Create claims-based web applications in SharePoint Server

Summary: Illustrates how to create SharePoint Server 2016 and SharePoint Server 2013 web applications that use claims-based authentication or classic-mode authentication.

Claims-based authentication is a requirement to enable the advanced functionality of SharePoint Server. This article explains how to use either Central Administration or PowerShell to create a SharePoint Server web application that uses claims-based authentication. Claims-based authentication is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. However, this article also provides guidance for using PowerShell to create classic-mode web applications if you have a specific scenario that cannot support claims-based authentication. Be aware that classic-mode authentication is deprecated in this release and will not be available in the next version. For more information, see Plan for server-to-server authentication in SharePoint Server.

Important

Secure Sockets Layer (SSL) is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication.

You can create a web application by using the SharePoint Central Administration website or PowerShell. You typically use PowerShell to create a web application; if you want to automate the task of creating web applications, which is common in enterprises, use PowerShell. After you complete the procedure, you can create one or several site collections.

Create a claims-based web application by using Central Administration

Use the procedure in this section to create a new claims-based SharePoint Server web application by using Central Administration.

To create a claims-based web application by using Central Administration

  1. Verify that you have the following administrative credentials:

    • To create a web application, you must be a member of the Farm Administrators SharePoint group.

  2. Start SharePoint 2016 Central Administration.

  3. On the Central Administration Home page, click Application Management.

  4. On the Application Management page, in the Web Applications section, click Manage web applications.

  5. In the Contribute group of the ribbon, click New.

  6. On the Create New Web Application page, in the IIS Web Site section, configure the settings for the new web application by selecting one of the following two options:

    • Click Use an existing IIS web site, and then select the web site on which to install the new web application.

    • Click Create a new IIS web site, and then type the name of the web site in the Name box.

    • In the Port box, type the port number that you want to use to access the web application. If you are using an existing IIS web site, this field contains the current port number.

      Note

      The default port number for HTTP access is 80, and the default port number for HTTPS access is 443.

    • Optional: In the IIS Web Site section, in the Host Header box, type the host name (for example, www.contoso.com) that you want to use to access the web application.

      Note

      You do not need to populate this field unless you want two or more IIS web sites on the same server to share the same port number, and DNS has been configured to route requests for each host name to that server.

    • In the Path box, type the path to the IIS web site home directory on the server. If you are creating a new web site, this field contains a suggested path. If you are using an existing IIS web site, this field contains the current path of that web site.

  7. In the Security Configuration section, choose whether to Allow Anonymous access and whether to Use Secure Sockets Layer (SSL).

    Important

    Secure Sockets Layer (SSL) is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. In general, we strongly recommend using SSL for web applications.

    • In the Security Configuration section, click Yes or No for the Allow Anonymous option. If you choose Yes, visitors can use the computer-specific anonymous access account (that is, IIS_IUSRS) to access the web site.

      Note

      If you want users to be able to access any site content anonymously, you must enable anonymous access for the entire web application zone before you enable anonymous access at the SharePoint Server site level. Site owners can then configure anonymous access for their sites. If you do not enable anonymous access at the web application level, site owners cannot enable anonymous access at the site level.

    • In the Security Configuration section, click Yes or No for the Use Secure Sockets Layer (SSL) option. If you choose Yes, you must request and install an SSL certificate to configure SSL.

  8. In the Claims Authentication Types section, select the authentication methods that you want to use for the web application.

    • To enable Windows authentication, select Enable Windows Authentication and, in the drop-down menu, select NTLM or Negotiate (Kerberos). We recommend Negotiate (Kerberos).

      If you do not want to use Integrated Windows authentication, clear Integrated Windows authentication.

      Note

      If you do not select Windows authentication for at least one zone of this web application, crawling of this web application is disabled.

    • To offer Basic authentication, select Basic authentication (credentials are sent in clear text). Basic authentication sends users' credentials over the network in an unencrypted form unless the connection is protected by SSL.

      Note

      You can select Basic authentication or Integrated Windows authentication, or both. If you select both, SharePoint Server offers both authentication types to the client web browser, and the browser determines which type to use. Whenever Basic authentication is selected, with or without Integrated Windows authentication, ensure that SSL is enabled; otherwise, a malicious user can intercept credentials.

    • To enable forms-based authentication, select Enable Forms Based Authentication (FBA), and then enter the ASP.NET Membership provider name and the ASP.NET Role manager name.

      Note

      If you select this option, ensure that SSL is enabled. Otherwise, a malicious user can intercept credentials.

    • If you have set up Trusted Identity Provider authentication by using PowerShell, the Trusted Identity provider check box is available; select it to use that provider for this web application.

  9. In the Sign In Page URL section, choose one of the following options for signing in to SharePoint Server:

    • Select Default Sign In Page URL to redirect users to the default sign-in page for claims-based authentication.

    • Select Custom Sign In page URL, and then type the sign-in URL to redirect users to a customized sign-in page for claims-based authentication.

  10. In the Public URL section, type the URL of the domain name that users will use to access all sites in this web application. This URL is used as the base URL in links that are shown on pages within the web application. The default URL is the current server name and port, and it is automatically updated to reflect the current SSL, host header, and port number settings on the page. If you deploy SharePoint Server behind a load balancer or proxy server, this URL may need to differ from the SSL, host header, and port settings on this page.

    The Zone value is automatically set to Default for a new web application. You can change the zone when you extend the web application.

  11. In the Application Pool section, do one of the following:

    • Click Use existing application pool, and then select the application pool that you want to use from the drop-down menu.

    • Click Create a new application pool, and then type the name of the new application pool, or keep the default name.

    • Click Predefined to use a predefined security account for this application pool, and then select the security account from the drop-down menu.

    • Click Configurable to specify a new security account to be used for an existing application pool.

    Note

    To create a new account, click the Register new managed account link.

  12. In the Database Name and Authentication section, choose the database server, database name, and authentication method for the new web application, as described in the following table.

    Item: Database Server
    Action: Type the name of the database server and SQL Server instance that you want to use, in the format <SERVERNAME\instance>. You can also use the default entry.

    Item: Database Name
    Action: Type the name of the database, or use the default entry.

    Item: Database Authentication
    Action: Select the database authentication to use by doing one of the following:
    To use Windows authentication, leave this option selected. We recommend this option because Windows authentication never sends the password to SQL Server; the connection is authenticated with Kerberos or NTLM.
    To use SQL authentication, click SQL authentication. In the Account box, type the name of the account that you want the web application to use to authenticate to the SQL Server database, and then type the password in the Password box.

    Note

    SQL authentication sends the SQL authentication password to SQL Server in an unencrypted format. We recommend that you use SQL authentication only if you force protocol encryption to SQL Server or encrypt the network traffic by using IPsec.

  13. If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of the specific failover database server that you want to associate with the content database.

  14. In the Service Application Connections section, select the service application connections that will be available to the web application. In the drop-down menu, click default or [custom]. Use the [custom] option to choose the specific service application connections that you want to use for the web application.

  15. In the Customer Experience Improvement Program section, click Yes or No.

  16. Click OK to create the new web application.
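The same choices made in the Central Administration procedure above (Windows authentication plus forms-based authentication, SSL on port 443 with a host header, no anonymous access, a managed account for the application pool, and Windows authentication to SQL Server), expressed with the SharePoint cmdlets. This is an added example and is not code from the original article; the web application name, host name, managed account, SQL Server instance, database name and the ASP.NET provider names are placeholders that you must replace with your own.

```powershell
# Added example (not from the original article): the Central Administration choices above,
# expressed with the SharePoint cmdlets. Run from the SharePoint Management Shell as a user
# that Add-SPShellAdmin has authorized. All names, hosts and accounts are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 8, Windows authentication: a Windows claims provider. Adding -DisableKerberos would
# restrict it to NTLM; -UseBasicAuthentication is deliberately left out.
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Step 8, forms-based authentication: the provider names must match the <membership> and
# <roleManager> providers registered in web.config (assumed names here).
$fba = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "ContosoMembershipProvider" `
    -ASPNETRoleProviderName "ContosoRoleProvider"

# Step 11: the application pool identity must already be a registered managed account.
$poolAccount = Get-SPManagedAccount -Identity "CONTOSO\svc-spweb"

# Steps 6, 7, 10 and 12: a new IIS site on port 443 with a host header and SSL, no anonymous
# access (the -AllowAnonymousAccess switch is omitted), and Windows authentication to
# SQL Server (no -DatabaseCredentials, so no SQL password is stored or sent).
$wa = New-SPWebApplication -Name "Contoso Intranet" `
    -HostHeader "intranet.contoso.com" -Port 443 -SecureSocketsLayer `
    -URL "https://intranet.contoso.com" `
    -ApplicationPool "ContosoIntranetPool" -ApplicationPoolAccount $poolAccount `
    -AuthenticationProvider $winAuth, $fba `
    -DatabaseServer "SQL01\SP" -DatabaseName "WSS_Content_Intranet"

# Verify the result: claims mode, and both providers registered on the Default zone.
if (-not $wa.UseClaimsAuthentication) { throw "Expected a claims-based web application" }
$wa.GetIisSettingsWithFallback("Default").ClaimsAuthenticationProviders |
    Select-Object DisplayName, ClaimProviderName
```

Passing more than one provider to -AuthenticationProvider is what produces the "both Windows and FBA" configuration from step 8. As the article notes for the Central Administration path, an FBA zone without SSL exposes credentials, which is why the example keeps -SecureSocketsLayer and port 443 together; the certificate still has to be bound in IIS afterwards.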

Create a claims-based web application by using PowerShell

Use the procedure in this section to create a new claims-based SharePoint Server web application by using PowerShell.

To create a claims-based web application by using PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running PowerShell cmdlets.

    • You must read about_Execution_Policies.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

      Note

      If you do not have these permissions, contact your Setup administrator or SQL Server administrator to request them. For additional information about PowerShell permissions, see Permissions and Add-SPShellAdmin.

  2. To create a claims-based authentication provider, from the PowerShell command prompt, type the following:

    $ap = New-SPAuthenticationProvider
    
  3. To create a claims-based web application, from the PowerShell command prompt, type the following (the backtick at the end of each line continues the command on the next line):

    New-SPWebApplication -Name <Name> `
    -ApplicationPool <ApplicationPool> `
    -ApplicationPoolAccount <ApplicationPoolAccount> `
    -URL <URL> -Port <Port> -AuthenticationProvider $ap
    

    Where:

    • <Name> is the name of the new web application that uses claims-based authentication.

    • <ApplicationPool> is the name of the application pool.

    • <ApplicationPoolAccount> is the managed account that this application pool will run as.

    • <URL> is the public URL for this web application.

    • <Port> is the port on which the web application will be created in IIS.

      Note

      For more information, see New-SPWebApplication.

      The following example creates an HTTPS claims-based web application named "Contoso Internet Site" on port 443, with the public URL https://www.contoso.com and an application pool that runs as the managed account DOMAIN\jdoe. New-SPAuthenticationProvider with no parameters creates a Windows claims authentication provider:

    $ap = New-SPAuthenticationProvider
    New-SPWebApplication -Name "Contoso Internet Site" -URL "https://www.contoso.com" -Port 443 `
    -ApplicationPool "ContosoAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "DOMAIN\jdoe") `
    -AuthenticationProvider $ap -SecureSocketsLayer
    

    Note

    After you have created the web site, you must configure SSL in IIS for this newly created web site.
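The note above leaves the IIS side of SSL to the reader. The following added example, which is not code from the original article, completes the web application created by the New-SPWebApplication example: it checks the certificate before binding it to the IIS site, attaches it to the https binding on port 443, and then creates the first site collection. The IIS site name is assumed to equal the -Name passed to New-SPWebApplication; the host name, certificate thumbprint and owner alias are placeholders, and the certificate is assumed to be installed with its private key in the local computer's personal store. The DnsNameList property is the one PowerShell adds to certificate objects in the Cert: drive.

```powershell
# Added example (not from the original article): bind a certificate to the IIS site that
# New-SPWebApplication -SecureSocketsLayer created, then create the root site collection.
# Site name, host name, thumbprint and owner are placeholders (assumptions).
Import-Module WebAdministration
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteName   = "Contoso Internet Site"    # assumed: the -Name passed to New-SPWebApplication
$hostName   = "www.contoso.com"
$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # assumed thumbprint

# Refuse to bind a certificate that is missing, expired, has no private key, or was
# issued for a different name than the public URL.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint is not in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint has expired" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }
if (-not ($cert.DnsNameList.Unicode -contains $hostName)) {
    throw "Certificate $thumbprint does not cover $hostName"
}

# Ensure an https binding for the host on port 443 exists, then attach the certificate.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
$binding.AddSslCertificate($thumbprint, "My")

# Create the root site collection. SharePoint stores the owner as a Windows claims login.
New-SPSite -Url "https://$hostName" -Name "Contoso Internet" `
    -OwnerAlias "CONTOSO\jdoe" -Template "STS#0"

# For a Windows claims user the stored login has the form i:0#.w|contoso\jdoe
(Get-SPSite "https://$hostName").Owner.UserLogin
```

The final line is a quick way to confirm claims mode end to end: a classic-mode web application would store the owner as a plain CONTOSO\jdoe login instead of the i:0#.w| claims encoding.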

Create a classic-mode web application by using PowerShell

Use the procedure in this section to create a new classic-mode SharePoint Server web application by using PowerShell.

To create a classic-mode web application by using PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running PowerShell cmdlets.

    • You must read about_Execution_Policies.

  2. From the PowerShell command prompt, type the following (the backtick at the end of each line continues the command on the next line). Specifying -AuthenticationMethod instead of -AuthenticationProvider is what makes the web application use classic-mode Windows authentication:

    New-SPWebApplication -Name <Name> `
    -ApplicationPool <ApplicationPool> `
    -AuthenticationMethod <WindowsAuthType> `
    -ApplicationPoolAccount <ApplicationPoolAccount> `
    -Port <Port> -URL <URL>
    

    Where:

    • <Name> is the name of the new web application that uses classic-mode authentication.

    • <ApplicationPool> is the name of the application pool.

    • <WindowsAuthType> is either "NTLM" or "Kerberos". Kerberos is recommended.

    • <ApplicationPoolAccount> is the managed account that this application pool will run as.

    • <Port> is the port on which the web application will be created in IIS.

    • <URL> is the public URL for the web application.

      Note

      For more information, see New-SPWebApplication.

      Note

      After you successfully create the web application, when you open the Central Administration page you see a health rule warning that one or more web applications are enabled with classic authentication mode. This reflects our recommendation to use claims-based authentication instead of classic-mode authentication.
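The health rule only says that some web application is in classic mode. The following added example, which is not code from the original article, produces the per-zone report a reviewer would want instead: for every web application and every extended zone it lists whether the web application is claims-based or classic, which claims providers are configured, whether the zone has an SSL binding, and whether anonymous access is on, and it flags the combinations this article warns against (classic mode, Basic or forms authentication without SSL, and missing SSL, which rules out server-to-server and app authentication). It uses only the SharePoint object model properties read through Get-SPWebApplication; no names are assumed.

```powershell
# Added example (not from the original article): report the authentication settings of every
# web application and zone in the farm, and flag the configurations this article warns about.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPWebAppAuthReport {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
            if (-not $wa.IisSettings.ContainsKey($zone)) { continue }   # zone not extended
            $iis   = $wa.IisSettings[$zone]
            $ssl   = $iis.SecureBindings.Count -gt 0
            $fba   = $false
            $names = @()
            if ($wa.UseClaimsAuthentication) {
                foreach ($p in $iis.ClaimsAuthenticationProviders) {
                    $names += $p.DisplayName
                    if ($p -is [Microsoft.SharePoint.Administration.SPFormsAuthenticationProvider]) {
                        $fba = $true
                    }
                }
            }
            # Findings mirror the article's warnings: classic mode is deprecated, Basic and
            # forms authentication leak credentials without SSL, and SSL is required for
            # server-to-server and app authentication.
            $findings = @()
            if (-not $wa.UseClaimsAuthentication) { $findings += "classic mode (deprecated)" }
            if ($iis.UseBasicAuthentication -and -not $ssl) { $findings += "Basic auth without SSL" }
            if ($fba -and -not $ssl) { $findings += "forms auth without SSL" }
            if (-not $ssl) { $findings += "no SSL binding" }
            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Zone           = $zone
                PublicUrl      = $wa.GetResponseUri($zone).AbsoluteUri
                ClaimsMode     = $wa.UseClaimsAuthentication
                Providers      = $names -join ", "
                Ssl            = $ssl
                Anonymous      = $iis.AllowAnonymous
                Findings       = $findings -join "; "
            }
        }
    }
}

Get-SPWebAppAuthReport | Format-Table -AutoSize
```

The SSL check looks only at the IIS bindings on the SharePoint servers; if TLS is terminated on a load balancer or reverse proxy in front of the farm, treat a "no SSL binding" finding on that zone as something to confirm against the proxy configuration rather than as a defect. Web applications reported in classic mode can be migrated with the Convert-SPWebApplication cmdlet; check the reference for your SharePoint version for its exact -From and -To syntax.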

See also

Concepts

Create a Web application that uses classic mode authentication in SharePoint 2013