Configure authentication with the Web console

Important

This version of Operations Manager has reached the end of support. We recommend that you upgrade to Operations Manager 2019.

Configure SSL encryption

The following steps are necessary to configure Secure Sockets Layer (SSL) encryption after the Operations Manager Web console server has been installed on an Internet Information Services (IIS) 7.0 and higher web server. Before performing these steps, first review Configuring Secure Sockets Layer in IIS 7 and configure IIS to enable SSL for the web server hosting the Web console.

Note

When creating the certificate, you must provide the fully qualified domain name (FQDN) of the host and domain name in the Common name field to match the address users would enter in their web browser to access the Web console.

If you are experiencing issues with authentication prompts when attempting to access the Web console, check that the fully qualified domain name (FQDN) URL is included in Local Intranet Sites in Internet Explorer.

  1. Ensure that the SSL certificates are installed and configured on the management server.

  2. Add an HTTPS binding to the IIS website wherever the Operations Manager Web console is installed.

  3. After completing the above steps, reset the website hosting the Operations Manager Web console.

Note

The Enable SSL check box in the installer only works if you are using an HTTPS binding for the Web console. For more information, see How to set up SSL on IIS 7.

  1. Use a plain text editor to open the web.config in <PATH>:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\WebHost.

  2. In the <services> root element, modify the following in the <!-- Logon Service --> element:

    <endpoint address="" binding="customBinding" contract="Microsoft.EnterpriseManagement.Presentation.Security.Services.ILogonService" bindingConfiguration="DefaultHttpsBinding"/>

  3. In the <services> root element, modify the following in the <!-- Data Access service --> element:

    <endpoint address="" binding="customBinding" contract="Microsoft.EnterpriseManagement.Presentation.DataAccess.Server.IDataAccessService" bindingConfiguration="DefaultHttpsBinding"/>

  4. Save and close the file when finished.

  5. Click Start, click Run, type regedit, and then click OK.

  6. Under HKEY_LOCAL_MACHINE\Software\Microsoft\System Center Operations Manager\12\Setup\WebConsole\, double-click the value HTTP_GET_ENABLED and change its value to false. Double-click the value BINDING_CONFIGURATION and change its value to DefaultHttpsBinding.

  7. After completing the above steps, reset the website hosting the Operations Manager Web console.
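
To confirm that both endpoints and both registry values were actually switched, the following audit can be run after the procedure. It is an added example, not Microsoft's code or part of the original page; the function name Test-WebConsoleSsl, the sample service names and the sample values are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. The sample XML and registry values are constructed.
$Contracts = @(
    'Microsoft.EnterpriseManagement.Presentation.Security.Services.ILogonService',
    'Microsoft.EnterpriseManagement.Presentation.DataAccess.Server.IDataAccessService'
)

function Test-WebConsoleSsl {
    param(
        [Parameter(Mandatory)][xml]$WebConfig,  # parsed WebHost\web.config
        [Parameter(Mandatory)]$SetupKey         # values under ...\Setup\WebConsole
    )
    # Both service endpoints must reference the HTTPS binding.
    foreach ($contract in $Contracts) {
        $ep = $WebConfig.SelectSingleNode("//services//endpoint[@contract='$contract']")
        if ($null -eq $ep) {
            "web.config: no endpoint found for $contract"
        } elseif ($ep.GetAttribute('bindingConfiguration') -ne 'DefaultHttpsBinding') {
            "web.config: $contract uses '$($ep.GetAttribute('bindingConfiguration'))'"
        }
    }
    # The setup registry values must agree with the file.
    $want = [ordered]@{ HTTP_GET_ENABLED = 'false'; BINDING_CONFIGURATION = 'DefaultHttpsBinding' }
    foreach ($name in $want.Keys) {
        $have = [string]$SetupKey.$name
        if ($have -ne $want[$name]) { "registry: $name is '$have', expected '$($want[$name])'" }
    }
}

# Constructed sample: the Logon Service was changed, the Data Access service was missed,
# and HTTP_GET_ENABLED was left at true.
$tpl = '<service name="{0}"><endpoint address="" binding="customBinding" contract="{1}" bindingConfiguration="{2}"/></service>'
[xml]$sampleConfig = '<configuration><system.serviceModel><services>' +
    ($tpl -f 'SampleLogon', $Contracts[0], 'DefaultHttpsBinding') +
    ($tpl -f 'SampleDataAccess', $Contracts[1], 'DefaultHttpBinding') +
    '</services></system.serviceModel></configuration>'
$sampleKey = [pscustomobject]@{ HTTP_GET_ENABLED = 'true'; BINDING_CONFIGURATION = 'DefaultHttpsBinding' }

Test-WebConsoleSsl -WebConfig $sampleConfig -SetupKey $sampleKey

# On the server, pass the real inputs instead (the drive letter stays a placeholder):
# $cfg = [xml](Get-Content -Raw '<PATH>:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\WebHost\web.config')
# $key = Get-ItemProperty 'HKLM:\Software\Microsoft\System Center Operations Manager\12\Setup\WebConsole'
# Test-WebConsoleSsl -WebConfig $cfg -SetupKey $key
```

No output means every checked setting matches the values given in the steps above.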

Configure FIPS compliance

Follow these steps for the Operations Manager Web console server component to use algorithms that are compliant with Federal Information Processing Standards (FIPS). Enabling FIPS compliance for System Center - Operations Manager requires that the underlying infrastructure (server OS, Active Directory, and so on) also be FIPS compliant.

To install the cryptography DLL

  1. On the system hosting the Web console, use the Run as Administrator option to open a Command Prompt window.
  2. Change directories to the SupportTools directory of your installation media, and then change directory to AMD64.
  3. Run the following gacutil command: gacutil.exe -i Microsoft.EnterpriseManagement.Cryptography.dll

To edit the machine.config files

  1. Use a plain text editor to open the machine.config file in %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\.

  2. If the following content does not exist within the <Configuration> root element, add as follows:

    <mscorlib>
      <cryptographySettings>
        <cryptoNameMapping>
          <cryptoClasses>
            <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <cryptoClass HMACSHA256CSP="Microsoft.EnterpriseManagement.Cryptography.HMACSHA256, Microsoft.EnterpriseManagement.Cryptography, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          </cryptoClasses>
          <nameEntry name="SHA256" class="SHA256CSP"/>
          <nameEntry name="HMACSHA256" class="HMACSHA256CSP"/>
        </cryptoNameMapping>
      </cryptographySettings>
    </mscorlib>
    
  3. Save and close the file when finished.

Repeat the preceding steps on the following files:

  • %WinDir%\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • %WinDir%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
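
Because the same block has to be present in three machine.config files, it is easy to leave one of them incomplete. The following check is an added example, not Microsoft's code or part of the original page; the function name Get-MissingCryptoMapping and the sample XML are assumptions made for illustration. It verifies that each algorithm name maps to its class alias and that the alias is defined on a cryptoClass element.

```powershell
# Added example, not Microsoft's code. The sample XML is constructed.
function Get-MissingCryptoMapping {
    param([Parameter(Mandatory)][xml]$MachineConfig)
    # /* matches the root element whatever its letter case.
    $base = '/*/mscorlib/cryptographySettings/cryptoNameMapping'
    $expected = [ordered]@{ SHA256 = 'SHA256CSP'; HMACSHA256 = 'HMACSHA256CSP' }
    foreach ($name in $expected.Keys) {
        $class = $expected[$name]
        # The algorithm name must map to the class alias ...
        $entry = $MachineConfig.SelectSingleNode("$base/nameEntry[@name='$name'][@class='$class']")
        if ($null -eq $entry) { "nameEntry '$name' -> '$class' is missing" }
        # ... and the alias must be defined as an attribute on a <cryptoClass> element.
        $def = $MachineConfig.SelectSingleNode("$base/cryptoClasses/cryptoClass[@${class}]")
        if ($null -eq $def) { "cryptoClass alias '$class' is not defined" }
    }
}

# Constructed sample: HMACSHA256 has a nameEntry but its cryptoClass line was left out.
[xml]$sample = @'
<configuration>
  <mscorlib>
    <cryptographySettings>
      <cryptoNameMapping>
        <cryptoClasses>
          <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        </cryptoClasses>
        <nameEntry name="SHA256" class="SHA256CSP"/>
        <nameEntry name="HMACSHA256" class="HMACSHA256CSP"/>
      </cryptoNameMapping>
    </cryptographySettings>
  </mscorlib>
</configuration>
'@
Get-MissingCryptoMapping -MachineConfig $sample

# On the server, run it over the three files named above:
# 'Framework\v2.0.50727', 'Framework\v4.0.30319', 'Framework64\v4.0.30319' | ForEach-Object {
#     $path = Join-Path $env:WinDir "Microsoft.NET\$_\CONFIG\machine.config"
#     Get-MissingCryptoMapping ([xml](Get-Content -Raw $path)) | ForEach-Object { "${path}: $_" }
# }
```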

To edit the web.config file in the WebHost folder

  1. Use a plain text editor to open the web.config file at <Path>:\Program Files\System Center 2016\Operations Manager\WebConsole\WebHost\web.config.

  2. In the <encryption> element, add the following element if it does not exist: <symmetricAlgorithm iv="SHA256"/>

  3. In the <connection autoSignIn="true" autoSignOutInterval="30"> element, in the <session> tag, add the following attribute if it does not exist: tokenAlgorithm="SHA256"

    <connection autoSignIn="True" autoSignOutInterval="30">  
    <session encryptionKey="SessionEncryptionKey" tokenAlgorithm="SHA256">  
    
  4. Modify the following element by changing its value from true to false: <serviceMetadata httpGetEnabled="false"/>

  5. Modify the following two elements by changing their values from DefaultHttpBinding to DefaultHttpsBinding:

    <endpoint address="" binding="customBinding" contract="Microsoft.EnterpriseManagement.Presentation.Security.Services.ILogonService" bindingConfiguration="DefaultHttpsBinding"/>
    <endpoint address="" binding="customBinding" contract="Microsoft.EnterpriseManagement.Presentation.DataAccess.Server.IDataAccessService" bindingConfiguration="DefaultHttpsBinding"/>
    
  6. Save and close the file.

To edit the web.config file in the MonitoringView folder

  1. Use a plain text editor to open the web.config file at <PATH>:\Program Files\System Center 2012\Operations Manager\WebConsole\MonitoringView\web.config.

  2. In the <encryption> element, add the following element if it does not exist: <symmetricAlgorithm iv="SHA256"/>

  3. In the <connection autoSignIn="true" autoSignOutInterval="30"> element, in the <session> tag, add the following attribute if it does not exist: tokenAlgorithm="SHA256"

    <connection autoSignIn="True" autoSignOutInterval="30">
    <session encryptionKey="SessionEncryptionKey" tokenAlgorithm="SHA256">
    
  4. In the <system.web> element, add the following element if it does not exist:

    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
    
  5. Save and close the file.
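
The two web.config procedures share some settings and differ in others, so a per-folder rule table makes it clear which value belongs to which file. The following check is an added example, not Microsoft's code or part of the original page; the function name Test-FipsWebConfig, the rule table and the sample XML (including its sampleSection wrapper element) are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. The sample XML is constructed.
$common = @(
    @{ XPath = '//encryption/symmetricAlgorithm'; Attr = 'iv';             Want = 'SHA256' },
    @{ XPath = '//connection//session';           Attr = 'tokenAlgorithm'; Want = 'SHA256' }
)
$Rules = @{
    WebHost = $common + @(
        @{ XPath = '//serviceMetadata'; Attr = 'httpGetEnabled'; Want = 'false' }
    )
    MonitoringView = $common + @(
        @{ XPath = '//system.web/machineKey'; Attr = 'validation'; Want = '3DES' },
        @{ XPath = '//system.web/machineKey'; Attr = 'decryption'; Want = '3DES' }
    )
}

function Test-FipsWebConfig {
    param(
        [Parameter(Mandatory)][ValidateSet('WebHost', 'MonitoringView')][string]$Folder,
        [Parameter(Mandatory)][xml]$WebConfig
    )
    foreach ($rule in $Rules[$Folder]) {
        $nodes = $WebConfig.SelectNodes($rule.XPath)
        if ($nodes.Count -eq 0) { "$Folder $($rule.XPath): element is missing"; continue }
        foreach ($node in $nodes) {
            $have = $node.GetAttribute($rule.Attr)   # empty string when the attribute is absent
            if ($have -ne $rule.Want) {
                "$Folder $($rule.XPath)/@$($rule.Attr) is '$have', expected '$($rule.Want)'"
            }
        }
    }
}

# Constructed sample of a MonitoringView file in which tokenAlgorithm was never added.
[xml]$sample = @'
<configuration>
  <sampleSection>
    <encryption><symmetricAlgorithm iv="SHA256"/></encryption>
    <connection autoSignIn="True" autoSignOutInterval="30">
      <session encryptionKey="SessionEncryptionKey"/>
    </connection>
  </sampleSection>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
  </system.web>
</configuration>
'@
Test-FipsWebConfig -Folder MonitoringView -WebConfig $sample
```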

Configure login session

Note

By default, the Web console uses Windows authentication, if available, to log in to the website. The default session timeout interval for the Web console is 1 day, which is also the maximum value.

  1. To edit the value, use a plain text editor to open the web.config in <PATH>:\Program Files\Microsoft System Center\Operations Manager\WebConsole\Dashboard.
  2. In the <appSettings> root element, modify the following session timeout value, which is in minutes.
      <add key="SessionTimeout" value="1440"/>
    
  3. After completing the above steps, reset the website hosting the Operations Manager Web console.
