Configuring Active Directory Federation Services (AD FS 2.0) for Lync Server 2013


Topic Last Modified: 2013-07-03

The following section describes how to configure Active Directory Federation Services (AD FS 2.0) to support multi-factor authentication. For information on how to install AD FS 2.0, see the AD FS 2.0 Step-by-Step and How To Guides at https://go.microsoft.com/fwlink/p/?LinkId=313374.

Note

When installing AD FS 2.0, do not use Windows Server Manager to add the Active Directory Federation Services role. Instead, download and install the Active Directory Federation Services 2.0 RTW package at https://go.microsoft.com/fwlink/p/?LinkId=313375.

To configure AD FS for two-factor authentication

  1. Log in to the AD FS 2.0 computer using a Domain Admin account.

  2. Start Windows PowerShell.

  3. From the Windows PowerShell command line, run the following command:

    add-pssnapin Microsoft.Adfs.PowerShell
    
  4. Establish a partnership with each Lync Server 2013 Director, Enterprise Pool, and Standard Edition server (running Cumulative Updates for Lync Server 2013: July 2013) that will be enabled for passive authentication by running the following command, replacing the server name with the one specific to your deployment:

    Add-ADFSRelyingPartyTrust -Name LyncPool01-PassiveAuth -MetadataURL https://lyncpool01.contoso.com/passiveauth/federationmetadata/2007-06/federationmetadata.xml
    
  5. From the Administrative Tools menu, launch the AD FS 2.0 Management console.

  6. Expand Trust Relationships > Relying Party Trusts.

  7. Verify that a new trust has been created for your Lync Server 2013 Enterprise Pool or Standard Edition server running Cumulative Updates for Lync Server 2013: July 2013.

  8. Create and assign an Issuance Authorization Rule for your relying party trust using Windows PowerShell by running the following commands:

     $IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
    
     Set-ADFSRelyingPartyTrust -TargetName LyncPool01-PassiveAuth -IssuanceAuthorizationRules $IssuanceAuthorizationRules
    
  9. Create and assign an Issuance Transform Rule for your relying party trust using Windows PowerShell by running the following commands:

     $IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]=> issue(claim = c);'
    
     Set-ADFSRelyingPartyTrust -TargetName LyncPool01-PassiveAuth -IssuanceTransformRules $IssuanceTransformRules
    
  10. From the AD FS 2.0 Management console, right-click your relying party trust and select Edit Claim Rules.

  11. Select the Issuance Authorization Rules tab and verify that the new authorization rule was created successfully.

  12. Select the Issuance Transform Rules tab and verify that the new transform rule was created successfully.
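As an added example (not part of the original article), the following PowerShell applies steps 3, 4, 8 and 9 to several pools in one pass and then reads each trust back to confirm that both rule sets were applied, which is the check steps 11 and 12 perform in the console. The pool names are constructed placeholders, and the `IssuanceAuthorizationRules` and `IssuanceTransformRules` properties are assumed to be those exposed by `Get-ADFSRelyingPartyTrust` in AD FS 2.0.

```powershell
# Added example, not the article's own script. Applies the relying party trust
# and claim rules from the procedure above to each listed pool, idempotently.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Rule strings exactly as given in steps 8 and 9 of the article.
$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]=> issue(claim = c);'

function Set-LyncPassiveAuthTrust {
    param([Parameter(Mandatory = $true)][string]$PoolFqdn)

    # Trust name follows the article's convention: <pool host name>-PassiveAuth
    $trustName   = $PoolFqdn.Split('.')[0] + '-PassiveAuth'
    $metadataUrl = "https://$PoolFqdn/passiveauth/federationmetadata/2007-06/federationmetadata.xml"

    # Step 4: create the trust from the pool's federation metadata, but only if
    # it does not already exist, so re-running the script is safe.
    if (-not (Get-ADFSRelyingPartyTrust -Name $trustName)) {
        Add-ADFSRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl
    }

    # Steps 8 and 9: assign the authorization and transform rules in one call.
    Set-ADFSRelyingPartyTrust -TargetName $trustName `
        -IssuanceAuthorizationRules $IssuanceAuthorizationRules `
        -IssuanceTransformRules $IssuanceTransformRules

    # Steps 11 and 12 from the shell: read the trust back and confirm the permit
    # rule and the primary SID pass-through rule are present (assumed property
    # names on the object returned by Get-ADFSRelyingPartyTrust).
    $trust = Get-ADFSRelyingPartyTrust -Name $trustName
    New-Object PSObject -Property @{
        Trust               = $trustName
        MetadataUrl         = $metadataUrl
        AuthorizationRuleOk = ($trust.IssuanceAuthorizationRules -like '*AllowAllAuthzRule*')
        TransformRuleOk     = ($trust.IssuanceTransformRules -like '*primarysid*')
    }
}

# Constructed placeholder FQDNs for a Director, an Enterprise Pool and a
# Standard Edition server; replace them with your deployment's servers.
$pools = 'lyncdir01.contoso.com', 'lyncpool01.contoso.com', 'lyncse01.contoso.com'
$pools | ForEach-Object { Set-LyncPassiveAuthTrust -PoolFqdn $_ } | Format-Table -AutoSize
```

A row with either Ok column set to False means the corresponding rule did not take and the trust should be inspected under Edit Claim Rules before enabling passive authentication on that pool.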