Configure connectivity from Office 365 to SharePoint Server

Summary: Learn how to configure inbound connectivity for SharePoint hybrid.

**This article is part of a roadmap of procedures for configuring SharePoint hybrid solutions. Be sure you're following a roadmap when you do the procedures in this article.**

This article contains guidance for the SharePoint hybrid environment deployment process, which integrates SharePoint Server and SharePoint Online.

Before you begin

Accessibility note: SharePoint Server supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see Accessibility for SharePoint 2013.

If you haven't already done this, read Plan connectivity from Office 365 to SharePoint Server before you start to configure anything. This is important because the planning article helps you make important decisions and record them on the SharePoint hybrid deployment worksheet, referred to in the rest of this article as the worksheet. This in turn informs which procedures in this article to use and which you can skip over.

If you've read the planning article, you should have already done the following:

  • Decided which site collection strategy you'll configure for hybrid.

  • Decided whether to use an existing web application or create one for hybrid.

These decisions are recorded in Table 2 of the worksheet. If not, go back and read Plan connectivity from Office 365 to SharePoint Server and make these decisions before you go any further.

Worksheet tips

Things will go a lot easier if all of the applicable information is entered on the SharePoint hybrid worksheet before you start to configure anything. At a minimum, you need to know the following things to use this article.

Table: Decisions that should already be recorded on the SharePoint hybrid worksheet

| Decision | Location on the worksheet |
| --- | --- |
| Will you use an existing web application for hybrid or create one? | New or existing web application row of Table 2 |
| What site collection strategy will you use? | Site collection strategy row of Table 2 |
| What's the External URL? | External URL row of Table 3 |
| What's the IP address of the Internet-facing endpoint on the reverse proxy device that the External URL is associated with? | IP address of the external endpoint row of Table 3 |

Verify that these decisions are entered on the worksheet before you continue.

Configuration phases

In order to configure the environment infrastructure, you'll need both SharePoint Server interfaces, such as the SharePoint Central Administration website, and the Administration pages in SharePoint Online. To prevent you from having to switch between these interfaces more than necessary, we've organized the configuration steps into the following phases:

Please complete each configuration step in the order shown in this article.

Important

It is recommended that you thoroughly document your deployment strategy and that you maintain detailed work logs during the hybrid environment configuration process. In any complex implementation project, a detailed record of every design decision, server configuration, procedure, and output is a very important reference for troubleshooting, support, and awareness.

Prepare your public domain

In order for Office 365 to send requests to the external endpoint of your reverse proxy device, you need to have the following things:

  • A public domain registered with a domain registrar, such as GoDaddy.com, that the URL of the external endpoint of the reverse proxy device is associated with.

  • An A record in your public domain's DNS zone that's associated with the published SharePoint site (which is the External URL, such as spexternal.adventureworks.com). This enables Office 365 to send requests to the external endpoint on the reverse proxy device that's configured for hybrid. This A record maps the External URL to the IP address of the Internet-facing endpoint of the reverse proxy device. For more information, see Plan connectivity from Office 365 to SharePoint Server.

If you don't yet have a public domain that you want to use for this purpose (such as adventureworks.com), get one now, and then create this A record. If you already took care of this during the planning phase, the name of your public domain and the IP address that you need to create this A record are recorded in Table 3 of the worksheet.

You have to complete the steps in the Add your domain to Office 365 article to add the host name of your public domain to Office 365.

Configure SharePoint Server

This section tells you how to configure the SharePoint Server farm for use in an inbound hybrid solution. We've organized the steps for this section into the following phases. For the most reliable outcome, complete the procedures in the order shown.

  • Configure a site collection strategy

  • Assign a UPN domain suffix

  • Synchronize user profiles

  • Configure OAuth over HTTP (if it's required)

Note

The procedures in this section assume that you have an existing SharePoint Server farm that you intend to use for hybrid functionality.

Configure a site collection strategy

In a hybrid environment, data is exchanged between the root site collection in SharePoint Online and a specific web application in the on-premises SharePoint farm that's configured for hybrid. We call this the primary web application. This web application is the focal point on which your site collection strategy is configured.

During the planning phase, you should have decided whether you'll use an existing web application or create one, and which site collection strategy you'll configure. If so, your decisions are listed in the Site collection strategy row of Table 2 of the worksheet. If you haven't decided yet, review the Plan connectivity from Office 365 to SharePoint Server article and make these decisions before you go any further.

Choose one of the following site collection strategies to configure:

Configure a site collection strategy by using a host-named site collection

If you want to configure a site collection strategy by using a host-named site collection for the SharePoint hybrid environment, complete these steps in the order shown:

  1. Ensure that the web application and root site collection exist.

  2. Ensure that an SSL binding exists on the primary web application.

  3. Create the host-named site collection.

  4. Configure split DNS.

  5. Create an A record in the on-premises DNS.

For more information about site collection strategy decisions, see the Choose a site collection strategy section of Plan connectivity from Office 365 to SharePoint Server.

Ensure that the primary web application and root site collection exist

The host-named site collection that you'll create a bit later has to be created in a web application that's configured to use the following:

  • Integrated Windows Authentication with NTLM

  • The https protocol (Secure Sockets Layer)

You also need a path-based site collection to use as the root site collection in this web application.

If you identified a web application that you want to use during planning, it should be listed in the Primary web application URL row of Table 5a of the worksheet.

If the web application and root site collection don't exist, you'll have to create them. You can do this by using either Central Administration or the SharePoint 2016 Management Shell. If they already exist, go to Ensure that an SSL binding exists on the primary web application.

Here's an example of how to create a web application by using the SharePoint 2016 Management Shell.

New-SPWebApplication -Name 'Adventureworks Web app' -SecureSocketsLayer -port 443 -ApplicationPool AdventureworksAppPool -ApplicationPoolAccount (Get-SPManagedAccount 'adventureworks\abarr') -AuthenticationProvider (New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication)

Where:

  • The name of the web application is Adventureworks Web app.

  • The port number of the web application is 443. Record the port number that you chose in the Port number of the web application row of Table 5a of the worksheet.

  • The new web application uses a web application pool named AdventureworksAppPool.

  • The web application runs as the managed account adventureworks\abarr.

  • The web application is created by using Windows Integrated Authentication with NTLM.

Here's an example of how to create the root site collection by using the SharePoint 2016 Management Shell.

New-SPSite 'https://sharepoint' -Name 'Portal' -Description 'Adventureworks Root site collection' -OwnerAlias 'adventureworks\abarr' -language 1033 -Template 'STS#0'

Where:

  • The host name of the SharePoint farm is "sharepoint".

  • The primary administrator is adventureworks\abarr.

  • The site template uses the English language (1033).

  • The template (STS#0) is the Team Site template.

For more information about how to create a web application and root site collection for a host-named site collection, see Create claims-based web applications in SharePoint Server and Host-named site collection architecture and deployment in SharePoint Server.

Ensure that an SSL binding exists on the primary web application

Because this web application is configured to use SSL, you have to ensure that an SSL certificate is bound to the primary web application. For production environments, this certificate should be issued by a public certification authority (CA). For test and development environments, this can be a self-signed certificate. We call this the on-premises SharePoint SSL certificate.

Tip

This is typically a separate certificate from the one that you'll later install on the reverse proxy device. For more information about these certificates, see the Plan SSL certificates section of Plan connectivity from Office 365 to SharePoint Server.

After the certificate is bound to the web application, you'll be able to see the web application's host name in the Issued To field in the Server Certificates dialog box in Internet Information Services (IIS). For more information, see How to Set Up SSL on IIS 7.0.

Create the host-named site collection

After the web application and root site collection are in place, the next step is to create a host-named site collection within the primary web application. The public URL of this site collection must be identical to the external endpoint URL.

Note

Host-named site collections must be created by using the SharePoint 2016 Management Shell. You can't use Central Administration to create this type of site collection.

Here's an example of how to create a host-named site collection by using the SharePoint 2016 Management Shell.

New-SPSite 'https://spexternal.adventureworks.com' -HostHeaderWebApplication 'https://sharepoint' -Name 'https://spexternal.adventureworks.com' -Description 'Site collection for hybrid' -OwnerAlias 'adventureworks\abarr' -language 1033 -Template 'STS#0'

Where:

  • The URL of the host-named site collection is https://spexternal.adventureworks.com, which is the External URL.

  • The host-named site collection is created in the primary web application at https://sharepoint (the -HostHeaderWebApplication parameter).

  • The primary administrator is adventureworks\abarr.

  • The site template uses the English language (1033), and the template (STS#0) is the Team Site template.

For more information, see Host-named site collection architecture and deployment in SharePoint Server.
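The three commands of this procedure as one idempotent script, added here as an example; it is not code from the original article. It checks each prerequisite (a web application with SSL and claims-based Windows authentication, no anonymous access, an SSL binding, and the root site collection) before creating the host-named site collection, then confirms that the result's public URL equals the External URL. The names, URLs and account are the article's sample values, and the SharePoint 2016 Management Shell snap-in is assumed.

```powershell
# Added example (not from the original article). Creates the primary web application,
# the root site collection and the host-named site collection, skipping anything that
# already exists, and verifies the settings this section requires.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$primaryWebAppUrl = 'https://sharepoint'                     # Primary web application URL (Table 5a)
$externalUrl      = 'https://spexternal.adventureworks.com'  # External URL (Table 3)
$managedAccount   = 'adventureworks\abarr'                   # article's sample account
$appPoolName      = 'AdventureworksAppPool'

# 1. Primary web application: SSL on 443 with Integrated Windows Authentication (NTLM),
#    exactly as the article's New-SPWebApplication example does.
$webApp = Get-SPWebApplication -Identity $primaryWebAppUrl -ErrorAction SilentlyContinue
if (-not $webApp) {
    $provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    $webApp = New-SPWebApplication -Name 'Adventureworks Web app' `
        -SecureSocketsLayer -Port 443 `
        -ApplicationPool $appPoolName `
        -ApplicationPoolAccount (Get-SPManagedAccount $managedAccount) `
        -AuthenticationProvider $provider
}

# Verify the Default zone before going further: claims authentication, no anonymous
# access, and a secure (SSL) binding on the IIS site.
$iis = $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
if (-not $webApp.UseClaimsAuthentication) { throw 'The primary web application must use claims authentication.' }
if ($iis.AllowAnonymous)                  { throw 'Allow Anonymous must be No on the primary web application.' }
if ($iis.SecureBindings.Count -eq 0)      { throw 'The primary web application has no SSL binding.' }

# 2. Path-based root site collection in the primary web application.
if (-not (Get-SPSite -Identity $primaryWebAppUrl -ErrorAction SilentlyContinue)) {
    New-SPSite $primaryWebAppUrl -Name 'Portal' -Description 'Adventureworks Root site collection' `
        -OwnerAlias $managedAccount -Language 1033 -Template 'STS#0' | Out-Null
}

# 3. Host-named site collection whose URL is the External URL.
if (-not (Get-SPSite -Identity $externalUrl -ErrorAction SilentlyContinue)) {
    New-SPSite $externalUrl -HostHeaderWebApplication $primaryWebAppUrl `
        -Name $externalUrl -Description 'Site collection for hybrid' `
        -OwnerAlias $managedAccount -Language 1033 -Template 'STS#0' | Out-Null
}

# Confirm the result: host-header based, and the public URL is identical to the
# External URL (scheme and host, no port), which the section requires.
$site = Get-SPSite -Identity $externalUrl
if (-not $site.HostHeaderIsSiteName) { throw "$externalUrl is not a host-named site collection." }
if ($site.Url -ne $externalUrl)      { throw "Public URL '$($site.Url)' does not match the External URL." }
"Host-named site collection ready: $($site.Url) in '$($site.WebApplication.DisplayName)'"
```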

Configure split DNS

You have to configure split DNS. This is a common configuration that's used to help ensure that on-premises client computers resolve a server name to internal IP addresses, even though public DNS resolves the same service name to a completely different public IP address. This enables internal users to be directed to an endpoint that uses standard SharePoint security-enhanced mechanisms for authentication, while queries from Office 365 can be directed through a reverse proxy that's configured to use certificate authentication.

For more information about how to use split DNS in a hybrid topology, see Architecture Design Recommendation for SharePoint 2013 Hybrid Search Features. For information about how to configure split DNS, see A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience.

Create an A record in the on-premises DNS

The reverse proxy device must be able to resolve the internal URL of the host-named site collection. You can do this by creating an A record in the desired on-premises DNS namespace. This doesn't have to be in the same namespace as the reverse proxy device. However, the reverse proxy device must be able to resolve this namespace. This A record maps the host name of the External URL to the IP address of the on-premises SharePoint farm. Here's an example of an A record where the External URL is https://spexternal.adventureworks.com, and the IP address of the network load balancer for the SharePoint farm is 10.0.0.13.

[Figure: an example of the A record]

The External URL is recorded in the External URL row of Table 3 of the worksheet.

You have finished configuring the site collection strategy by using a host-named site collection for hybrid. Now, skip ahead to Assign a UPN domain suffix.

Configure a site collection strategy by using a path-based web application without AAM

If you want to configure a site collection strategy by using a path-based web application, without the need to create an Alternate Access Mapping (AAM), for the SharePoint hybrid environment, complete these steps in the order shown:

  1. Ensure that the web application exists.

  2. Ensure that an SSL binding exists on the primary web application.

  3. Configure split DNS.

  4. Create an A record in the on-premises DNS.

Note

When you configure a site collection strategy without AAM, the public URL of the primary web application must be identical to the External URL.

For more information, see the Choose a site collection strategy section of Plan connectivity from Office 365 to SharePoint Server.

Ensure that the primary web application exists

You can use an existing web application as the primary web application, or you can create one. You should have made this decision during planning and recorded it in the New or existing web application row of Table 2 of the worksheet. If you haven't made this decision yet, refer to Plan connectivity from Office 365 to SharePoint Server and decide before you go any further. Remember that when you configure a site collection strategy without AAM, the public URL of the primary web application must be identical to the External URL.

If, during planning, you decided which existing web application to use as the primary web application, its URL should be recorded in the Primary web application URL row of Table 5b of the worksheet. If so, skip ahead to Ensure that an SSL binding exists on the primary web application. Otherwise, to create a web application to use as the primary web application, use the procedures in Create claims-based web applications in SharePoint Server.

In general, you should use the default settings. However, the following configuration settings are required.

Required configuration settings

| Location | Description |
| --- | --- |
| In the IIS Web Site section, in the Port box | Type the port number that you want this web application to use, for example, 443. |
| In the Security Configuration section | Ensure that Allow Anonymous is set to No. |
| In the Security Configuration section | Ensure that Use Secure Sockets Layer (SSL) is set to Yes. You'll have to bind an SSL certificate to the web application, which we discuss more in the next section. |
| In the Claims Authentication Types section | Select the Enable Windows Authentication check box, select the Integrated Windows authentication check box, and in the drop-down menu, select NTLM. |
| In the Public URL section, in the URL box | Type the External URL, for example, https://spexternal.adventureworks.com. By default, SharePoint appends the port number to the default URL that it recommends for this field. When you replace that URL with the External URL, don't append the port number. |

To make things easier for yourself in later procedures, we recommend that you do the following.

Get the URL from the Public URL section of the Create New Web Application page in Central Administration, and record it in the Primary web application URL row of Table 5b of the worksheet.

Ensure that an SSL binding exists on the primary web application

You have to ensure that an SSL certificate is bound to the primary web application. For production environments, this certificate should be issued by a public certification authority (CA). For test and development environments, this can be a self-signed certificate. We call this the on-premises SharePoint SSL certificate.

Tip

This is typically a separate certificate from the one that you'll later install on the reverse proxy device, but you can use the Secure Channel SSL certificate for this if you want to. For more information about these certificates, see the Plan SSL certificates section of Plan connectivity from Office 365 to SharePoint Server.

The host name of the web application must be in the Subject field of the SSL certificate. After the certificate is bound to the web application, you can see this host name in the Issued To field in the Server Certificates dialog box in Internet Information Services (IIS). For more information, see How to Set Up SSL on IIS 7.0.

Configure split DNS

You have to configure split DNS. This is a common configuration that's used to help ensure that on-premises client computers resolve a server name to internal IP addresses, even though public DNS resolves the same service name to a completely different public IP address. This enables internal users to be directed to an endpoint that uses standard SharePoint security-enhanced mechanisms for authentication, while queries from Office 365 can be directed through a reverse proxy that's configured to use certificate authentication.

For more information about how to use split DNS in a hybrid topology, see Architecture Design Recommendation for SharePoint 2013 Hybrid Search Features. For information about how to configure split DNS, see A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience.

Create an A record in the on-premises DNS

The reverse proxy device must be able to resolve the internal URL of the host-named site collection. You can do this by creating an A record in the desired on-premises DNS namespace. This doesn't have to be in the same namespace as the reverse proxy device. However, the reverse proxy device must be able to resolve this namespace. This A record maps the host name of the External URL to the IP address of the on-premises SharePoint farm. Here's an example of an A record where the External URL is https://spexternal.adventureworks.com and the IP address of the network load balancer for the SharePoint farm is 10.0.0.13.

[Figure: an example of the A record]

The External URL is recorded in the External URL row of Table 3 of the worksheet.
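The split DNS and A record steps above (they appear in both the host-named and the path-based procedure) as an added example, not taken from the original article: on a Windows DNS server it creates the internal copy of the public zone and the A record that maps the External URL's host name to the farm's load balancer, then checks that the internal and public answers differ. The DnsServer module, the internal DNS server name and the public resolver address are assumptions; the zone, host name and 10.0.0.13 are the article's sample values.

```powershell
# Added example (not from the original article). Split DNS for the External URL:
# internally, spexternal.adventureworks.com must resolve to the SharePoint farm's
# load balancer; publicly, it must keep resolving to the reverse proxy endpoint.
Import-Module DnsServer   # Windows Server DNS role or RSAT DNS tools (assumed present)

$zoneName   = 'adventureworks.com'                # public domain (Table 3)
$hostLabel  = 'spexternal'                        # host part of the External URL (Table 3)
$internalIp = '10.0.0.13'                         # load balancer of the on-premises farm
$dnsServer  = 'dc01.corp.adventureworks.local'    # assumed internal DNS server
$publicDns  = '8.8.8.8'                           # any public resolver, used only to compare

# Internal copy of the public zone. Only names that internal clients and the reverse
# proxy must resolve internally get records here; every other public host name of the
# domain would need its own record in this zone too, otherwise it stops resolving internally.
if (-not (Get-DnsServerZone -Name $zoneName -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope 'Domain' -ComputerName $dnsServer
}

$existing = Get-DnsServerResourceRecord -ZoneName $zoneName -Name $hostLabel -RRType A `
    -ComputerName $dnsServer -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $hostLabel -IPv4Address $internalIp `
        -ComputerName $dnsServer -TimeToLive (New-TimeSpan -Minutes 5)
}
elseif ($existing.RecordData.IPv4Address.IPAddressToString -ne $internalIp) {
    throw "Internal A record for $hostLabel.$zoneName points to $($existing.RecordData.IPv4Address), expected $internalIp"
}

# Verification: the internal resolver answers with the farm IP, the public resolver
# with the reverse proxy's Internet-facing IP (Table 3). The farm IP must never leak publicly.
$fqdn     = "$hostLabel.$zoneName"
$internal = (Resolve-DnsName $fqdn -Type A -Server $dnsServer).IPAddress
$public   = (Resolve-DnsName $fqdn -Type A -Server $publicDns).IPAddress
if ($internal -ne $internalIp) { throw "Split DNS not in effect: internal answer for $fqdn was $internal" }
if ($public -eq $internalIp)  { throw "The public zone for $fqdn exposes the internal farm IP." }
"$fqdn -> internal: $internal, public: $public"
```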

You have finished configuring the site collection strategy by using a path-based site collection without AAM for hybrid. Now, skip ahead to Assign a UPN domain suffix.

Configure a site collection strategy by using a path-based web application with AAM

If you want to use a path-based web application with Alternate Access Mapping (AAM) for your site collection strategy, complete these steps in the order shown:

  1. Ensure that the primary web application exists.

  2. Extend the primary web application, and configure AAM.

  3. Ensure that an SSL binding exists on the primary web application (if it is needed).

  4. Configure AAM.

  5. Create a CNAME record.

If you've already configured a different name mapping type, go to Assign a UPN domain suffix.

The following video demonstrates how a site collection strategy works with a path-based web application with AAM.

Video: Understanding URLs and host names

You can use an existing web application as the primary web application, or you can create one. If you haven't made this decision yet, refer to Plan connectivity from Office 365 to SharePoint Server and decide before you go any further.

If, during planning, you decided which existing web application to use as the primary web application, its URL should be recorded in the Primary web application URL row of Table 5c of the worksheet. If so, skip ahead to Extend the primary web application. Otherwise, to create a web application to use as the primary web application, use the procedures in Create claims-based web applications in SharePoint Server. The SharePoint hybrid configuration is not affected by the initial configuration of this web application when you configure this site collection strategy, because you'll apply the settings that you need for hybrid when you extend the web application a bit later. So you can use any settings that you want when you create the web application.

To make things easier for yourself in later procedures, we recommend that you record this information when you create the web application: get the URL from the Public URL section of the Create New Web Application page in Central Administration, and record it in the Primary web application URL row of Table 5c of the worksheet.

Extend the primary web application

This section explains how to extend your web application. Extending the web application creates a new IIS website to which you'll assign the External URL as the public URL.

When you've completed the procedures in this section, you'll have two IIS websites. Both are connected to the same content database. The original IIS website will be unchanged and can continue to be accessed by internal users. The extended web application will use a different zone, such as the Internet zone, and will be configured to use the External URL as the public URL. This extended web application is used only for servicing SharePoint hybrid requests.

Important

Ensure that you perform these procedures on the specific web application that you intend to use as the primary web application for SharePoint hybrid solutions. The URL of the web application that you have to extend is recorded in the Primary web application URL row of Table 5c of the worksheet.

To extend the web application, use the procedures in Extend claims-based web applications in SharePoint. In general, you should use the default settings. However, the following configuration settings are required.

Required configuration settings

| Location | Description |
| --- | --- |
| In the IIS Web Site section, in the Port box | Ensure that the value is set to the appropriate port number for one of the following. If you decide to extend the primary web application for unencrypted HTTP connections, use port 80 or the HTTP port specified by the network administrator who configures the reverse proxy device; all inbound service connections from the reverse proxy device to the web application's site collection then have to use HTTP. If you decide to configure the primary web application for encrypted HTTPS connections, use port 443 or the SSL port specified by the network administrator who configures the reverse proxy device; all inbound service connections from the reverse proxy device to the web application's site collection then have to use HTTPS. |
| In the Security Configuration section | Ensure that Allow Anonymous is set to No. |
| In the Security Configuration section | Choose the appropriate value for Use Secure Sockets Layer (SSL). If you choose No, the web application will use unencrypted HTTP. If you choose Yes, the web application will use encrypted HTTPS, and you must bind an SSL certificate to the extended web application. We discuss this certificate more in the next section. |
| In the Claims Authentication Types section | Select the Enable Windows Authentication check box, select the Integrated Windows authentication check box, and in the drop-down menu, select NTLM. |
| In the Public URL section, in the URL box | Type the External URL, for example, https://spexternal.adventureworks.com. Note that by default, SharePoint appends the port number to the default URL that it recommends for this field. When you replace that URL with the External URL, don't append the port number. |
| In the Public URL section, in the Zone list | Select the zone that you want to assign to this extended web application. We recommend that you set the Zone value to Internet if it's available. |

Ensure that an SSL binding exists on the primary web application (if it's needed)

If you configured the extended web application to use SSL, you'll have to ensure that an SSL certificate is bound to the web application that you extended in the previous section. Otherwise, if you configured the extended web application for HTTP (unencrypted), skip ahead to Configure AAM.

For production environments, this certificate should be issued either by a public or an enterprise certification authority (CA). For test and development environments, this can be a self-signed certificate. We call this the on-premises SharePoint SSL certificate.

Important

This certificate must have the bridging host name of the URL in the Subject field. For example, if the bridging URL is https://bridge, the Subject field of the certificate must contain bridge. Therefore, this certificate can't be created by using IIS. But you can use a certificate creation tool such as MakeCert.exe to create it. After the certificate is bound to the web application, you can see this host name in the Issued To field in the Server Certificates dialog box in Internet Information Services (IIS).

Tip

This is typically a separate certificate from the one that you'll later install on the reverse proxy device. For more information about these certificates, see the Plan SSL certificates section of Plan connectivity from Office 365 to SharePoint Server.

For more information about how to set up SSL, see A guide to https and Secure Sockets Layer in SharePoint 2013.
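The following PowerShell check is an added example, not part of this article: it reads the certificate that IIS has bound to the extended web application's SSL port and confirms that its Subject carries the bridging host name, and it flags self-signed or expired certificates, which the article allows only for test and development farms. It assumes the bridging URL https://bridge, SSL port 443, and an elevated session on a SharePoint web server; these are placeholders to replace from Table 5c of the worksheet.

```powershell
# Added example (not from the article). Assumptions: bridging URL https://bridge,
# extended web application on SSL port 443, run elevated on a SharePoint web server.
Import-Module WebAdministration

$bridgingHost = 'bridge'   # host name of the bridging URL (Table 5c of the worksheet)
$sslPort      = 443        # SSL port chosen when the web application was extended

# All HTTPS bindings on the chosen port, whichever IIS site they belong to.
$bindings = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:${sslPort}:*" }
if (-not $bindings) {
    Write-Warning "No HTTPS binding on port $sslPort was found; bind the on-premises SharePoint SSL certificate to the extended web application first."
    return
}

foreach ($binding in $bindings) {
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding $($binding.bindingInformation) has no certificate in Cert:\LocalMachine\$store."
        continue
    }

    # The reverse proxy validates the host name it connects to, so the Subject
    # must contain CN=<bridging host>, not the IIS site name or a farm FQDN.
    $subjectOk  = $cert.Subject -match "(^|,\s*)CN=$([regex]::Escape($bridgingHost))(\s*,|$)"
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $expired    = ($cert.NotAfter -lt (Get-Date))

    [pscustomobject]@{
        Binding        = $binding.bindingInformation
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        SubjectHasHost = $subjectOk
        SelfSigned     = $selfSigned     # acceptable only in test/dev farms
        Expired        = $expired
        NotAfter       = $cert.NotAfter
    }

    if (-not $subjectOk) { Write-Warning "Subject lacks CN=$bridgingHost; re-issue the certificate (for example with MakeCert.exe) with the bridging host name as Subject." }
    if ($selfSigned)     { Write-Warning 'Certificate is self-signed; production farms need one issued by a public or enterprise CA.' }
    if ($expired)        { Write-Warning 'Certificate has expired; the reverse proxy will reject the connection.' }
}
```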

Configure AAM

To enable SharePoint Server to dynamically translate links in requests by using the External URL, follow these steps.

To configure AAM

  1. In Central Administration, in the Quick Launch, click Application Management.

  2. In the Web Applications section, click Configure alternate access mappings.

  3. On the Alternate Access Mappings page, click Add Internal URLs.

  4. In the Alternate Access Mapping Collection section, click the down arrow, and then click Change Alternate Access Mapping Collection. In the dialog box that is displayed, select the primary web application that you're configuring for hybrid.

     The URL of this web application is recorded in the Primary web application URL row of Table 5c of the worksheet.

  5. In the Add Internal URL section, in the URL protocol, host and port box, type the URL you want to use as the bridging URL. This URL must have the same protocol as the extended web application, either http or https. For example, if you configured the extended web application by using https, the URL will resemble https://bridge.

     The protocol that you used is recorded in the Protocol of the extended web application row of Table 5c of the worksheet. Record this URL in the Bridging URL row of Table 5c of the worksheet.

  6. In the Zone drop-down menu, select the same zone that you used when you extended the web application.

     This zone is recorded in the Zone of the extended web application row of Table 5c of the worksheet.

  7. Click Save.

     The URL that you specified in step 5 appears in the Internal URL column of the Alternate Access Mappings page.
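The same AAM change made from the SharePoint Management Shell, as an added example that is not part of this article: it enforces the protocol rule from the bridging URL step before creating the mapping, then lists the result. The primary web application URL https://sharepoint.adventureworks.com, the bridging URL https://bridge and the Internet zone are placeholders; take the real values from Table 5c of the worksheet.

```powershell
# Added example (not from the article). Run in the SharePoint Management Shell
# (Windows PowerShell) on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$primaryWebAppUrl = 'https://sharepoint.adventureworks.com'   # Table 5c: Primary web application URL
$bridgingUrl      = 'https://bridge'                           # Table 5c: Bridging URL
$zone             = 'Internet'                                 # Table 5c: Zone of the extended web application

$webApp = Get-SPWebApplication -Identity $primaryWebAppUrl

# Public URL of the zone the extended web application was assigned to; for a
# public URL the incoming and public values are identical.
$zonePublicUrl = (Get-SPAlternateURL -WebApplication $webApp -Zone $zone |
    Where-Object { $_.IncomingUrl -eq $_.PublicUrl } | Select-Object -First 1).PublicUrl
if (-not $zonePublicUrl) {
    throw "Zone $zone has no public URL on $primaryWebAppUrl; extend the web application into that zone first."
}

# The bridging URL must use the same protocol (http or https) as the extended web application.
if (([uri]$bridgingUrl).Scheme -ne ([uri]$zonePublicUrl).Scheme) {
    throw "Bridging URL $bridgingUrl must use the same protocol as $zonePublicUrl."
}

# Add the bridging URL as an internal URL of the chosen zone.
New-SPAlternateURL -Url $bridgingUrl -WebApplication $webApp -Zone $zone -Internal | Out-Null

# The new mapping should now be listed as an internal URL that maps to the zone's public URL.
Get-SPAlternateURL -WebApplication $webApp |
    Where-Object { $_.IncomingUrl -eq $bridgingUrl } |
    Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```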

Create a CNAME record

You need to create a CNAME record in the on-premises DNS. This record maps the host name of the Bridging URL to the fully qualified domain name of the on-premises SharePoint farm. The Bridging URL is the one that you assigned to the AAM in the previous section. The reverse proxy device must be able to query DNS to resolve the alias to the IP address of the on-premises SharePoint farm.

Here's an example CNAME record where the host name is Bridge, based on the bridging URL, https://bridge.

Figure: CNAME record in a SharePoint Server 2013 hybrid environment

To verify that the alias name you chose for your CNAME record is resolving to the SharePoint Server farm, do the following verification step.

Verification step

  1. Log on to the reverse proxy device as administrator and open a Windows command prompt.

  2. Ping the alias name in the CNAME record. For example, if the alias name is Bridge, then type the following and press Enter.

    ping bridge
    

    The command prompt should return the IP address of the SharePoint farm that's specified in the CNAME record. If not, verify that the fully qualified domain name of the SharePoint farm is correctly specified in the CNAME record and then repeat these verification steps.

    Note

    If the ping command is blocked on the network, try using either the tracert -4 or the pathping -4 command instead.
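As an added example that is not part of this article, the same verification can be done with DNS queries instead of ICMP, which also works where ping is blocked: it checks that the alias is a CNAME pointing at the farm's fully qualified domain name and that that name resolves to an address. The alias bridge and the farm name sp.corp.adventureworks.com are placeholders; run it on the reverse proxy device, because that host's resolver is the one that matters.

```powershell
# Added example (not from the article). Assumptions: alias "bridge" from the
# bridging URL https://bridge, farm FQDN sp.corp.adventureworks.com (placeholder).
$alias    = 'bridge'
$farmFqdn = 'sp.corp.adventureworks.com'

function Test-BridgingCname {
    param([string]$Alias, [string]$FarmFqdn)

    # The alias must be a CNAME whose target is the farm's FQDN. A short alias
    # relies on the reverse proxy's DNS suffix search list, as ping does.
    $cname = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction Stop |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        return [pscustomobject]@{ Alias = $Alias; Ok = $false; Reason = 'No CNAME record returned; check the on-premises DNS zone.' }
    }
    if ($cname.NameHost -ne $FarmFqdn) {
        return [pscustomobject]@{ Alias = $Alias; Ok = $false; Reason = "CNAME points to $($cname.NameHost), not $FarmFqdn." }
    }

    # The FQDN the alias points to must itself resolve to an IPv4 address,
    # which is what the reverse proxy will connect to.
    $addresses = Resolve-DnsName -Name $cname.NameHost -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    if (-not $addresses) {
        return [pscustomobject]@{ Alias = $Alias; Ok = $false; Reason = "$($cname.NameHost) has no A record." }
    }

    [pscustomobject]@{ Alias = $Alias; Ok = $true; Target = $cname.NameHost; IPAddress = ($addresses -join ', ') }
}

Test-BridgingCname -Alias $alias -FarmFqdn $farmFqdn | Format-List
```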

Create and configure a target application for the SSL certificate in SharePoint Online

In this section, you create and configure a Secure Store target application in SharePoint Online. This target application is used to store the Secure Channel SSL certificate and enable it so that it can be used by SharePoint Online services when users request data from the on-premises SharePoint farm. We refer to this target application as the Secure Channel Target Application.

To follow these steps, you need the information recorded in Table 4a of the worksheet.

Note

You can use either a certificate that contains a private key, such as a Private Information Exchange (.pfx) file, or an Internet Security Certificate File (.cer). If you use a .pfx file, you must provide the password for the private key later in this procedure.

When you configure SharePoint hybrid solutions in Phase 4: Configure a hybrid solution, you'll provide the name of the target application that you created so that SharePoint Online Search and Business Connectivity Services can get the Secure Channel SSL certificate that's needed to authenticate with the reverse proxy device.

To create a target application to store the Secure Channel SSL certificate

  1. Verify that you're logged on to Office 365 as a global administrator.

  2. In the SharePoint Online Administration Center, in the navigation pane, choose secure store.

  3. On the Edit tab, choose New.

  4. In the Target Application Settings section, do the following:

     a. In the Target Application ID box, type the name (which will be the ID) that you want to use for the target application. For example, we recommend that you name it SecureChannelTargetApplication. Do not use spaces in this name.

        Note

        You create the ID in this step; you do not receive the ID from elsewhere. This ID is a unique target application name that cannot be changed.

        Record this name in the Target Application ID row of Table 6 of the worksheet.

     b. In the Display Name box, type the name that you want to use as the display name for the new target application. For example, Secure Channel Target App.

        Record this name in the Target Application Display Name row of Table 6 of the worksheet.

     c. In the Contact E-mail box, type the name of the primary contact for this target application.

  5. In the Credential Fields section, do the following:

     a. In the Field Name column, in the first row, delete any existing text that is in the box, and then type Certificate.

     b. In the Field Type column, in the first row, in the drop-down list, select Certificate.

     c. In the Field Name column, in the second row, delete any existing text that is in the box, and then type Certificate Password.

        Note

        You must follow this step only if you are importing the certificate from a certificate that contains a private key, such as a Private Information Exchange (.pfx) file.

     d. In the Field Type column, in the second row, in the drop-down list, select Certificate Password.

        The credentials section should resemble the following illustration.

        Figure: credential settings of a Secure Store Service target application

  6. In the Target Application Administrators section, in the box, type the names of users who will have access to manage the settings of this target application. Make sure to add any users who will test the hybrid configuration so that they can make changes, if needed.

  7. In the Members section, in the box, type the names of the Azure AD users and groups that you want to enable to use hybrid solutions.

     The Office 365 global administrator can create Azure AD groups. These are domain groups, not SharePoint groups.

     A list of these users, or the group they were added to, is listed in the Federated Users row of Table 1 of the worksheet.

  8. Click OK.

  9. Select the check box next to the ID of the target application that you created, for example, SecureChannelTargetApp.

     This name is listed in the Target Application Display Name row of Table 6 of the worksheet.

  10. On the Edit tab, in the Credentials group, click Set.

  11. In the set credentials for secure store target application dialog box, do the following:

      a. Next to the Certificate field, click Browse.

      b. Browse to the location of the Secure Channel SSL certificate, select the certificate, and then click Open.

         The name and location of this certificate are recorded in the Secure Channel SSL Certificate location and filename row of Table 4b of the worksheet.

      c. If the certificate you're using contains a private key, such as a Private Information Exchange (.pfx) file, then in the Certificate Password field, type the password of the certificate. Otherwise, go to step 12.

         The password is recorded in the Secure Channel SSL Certificate password row of Table 4b of the worksheet.

      d. In the Confirm Certificate Password field, retype the password of the certificate.

  12. Click OK.

For more information, see Configure the Secure Store Service in SharePoint Server.

Validation and next steps

After you complete the configuration tasks in this topic, you should validate the following items:

  • Verify that your public Internet domain name can be resolved in DNS.

  • Verify that you can connect to the primary web application by using both the internal and external URLs.

  • Verify that you can successfully access an on-premises site collection within the primary web application from the Internet by using the external URL of your reverse proxy endpoint. The computer that you use for this validation step must have the Secure Channel SSL certificate installed in the Personal certificate store of the computer account.
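The following PowerShell script is an added example, not part of this article, that exercises the second and third validation items: it requests a site collection over the internal URL, then over the external URL without and with the Secure Channel SSL certificate presented as a client certificate, so you can see that the reverse proxy endpoint is what enforces the certificate. The URLs, the site collection path /sites/hybrid and the certificate thumbprint are placeholders; take the real values from Tables 4b and 5c of the worksheet.

```powershell
# Added example (not from the article). Assumptions: internal URL
# https://sharepoint.adventureworks.com, external URL
# https://spexternal.adventureworks.com, site collection /sites/hybrid, and the
# Secure Channel SSL certificate (with private key) in the computer account's
# Personal store; run elevated so the private key can be used.
$internalUrl = 'https://sharepoint.adventureworks.com/sites/hybrid'
$externalUrl = 'https://spexternal.adventureworks.com/sites/hybrid'
$secureChannelThumbprint = '<thumbprint of the Secure Channel SSL certificate>'   # placeholder

function Test-SPEndpoint {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCertificate
    )
    $params = @{ Uri = $Url; UseBasicParsing = $true; UseDefaultCredentials = $true }
    if ($ClientCertificate) { $params['Certificate'] = $ClientCertificate }   # mutual TLS to the reverse proxy
    try {
        $status = [int](Invoke-WebRequest @params).StatusCode
    } catch {
        # A 401/403 still proves the endpoint answered; no Response means DNS or TLS failed.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { return [pscustomobject]@{ Url = $Url; ClientCert = [bool]$ClientCertificate; Result = "no HTTP response: $($_.Exception.Message)" } }
    }
    $result = switch ($status) {
        { $_ -ge 200 -and $_ -lt 300 } { 'reachable, page returned' }
        401                            { 'reachable, SharePoint asked for Windows authentication' }
        default                        { "HTTP $status, investigate" }
    }
    [pscustomobject]@{ Url = $Url; ClientCert = [bool]$ClientCertificate; Result = $result }
}

$clientCert = Get-Item "Cert:\LocalMachine\My\$secureChannelThumbprint" -ErrorAction SilentlyContinue
if (-not $clientCert -or -not $clientCert.HasPrivateKey) {
    Write-Warning 'Secure Channel SSL certificate with its private key was not found in the computer account Personal store.'
}

Test-SPEndpoint -Url $internalUrl
Test-SPEndpoint -Url $externalUrl   # no client certificate: a reverse proxy that requires it should not let this through
if ($clientCert) { Test-SPEndpoint -Url $externalUrl -ClientCertificate $clientCert }   # should reach the site collection
```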

After you have completed and validated the configuration tasks in this topic, return to your configuration roadmap.