Authentication overview for SharePoint Server

Summary: Learn about how user authentication, app authentication, and server-to-server authentication work in SharePoint Server 2013 and SharePoint Server 2016.

SharePoint Server requires authentication for the following types of interactions:

  • Users who access on-premises SharePoint resources

  • Apps that access on-premises SharePoint resources

  • On-premises servers that access on-premises SharePoint resources, or vice versa

User authentication in SharePoint Server

User authentication is the validation of a user's identity against an authentication provider, which is a directory or database that contains the user's credentials and can verify that the user submitted them correctly. User authentication occurs when a user attempts to access a SharePoint resource.

SharePoint Server supports claims-based authentication.

The result of claims-based authentication is a claims-based security token, which the SharePoint Security Token Service (STS) generates.

SharePoint Server supports Windows, forms-based, and Security Assertion Markup Language (SAML)-based claims authentication. For information about how these three authentication methods work, see the following videos.

Note

The information in the videos applies to SharePoint Server 2013 and SharePoint Server 2016.

Windows claims authentication in SharePoint Server 2013 and 2016 video

For more information, see Plan for user authentication methods in SharePoint Server.

App authentication in SharePoint Server

App authentication is the validation of a remote SharePoint app's identity and the authorization of the app and its associated user for a request to a secured SharePoint resource. App authentication occurs when an external component of a SharePoint Store app or an App Catalog app, such as a web server that is located on the intranet or the Internet, attempts to access a secured SharePoint resource.

For example, suppose that a user opens a SharePoint page that contains an IFRAME of a SharePoint app, and that IFRAME needs an external component, such as a server on the intranet or the Internet, to access a secured SharePoint resource in order to render the page. The external component of the SharePoint app must be authenticated and authorized so that SharePoint provides the requested information and the app can render the page for the user.

Note that if the SharePoint app does not require a secured SharePoint resource to render the page for the user, app authentication is not needed. For example, a SharePoint app that provides weather forecast information and only has to access a weather information server on the Internet does not have to use app authentication.

App authentication is a combination of two processes:

  • Authentication

    Verifying that the application has registered correctly with a commonly trusted identity broker

  • Authorization

    Verifying that the application and the associated user for the request have the appropriate permissions to perform the operation, such as accessing a folder or list or executing a query

To perform app authentication, the application obtains an access token either from the Microsoft Azure Access Control Service (ACS) or by self-signing an access token with a certificate that SharePoint Server trusts. The access token asserts a request for access to a specific SharePoint resource and contains information that identifies the app and the associated user; it does not carry a validation of the user's credentials. The access token is not a logon token.

For SharePoint Store apps, an example of the authentication process is as follows:

  1. A user opens a SharePoint web page that contains an IFRAME that has to be rendered by a SharePoint Store app, which is hosted on the Internet and uses ACS as its trust broker. To render the IFRAME for the user, the SharePoint Store app must access a SharePoint resource.

  2. The SharePoint STS requests and receives a context token from ACS.

  3. SharePoint sends the requested web page together with the context token to the user's web browser.

  4. The user's web browser sends a request for the IFRAME's content and the context token to the SharePoint Store app server on the Internet.

  5. The SharePoint Store app server requests and receives an access token from ACS.

  6. The SharePoint Store app server sends the SharePoint resource request and the access token to the SharePoint server.

  7. The SharePoint server authorizes the access, checking both the app's permissions, which were specified when the app was installed, and the associated user's permissions.

  8. If permitted, SharePoint sends the requested data to the SharePoint Store app server on the Internet.

  9. The SharePoint Store app server on the Internet sends the IFRAME results to the web browser, which renders the IFRAME portion of the page for the user.

Notice how the SharePoint Store app has accessed SharePoint server resources without having to obtain the user's credentials. The access was authenticated through ACS, which is trusted by the server running SharePoint Server, and authorized through the combined set of app and user permissions.

For SharePoint App Catalog apps, an example of the authentication process is as follows:

  1. A user opens a SharePoint web page that contains an IFRAME that has to be rendered by an App Catalog app that is hosted on the intranet and uses a self-signed certificate for its access tokens. To render the IFRAME for the user, the App Catalog app must access a SharePoint resource.

  2. SharePoint sends the requested page along with the IFRAME to the user's web browser.

  3. The user's web browser sends a request for the IFRAME's content to the App Catalog app server on the intranet.

  4. The App Catalog app server authenticates the user and generates an access token, signed with its self-signed certificate.

  5. The App Catalog app server sends the SharePoint resource request and the access token to the SharePoint server.

  6. The SharePoint server authorizes the access, checking both the app's permissions, which were specified when the app was installed, and the associated user's permissions.

  7. If permitted, the SharePoint server sends the requested data to the App Catalog app server on the intranet.

  8. The App Catalog app server sends the IFRAME results to the web browser, which renders the IFRAME portion of the page for the user.

Note

App Catalog apps can use either ACS or a self-signed certificate for their access tokens.
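As an added illustration (not code from this page or from SharePoint Server), the following Python sketch walks the two steps of app authentication for an App Catalog app that self-signs its access tokens: the token asserts the app identity and the associated user without carrying credentials, the receiving side checks issuer trust, signature, audience and expiry, and authorization then requires both the app's install-time permissions and the user's permissions. The issuer ids, audience value, permission tables, and the HMAC key that stands in for the trusted certificate are all constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for "a certificate that SharePoint Server trusts": trusted app issuer
# id -> verification key. Real high-trust apps sign with X.509; HMAC keeps this stdlib-only.
TRUSTED_ISSUERS = {"app-catalog-app-1": b"constructed-demo-key"}
SHAREPOINT_AUDIENCE = "sharepoint.example.test"  # constructed value for this farm

# Constructed permission tables: what the app was granted when it was installed,
# and what each user holds on the resource. Both must allow the action.
APP_PERMISSIONS = {"app-catalog-app-1": {"/lists/Tasks": {"read"}}}
USER_PERMISSIONS = {"alice@example.test": {"/lists/Tasks": {"read", "write"}}}

def _b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(issuer, user, resource, key, ttl=600, now=None):
    """App side: self-sign a token asserting the app (iss) and the user it acts for
    (sub) on one resource. It carries no user credential; it is not a logon token."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "aud": SHAREPOINT_AUDIENCE, "sub": user,
              "res": resource, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def validate_access_token(token, now=None):
    """SharePoint side (authentication): trusted issuer, valid signature, right audience, unexpired."""
    body, sig = token.split(".")
    claims = json.loads(_unb64url(body))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("issuer not trusted")
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("aud") != SHAREPOINT_AUDIENCE:
        raise ValueError("token not issued for this SharePoint")
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def authorize(claims, action):
    """Authorization step: the app's install-time permissions AND the associated
    user's permissions must both allow the action on the requested resource."""
    res = claims["res"]
    app_ok = action in APP_PERMISSIONS.get(claims["iss"], {}).get(res, set())
    user_ok = action in USER_PERMISSIONS.get(claims["sub"], {}).get(res, set())
    return app_ok and user_ok
```

The write case shows why the intersection matters: the user holds write on the list, but the app was only granted read at install time, so the request is refused.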

For more information, see Plan for app authentication in SharePoint 2013 Preview.

Server-to-server authentication in SharePoint Server

Server-to-server authentication is the validation of a server's request for resources, based on a trust relationship established between the STS of the server that runs SharePoint Server and the STS of another server that supports the OAuth server-to-server protocol, such as an on-premises server running SharePoint Server, Exchange Server 2016, Skype for Business 2016, or Azure Workflow Service, or SharePoint Server running in Office 365. Based on this trust relationship, a requesting server can access secured resources on the SharePoint server on behalf of a specified user account, subject to server and user permissions.

For example, a server running Exchange Server 2016 can request resources from a server running SharePoint Server for a specific user account. This contrasts with app authentication, in which the app does not have access to user account credential information. The user may or may not be currently signed in to the server that makes the resource request, depending on the service and the request.

When a server running SharePoint Server attempts to access a resource on another server, or another server attempts to access a resource on a server running SharePoint Server, the incoming access request must be authenticated before the server accepts the request and the subsequent data. Server-to-server authentication verifies that the server running SharePoint Server and the user whom it is representing are trusted.

The token that is used for server-to-server authentication is a server-to-server token, not a logon token. The server-to-server token contains information about the server that requests access and the user account on whose behalf the server is acting.

For on-premises servers, an example of the basic process is as follows:

  1. A user opens a SharePoint web page that requires information from another server (for example, to display the list of tasks from both SharePoint Server and Exchange Server 2016).

  2. SharePoint Server generates a server-to-server token.

  3. SharePoint Server sends the server-to-server token to the other server.

  4. The other server validates the SharePoint server-to-server token.

  5. The other server sends a message to SharePoint Server to indicate that the sent server-to-server token was valid.

  6. The service on the server running SharePoint Server accesses the data on the other server.

  7. The service on the server running SharePoint Server renders the page for the user.

When both servers are running in Office 365, an example process is as follows:

  1. A user opens a SharePoint web page that requires information from another server (for example, to display the list of tasks from both SharePoint Online and Exchange Online).

  2. SharePoint Online requests and receives a server-to-server token from ACS.

  3. SharePoint Online sends the server-to-server token to the Office 365 server.

  4. The Office 365 server verifies the user identity in the server-to-server token with ACS.

  5. The Office 365 server sends a message to SharePoint Online to indicate that the sent server-to-server token was valid.

  6. The service on SharePoint Online accesses the data on the Office 365 server.

  7. The service on SharePoint Online renders the page for the user.

For more information, see Plan for server-to-server authentication in SharePoint Server.