Exchange trust certificates between farms in SharePoint Server

Summary: Learn how to exchange trust certificates between the publishing farm and the consuming farm in SharePoint Server 2016 and SharePoint 2013.

In SharePoint Server, a farm can connect to and consume a service application that is published on another SharePoint Server farm. For this to occur, the farms must exchange trust certificates.

Both farms must participate in this exchange for service application sharing to work.

For more information about how to share service applications across farms, see Share service applications across farms in SharePoint Server.

You must use Microsoft PowerShell commands to export and copy the certificates between farms. After the certificates are exported and copied, you can use either PowerShell commands or Central Administration to manage the trusts within the farm.

The instructions here assume the following criteria:

  • The servers that are used for these procedures are running PowerShell.

  • The administrator will select and use the same server in each farm for all steps in the process.

  • If User Account Control (UAC) is turned on, you must run the PowerShell commands with elevated privileges.

Before you begin this operation, review Share service applications across farms in SharePoint Server for information about prerequisites.

Exporting and copying certificates

An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm.

You can only export and copy certificates by using Windows PowerShell 3.0 or later.

To export the root certificate from the consuming farm

  1. On a server that is running SharePoint Server in the consuming farm, verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following commands:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate

    $rootCert.Export("Cert") | Set-Content <C:\ConsumingFarmRoot.cer> -Encoding byte

    Where <C:\ConsumingFarmRoot.cer> is the path of the root certificate.

To export the STS certificate from the consuming farm

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following commands:

    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

    $stsCert.Export("Cert") | Set-Content <C:\ConsumingFarmSTS.cer> -Encoding byte

    Where <C:\ConsumingFarmSTS.cer> is the path of the STS certificate.

To export the root certificate from the publishing farm

  1. On a server that is running SharePoint Server in the publishing farm, verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following commands:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate

    $rootCert.Export("Cert") | Set-Content <C:\PublishingFarmRoot.cer> -Encoding byte

    Where <C:\PublishingFarmRoot.cer> is the path of the root certificate.

To copy the certificates

  1. Copy the root certificate and the STS certificate from the server in the consuming farm to the server in the publishing farm.

  2. Copy the root certificate from the server in the publishing farm to the server in the consuming farm.
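The three export procedures above write the public certificates to disk, but they give the receiving administrator no way to tell whether the file that arrived is the one that was exported. The following script is an added example, not part of the original article, that performs the consuming-farm exports in one pass and records each file's subject, thumbprint and SHA-256 hash in a manifest to be sent over a channel separate from the .cer files themselves. It assumes the SharePoint Management Shell (Windows PowerShell 4.0 or later, for Get-FileHash) on a server in the consuming farm; the folder C:\FarmTrust and the file names are assumptions.

```powershell
# Added example (not from the original article): export the consuming farm's root and
# STS certificates, confirm each file round-trips to the same certificate, and record
# thumbprints so the publishing farm's administrator can verify the copies before
# creating a trust from them.
# Assumed: SharePoint Management Shell on a consuming-farm server; C:\FarmTrust is a
# placeholder output folder; Get-FileHash requires Windows PowerShell 4.0 or later.

$outDir = 'C:\FarmTrust'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# The same two objects the article exports: the farm root CA and the STS signing certificate.
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$stsCert  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

$exports = @{
    'ConsumingFarmRoot.cer' = $rootCert
    'ConsumingFarmSTS.cer'  = $stsCert
}

$manifest = foreach ($name in $exports.Keys) {
    $path = Join-Path $outDir $name

    # "Cert" content type = DER-encoded public certificate only; the private key never leaves the farm.
    $exports[$name].Export('Cert') | Set-Content -Path $path -Encoding Byte

    # Read the file back and confirm it is exactly the certificate we meant to export.
    $reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
    if ($reloaded.Thumbprint -ne $exports[$name].Thumbprint) {
        throw "Exported file $path does not match the in-farm certificate"
    }
    if ($reloaded.HasPrivateKey) {
        throw "$path unexpectedly contains a private key"
    }

    [pscustomobject]@{
        File       = $name
        Subject    = $reloaded.Subject
        Thumbprint = $reloaded.Thumbprint
        NotAfter   = $reloaded.NotAfter
        Sha256     = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

# Give this manifest to the publishing farm's administrator separately from the .cer files.
$manifest | Format-Table -AutoSize
$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
```

The same pattern, with only the root certificate, applies to the export from the publishing farm. Keeping the manifest separate from the certificate files matters because the import step on the other farm makes that farm trust whatever certificate it is given; a thumbprint received out of band lets the importing administrator notice a substituted file before the trust is created.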

Managing trust certificates by using PowerShell

Managing trust certificates in a farm involves establishing trust. This section describes how to establish trust on both the consuming and publishing farms by using PowerShell commands.

Establishing trust on the consuming farm

To establish trust on the consuming farm, you must import the root certificate that was copied from the publishing farm and create a trusted root authority.

To import the root certificate and create a trusted root authority on the consuming farm

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following commands:

    $trustCert = Get-PfxCertificate <C:\PublishingFarmRoot.cer>

    New-SPTrustedRootAuthority <PublishingFarm> -Certificate $trustCert

    Where:

    • <C:\PublishingFarmRoot.cer> is the path of the root certificate that you copied to the consuming farm from the publishing farm.

    • <PublishingFarm> is a unique name that identifies the publishing farm. Each trusted root authority must have a unique name.

Establishing trust on the publishing farm

To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.

To import the root certificate and create a trusted root authority on the publishing farm

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following commands:

    $trustCert = Get-PfxCertificate <C:\ConsumingFarmRoot.cer>

    New-SPTrustedRootAuthority <ConsumingFarm> -Certificate $trustCert

    Where:

    • <C:\ConsumingFarmRoot.cer> is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.

    • <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.

To import the STS certificate and create a trusted service token issuer on the publishing farm

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, type the following commands:

    $stsCert = Get-PfxCertificate <C:\ConsumingFarmSTS.cer>

    New-SPTrustedServiceTokenIssuer <ConsumingFarm> -Certificate $stsCert

    Where:

    • <C:\ConsumingFarmSTS.cer> is the path of the STS certificate that you copied to the publishing farm from the consuming farm.

    • <ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted service token issuer must have a unique name.
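The import steps for both farms (the trusted root authority on the consuming farm, and the trusted root authority plus trusted service token issuer on the publishing farm) create trust from whatever file is on disk. The script below is an added example, not from the original article, that wraps the publishing-farm steps with the checks a practitioner would want first: the file exists, carries no private key, has not expired, and its thumbprint matches the value received from the consuming farm's administrator over a separate channel; it also refuses to proceed if a trust with the chosen name already exists, since the article requires names to be unique. It assumes the SharePoint Management Shell on a publishing-farm server; the paths, the farm name and the expected thumbprints are placeholders. The same Import-VerifiedCert function serves the consuming farm, which needs only the New-SPTrustedRootAuthority call.

```powershell
# Added example (not from the original article): verify the certificates copied from the
# consuming farm before creating the trusted root authority and trusted service token
# issuer on the publishing farm.
# Assumed: SharePoint Management Shell on a publishing-farm server. The paths, the trust
# name and the expected thumbprints are placeholders; the thumbprints come from the
# consuming farm's administrator, not from the .cer files themselves.

$consumingFarmName = 'ConsumingFarm'
$rootPath = 'C:\FarmTrust\ConsumingFarmRoot.cer'
$stsPath  = 'C:\FarmTrust\ConsumingFarmSTS.cer'
$expectedThumbprint = @{
    $rootPath = 'REPLACE-WITH-ROOT-THUMBPRINT'
    $stsPath  = 'REPLACE-WITH-STS-THUMBPRINT'
}

function Import-VerifiedCert {
    param([string]$Path, [string]$ExpectedThumbprint)

    if (-not (Test-Path $Path)) { throw "Certificate file not found: $Path" }

    # Get-PfxCertificate loads a public-only .cer as well as a .pfx, as the article uses it.
    $cert = Get-PfxCertificate -FilePath $Path
    if ($cert.HasPrivateKey) {
        throw "$Path contains a private key; only a public certificate is expected here"
    }

    # Tolerate thumbprints copied with spaces or in lower case, then compare exactly.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for $Path (file: $($cert.Thumbprint); expected: $expected)"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$Path expired on $($cert.NotAfter)"
    }
    return $cert
}

$rootCert = Import-VerifiedCert -Path $rootPath -ExpectedThumbprint $expectedThumbprint[$rootPath]
$stsCert  = Import-VerifiedCert -Path $stsPath  -ExpectedThumbprint $expectedThumbprint[$stsPath]

# Trust names must be unique; stop rather than silently colliding with an existing trust.
if (Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $consumingFarmName }) {
    throw "A trusted root authority named '$consumingFarmName' already exists"
}
if (Get-SPTrustedServiceTokenIssuer | Where-Object { $_.Name -eq $consumingFarmName }) {
    throw "A trusted service token issuer named '$consumingFarmName' already exists"
}

# The two cmdlets from the article, with the name passed explicitly.
New-SPTrustedRootAuthority -Name $consumingFarmName -Certificate $rootCert | Out-Null
New-SPTrustedServiceTokenIssuer -Name $consumingFarmName -Certificate $stsCert | Out-Null

# Read the new trusts back so the session record shows exactly which thumbprints are now trusted.
Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $consumingFarmName } |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
Get-SPTrustedServiceTokenIssuer | Where-Object { $_.Name -eq $consumingFarmName } |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.SigningCertificate.Thumbprint } }
```

Running the read-back at the end is also the quickest way to audit a farm later: the same two Get- cmdlets list every root authority and token issuer the farm trusts, which is where a certificate that nobody remembers importing would show up.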

For more information about these PowerShell cmdlets, see the following articles:

For information about how to use a script to automate part of this process, see Exchange trust certificates between farms.

Managing trust certificates by using Central Administration

You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.

To establish trust by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

  2. On the SharePoint Central Administration website, click Security.

  3. On the Security page, in the General Security section, click Manage trust.

  4. On the Trust Relationship page, on the ribbon, click New.

  5. On the Establish Trust Relationship page, do the following steps:

    • Supply a name that describes the purpose of the trust relationship.

    • Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Microsoft PowerShell, as described in Exporting and copying certificates.

    • If you are performing this task on the publishing farm, select the Provide Trust Relationship check box. Type a descriptive name for the token issuer, then browse to and select the STS certificate that was copied from the consuming farm, as described in Exporting and copying certificates.

    • Click OK.

      After a trust relationship is established, you can modify the token issuer description or the certificates that are used by clicking the trust, and then clicking Edit. You can delete a trust by clicking it, and then clicking Delete.

See also

Concepts

Plan for user authentication methods in SharePoint Server

Other Resources

Create a web application in SharePoint Server

Configure SAML-based claims authentication with AD FS in SharePoint Server