Add a Token-Signing Certificate

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Federation servers in Active Directory Federation Services (AD FS) require token-signing certificates to prevent attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated resources. Every token-signing certificate contains a cryptographic private key and public key; the private key is used to digitally sign a security token. Later, after the public key has been received by a partner federation server, that server uses it to validate the authenticity of the encrypted security token.

Warning

Certificates used for token-signing are critical to the stability of the Federation Service. Because loss or unplanned removal of any certificate configured for this purpose can disrupt service, you should back up every certificate configured for this purpose.

The token-signing certificate should chain to a trusted root in the Federation Service. You can use the following procedure to add the token-signing certificate to the AD FS Management snap-in from a file that you have exported.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To add a token-signing certificate

  1. On the Start screen, type AD FS Management, and then press ENTER.

  2. In the console tree, double-click Service, and then click Certificates.

  3. In the Actions pane, click the Add Token-Signing Certificate link.

  4. In the Browse for Certificate file dialog box, navigate to the certificate file that you want to add, select the certificate file, and then click Open.
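The same task can be scripted on the federation server with the AD FS and PKI PowerShell modules; the following is an added example, not part of the original page, and assumes the exported certificate is a PFX at a placeholder path and that you run it in an elevated session. It also adds the two checks a practitioner wants before handing the certificate to AD FS: that it chains to a trusted root on this server and that its private key is present.

```powershell
# Added example (not from the original page): equivalent of the snap-in procedure
# using the AD FS and PKI cmdlets. $pfxPath is a placeholder.
Import-Module ADFS
Import-Module PKI

$pfxPath = 'C:\certs\token-signing.pfx'   # placeholder: exported certificate with private key

# 1. AD FS signs tokens with the private key, so the certificate must live in the
#    local machine store, not the current user's store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Checks: the certificate must chain to a trusted root here, and the private
#    key must actually be present (a .cer without the key cannot sign anything).
if (-not (Test-Certificate -Cert $cert -Policy Base -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root on this server."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; AD FS cannot sign tokens with it."
}

# 3. AD FS rejects manually added certificates while automatic rollover is on,
#    so turn it off first (this also stops AD FS from generating its own).
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $false
}

# 4. Add it as a secondary token-signing certificate. Partners keep validating
#    tokens against the primary until this one is promoted.
Add-AdfsCertificate -CertificateType 'Token-Signing' -Thumbprint $cert.Thumbprint

# 5. Confirm that AD FS now lists it, and note each certificate's expiry so the
#    rollover can be planned before the primary lapses.
Get-AdfsCertificate -CertificateType 'Token-Signing' |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

Before promoting the new certificate with Set-AdfsCertificate -IsPrimary, give the AD FS service account read access to the private key and allow partners time to pick up the new public key from federation metadata, otherwise tokens signed with it will fail validation on their side.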

Additional references

Checklist: Setting Up a Federation Server

Certificate Requirements for Federation Servers