How to configure Exchange Server on-premises to use Hybrid Modern Authentication

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Hybrid Modern Authentication (HMA) is a method of identity management that offers more secure user authentication and authorization, and is available for Exchange Server on-premises hybrid deployments.

FYI

Before we begin, this article uses the following abbreviations:

  • Hybrid Modern Authentication > HMA

  • Exchange on-premises > EXCH

  • Exchange Online > EXO

Also, if a graphic in this article has an object that's 'grayed-out' or 'dimmed', that means the element shown in gray is not included in HMA-specific configuration.

Enabling Hybrid Modern Authentication

Turning on HMA means:

  1. Being sure you meet the prerequisites before you begin.

  2. Since many prerequisites are common for both Skype for Business and Exchange, review Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers. Do this before you begin any of the steps in this article.

  3. Adding on-premises web service URLs as Service Principal Names (SPNs) in Azure AD.

  4. Ensuring all Virtual Directories are enabled for HMA.

  5. Checking for the EvoSTS Auth Server object.

  6. Enabling HMA in EXCH.

Note: Does your version of Office support MA? See How modern authentication works for Office 2013 and Office 2016 client apps.

Make sure you meet all the prerequisites

Since many prerequisites are common for both Skype for Business and Exchange, review Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers. Do this before you begin any of the steps in this article.

Add on-premises web service URLs as SPNs in Azure AD

Run the commands that assign your on-premises web service URLs as Azure AD SPNs. SPNs are used by client machines and devices during authentication and authorization. All the URLs that might be used to connect from on-premises to Azure Active Directory (Azure AD) must be registered in Azure AD (this includes both internal and external namespaces).

First, gather all the URLs that you need to add in AAD. Run these commands on-premises:

Get-MapiVirtualDirectory | FL server,*url*
Get-WebServicesVirtualDirectory | FL server,*url*
Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri
Get-OABVirtualDirectory | FL server,*url*
Get-AutodiscoverVirtualDirectory | FL server,*url*
Get-OutlookAnywhere | FL server,*url*

Ensure the URLs clients may connect to are listed as HTTPS service principal names in AAD.

  1. First, connect to AAD with these instructions.

    Note: You need to use the Connect-MsolService option from this page to be able to use the command below.

  2. For your Exchange-related URLs, type the following command:

    Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames


    Take note of (and screenshot for later comparison) the output of this command, which should include an https://autodiscover.yourdomain.com and https://mail.yourdomain.com URL, but mostly consist of SPNs that begin with 00000002-0000-0ff1-ce00-000000000000/. If any https:// URLs from your on-premises environment are missing, you will need to add those specific records to this list.

  3. If you don't see your internal and external MAPI/HTTP, EWS, ActiveSync, OAB, and Autodiscover records in this list, you must add them using the commands below (the example URLs are 'mail.corp.contoso.com' and 'owa.contoso.com', but you'd replace the example URLs with your own):

    $x= Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
    $x.ServicePrincipalnames.Add("https://mail.corp.contoso.com/")
    $x.ServicePrincipalnames.Add("https://owa.contoso.com/")
    Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames
  4. Verify your new records were added by running the Get-MsolServicePrincipal command from step 2 again and looking through the output. Compare the list / screenshot from before to the new list of SPNs. You might also take a screenshot of the new list for your records. If you were successful, you will see the two new URLs in the list. Going by our example, the list of SPNs will now include the specific URLs https://mail.corp.contoso.com and https://owa.contoso.com.
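The discovery and registration steps above, combined into one idempotent script, as an added example that is not part of the original article. It assumes the on-premises Exchange Management Shell with the MSOnline module loaded and Connect-MsolService already run; ConvertTo-HttpsSpn is a helper defined here, not an Exchange or MSOnline cmdlet.

```powershell
# Added example (not from the original article): gather every URL the article's
# Get-* commands return, turn each into the https://host/ form the SPN list uses,
# and register only the ones missing from the Exchange Online service principal.
# Assumes the on-premises Exchange Management Shell with the MSOnline module
# loaded and Connect-MsolService already run.
$ExoAppId = '00000002-0000-0ff1-ce00-000000000000'   # Exchange Online app id used in the article

function ConvertTo-HttpsSpn {
    param([Parameter(Mandatory)][string]$Value)
    # Accepts a full URL (https://mail.contoso.com/mapi) or a bare hostname
    # (Outlook Anywhere returns hostnames) and yields https://host/ for the SPN.
    $hostName = if ($Value -match '^https?://') { ([System.Uri]$Value).Host } else { $Value }
    'https://{0}/' -f $hostName.ToLowerInvariant()
}

# Same sources as the article's discovery commands, collected as values rather than printed.
$raw = @(
    Get-MapiVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-WebServicesVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OABVirtualDirectory          | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OutlookAnywhere              | ForEach-Object { $_.InternalHostname; $_.ExternalHostname }
    Get-ClientAccessServer           | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
)

$wanted = $raw |
    Where-Object { $_ -and "$_".Trim() } |
    ForEach-Object { ConvertTo-HttpsSpn -Value "$_" } |
    Sort-Object -Unique

$sp = Get-MsolServicePrincipal -AppPrincipalId $ExoAppId
# Compare without trailing slash and case, so https://Mail.Contoso.com matches https://mail.contoso.com/.
$existing = @($sp.ServicePrincipalNames | ForEach-Object { $_.TrimEnd('/').ToLowerInvariant() })
$missing  = @($wanted | Where-Object { $existing -notcontains $_.TrimEnd('/') })

if ($missing.Count -eq 0) {
    'All on-premises URLs are already registered as SPNs.'
    return
}

'Adding missing SPNs:'; $missing
foreach ($spn in $missing) { $sp.ServicePrincipalNames.Add($spn) }
Set-MsolServicePrincipal -AppPrincipalId $ExoAppId -ServicePrincipalNames $sp.ServicePrincipalNames

# Re-read and confirm, as the article's step 4 does by hand.
(Get-MsolServicePrincipal -AppPrincipalId $ExoAppId).ServicePrincipalNames |
    Where-Object { $_ -like 'https://*' }
```

Review the "Adding missing SPNs" list before letting the script run unattended; a stale or mistyped virtual directory URL on-premises would otherwise be registered as-is.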

Verify Virtual Directories are Properly Configured

Now verify OAuth is properly enabled in Exchange on all of the Virtual Directories Outlook might use by running the following commands:

Get-MapiVirtualDirectory | FL server,*url*,*auth*
Get-WebServicesVirtualDirectory | FL server,*url*,*oauth*
Get-OABVirtualDirectory | FL server,*url*,*oauth*
Get-AutoDiscoverVirtualDirectory | FL server,*oauth*

Check the output to make sure OAuth is enabled on each of these VDirs; it will look something like this (and the key thing to look for is 'OAuth'):

Get-MapiVirtualDirectory | fl server,*url*,*auth*

Server                        : EX1
InternalUrl                   : https://mail.contoso.com/mapi
ExternalUrl                   : https://mail.contoso.com/mapi
IISAuthenticationMethods      : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}

If OAuth is missing from any server or any of the four virtual directories, you need to add it using the relevant commands before proceeding (Set-MapiVirtualDirectory, Set-WebServicesVirtualDirectory, Set-OABVirtualDirectory, and Set-AutodiscoverVirtualDirectory).
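The check and remediation described in this section, as an added example that is not from the original article. It walks the four virtual directory types on every server, reports where OAuth is absent, and with -Fix adds it using the corresponding Set-* cmdlet; the $checks table and the -Fix switch are constructs of this example.

```powershell
# Added example (not from the original article): report every server / virtual
# directory where OAuth is missing from the authentication methods, and with
# -Fix add it using the matching Set-* cmdlet named in the article.
# Run in the on-premises Exchange Management Shell.
param([switch]$Fix)

# MAPI exposes a list of methods; EWS, OAB and Autodiscover expose a boolean OAuthAuthentication.
$checks = @(
    @{ Get = 'Get-MapiVirtualDirectory';         Set = 'Set-MapiVirtualDirectory';         Kind = 'List' },
    @{ Get = 'Get-WebServicesVirtualDirectory';  Set = 'Set-WebServicesVirtualDirectory';  Kind = 'Bool' },
    @{ Get = 'Get-OABVirtualDirectory';          Set = 'Set-OABVirtualDirectory';          Kind = 'Bool' },
    @{ Get = 'Get-AutodiscoverVirtualDirectory'; Set = 'Set-AutodiscoverVirtualDirectory'; Kind = 'Bool' }
)

foreach ($c in $checks) {
    foreach ($vdir in (& $c.Get)) {
        if ($c.Kind -eq 'Bool') {
            $ok = [bool]$vdir.OAuthAuthentication
        } else {
            $ok = @($vdir.IISAuthenticationMethods | ForEach-Object { "$_" }) -contains 'OAuth'
        }
        $status = if ($ok) { 'OK' } else { 'MISSING' }
        '{0,-8} {1,-12} {2}' -f $status, $vdir.Server, $vdir.Identity
        if ($ok -or -not $Fix) { continue }
        if ($c.Kind -eq 'Bool') {
            & $c.Set -Identity $vdir.Identity -OAuthAuthentication $true
        } else {
            # Keep the existing methods (Ntlm, Negotiate, ...) and append OAuth.
            $methods = @($vdir.IISAuthenticationMethods | ForEach-Object { "$_" }) + 'OAuth'
            & $c.Set -Identity $vdir.Identity -IISAuthenticationMethods $methods
        }
    }
}
```

Run it once without -Fix to get the report, then rerun the article's Get-* commands after fixing to confirm the change took effect on every server.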

Confirm the EvoSTS Auth Server Object is Present

Return to the on-premises Exchange Management Shell for this last command. Now you can validate that your on-premises environment has an entry for the EvoSTS authentication provider:

Get-AuthServer | where {$_.Name -eq "EvoSts"}

Your output should show an AuthServer with the Name EvoSts, and the 'Enabled' state should be True. If you don't see this, you should download and run the most recent version of the Hybrid Configuration Wizard.

Important: If you're running Exchange 2010 in your environment, the EvoSTS authentication provider won't be created.

Enable HMA

Run the following commands in the Exchange Management Shell, on-premises:

Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
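The EvoSTS check and the two enabling commands above, combined so that HMA is only switched on when the auth server object actually exists and is enabled, as an added example that is not from the original article. It assumes the on-premises Exchange Management Shell; the before/after objects are constructs of this example.

```powershell
# Added example (not from the original article): enable HMA only when the
# EvoSTS auth server the article describes is present and enabled, and show the
# before/after state of the two settings the article changes.
# Run in the on-premises Exchange Management Shell.
$evo = Get-AuthServer | Where-Object { $_.Name -eq 'EvoSts' }

if (-not $evo) {
    # Without EvoSTS there is nothing to enable; the article's remedy is the latest
    # Hybrid Configuration Wizard (and Exchange 2010 never gets an EvoSTS object).
    Write-Warning 'No EvoSts auth server found. Run the latest Hybrid Configuration Wizard first.'
    return
}
if (-not $evo.Enabled) {
    Write-Warning ('EvoSts exists but Enabled is {0}; fix that before turning on HMA.' -f $evo.Enabled)
    return
}

$before = [pscustomobject]@{
    EvoStsIsDefaultAuthorizationEndpoint = $evo.IsDefaultAuthorizationEndpoint
    OAuth2ClientProfileEnabled           = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
}
'Before:'; $before | Format-List

# The two commands from the article, run only once the checks above pass.
Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

$after = [pscustomobject]@{
    EvoStsIsDefaultAuthorizationEndpoint = (Get-AuthServer -Identity EvoSTS).IsDefaultAuthorizationEndpoint
    OAuth2ClientProfileEnabled           = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
}
'After:'; $after | Format-List
```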

Verify

Once you enable HMA, a client's next login will use the new auth flow. Note that just turning on HMA won't trigger a reauthentication for any client. The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have.

You should also hold down the CTRL key while you right-click the icon for the Outlook client (also in the Windows Notifications tray) and click 'Connection Status'. Look for the client's SMTP address against an 'Authn' type of 'Bearer*', which represents the bearer token used in OAuth.

Note: Need to configure Skype for Business with HMA? You'll need two articles: one that lists supported topologies, and one that shows you how to do the configuration.

Using Hybrid Modern Authentication with Outlook for iOS and Android

If you are an on-premises customer using Exchange Server on TCP 443, bypass traffic processing for the following IP ranges:

52.125.128.0/20
52.127.96.0/23

Modern Authentication configuration requirements for transition from Office 365 dedicated/ITAR to vNext