Configure client certificate authentication for SharePoint Server

Summary: Learn how to configure SharePoint Server 2013 and SharePoint Server 2016 to support user authentication with a client certificate.

Client certificate authentication lets web-based clients prove their identity to a server with a digital certificate, which gives user authentication additional security over a password alone. SharePoint Server has no built-in support for client certificate authentication, but you can get it through Security Assertion Markup Language (SAML)-based claims authentication. You can use Active Directory Federation Services (AD FS) 2.0 as your security token service (STS) for SAML claims, or any third-party identity management system that supports standard security protocols such as WS-Trust, WS-Federation, SAML 1.1, and SAML 2.0.

Note

For more information about SharePoint Server protocol requirements, see SharePoint Front-End Protocols.

Claims-based authentication in SharePoint Server lets you use different STSs. If you configure AD FS as your STS, SharePoint Server can support any identity provider or authentication method that AD FS supports, including client certificate authentication.

Note

For more information about AD FS, see Active Directory Federation Services Overview and AD FS 2016.

For an overview of authentication in SharePoint, see Plan for user authentication methods in SharePoint Server.

The following figure applies to SharePoint Server 2013 and SharePoint Server 2016: SharePoint Server is configured as a relying party of an AD FS-based STS.

[Figure: SharePoint Server 2010 with ADFS 2.0]

AD FS can authenticate user accounts with several different authentication methods, such as forms-based authentication, Active Directory Domain Services (AD DS), client certificates, and smart cards. When you configure SharePoint Server as a relying party of AD FS, SharePoint Server trusts the accounts that AD FS validates and the authentication methods that AD FS uses to validate them. This is how SharePoint Server supports client certificate authentication. Note that SharePoint Server never sees the client certificate itself: the TLS client certificate handshake happens at the AD FS sign-in endpoint, and SharePoint receives only the resulting SAML token signed by AD FS. The certificate checks (chain to a trusted CA, revocation, mapping to an account) are therefore performed and enforced only by AD FS, and the security of the whole arrangement rests on SharePoint validating the AD FS token-signing certificate.

Configure client certificate authentication

The following topics explain how to configure SharePoint Server for client certificate authentication or smart card authentication when you use AD FS as your STS:

  1. Configure AD FS to support claims-based authentication.

    For more information, see AD FS 2.0 - How to change the local authentication type.

  2. Configure SharePoint Server to support SAML-based claims authentication using AD FS.

    For more information, see Configure SAML-based claims authentication with AD FS in SharePoint Server and Improved interoperability with SAML 2.0.

  3. Create a web application that uses SAML-based claims authentication.

    For more information, see Create claims-based web applications in SharePoint Server.

Note

These steps are similar for a third-party STS.
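The three steps above, carried through end to end in PowerShell, as an added example that is not part of the original page or of any Microsoft sample. Part 1 runs on the AD FS server, parts 2 and 3 in the SharePoint Management Shell on a farm server. The host names adfs.contoso.com and portal.contoso.com, the realm urn:sharepoint:portal, the certificate path C:\ADFS\adfs-signing.cer, the managed account contoso\spapppool and the application pool name are assumptions; replace them with your own values.

```powershell
# Added example, not code from the page. All names below (contoso hosts, realm,
# certificate path, managed account, pool name) are assumptions for illustration.

### Part 1 (AD FS server): make client certificate auth the primary method and
### register SharePoint as a relying party.
Import-Module ADFS   # AD FS 2012 R2 / 2016. On AD FS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

# AD FS 2012 R2 / 2016: select certificate authentication on the global policy
# (the extranet provider is set the same way with -PrimaryExtranetAuthenticationProvider).
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider CertificateAuthentication
# AD FS 2.0 has no cmdlet for this: in C:\inetpub\adfs\ls\web.config, under
# <microsoft.identityServer.web><localAuthenticationTypes>, move the
# <add name="TLSClient" .../> element to the top; the first entry is the default method.

$realm = "urn:sharepoint:portal"
# SharePoint consumes WS-Federation tokens at the /_trust/ endpoint of the web application.
Add-AdfsRelyingPartyTrust -Name "SharePoint Portal" -Identifier $realm `
    -WSFedEndpoint "https://portal.contoso.com/_trust/"

# Issue e-mail and UPN from AD so SharePoint can identify the certificate's user.
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@
$authz = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-AdfsRelyingPartyTrust -TargetName "SharePoint Portal" `
    -IssuanceTransformRules $issuance -IssuanceAuthorizationRules $authz

# Export the primary token-signing certificate (public part only); SharePoint must trust it.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
[System.IO.File]::WriteAllBytes("C:\ADFS\adfs-signing.cer", $signing.Certificate.Export("Cert"))

### Part 2 (SharePoint Management Shell): trust AD FS as a SAML identity provider.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS\adfs-signing.cer")
New-SPTrustedRootAuthority -Name "AD FS Token Signing" -Certificate $cert

# Map the incoming claims; the e-mail claim is the identifier SharePoint uses for the user.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "AD FS" `
    -Description "AD FS with client certificate authentication" `
    -Realm "urn:sharepoint:portal" -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $upnMap `
    -SignInUrl "https://adfs.contoso.com/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

### Part 3: create an SSL web application that authenticates through that issuer.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$account = Get-SPManagedAccount "contoso\spapppool"
New-SPWebApplication -Name "Portal" -Url "https://portal.contoso.com" -Port 443 -SecureSocketsLayer `
    -HostHeader "portal.contoso.com" -ApplicationPool "PortalAppPool" `
    -ApplicationPoolAccount $account -AuthenticationProvider $provider

# Sanity checks: the issuer exists with the expected realm and identifier claim,
# and the new web application is claims-based.
Get-SPTrustedIdentityTokenIssuer "AD FS" | Select-Object Name, Realm, IdentifierClaim
Get-SPWebApplication "https://portal.contoso.com" | Select-Object Url, UseClaimsAuthentication
```

Two points matter operationally. First, the relying-party identifier passed to AD FS and the -Realm given to New-SPTrustedIdentityTokenIssuer must match exactly, or AD FS will refuse to issue a token for SharePoint. Second, the only thing binding SharePoint to the certificate check that AD FS performed is the token-signing certificate imported with New-SPTrustedRootAuthority; when AD FS rolls that certificate (automatic rollover is on by default in AD FS 2.0 and later), the new public certificate has to be re-imported into the farm or every sign-in starts failing with a signature validation error.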

See also

Other Resources

Configure SAML-based claims authentication with AD FS in SharePoint Server

Planning and Architecture: AD FS 2.0

AD FS 2.0 Deployment Guide

Using Active Directory Federation Services 2.0 in Identity Solutions