Token-based authentication for cloud management gateway

Applies to: Configuration Manager (current branch)

The cloud management gateway (CMG) supports many types of clients, but even with Enhanced HTTP, these clients require a client authentication certificate. This certificate requirement can be challenging to provision on internet-based clients that don't often connect to the internal network, aren't able to join Azure Active Directory (Azure AD), and don't have a method to install a PKI-issued certificate.

To overcome these challenges, starting in version 2002, Configuration Manager extends its device support by issuing its own authentication tokens to devices. To take full advantage of this feature, after you update the site, also update clients to the latest version. The complete scenario isn't functional until the client version is also the latest. If necessary, make sure you promote the new client version to production.

Clients initially register for these tokens using one of the following two methods:

  • Internal network

  • Bulk registration

The Configuration Manager client, together with the management point, manages this token, so there's no OS version dependency. This feature is available for any supported client OS version.

Note

These methods only support device-centric management scenarios.

Microsoft recommends joining devices to Azure AD. Internet-based devices can use Azure AD to authenticate with Configuration Manager. It also enables both device and user scenarios whether the device is on the internet or connected to the internal network. For more information, see Install and register the client using Azure AD identity.

Internal network registration

This method requires the client to first register with the management point on the internal network. Client registration typically happens right after installation. The management point gives the client a unique token that shows it's using a self-signed certificate. When the client roams onto the internet, to communicate with the CMG it pairs its self-signed certificate with the management point-issued token.

The site enables this behavior by default.

Bulk registration token

If you can't install and register clients on the internal network, create a bulk registration token. Use this token when the client installs on an internet-based device and registers through the CMG. The bulk registration token has a short validity period and isn't stored on the client or the site. It allows the client to generate a unique token which, paired with its self-signed certificate, lets it authenticate with the CMG.

Note

Don't confuse bulk registration tokens with those that Configuration Manager issues to individual clients. The bulk registration token enables the client to initially install and communicate with the site. This initial communication is long enough for the site to issue the client its own, unique client authentication token. The client then uses its authentication token for all communication with the site while it's on the internet. Beyond the initial registration, the client doesn't use or store the bulk registration token.

To create a bulk registration token for use during client installation on internet-based devices, complete the following actions:

  1. Sign in to the top-level site server in the hierarchy with local administrator privileges.

  2. Open a command prompt as an administrator.

  3. Run the tool from the \bin\X64 folder of the Configuration Manager installation directory on the site server: BulkRegistrationTokenTool.exe. Create a new token with the /new parameter. For example, BulkRegistrationTokenTool.exe /new. For more information, see Bulk registration token tool usage.

  4. Copy the token and save it in a secure location.

  5. Install the Configuration Manager client on an internet-based device. Include the client installation parameter /regtoken. The following example command line includes the other required setup parameters and properties:

    ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCAA

    Tip

    For more information on this command line, see Install and register the client using Azure AD identity. This process is similar; it just doesn't use the Azure AD properties.
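Before handing a bulk registration token to ccmsetup /regtoken, an administrator can decode its claims to confirm it is a BulkRegistration token and is still inside the validity window set by /lifetime. The following PowerShell is an added example, not part of the Configuration Manager documentation or tooling: the function names (ConvertFrom-Base64Url, Get-BulkRegTokenInfo, New-SampleToken) are its own, and the token it builds is constructed with the same claim layout as the one shown above, a placeholder tenant and issuer, and a fake signature.

```powershell
# Added example (not Configuration Manager code or tooling): decode the claims
# of a bulk registration token and check it is usable before running ccmsetup.
# Only the claims are decoded; the RS256 signature can only be verified by the site.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-BulkRegTokenInfo {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a header.payload.signature JWT' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow
    $nbf = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.nbf)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    [pscustomobject]@{
        Type        = $claims.Type       # a bulk token carries 'BulkRegistration'
        Audience    = $claims.aud        # 'urn:sccm:service' in the token above
        UniqueId    = $claims.UniqueId   # GUID claim carried in the token
        NotBefore   = $nbf.UtcDateTime
        Expires     = $exp.UtcDateTime
        MinutesLeft = [math]::Floor(($exp - $now).TotalMinutes)
        IsUsableNow = (($claims.Type -eq 'BulkRegistration') -and
                       ($now -ge $nbf) -and ($now -lt $exp))
    }
}

# Constructed sample token: same claim layout as a real one, placeholder tenant
# and issuer, fake signature, lifetime of 4320 minutes (the /new default).
function New-SampleToken {
    $nbf = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $b64u = { param($x)
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($x)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = '{"typ":"JWT","alg":"RS256"}'
    $payload = @{
        SCCMTokenCategory = 'SCCMPreAuthToken'; Authority = 'SCCM'; License = 'SCCM'
        Type = 'BulkRegistration'; TenantId = '00000000-0000-0000-0000-000000000000'
        UniqueId = [guid]::NewGuid().ToString(); iss = 'urn:sccm:oauth2:PLACEHOLDER'
        aud = 'urn:sccm:service'; nbf = $nbf; exp = $nbf + (4320 * 60)
    } | ConvertTo-Json -Compress
    "$(& $b64u $header).$(& $b64u $payload).ZmFrZS1zaWduYXR1cmU"
}

$info = Get-BulkRegTokenInfo -Token (New-SampleToken)
$info | Format-List
if (-not $info.IsUsableNow) {
    throw 'Token expired or wrong type; create a new one with BulkRegistrationTokenTool.exe /new'
}
```

Because the token is never stored on the client or the site, this check is the last point at which an expired or wrong-type token can be caught before an install fails; a valid signature is still required by the site, which this script cannot check.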

To verify, review the following log file for a similar entry:

Rotating internet management point, new management point [1] is: https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 (0) with capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>

To troubleshoot installation, review %WinDir%\ccmsetup\logs\ccmsetup.log on the client. After installation, review %WinDir%\ccm\logs\ClientIDManagerStartup.log.

On the server, review the following logs:

  • CMG logs
  • Management point
    • CCM_STS.log
    • MP_RegistrationManager.log
    • ClientAuth.log

Known issues

You can't create a bulk registration token on a site that has a site server in passive mode.

Bulk registration token tool usage

The BulkRegistrationTokenTool.exe tool is in the \bin\X64 folder of the Configuration Manager installation directory on the site server. Sign in to the site server, and run it as an administrator. It supports the following command-line parameters:

  • /?
  • /new
  • /lifetime

/?

Display this usage information.

Example: BulkRegistrationTokenTool.exe /?

/new

Create a new bulk registration token.

Example: BulkRegistrationTokenTool.exe /new

The tool displays the following information:

  • A GUID that the site uses to track issued tokens.
  • The token validity period, which is three days by default.
  • The bulk registration token.

The token isn't stored on the client or the site. Make sure to copy the token from the command prompt and store it in a secure location.

/lifetime

Use with the /new parameter to specify the token's validity period. Specify an integer value in minutes. The default value is 4,320 (three days). The maximum value is 10,080 (seven days).

Example: BulkRegistrationTokenTool.exe /lifetime 4320

Bulk registration token management

You can see previously created bulk registration tokens and their lifetimes in the Configuration Manager console and block their usage if necessary. The site database doesn't, however, store bulk registration tokens.

Review a bulk registration token

  1. In the Configuration Manager console, go to the Administration workspace.

  2. Expand Security, and select the Certificates node. The console lists all site-related certificates and bulk registration tokens in the details pane.

  3. Select the bulk registration token to review.

You can filter or sort on the Type column. Identify specific bulk registration tokens based on their GUID. When you create a bulk registration token, the tool displays the GUID.

Block a bulk registration token

  1. In the Configuration Manager console, go to the Administration workspace.

  2. Expand Security, select the Certificates node, and select the bulk registration token to block.

  3. On the Home tab of the ribbon bar or the right-click context menu, select Block. To unblock previously blocked bulk registration tokens, select the Unblock action.

Token renewal

The client renews its unique, Configuration Manager-issued token once a month, and the token is valid for 90 days. A client doesn't need to connect to the internal network to renew its token. As long as the token is still valid, connecting to the site through a CMG is sufficient. If the token isn't renewed within 90 days, the client must directly connect to a management point on the internal network to receive a new token.

You can't renew a bulk registration token. Once a bulk registration token expires, generate a new one for internet-based device registration through a CMG.
