Configuring Microsoft Lync Server 2013 in a cross-premises environment


Topic Last Modified: 2017-02-21

In a cross-premises configuration, some of your users are homed on an on-premises installation of Microsoft Lync Server 2013 while other users are homed on the Microsoft 365 or Office 365 version of Lync Server. In order to configure server-to-server authentication in a cross-premises environment, you must first configure your on-premises installation of Lync Server 2013 to trust the Microsoft 365 Authorization server. The initial step in this process can be carried out by running the following Lync Server Management Shell script:

# Look up the tenant ID; the authorization server's metadata URL is keyed on the
# tenant ID (the realm), not on the tenant's display name.
$TenantId = (Get-CsTenant -Filter {DisplayName -eq "Fabrikam.com"}).TenantId

# Register the Microsoft 365 / Office 365 authorization server (microsoft.sts)
# as a trusted OAuth server, or recreate it if it points at the wrong metadata URL.
$sts = Get-CsOAuthServer microsoft.sts -ErrorAction SilentlyContinue

if ($sts -eq $null)
   {
      New-CsOAuthServer microsoft.sts -MetadataUrl "https://accounts.accesscontrol.windows.net/$TenantId/metadata/json/1"
   }
else
   {
      if ($sts.MetadataUrl -ne "https://accounts.accesscontrol.windows.net/$TenantId/metadata/json/1")
         {
            Remove-CsOAuthServer microsoft.sts
            New-CsOAuthServer microsoft.sts -MetadataUrl "https://accounts.accesscontrol.windows.net/$TenantId/metadata/json/1"
         }
   }

# Register Exchange as a partner application that authenticates through the
# OAuth server above, or fix it up if it exists with a different application
# identifier or trust level.
$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue

if ($exch -eq $null)
   {
      New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
   }
else
   {
      if ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000")
         {
            Remove-CsPartnerApplication microsoft.exchange
            New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
         }
      else
         {
            Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full -UseOAuthServer
         }
   }

# Set the service name that identifies Lync Server in OAuth tokens.
Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

Keep in mind that the realm name for a tenant is typically different from the organization name; in fact, the realm name is almost always the same as the tenant ID. Because of that, the first line in the script is used to return the value of the TenantId property for the specified tenant (in this case, fabrikam.com) and then assign that value to the variable $TenantId:

$TenantId = (Get-CsTenant -Filter {DisplayName -eq "Fabrikam.com"}).TenantId

After the script completes you must then configure a trust relationship between Lync Server 2013 and the authorization server, and a second trust relationship between Exchange 2013 and the authorization server. This can only be done by using the Microsoft Online Services cmdlets.

Note

If you have not installed the Microsoft Online Services cmdlets you will need to do two things before proceeding. First, download and install the 64-bit version of the Microsoft Online Services Sign-in Assistant. After installation is complete, download and install the 64-bit version of the Microsoft Online Services Module for Windows PowerShell. Detailed information for installing and using the Microsoft Online Services Module can be found on the Microsoft 365 or Office 365 web site. These instructions will also tell you how to configure single sign-on, federation, and synchronization between Microsoft 365 or Office 365 and Active Directory.
If you have not installed these cmdlets your script will fail because the Get-CsTenant cmdlet will not be available.

After you have configured Microsoft 365, and after you have created Microsoft 365 or Office 365 service principals for Lync Server 2013 and Exchange 2013, you will then need to register your credentials with these service principals. In order to do this, you must first obtain an X.509 certificate saved as a Base64-encoded .CER file. This certificate will then be applied to the Microsoft 365 or Office 365 service principals.

When you have obtained the X.509 certificate, start the Microsoft Online Services Module (click Start, click All Programs, click Microsoft Online Services, and then click Microsoft Online Services Module for Windows PowerShell). After the Services Module opens, type the following to import the Microsoft Online Windows PowerShell module containing the cmdlets that can be used to manage service principals:

Import-Module MSOnlineExtended

When the module has been imported, type the following command and then press ENTER in order to connect to Microsoft 365:

Connect-MsolService

After you press ENTER, a credentials dialog box will appear. Enter your Microsoft 365 or Office 365 user name and password in the dialog box, and then click OK.

As soon as you are connected to Microsoft 365 you can then run the following command in order to return information about your service principals:

Get-MsolServicePrincipal

You should get back information similar to this for all your service principals:

ExtensionData        : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled       : True
Addresses            : {}
AppPrincipalId       : 00000004-0000-0ff1-ce00-000000000000
DisplayName          : Microsoft Lync Server
ObjectId             : aada5fbd-c0ae-442a-8c0b-36fec40602e2
ServicePrincipalName : LyncServer/litwareinc.com
TrustedForDelegation : True

The next step is to import, encode, and assign the X.509 certificate. To import and encode the certificate, use the following Windows PowerShell commands, being sure to specify the complete file path to your .CER file when you call the Import method:

# Load the certificate from the .CER file (use the full path to your file).
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\Certificates\Office365.cer")
# Take the raw DER bytes of the certificate and Base64-encode them; this string
# is the value registered on the service principals.
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

After the certificate has been imported and encoded, you can then assign the certificate to your Microsoft 365 service principals. To do that, first use Get-MsolServicePrincipal to retrieve the value of the AppPrincipalId property for both the Lync Server and the Microsoft Exchange service principals; the value of the AppPrincipalId property will be used to identify the service principal being assigned the certificate. With the AppPrincipalId property value for Lync Server 2013 in hand, use the following command to assign the certificate to the Microsoft 365 version of Lync Server (the StartDate and EndDate properties should correspond to the validity period of the certificate):

New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue -StartDate 6/1/2012 -EndDate 5/31/2013

You should then repeat the command, this time using the AppPrincipalId property value for Exchange 2013.
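The import, encode and assign steps above can be combined into one script that takes the StartDate and EndDate from the certificate itself rather than typing them by hand, refuses a certificate that is outside its validity period, and registers the same certificate on both the Lync Server and Exchange service principals without creating duplicates on a re-run. This is an added example, not code from the original page; it assumes MSOnlineExtended is imported and Connect-MsolService has succeeded, uses the page's sample path and AppPrincipalIds, and assumes that Get-MsolServicePrincipalCredential accepts -ReturnKeyValues $true to return the Value field (which the page's sample output shows blank by default).

```powershell
# Added example (not from the original page). Assumes an open Connect-MsolService
# session. Replace the path with the location of your own .CER file.
$cerPath = "C:\Certificates\Office365.cer"

# X509Certificate2 exposes NotBefore/NotAfter, so the validity window passed to
# New-MsolServicePrincipalCredential is read from the certificate, not retyped.
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificate.Import($cerPath)

# Refuse to register a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $certificate.NotBefore -or $now -gt $certificate.NotAfter) {
    throw "Certificate $($certificate.Thumbprint) is outside its validity period ($($certificate.NotBefore) to $($certificate.NotAfter))."
}

# Base64 of the raw DER bytes, as on the page.
$credentialsValue = [System.Convert]::ToBase64String($certificate.GetRawCertData())

# The two service principals the page registers the certificate on.
$appPrincipalIds = @(
    "00000004-0000-0ff1-ce00-000000000000",   # Microsoft Lync Server
    "00000002-0000-0ff1-ce00-000000000000"    # Microsoft Exchange
)

foreach ($appId in $appPrincipalIds) {
    # Assumption: -ReturnKeyValues $true makes the cmdlet return the Value field,
    # so an existing registration of this same certificate can be detected.
    $existing = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true |
        Where-Object { $_.Value -eq $credentialsValue }
    if ($existing) {
        Write-Host "Certificate already registered on $appId (KeyId $($existing.KeyId)); skipping."
        continue
    }

    New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Asymmetric -Usage Verify `
        -Value $credentialsValue -StartDate $certificate.NotBefore -EndDate $certificate.NotAfter
    Write-Host "Registered certificate $($certificate.Thumbprint) on $appId, valid $($certificate.NotBefore) to $($certificate.NotAfter)."
}
```

Reading the dates from the certificate avoids the common mismatch where the credential's EndDate outlives the certificate's NotAfter; the duplicate check matters because every re-run of the page's one-line command adds another KeyId that then has to be cleaned up with Remove-MsolServicePrincipalCredential.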

If you later need to delete that certificate, you can do so by first retrieving the KeyId for the certificate:

Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000

That command will return data like this:

Type      : Asymmetric
Value     : 
KeyId     : bc2795f3-2387-4543-a95d-f92c85c7a1b0
StartDate : 6/1/2012 8:00:00 AM
EndDate   : 5/31/2013 8:00:00 AM
Usage     : Verify

You can then delete the certificate by using a command similar to this:

Remove-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -KeyId bc2795f3-2387-4543-a95d-f92c85c7a1b0

In addition to assigning a certificate you must also configure the Microsoft 365 service principal for Exchange Online by adding the service principal name for your on-premises version of Lync Server 2013. This can be done by running the following four lines in a Microsoft Online Services PowerShell session:

# Make sure the Exchange Online service principal is enabled.
Set-MSOLServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true

# Add the on-premises Lync Server host (here the sample lync.contoso.com) as a
# service principal name on the Lync Server service principal, then write the
# updated list back.
$lyncSP = Get-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
$lyncSP.ServicePrincipalNames.Add("00000004-0000-0ff1-ce00-000000000000/lync.contoso.com")
Set-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $lyncSP.ServicePrincipalNames
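The four lines above append the SPN unconditionally, so running them twice adds it twice, and nothing confirms that the write actually took effect. The following added example (not code from the original page) only adds the SPN when it is missing and then reads the service principal back from the service to verify it; it assumes an open Connect-MsolService session and uses the page's sample host name lync.contoso.com, which you would replace with your own on-premises Lync Server name.

```powershell
# Added example (not from the original page). Assumes Connect-MsolService has
# already succeeded. lync.contoso.com is the page's sample host name.
$lyncAppId = "00000004-0000-0ff1-ce00-000000000000"
$spn = "$lyncAppId/lync.contoso.com"

$lyncSP = Get-MsolServicePrincipal -AppPrincipalId $lyncAppId
if ($lyncSP.ServicePrincipalNames -contains $spn) {
    Write-Host "SPN $spn already present on $($lyncSP.DisplayName); nothing to do."
} else {
    # Append to the existing list and write the whole list back, as the page does.
    $lyncSP.ServicePrincipalNames.Add($spn)
    Set-MsolServicePrincipal -AppPrincipalId $lyncAppId -ServicePrincipalNames $lyncSP.ServicePrincipalNames
}

# Verify against the service rather than trusting the local object.
$check = Get-MsolServicePrincipal -AppPrincipalId $lyncAppId
if ($check.ServicePrincipalNames -notcontains $spn) {
    throw "SPN $spn was not registered on $lyncAppId."
}
Write-Host "Service principal names now registered on $($check.DisplayName):"
$check.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }
```

The read-back at the end is the check worth keeping: the SPN list is what the authorization server matches tokens against, so a silent write failure here shows up later as server-to-server authentication errors that are much harder to trace.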