Plan for server-to-server authentication in SharePoint Server

Summary: Learn how to plan for server-to-server authentication in SharePoint Server 2013 and SharePoint Server 2016.

Server-to-server authentication enables servers that are capable of server-to-server authentication to access and request resources from one another on behalf of users. Servers that are capable of server-to-server authentication run SharePoint Server, Exchange Server 2016, Skype for Business Server 2015, Azure Workflow Service, or other software that supports the Microsoft server-to-server protocol. Server-to-server authentication enables a new set of functionality and scenarios that can be achieved through cross-server resource sharing and access.

To provide the requested resources to another server that can perform server-to-server authentication, the server that runs SharePoint Server must do the following:

  • Verify that the requesting server is trusted. To authenticate the requesting server, you must configure the server that runs SharePoint Server to trust the server that is sending it requests. This is a one-way trust relationship.

  • Verify that the type of access that the server is requesting is authorized. To authorize the access, you must configure the server that runs SharePoint Server with the appropriate set of permissions for the requested resources.

Note that the server-to-server authentication protocol in SharePoint Server is separate from user authentication and is not used as a sign-in authentication protocol by SharePoint users. The server-to-server authentication protocol, which uses the Open Authorization (OAuth) 2.0 protocol, does not add to the set of user sign-on protocols, such as WS-Federation. There are no new user authentication protocols in SharePoint Server. The server-to-server authentication protocol does not appear in the list of identity providers.

For information about how to plan for the User Profile service application for server-to-server authentication, see Server-to-server authentication and user profiles in SharePoint Server.

Introduction

Planning for server-to-server authentication consists of the following tasks:

Important

The web applications that include server-to-server authentication endpoints (for incoming server-to-server requests) or that make outgoing server-to-server requests to other servers must be configured to use Secure Sockets Layer (SSL).

Note

You only have to plan for server-to-server authentication on a server that runs SharePoint Server if you are configuring one or more server-to-server scenarios that require its use.

Identify the set of trust relationships

From the perspective of a server that runs SharePoint Server, a trust relationship with another server that can perform server-to-server authentication consists of the following:

  • The server that runs SharePoint Server trusts requests from a server that can perform server-to-server authentication (incoming to the server that runs SharePoint Server).

    This requires configuration on the server that runs SharePoint Server so that it trusts the requesting server.

  • The server that can perform server-to-server authentication trusts requests from a server that runs SharePoint Server (outgoing from the server that runs SharePoint Server).

    This requires configuration on the server that can perform server-to-server authentication so that it trusts the requesting server that runs SharePoint Server.

For each farm that runs SharePoint Server, make a list of servers that are capable of server-to-server authentication and that will be receiving incoming requests based on the server-to-server scenarios that involve the farm. There are two cases of server-to-server authentication relationships to examine.

Case 1: Farms are on-premises

If the farm that can perform server-to-server authentication is on-premises, you must configure the farm that runs SharePoint Server. Use the New-SPTrustedSecurityTokenIssuer PowerShell cmdlet to add the JavaScript Object Notation (JSON) metadata endpoint of the server that can perform server-to-server authentication to the server that runs SharePoint Server. If the server that can perform server-to-server authentication is another server that runs SharePoint Server, the JSON metadata endpoint is in the format: https:///_layouts/15/metadata/json/1.
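The following script is an added example, not part of the original article, showing the inbound half of the Case 1 trust: it checks the SSL requirement stated above, registers the partner farm's JSON metadata endpoint with New-SPTrustedSecurityTokenIssuer, and lists what the farm now trusts. The host names and the issuer name are placeholders, and the property names used in the final listing are assumed to be those exposed by the returned issuer objects.

```powershell
# Added example: register an on-premises partner farm as a trusted
# security token issuer on this SharePoint Server farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$partnerHost      = "partner.contoso.local"            # placeholder: the other farm
$metadataEndpoint = "https://$partnerHost/_layouts/15/metadata/json/1"
$webAppUrl        = "https://sharepoint.contoso.local" # placeholder: local web application
$issuerName       = "Partner farm ($partnerHost)"      # placeholder: any descriptive name

# The article requires SSL on every web application that exposes or makes
# server-to-server requests. Refuse to continue if either side is not HTTPS,
# because the OAuth tokens would otherwise travel in clear text.
$webApp = Get-SPWebApplication -Identity $webAppUrl
if ($webApp.Url -notmatch '^https://') {
    throw "Web application $($webApp.Url) must use SSL before a server-to-server trust is configured."
}
if ($metadataEndpoint -notmatch '^https://') {
    throw "Metadata endpoint $metadataEndpoint must be served over HTTPS."
}

# Registering the partner's metadata endpoint makes THIS farm trust tokens
# signed by the partner (incoming requests). The trust is one-way: the partner
# farm must run the equivalent step against this farm's own
# /_layouts/15/metadata/json/1 endpoint before outgoing requests are trusted.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if ($null -eq $issuer) {
    $issuer = New-SPTrustedSecurityTokenIssuer -Name $issuerName -MetadataEndPoint $metadataEndpoint
    Write-Host "Registered trusted issuer '$issuerName'."
} else {
    Write-Host "Trusted issuer '$issuerName' already exists; leaving it unchanged."
}

# Review the resulting trust list. The issuer identifier and signing certificate
# are read from the partner's metadata document, not supplied by this script,
# so an unexpected RegisteredIssuerName here indicates the wrong endpoint was used.
Get-SPTrustedSecurityTokenIssuer |
    Select-Object Name, RegisteredIssuerName, MetadataEndPoint |
    Format-Table -AutoSize
```

Run it in the SharePoint Management Shell on a server in the farm that will receive the incoming requests; the partner farm needs its own run with the roles reversed.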

Case 2: Farms are part of an Office 365 tenancy

If the farm that runs SharePoint Server and the other server that can perform server-to-server authentication are both part of an Office 365 tenancy, no additional configuration for server-to-server authentication is needed.

After you determine the set of servers that require server-to-server authentication, see Configure server-to-server authentication in SharePoint Server to configure the server-to-server trust relationships.

See also

Concepts

Authentication overview for SharePoint Server

Server-to-server authentication and user profiles in SharePoint Server