Configure server-to-server authentication from SharePoint Server to SharePoint Online

Summary: Learn how to build a server-to-server trust between SharePoint Server and SharePoint Online.

This article is part of a roadmap of procedures for configuring SharePoint hybrid solutions. Be sure you're following a roadmap when you do the procedures in this article.

Configure server-to-server authentication

This article provides guidance for the SharePoint hybrid environment deployment process, which integrates SharePoint Server and SharePoint Online.

Tip

For the most reliable outcome, complete the procedures in the order they are shown in this article.

Verify web application settings

In SharePoint hybrid, federated users can send requests to SharePoint Online from any SharePoint Server web application that is configured to use Integrated Windows authentication with NTLM.

For example, you have to make sure that the on-premises search center site(s) you want to use in your solution are on a web application configured to use Integrated Windows authentication with NTLM. If they're not, either reconfigure the web application to use Integrated Windows authentication with NTLM, or use a search center site on a web application that already meets this requirement. You also have to make sure that the users who expect search results to be returned from SharePoint Online are federated users.

To verify that a web application meets the requirement

  1. Confirm that the user account that will do this procedure is a member of the Farm Administrators SharePoint group.

  2. In Central Administration, click Application Management > Manage web applications.

  3. In the Name column, select the web application that you want to verify, and then on the ribbon, click Authentication Providers.

  4. In the Authentication Providers dialog box, in the Zone column, click the zone the search center site is associated with.

  5. In the Edit Authentication dialog box, verify that Integrated Windows authentication and NTLM are selected, as shown in the following picture.

    [Figure: the authentication settings of a web application, with Integrated Windows authentication and NTLM selected]

Configure OAuth over HTTP (if it is required)

By default, OAuth in SharePoint Server requires HTTPS. If you configured your primary web application to use HTTP instead of SSL, you have to enable OAuth over HTTP on every web server in your SharePoint Server farm. Treat this as a test-environment setting only: with OAuth over HTTP, the access tokens exchanged between SharePoint Server and SharePoint Online travel in clear text and can be read or replayed by anyone on the network path.

Note

If you configured your primary web application to use SSL, this step is not required, and you can skip ahead to OBSOLETE Configure a two-way hybrid topology.

To enable OAuth over HTTP, run the following commands as a farm administrator account from the SharePoint 2016 Management Shell command prompt on each web server in your SharePoint Server farm.

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()

If you enabled OAuth over HTTP for testing but want to reconfigure your environment to use SSL, disable OAuth over HTTP by running the following commands as a farm administrator account from the SharePoint 2016 Management Shell command prompt on each web server in your SharePoint Server farm.

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()
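The two snippets above flip the flag unconditionally. The script below is an added example, not part of the original article: it checks whether the farm actually needs OAuth over HTTP by comparing the scheme of the primary web application's URL with the current AllowOAuthOverHttp setting, lists every web application that is still plain HTTP, and, only when you pass the switch, sets the flag to match what the primary web application requires (on for HTTP, off for HTTPS). The function name, the -PrimaryWebAppUrl parameter and the -Enforce switch are illustrative assumptions; the cmdlets are the ones the article itself uses.

```powershell
# Added example (not from the original article). Run from the SharePoint
# Management Shell as a farm administrator, with the SharePoint snap-in loaded.
function Test-OAuthOverHttpRequirement {
    [CmdletBinding()]
    param(
        # Assumed parameter: internal URL of the web application used for hybrid,
        # i.e. the value you later put in $spsite (for example http://sharepoint).
        [Parameter(Mandatory)][string]$PrimaryWebAppUrl,
        # Assumed switch: without it the function only reports, never changes anything.
        [switch]$Enforce
    )

    $config  = Get-SPSecurityTokenServiceConfig
    $primary = Get-SPWebApplication -Identity $PrimaryWebAppUrl
    $usesSsl = (([uri]$primary.Url).Scheme -eq 'https')

    # Inventory every web application whose URL is plain HTTP; each of these would
    # carry OAuth tokens in clear text if AllowOAuthOverHttp is on.
    $httpWebApps = @(Get-SPWebApplication | Where-Object { ([uri]$_.Url).Scheme -eq 'http' })

    $report = [pscustomobject]@{
        PrimaryWebApp      = $primary.Url
        PrimaryUsesSsl     = $usesSsl
        HttpWebApps        = ($httpWebApps | ForEach-Object { $_.Url }) -join ', '
        AllowOAuthOverHttp = $config.AllowOAuthOverHttp
        SettingRequired    = (-not $usesSsl)
        # True when the farm setting already matches what the primary web app needs.
        SettingMatchesNeed = ($config.AllowOAuthOverHttp -eq (-not $usesSsl))
    }

    if ($Enforce -and -not $report.SettingMatchesNeed) {
        # Enable the flag only while the primary web application really is HTTP,
        # and switch it back off as soon as the web application moves to SSL.
        $config.AllowOAuthOverHttp = $report.SettingRequired
        $config.Update()
        Write-Warning ("AllowOAuthOverHttp set to {0}; the article asks you to repeat this on every web server in the farm." -f $report.SettingRequired)
    }

    $report
}

# Usage (assumed URL): report first, then enforce once you have read the report.
Test-OAuthOverHttpRequirement -PrimaryWebAppUrl "http://sharepoint"
Test-OAuthOverHttpRequirement -PrimaryWebAppUrl "http://sharepoint" -Enforce
```

Run the reporting form before the -Enforce form: the HttpWebApps column tells you which other web applications would also start accepting OAuth over clear-text HTTP, which is the reason the article tells you to turn the setting off again once the web application uses SSL.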

Configure server-to-server authentication between on-premises SharePoint Server and SharePoint Online

This section helps you set up server-to-server authentication among:

  • SharePoint Server

  • SharePoint Online

  • Azure Active Directory

When you set up server-to-server authentication for hybrid environments, you create a trust relationship between your on-premises SharePoint farm and your SharePoint Online tenant, which uses Azure Active Directory as a trusted token signing service. By adding the required PowerShell modules and snap-ins, you can do the whole process in a single PowerShell window on an on-premises SharePoint web server.

Tip

Keep a record of your steps, the PowerShell cmdlets you run, and any errors that you encounter. Capture all the contents of the PowerShell buffer when you have finished and before you close the window. This gives you a history of the steps you took, which is helpful if you have to troubleshoot or explain the process to others, and it refreshes your memory if the setup happens in stages.

Here's a high-level view of the procedures you have to complete in this section:

  1. Configure the Security Token Service (STS) in SharePoint Server:

    • Create a new STS certificate.

    • Replace the default STS certificate on each server in your SharePoint Server farm.

  2. Install online service management tools on a web server in your SharePoint Server farm.

  3. Configure server-to-server authentication:

    • Set variables you'll be using in later steps.

    • Upload the new on-premises STS certificate to SharePoint Online.

    • Add a Service Principal Name (SPN) to Azure.

    • Register the SharePoint Online application principal object ID with on-premises SharePoint Server.

    • Configure a common authentication realm between your on-premises SharePoint Server farm and SharePoint Online.

    • Configure an Azure Active Directory application proxy on-premises.

Install online service management tools and configure the Windows PowerShell window

To continue, you need to install these tools on an on-premises SharePoint Server web server:

  • The Microsoft Online Services Sign-In Assistant

  • The Azure Active Directory Module for Windows PowerShell

  • The SharePoint Online Management Shell

This is most easily done on a web server in your SharePoint farm, because the Microsoft.SharePoint.PowerShell snap-in is available there and is harder to load on servers that don't have SharePoint Server installed.

Authentication to SharePoint Server, SharePoint Online, and Azure Active Directory requires different user accounts. For information about how to determine which account to use, see Accounts needed for hybrid configuration and testing.

Note

To make it easier to complete the steps in this section, we'll open a PowerShell command prompt window on a SharePoint Server web server and add the modules and snap-ins that let you connect to SharePoint Server, SharePoint Online, and Azure Active Directory. (Detailed steps follow later in this article.) We'll then keep this window open for all the remaining PowerShell steps in this article.

To install the online service management tools and configure the PowerShell window:

  1. Install the online service management tools:

    • Install the Microsoft Online Services Sign-In Assistant: Microsoft Online Services Sign-In Assistant for IT Professionals BETA (64-bit version) (https://go.microsoft.com/fwlink/?LinkId=391943). For additional information, see Microsoft Online Services Sign-In Assistant for IT Professionals RTW (https://go.microsoft.com/fwlink/?LinkId=392322).

    • Install the 64-bit version of the Microsoft Azure Active Directory Module for Windows PowerShell.

    • Install the SharePoint Online Management Shell: SharePoint Online Management Shell (64-bit version) (https://go.microsoft.com/fwlink/?LinkId=392323). For additional information, see Introduction to the SharePoint Online management shell (https://go.microsoft.com/fwlink/?LinkId=392324).

  2. Open a PowerShell window.

  3. To make sure you don't fill the buffer and lose any of your command history, increase the buffer size of the PowerShell window:

    • Click the upper-left corner of the Windows PowerShell window, and then click Properties.

    • In the Windows PowerShell Properties window, click the Layout tab.

    • Under Screen Buffer Size, set the Height field to 9999, and then click OK.

  4. This step loads the modules you downloaded so you can use them in your PowerShell session. Copy the following commands into your PowerShell session, and press Enter.

    Add-PSSnapin Microsoft.SharePoint.PowerShell
    Import-Module Microsoft.PowerShell.Utility
    Import-Module MSOnline -force
    Import-Module MSOnlineExtended -force
    Import-Module Microsoft.Online.SharePoint.PowerShell -force
    

    If you need to run any of the configuration steps again later, remember to run these commands again to load the required modules and snap-ins in PowerShell.

  5. Configure remoting in Windows PowerShell:

    From the PowerShell command prompt, type the following commands.

    enable-psremoting
    new-pssession
    

    For more information, see about_Remote_Requirements (https://go.microsoft.com/fwlink/?LinkId=392326).

  6. To log on to your SharePoint Online tenant, from the PowerShell command prompt, type the following commands.

    $cred=Get-Credential
    Connect-MsolService -Credential $cred
    

    You are prompted to log on. Use an Office 365 global administrator account.

    Leave the PowerShell window open until you've completed all the steps in this article. You need it for the procedures in the following sections.

Configure server-to-server (S2S) authentication

Now that you have installed the tools to remotely administer Azure Active Directory and SharePoint Online, you're ready to set up server-to-server authentication.

About the variables you'll create

This section describes the variables you will set in the procedure that follows. These variables hold information used in many of the remaining configuration steps.

Variable: $spcn
    The root domain name of your public domain, prefixed with a wildcard so it can be used as the SPN instance name in Step 3. This value is not a URL; it is the domain name only, with no protocol. An example is *.adventureworks.com.

Variable: $spsite
    The internal URL of your on-premises primary web application, that is, the web application you are using for hybrid functionality, such as http://sharepoint or https://sharepoint.adventureworks.com. This is a full URL with the proper protocol (http:// or https://).

Variable: $site
    The root site collection object of your on-premises primary web application. The command that populates this variable gets the object for the URL you specified in $spsite. You don't type a value; it is populated automatically.

Variable: $spoappid
    The SharePoint Online application principal ID, which is always 00000003-0000-0ff1-ce00-000000000000. This well-known value identifies the SharePoint Online application in any Office 365 tenant.

Variable: $spocontextID
    The context ID (ObjectID) of your SharePoint Online tenant, a unique GUID that identifies the tenant. This value is detected automatically when you run the command that sets the variable.

Variable: $metadataEndpoint
    The URL that the Azure Active Directory proxy uses to connect to your Azure Active Directory tenancy. It is built from $spocontextID; you don't need to input a value.

Step 1: Set variables

Now that you have identified the variables you need to set, use these instructions to set them. Pre-populating the most commonly used variables helps you do the remaining steps faster, and they stay populated as long as you don't close the PowerShell session. Wherever you see angle brackets (< >), provide accurate information and remove the angle brackets before you run the command. Don't alter the code outside the angle brackets.

Note

If you have to do any of these configuration steps again later, begin by running the PowerShell commands in this step to repopulate the variables.

Copy the following variable declarations and paste them into a text editor like Notepad. Set the input values specific to your organization. Then run the commands from the PowerShell command prompt you configured with the online service management tools.

# Wildcard form of your public root domain, used as the SPN instance name in Step 3
$spcn="*.<public_root_domain_name>.com"
# URL string only (http:// or https://); the next line turns it into the site object
$spsite="<principal_web_application_URL>"
$site=Get-SPSite $spsite
# Well-known SharePoint Online application principal ID, identical in every tenant
$spoappid="00000003-0000-0ff1-ce00-000000000000"
# Context ID (ObjectID) of your tenant, read from Azure Active Directory
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"

After you populate these variables, you can view their values by entering the variable name in the PowerShell window. For example, entering $metadataEndpoint returns a value similar to the following:

https://accounts.accesscontrol.windows.net/00fceb75-246c-4ac4-a0ad-7124xxxxxxxx/metadata/json/1

Step 2: Upload the STS certificate to SharePoint Online

In this step, you upload the STS certificate of your SharePoint Server farm to your SharePoint Online tenant, which enables SharePoint Server and SharePoint Online to connect to and consume each other's service applications.

[Figure: the architecture involved in uploading the STS certificate to SharePoint Online]

The commands in this step add the new on-premises STS certificate (public key only) to the SharePoint Online principal object of your Office 365 tenancy. The private key never leaves the farm; SharePoint Online needs only the public key to verify tokens that your STS signs.

From the PowerShell command prompt, type the following commands.

$stsCert=(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$binCert = $stsCert.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert);
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue
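New-MsolServicePrincipalCredential only adds a key: every STS certificate ever uploaded stays trusted by the tenant until it expires or is removed, which matters each time you replace the farm's STS certificate. The script below is an added example, not part of the original article. It lists the asymmetric Verify credentials on the SharePoint Online service principal, marks the one whose validity window matches the farm's current STS signing certificate (Azure Active Directory keeps the certificate's NotBefore/NotAfter as StartDate/EndDate, which is enough to recognise it), warns if none matches, and, only when you pass the switch, removes credentials that have already expired. It assumes $spoappid from Step 1 and a session connected with Connect-MsolService; the function name and the -RemoveExpired switch are illustrative.

```powershell
# Added example (not from the original article). Requires the MSOnline module,
# Connect-MsolService, the SharePoint snap-in, and $spoappid from Step 1.
function Get-SpoStsCredentialStatus {
    [CmdletBinding()]
    param(
        [Guid]$AppPrincipalId = $spoappid,
        # Assumed switch: remove only credentials that are already past their EndDate.
        [switch]$RemoveExpired
    )

    # The certificate the farm signs with today; only its public key is in AAD.
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $now     = (Get-Date).ToUniversalTime()

    # ReturnKeyValues $false: we never need the key material back, only metadata.
    $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $false |
        Where-Object { $_.Type -eq 'Asymmetric' -and $_.Usage -eq 'Verify' }

    $report = foreach ($c in $creds) {
        # Compare the validity window with a one-minute tolerance to absorb
        # rounding between the certificate and the directory.
        $startDelta = [math]::Abs(($c.StartDate.ToUniversalTime() - $stsCert.NotBefore.ToUniversalTime()).TotalSeconds)
        $endDelta   = [math]::Abs(($c.EndDate.ToUniversalTime()   - $stsCert.NotAfter.ToUniversalTime()).TotalSeconds)
        [pscustomobject]@{
            KeyId          = $c.KeyId
            StartDate      = $c.StartDate
            EndDate        = $c.EndDate
            Expired        = ($c.EndDate.ToUniversalTime() -lt $now)
            MatchesFarmSts = ($startDelta -lt 60 -and $endDelta -lt 60)
        }
    }

    if (-not ($report | Where-Object { $_.MatchesFarmSts })) {
        Write-Warning "No credential on $AppPrincipalId matches the farm's current STS certificate (thumbprint $($stsCert.Thumbprint)); re-run the upload in Step 2."
    }

    if ($RemoveExpired) {
        foreach ($stale in ($report | Where-Object { $_.Expired })) {
            Remove-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -KeyIds $stale.KeyId
        }
    }

    $report
}

# Usage: review first, then prune expired keys once you are satisfied with the list.
Get-SpoStsCredentialStatus | Format-Table KeyId, StartDate, EndDate, Expired, MatchesFarmSts -AutoSize
```

The function deliberately removes only expired keys. A key that is valid but does not match this farm's certificate may belong to another on-premises farm that is hybrid-connected to the same tenant, since all of them upload to the same SharePoint Online service principal; remove such a key only after you have confirmed which farm it came from.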

Step 3: Add an SPN for your public domain name to Azure Active Directory

In this step, you add a service principal name (SPN) to your Azure Active Directory tenant. The SPN is composed of the SharePoint Online application principal ID and your company's public DNS namespace.

Just as SPNs do in Active Directory, creating this SPN registers an object in Azure Active Directory that supports mutual authentication between SharePoint Server and your SharePoint Online tenant. The basic syntax for the SPN is:

<service type>/<instance name>

where:

  • <service type> is the SharePoint Online application principal ID, which is the same for all SharePoint Online tenants.

  • <instance name> is your company's public DNS domain name, always expressed as a wildcard, even if the Secure Channel SSL certificate is a SAN certificate.

Here's an example:

00000003-0000-0ff1-ce00-000000000000/*.<public domain name>.com

If the common name in your certificate is sharepoint.adventureworks.com, the SPN looks like this:

00000003-0000-0ff1-ce00-000000000000/*.adventureworks.com

Using a wildcard value lets SharePoint Online validate connections with any host in that domain. This is useful if you ever need to change the host name of the external endpoint (if your topology includes one) or want to change your SharePoint Server web application in the future.

To add the SPN to Azure Active Directory, enter the following commands in the Azure Active Directory Module for Windows PowerShell command prompt.

$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn") 
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

To validate that the SPN was set, enter the following commands in the Azure Active Directory Module for Windows PowerShell command prompt.

$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames 
$spns

You should see the current list of SPNs for SharePoint Online in your Office 365 tenancy, and one of them should include your public root domain name, prefaced by the SharePoint Online application principal ID. This registration is a wildcard registration and looks like the following example:

00000003-0000-0ff1-ce00-000000000000/*.<public domain name>.com

This should be the only SPN in the list that includes your public root domain name.

Step 4: Register the SharePoint Online application principal object ID with SharePoint Server

This step registers the SharePoint Online application principal object ID with the on-premises SharePoint Application Management Service, which allows SharePoint Server to authenticate to SharePoint Online using OAuth.

From the PowerShell command prompt, type the following commands.

$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"

To validate this step, from the PowerShell command prompt, display the $appPrincipal variable:

$appPrincipal | fl

The expected output is a description of the registered application principal with the name SharePoint Online, similar to the following.

[Figure: the registered application principal for SharePoint Online]

Step 5: Set the SharePoint authentication realm

This step sets the authentication realm of your SharePoint Server farm to the context ID of your organization's Office 365 tenancy.

From the PowerShell command prompt, type the following command.

Set-SPAuthenticationRealm -realm $spocontextID

To validate this step, from the PowerShell command prompt, type the following commands.

$spocontextID
Get-SPAuthenticationRealm

Each command outputs the GUID that represents the context ID of the SharePoint Online tenancy. The two GUIDs should be identical.

Important

If you have farm setup scripts that specify the farm authentication realm value, update them with this new value before you run them again. For more information about the requirements for realm values in farm setup scripts, see Plan for server-to-server authentication in SharePoint Server. Because this SharePoint farm now participates in the hybrid configuration, the farm authentication realm value must always match the tenant context identifier. If you change this value, the farm will no longer participate in hybrid functionality.

Step 6: Configure an on-premises proxy for Azure Active Directory

In this step, you create an Azure Active Directory proxy service in the SharePoint Server farm. This registers Azure Active Directory as a trusted token issuer (trust broker): SharePoint Server uses the signing keys published at the metadata endpoint to validate claims tokens that arrive from SharePoint Online.

From the PowerShell command prompt, type the following commands.

New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

To validate the New-SPAzureAccessControlServiceApplicationProxy command:

  1. Browse to the SharePoint 2016 Central Administration website, and click Security > General Security > Manage trust.

  2. Make sure you have an entry with a name that begins with ACS and the type Trusted Service Consumer.

To validate the New-SPTrustedSecurityTokenIssuer command, from the PowerShell command prompt, type the following command.

Get-SPTrustedSecurityTokenIssuer

The expected output is a description of the farm's trusted token issuer, where the value of the RegisteredIssuerName property is:

00000001-0000-0000-c000-000000000000@<context ID>

where <context ID> is the context ID of your SharePoint Online tenancy, which is the value in the $spocontextID variable.
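Steps 2 through 6 each end with a manual check. The script below is an added example, not part of the original article, that runs all of those checks in one pass and returns a pass/fail row per step: the farm's current STS certificate is present on the SharePoint Online service principal, the wildcard SPN for your public root domain exists exactly once, the SharePoint Online app principal is registered with the farm, the farm realm equals the tenant context ID, and the ACS proxy plus the trusted token issuer with the expected RegisteredIssuerName are in place. It must run in the same PowerShell window as the procedure so that $spcn, $spoappid, $spocontextID and $site are populated and the SharePoint and MSOnline modules are loaded; the function name and the proxy name "ACS" (taken from Step 6) are the only assumptions.

```powershell
# Added example (not from the original article). Run it in the PowerShell window
# you used for Steps 1-6, so that the SharePoint snap-in and the MSOnline module
# are loaded and $spcn, $spoappid, $spocontextID and $site are populated.
function Test-HybridS2SConfiguration {
    [CmdletBinding()]
    param()

    $results = @()

    # Step 2: the farm's current STS signing certificate must be on the SharePoint
    # Online service principal. AAD keeps the certificate's validity window as
    # StartDate/EndDate, so matching NotAfter (with a minute of tolerance) finds it.
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $spoKeys = @(Get-MsolServicePrincipalCredential -AppPrincipalId $spoappid -ReturnKeyValues $false |
        Where-Object {
            $_.Type -eq 'Asymmetric' -and $_.Usage -eq 'Verify' -and
            [math]::Abs(($_.EndDate.ToUniversalTime() - $stsCert.NotAfter.ToUniversalTime()).TotalSeconds) -lt 60
        })
    $results += [pscustomobject]@{
        Check  = 'Step 2: STS certificate uploaded to SharePoint Online'
        Passed = ($spoKeys.Count -ge 1)
        Detail = "Local STS thumbprint $($stsCert.Thumbprint), NotAfter $($stsCert.NotAfter)"
    }

    # Step 3: exactly one SPN for the public root domain, and it is the wildcard form.
    $rootDomain = $spcn -replace '^\*\.', ''
    $spns       = (Get-MsolServicePrincipal -AppPrincipalId $spoappid).ServicePrincipalNames
    $domainSpns = @($spns | Where-Object { $_ -like "*$rootDomain*" })
    $results += [pscustomobject]@{
        Check  = 'Step 3: wildcard SPN registered exactly once'
        Passed = ($domainSpns.Count -eq 1 -and $domainSpns[0] -eq "$spoappid/$spcn")
        Detail = ($domainSpns -join '; ')
    }

    # Step 4: the SharePoint Online app principal is registered with the farm
    # under <SharePoint Online object ID>@<tenant context ID>.
    $spoObjectId  = (Get-MsolServicePrincipal -AppPrincipalId $spoappid).ObjectId
    $nameId       = "$spoObjectId@$spocontextID"
    $appPrincipal = Get-SPAppPrincipal -NameIdentifier $nameId -Site $site.RootWeb -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Step 4: SharePoint Online app principal registered'
        Passed = [bool]$appPrincipal
        Detail = $nameId
    }

    # Step 5: the farm authentication realm must equal the tenant context ID.
    $realm = Get-SPAuthenticationRealm
    $results += [pscustomobject]@{
        Check  = 'Step 5: farm realm matches tenant context ID'
        Passed = ([string]$realm -eq [string]$spocontextID)
        Detail = "Realm $realm, tenant $spocontextID"
    }

    # Step 6: the proxy named "ACS" exists and AAD is a trusted issuer (trust broker)
    # whose RegisteredIssuerName is the well-known ACS ID scoped to this tenant.
    $acsProxy = Get-SPServiceApplicationProxy | Where-Object { $_.Name -eq 'ACS' }
    $issuer   = Get-SPTrustedSecurityTokenIssuer |
        Where-Object { $_.RegisteredIssuerName -eq "00000001-0000-0000-c000-000000000000@$spocontextID" } |
        Select-Object -First 1
    $results += [pscustomobject]@{
        Check  = 'Step 6: ACS proxy and trusted token issuer configured'
        Passed = ([bool]$acsProxy -and [bool]$issuer -and [bool]$issuer.IsTrustBroker)
        Detail = "Proxy present: $([bool]$acsProxy); issuer: $($issuer.RegisteredIssuerName)"
    }

    $results
}

# Usage: show every check, then flag any failure before moving on in the roadmap.
$report = Test-HybridS2SConfiguration
$report | Format-Table Check, Passed, Detail -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more server-to-server checks failed; see the Detail column and repeat the corresponding step.'
}
```

Because the farm realm, the app principal name identifier and the issuer name all embed the tenant context ID, the script compares each of them with $spocontextID directly rather than with each other, so a realm that was changed after setup (the situation the Important note above warns about) shows up as a Step 5 failure even if the other rows still pass.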

Validation and next steps

After finishing the tasks in this topic and its validation steps, check your SSO and Directory Synchronization setup by using the validation steps in Validate your SSO configuration.

So that you have a history of the steps you've taken, capture the entire contents of the PowerShell buffer into a file. This is crucial if you need to reference your configuration history to troubleshoot, or for any other reason, and it helps you pick up where you left off if the configuration spans multiple days or involves multiple people.

After you have completed and validated the configuration tasks in this topic, continue with your configuration roadmap.

See also

Hybrid for SharePoint Server

Install and configure SharePoint Server hybrid