Restrict or enable access to a service application in SharePoint Server

Summary: Learn how to restrict access to a service application by adding and removing service accounts, and how to reestablish local farm-wide access to a service application in SharePoint Server 2016 and SharePoint 2013.

In SharePoint Server, you can restrict access to a service application so that it is available only to specified web applications.

By default, all service applications on the local farm are available to all web applications on the local farm. You might want to restrict access to a service application if you host multiple customers on the same farm and want to isolate one customer's service applications from another customer's web applications.

If you restrict access to a service application and later decide to make it available to the whole farm, you can remove the restriction.

Restrict access to a service application

To restrict access to a service application, remove service accounts from the service application. Conversely, to enable access to a service application, add service accounts to it. You can perform these tasks by using Central Administration or by using PowerShell.

To restrict access to a service application, you must complete the following tasks:

  1. Add a specific service account to the service application.

  2. Remove the local farm ID from the service application.

The procedures in this article describe how to restrict or restore access to a service application. However, you can follow the same steps to add any service account to any service application, or to remove any service account from any service application.

For example, the To restore local farm-wide access to a service application by using Central Administration procedure explicitly describes how to add the local farm ID to a service application. You can use the same procedure to add any other service account to a service application by supplying the appropriate service account instead of the local farm ID.

Because the local farm ID grants local farm-wide access to the service application by default, granting explicit local web application permissions to a service application is redundant unless you also remove the local farm ID.

To grant permissions to a service application, you must retrieve and supply the appropriate service account. For a web application, this account is also known as the application pool identity account.

After you grant permissions to a service account and remove the local farm ID from a service application, only web applications that are managed by the assigned service account can access the service application. You can assign multiple web applications (that have different managing service accounts) to the same service application by repeating these procedures and adding each web application's service account to the service application.

Warning

If you remove the local farm ID from a service application and do not assign any other service account to it, the service application becomes unavailable to all web applications.

Restrict access to a service application by using Central Administration

To restrict access to a service application by using the SharePoint Central Administration website, follow these steps:

  1. Retrieve the web application service account.

  2. Add the web application service account to the service application.

  3. Remove the local farm ID from the service application.

To retrieve a web application service account by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

  2. On the Central Administration Home page, in the Security section, click Configure service accounts.

  3. On the Service Accounts page, select the services and web application component from the first drop-down list.

    The service account is shown in the Select an account for this component list. Record the service account name, because you will use it in the next procedure.

  4. Click Cancel to exit the Service Accounts page without making any changes.

To grant and remove permissions for service accounts to access a service application by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

  2. On the Central Administration Home page, in the Application Management section, click Manage service applications.

  3. On the Manage Service Applications page, click the row that contains the service application for which you want to assign permissions.

    The ribbon becomes available.

  4. In the Sharing group of the ribbon, click Permissions.

  5. In the Connection Permissions dialog box, type the service account name that you retrieved in the previous procedure, and then click Add.

  6. Ensure that the newly added service account name is selected in the middle pane, and then click the appropriate check box in the bottom pane to grant the required permission level.

  7. In the middle pane, click Local Farm, and then click Remove.

  8. Verify that the Connection Permissions page now lists only the service account that you want to access the service application, and that the service account has the required permissions on the service application. Click OK to change the permissions, or click Cancel to end the task without making changes.

You can grant and remove permissions for any service account by using this procedure. Restoring the local farm ID to the service application by using Central Administration requires an additional step that does not apply to other service accounts. For information about how to do this, see Restore farm-wide access to a service application later in this article.

Restrict access to a service application by using Microsoft PowerShell

All procedures in this section assume that you have the appropriate permissions and have opened the PowerShell command prompt window, as described in the To start a Microsoft PowerShell session procedure later in this section.

Restricting access to a service application by using PowerShell is more involved than performing the same task by using Central Administration. In PowerShell, some procedures collect and store information that is used as input to later procedures.

After you have started PowerShell, the remaining steps to restrict access to a service application are as follows:

  1. Retrieve the local farm ID.

  2. Retrieve the web application service account.

  3. Create a new claims principal that contains the web application service account.

  4. Retrieve the security object of the service application.

  5. Add the web application service account to the security object of the service application.

  6. Remove the local farm ID from the security object of the service application.

  7. Assign the updated security object to the service application.

  8. Display and review the updated permissions.

To start a Microsoft PowerShell session

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have these permissions, contact your Setup administrator or SQL Server administrator to request them. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

To retrieve a web application service account and create a new claims principal by using Microsoft PowerShell

  1. At the PowerShell command prompt, type the following commands to retrieve the service account (that is, the application pool identity account) of a web application:

    $webapp = Get-SPWebApplication <http://WebApplication>
    $webapp.ApplicationPool.UserName
    

    Where <http://WebApplication> is the web application URL.

    The web application service account name is displayed at the command prompt.

  2. To create a new claims principal, type the following command:

    $principal = New-SPClaimsPrincipal <ServiceAccount> -IdentityType WindowsSamAccountName
    

    Where <ServiceAccount> is the user name (in the form jane@contoso.com or contoso\jane) that was retrieved by running the previous command. The $principal variable will contain the new claims principal.

To retrieve the security object of the service application

  1. To retrieve the security object of the service application, type the following commands. The $security variable will store the service application security object.

    $spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
    $spguid = $spapp.Id
    $security = Get-SPServiceApplicationSecurity $spguid
    

    Where <ServiceApplicationDisplayName> is the display name of the service application.

    Important:

    You must enclose the display name in quotation marks, and it must exactly match the service application display name, including capitalization. If you have more than one service application that has the same display name (we do not recommend this), you can run the Get-SPServiceApplication cmdlet without arguments to view all service applications. You can then identify the service application directly by its GUID. For example:

    Get-SPServiceApplication

    All service applications are listed.

    $spapp = Get-SPServiceApplication -Identity <GUID>

    $spguid = $spapp.Id

    Where <GUID> is the GUID of the service application for which you want to update permissions.

To update the service application security object by using the preferred permissions

  1. The first step to update the service application security object is to add the new claims principal $principal to the service application security object $security. To do this, type the following command:

    Grant-SPObjectSecurity $security $principal -Rights "<Rights>"
    

    Where <Rights> is the permissions that you want to grant. Typically, this will be Full Control. The available permissions can vary between service applications.

    If you do not want to grant Full Control permissions, and you do not know what permissions can be granted on the service application, you can run the following commands to return the available permission strings:

    $rightslist = Get-SPServiceApplicationSecurity $spapp

    $rightslist.NamedAccessRights

  2. To remove the local farm ID (stored in the $farmID variable) from the service application security object $security, type the following commands. Revoke-SPObjectSecurity takes a claims principal, so the farm ID is first wrapped in a farm-ID claims principal, as in the To retrieve the local farm ID by using PowerShell procedure:

    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    $farmPrincipal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmID
    Revoke-SPObjectSecurity $security $farmPrincipal
    
  3. To assign the updated $security security object to the service application and confirm that the security object for the service application has been updated appropriately, type the following commands:

    Set-SPServiceApplicationSecurity $spapp -ObjectSecurity $security
    (Get-SPServiceApplicationSecurity $spapp).AccessRules
    

You can add or remove any service account on a service application by using these procedures.

Restore farm-wide access to a service application

You can restore farm-wide access to a service application by adding the local farm ID to the service application. You can do this by using Central Administration or by using PowerShell commands. However, you must use PowerShell to obtain the local farm ID.

To retrieve the local farm ID by using PowerShell

  1. This procedure starts after you have completed the To start a Microsoft PowerShell session procedure.

  2. The following commands retrieve the local farm ID, store it in the $farmID variable, and display the ID at the command prompt:

    $farmID = (Get-SPFarm).Id
    $farmID
    

    If you want to restore farm-wide access by using Central Administration, copy this value to the clipboard for use in the following procedure.

    If you want to restore farm-wide access to the service application by using PowerShell, type the following additional commands at the PowerShell command prompt. You will use the retrieved information in the following procedure.

    $claimProvider = (Get-SPClaimProvider System).ClaimProvider
    $principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmID
    

To restore local farm-wide access to a service application by using Central Administration

  1. Perform steps 1 through 3 of the procedure To grant and remove permissions for service accounts to access a service application by using Central Administration.

  2. In the Connection Permissions dialog box, paste the local farm ID that you retrieved in the previous procedure, and then click Add.

  3. Ensure that the local farm ID is selected in the middle pane. Click the Full Control check box in the bottom pane.

  4. Click OK to restore farm-wide access to the service application, or click Cancel to end the task without making changes.

To restore local farm-wide access to a service application by using Microsoft PowerShell

  1. This procedure starts after step 2 of the procedure To retrieve the local farm ID by using PowerShell.

  2. To restore the retrieved local farm ID to the service application security object $security, type the following commands:

    $spapp = Get-SPServiceApplication -Name "<ServiceApplicationDisplayName>"
    $spguid = $spapp.Id
    $security = Get-SPServiceApplicationSecurity $spguid
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    Set-SPServiceApplicationSecurity $spguid -ObjectSecurity $security
    

    Where <ServiceApplicationDisplayName> is the display name of the service application.

    Important

    You must enclose the display name in quotation marks, and it must exactly match the service application display name, including capitalization. If you have more than one service application that has the same display name (we do not recommend this), you can run the Get-SPServiceApplication cmdlet without arguments to view all service applications. You can then identify the service application directly by its GUID.

Microsoft PowerShell code examples

In the following example, the administrator wants to restrict access to the "Contoso BDC" service application to the http://contoso/hawaii web application, which is managed by the service account "contoso\jane". By adding "contoso\jane" and removing the local farm service account from the service application, "Contoso BDC" is restricted to only those web applications that are managed by the service account "contoso\jane", in this case http://contoso/hawaii.

# Build a claims principal for the local farm ID so it can be revoked later
$farmid = (Get-SPFarm).Id
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$farmappId = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmid
# Confirm the application pool identity (service account) of the web application
$webapp = Get-SPWebApplication http://contoso
$webapp.ApplicationPool.UserName
# Claims principal for the web application's service account
$principal = New-SPClaimsPrincipal contoso\jane -IdentityType WindowsSamAccountName
# Retrieve the service application's security object, grant the service account,
# revoke the local farm principal, and write the security object back
$spapp = Get-SPServiceApplication -Name "Contoso BDC"
$spguid = $spapp.Id
$security = Get-SPServiceApplicationSecurity $spguid
Grant-SPObjectSecurity $security $principal -Rights "Full Control"
Revoke-SPObjectSecurity $security $farmappId
Set-SPServiceApplicationSecurity $spguid -ObjectSecurity $security
# Review the resulting access rules
(Get-SPServiceApplicationSecurity $spguid).AccessRules

In the following example, access to the service application "Contoso BDC" is restored for all web applications in the local farm.

# Build a claims principal for the local farm ID
$farmid = (Get-SPFarm).Id
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$farmappId = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue $farmid
# Retrieve the service application's security object, grant the farm principal
# Full Control, and write the security object back
$spapp = Get-SPServiceApplication -Name "Contoso BDC"
$spguid = $spapp.Id
$security = Get-SPServiceApplicationSecurity $spguid
Grant-SPObjectSecurity -Identity $security -Principal $farmappId -Rights "Full Control"
Set-SPServiceApplicationSecurity $spguid -ObjectSecurity $security
# Review the resulting access rules
(Get-SPServiceApplicationSecurity $spguid).AccessRules
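As an added audit check that is not part of the original article, the following script walks every service application in the local farm and reports whether the local farm ID still grants farm-wide access, which principals hold explicit connection permissions, and whether a restricted service application has been left with no principal at all (the situation the Warning above describes). It assumes the SharePoint Management Shell with farm-administrator rights, that the access-rule entry for the farm principal embeds the farm GUID in its Name, and that the access rules expose Name and AllowedRights properties.

```powershell
# Added audit script (not from the original article). For each service
# application, classify its connection-permission entries as the local farm
# principal (farm-wide access) or an explicit principal such as an
# application pool identity account.
# Assumptions: SharePoint Management Shell, farm-admin rights; the farm
# principal's access-rule Name contains the farm GUID (its claim value);
# access rules expose Name and AllowedRights.
$farmId = (Get-SPFarm).Id.ToString()

$report = foreach ($sa in Get-SPServiceApplication) {
    $rules = @((Get-SPServiceApplicationSecurity $sa).AccessRules)

    # Entry that carries the farm GUID is the local farm claims principal
    $farmRule = @($rules | Where-Object { $_.Name -like "*$farmId*" })
    # Everything else was granted explicitly (for example contoso\jane)
    $explicit = @($rules | Where-Object { $_.Name -notlike "*$farmId*" })

    [PSCustomObject]@{
        ServiceApplication = $sa.DisplayName
        # True while the local farm ID still grants every web application access
        FarmWideAccess     = ($farmRule.Count -gt 0)
        # Explicit principals with their rights, e.g. "contoso\jane: Full Control"
        ExplicitPrincipals = (($explicit | ForEach-Object {
                                  "$($_.Name): $($_.AllowedRights)" }) -join '; ')
        # Restricted but with no remaining principal: unreachable by any web app
        Orphaned           = ($farmRule.Count -eq 0 -and $explicit.Count -eq 0)
    }
}

# Service applications with farm-wide access removed are listed first so the
# restricted set (and any orphaned entries) can be reviewed together.
$report | Sort-Object FarmWideAccess, ServiceApplication | Format-Table -AutoSize
```

Run the script before and after changing permissions to confirm that only the intended principals remain on the restricted service application.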

See also

Concepts

Add or remove service application connections from a web application in SharePoint Server

Account permissions and security settings in SharePoint Server 2016

Other Resources

Create a web application in SharePoint Server

Get-SPWebApplication

New-SPClaimsPrincipal

Get-SPServiceApplication

Get-SPServiceApplicationSecurity

Grant-SPObjectSecurity

Revoke-SPObjectSecurity

Set-SPServiceApplicationSecurity

Get-SPFarm

Get-SPClaimProvider