, for group credentials, or Individual, if each user is to be mapped to a unique set of credentials on the external data source.

    Note

    [!NOTE] There are two primary types for creating a target application:
      • Group, for mapping all the members of one or more groups to a single set of credentials on the external data source.
      • Individual, for mapping each user to a unique set of credentials on the external data source.

  9. Click Next.

  10. Use the Specify the credential fields for your Secure Store Target Application page to configure the various fields that may be required to provide credentials to the external data source. By default, two fields are listed: Windows User Name and Windows Password.

    To add an additional field for supplying credentials to the external data source, on the Specify the credential fields for your Secure Store Target Application page, click Add Field.

    By default, the type of the new field is Generic. The following field types are available:

| Field | Description |
|---|---|
| Generic | Values that do not fit in any of the other categories. |
| User Name | A user account that identifies the user. |
| Password | A secret word or phrase. |
| PIN | A personal identification number. |
| Key | A parameter that determines the functional output of a cryptographic algorithm or cipher. |
| Windows User Name | A Windows user account that identifies the user. |
| Windows Password | A secret word or phrase for a Windows account. |
| Certificate | A certificate. |
| Certificate Password | The password for the certificate. |

  • To change the type of a new or existing field, click the arrow that appears next to the type of the field, and then select the new type of field.

    Note

    [!NOTE] Every field that you add will be required to have data when you set the credentials for this target application.

  • You can change the name that a user sees when interacting with a field. In the Field Name column of the Specify the credential fields for your Secure Store Target Application page, change a field name by selecting the current text and typing new text.

  • When a field is masked, each character that a user types is not displayed but is replaced with a mask character such as the asterisk "*". To mask a field, click the check box for that field in the Masked column of the page.

  • To delete a field, click the delete icon for that field in the Delete column of the page.

    When you have finished editing the credential fields, click Next.

  11. On the Specify the membership settings page, in the Target Application Administrators field, list all users who have access to manage the target application settings.

  12. If the target application type is Group, in the Members field, list the user groups to map to a set of credentials for this target application.

  13. Click OK to complete configuring the target application.
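The wizard above maps onto four cmdlets in the SharePoint Management Shell: one for the target application's identity and type, one per credential field, one per claims principal for administrators and members, and one that creates the target application in a service context. The block below is an added example (not code from the article or from Microsoft) for a Group-type target application; the site URL, Target Application ID, accounts and field names are placeholders. It adds a masked PIN as a third field to show how the extra fields in step 10 are declared.

```powershell
# Added example (not from the article): create a Group-type target application with the fields,
# administrators and credential owners from the wizard, in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.local"   # placeholder: a site in the web application that will use the target application
$appId   = "ContosoCRM"                      # Target Application ID: the unique string used externally
$admins  = @("CONTOSO\sp-admins")            # Target Application Administrators (groups here; users also work)
$members = @("CONTOSO\CRM-Users")            # Members: the group mapped to the single shared credential set

# Steps 4-8: identity, display name, contact and type. Group maps every member to one credential set;
# Individual (with -SetCredentialsUri for the sign-up page) gives each user their own.
$targetApp = New-SPSecureStoreTargetApplication -Name $appId -FriendlyName "Contoso CRM" `
    -ContactEmail "crm-owner@contoso.local" -ApplicationType Group

# Step 10: credential fields. The default Windows User Name / Windows Password pair plus a masked
# PIN as an extra field; every field declared here must be supplied when credentials are set.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName)
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked)
    (New-SPSecureStoreApplicationField -Name "CRM PIN"           -Type Pin -Masked)
)

# Steps 11-12: membership settings, expressed as claims principals.
$adminClaims  = $admins  | ForEach-Object { New-SPClaimsPrincipal -Identity $_ -IdentityType WindowsSecurityGroupName }
$memberClaims = $members | ForEach-Object { New-SPClaimsPrincipal -Identity $_ -IdentityType WindowsSecurityGroupName }

# Step 13: create the target application in the service context of the site.
$app = New-SPSecureStoreApplication -ServiceContext $siteUrl -TargetApplication $targetApp `
    -Fields $fields -Administrator $adminClaims -CredentialsOwnerGroup $memberClaims

# Check: the stored target application should carry the ID, display name and type just given.
$app.TargetApplication | Select-Object Name, FriendlyName, ApplicationType
```

Keeping the administrator list to a dedicated group rather than individual accounts makes later reviews of who can change the mapping (and therefore who can redirect the stored credentials) a group-membership check instead of a per-application audit.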

Set credentials for a Secure Store target application

After creating a target application, an administrator of that target application can set credentials for it. These credentials are used by the calling application to provide access to an external data source. If the target application is of type Individual, you can also enable users to supply their own credentials.

To set credentials for a target application

  1. On the Central Administration home page, in the Application Management section, click Manage service applications.

  2. Click the Secure Store service application.

  3. In the target application list, point at the target application for which you want to set credentials, click the arrow that appears, and then, in the menu, click Set credentials.

    If the target application is of type Group, type the credentials for the external data source. Depending on the information that is required by the external data source, the fields for setting credentials will vary.

    If the target application is of type Individual, type the user name of the individual who will be mapped to this set of credentials on the external data source, and type the credentials for the external data source. Depending on the information that is required by the external data source, the fields for setting credentials will vary.

  4. Click OK.
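Setting the credentials from the SharePoint Management Shell differs by target application type, which is the point the two paragraphs in step 3 make: a Group mapping has no principal, an Individual mapping is bound to one user. The block below is an added example, not code from the article or from Microsoft; the site URL, target application name, field prompts and user account are placeholders, and the three prompted values are assumed to match, in order, the three fields the target application was created with.

```powershell
# Added example (not from the article): set credentials for an existing target application from
# the SharePoint Management Shell, handling both the Group and the Individual type.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.contoso.local"   # placeholder
$app = Get-SPSecureStoreApplication -ServiceContext $siteUrl -Name "ContosoCRM"

# Prompt for the secrets so they never sit in the script or the shell history. The array must
# line up one-to-one with the target application's field list (here: user name, password, PIN).
$values = @(
    (Read-Host -AsSecureString -Prompt "Windows user name for the external source")
    (Read-Host -AsSecureString -Prompt "Windows password")
    (Read-Host -AsSecureString -Prompt "CRM PIN")
)

switch ($app.TargetApplication.ApplicationType) {
    "Group" {
        # Group type: one credential set shared by every member of the target application.
        Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $values
    }
    "Individual" {
        # Individual type: the credential set is bound to one user. Repeat per user, or let users
        # register themselves through the sign-up page configured on the target application.
        $user = New-SPClaimsPrincipal -Identity "CONTOSO\jdoe" -IdentityType WindowsSamAccountName
        Update-SPSecureStoreCredentialMapping -Identity $app -Principal $user -Values $values
    }
    default { throw "Unexpected target application type: $($app.TargetApplication.ApplicationType)" }
}
```

The `-Values` parameters take SecureString arrays, so `Read-Host -AsSecureString` feeds them directly without ever materialising the plain-text secret in the session.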

Once you have set the credentials for the target application, it is ready to be used by a SharePoint Server service such as Business Connectivity Services, Excel Services, or Visio Services.

Enable the Secure Store audit log

Audit entries for the Secure Store service are stored in the Secure Store Service database. By default, the audit log file is disabled.

An audit log entry stores information about a Secure Store Service action, such as when it was performed, whether it succeeded, why it failed if it did not succeed, the Secure Store Service user who performed it, and optionally the Secure Store Service user on whose behalf it was performed. Therefore, a valid reason to enable an audit log file is to troubleshoot an authentication issue.

To enable the audit log by using Central Administration

  1. On the Central Administration home page, in the Application Management section, click Manage service applications.

  2. Select the Secure Store service application. (That is, select the service application, but do not click the link to go to the Secure Store Service application settings page.)

  3. On the ribbon, click Properties.

  4. In the Enable Audit section, click to select the Audit log enabled box.

  5. To change the number of days after which entries are purged from the audit log file, specify a number of days in the Days Until Purge field. The default value is 30 days.

  6. Click OK.
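The Properties dialog above corresponds to two parameters of `Set-SPSecureStoreServiceApplication`. The block below is an added example, not code from the article or from Microsoft; it assumes a single Secure Store service application in the farm, and the wildcard in the read-back is used because the property names are not given on this page.

```powershell
# Added example (not from the article): enable the Secure Store audit log and set the purge window
# from the SharePoint Management Shell, then read the settings back.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "Secure Store Service Application" }

# -AuditlogMaxSize is the number of days entries are kept before purge (30 matches the UI default).
Set-SPSecureStoreServiceApplication -Identity $ssa -AuditingEnabled:$true -AuditlogMaxSize 30

# Read back: match the audit properties by wildcard rather than assuming their exact names.
Get-SPServiceApplication -Identity $ssa.Id | Format-List DisplayName, *Audit*
```

Because the entries record who performed each action and on whose behalf, the log is also the place to check when a target application's credentials were last changed or when a mapping lookup failed.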

See also

Other Resources

Secure Store Service cmdlets in SharePoint 2013