Checklist: Configuring the Account Partner Organization

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The account partner organization contains the users that will access Web-based applications in the resource partner. Administrators in this organization must use the AD FS Management snap-in to create relying party trusts to represent their trust relationships with resource partner organizations. In turn, the resource partner administrator must create claims provider trusts for each account partner organization that they want to trust.

This checklist includes tasks for deploying Active Directory Federation Services (AD FS) in the account partner organization. It also includes tasks for configuring the components that are required to establish one-half of a federation partnership.

If you are deploying a Web SSO Design, you do not have to follow this checklist. However, you do have to complete the tasks in this checklist to successfully deploy a Federated Web SSO Design.

Important

Make sure that the administrator in the resource partner organization follows the guidance in Checklist: Configuring the Resource Partner Organization to ensure that all necessary deployment tasks will be completed to successfully create the second half of the federation partnership.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

**Checklist: Configuring the account partner organization**

| Task | Reference |
| --- | --- |
| If you have an existing AD FS 1.0 or 1.1 deployment in your production environment today, see the link to the right for information about how to migrate settings from your current Federation Service to a new AD FS Federation Service. If you are deploying AD FS for the first time in your organization, you can skip this step and continue to the next task in this checklist for information about how to set up a new account partner organization. | [Planning a Migration to AD FS 2.0](https://technet.microsoft.com/library/ff678044.aspx) |
| Based on your deployment goals, review information about the components that are required to provide users with access to the federated applications. | [Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services](https://technet.microsoft.com/library/dd807071.aspx)<br><br>[Provide Your Active Directory Users Access to the Applications and Services of Other Organizations](https://technet.microsoft.com/library/dd807123.aspx)<br><br>[Provide Users in Another Organization Access to Your Claims-Aware Applications and Services](https://technet.microsoft.com/library/dd807099.aspx) |
| Determine which AD FS design this account partner organization will be associated with. | [Web SSO Design](https://technet.microsoft.com/library/dd807033.aspx)<br><br>[Federated Web SSO Design](https://technet.microsoft.com/library/dd807050.aspx) |
| Before you begin deploying your AD FS servers, review: 1.) the advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database; 2.) AD FS deployment topology types and their associated server placement and network layout recommendations. | [Determine Your AD FS Deployment Topology](https://technet.microsoft.com/library/gg982491.aspx)<br><br>[AD FS Deployment Topology Considerations](https://technet.microsoft.com/library/gg982489.aspx) |
| Review AD FS capacity planning guidance to determine the proper number of federation servers and federation server proxies you should use in your production environment. | [Planning for AD FS Server Capacity](https://technet.microsoft.com/library/gg749899.aspx) |
| To effectively plan and implement the physical topology for the account partner deployment, determine whether your AD FS design requires one or more federation servers or federation server proxies. | [Checklist: Setting Up a Federation Server](Checklist--Setting-Up-a-Federation-Server.md)<br><br>[Checklist: Setting Up a Federation Server Proxy](Checklist--Setting-Up-a-Federation-Server-Proxy.md) |
| Determine the type of attribute store that you want to add to AD FS. Then, add the attribute store using the AD FS Management snap-in. | [The Role of Attribute Stores](../../ad-fs/technical-reference/The-Role-of-Attribute-Stores.md)<br><br>[Add an Attribute Store](../../ad-fs/operations/Add-an-Attribute-Store.md) |
| If you will need to send claims to or consume claims from a resource partner who is using either an AD FS 1.0 or 1.1 Federation Service, see the link to the right for information about how to configure AD FS to interoperate with previous versions of AD FS. If the resource partner organization is also using AD FS to send or consume claims to your organization, you can skip this step and continue with the next task in this checklist. | [Planning for Interoperability with AD FS 1.x](https://technet.microsoft.com/library/ff678040.aspx) |
| After you deploy the first federation server in the account partner organization, create a relying party trust relationship using the AD FS Management snap-in. You can create a relying party trust by entering data about a resource partner manually or by using a federation metadata URL that the administrator of the resource partner organization provides to you. You can use the federation metadata to retrieve the data for the resource partner automatically. **Note:** If the resource partner publishes its federation metadata or can provide a file copy of it for you to use, we recommend that you retrieve the data automatically because it can save time. | [Create a Relying Party Trust Manually](../../ad-fs/operations/Create-a-Relying-Party-Trust.md)<br><br>[Create a Relying Party Trust Using Federation Metadata](../../ad-fs/operations/Create-a-Relying-Party-Trust.md) |
| Depending on the needs of your organization, create one or more claim rule sets for each relying party trust that is specified in the AD FS Management snap-in so that claims will be issued appropriately. | [Checklist: Creating Claim Rules for a Relying Party Trust](Checklist--Creating-Claim-Rules-for-a-Relying-Party-Trust.md) |
| A claim description must be created if one does not already exist that will fulfill the needs of your organization. AD FS ships with a default set of claim descriptions that are exposed in the AD FS Management snap-in. | [Add a Claim Description](../../ad-fs/operations/Add-a-Claim-Description.md) |
| Determine whether your organization will need to use identity delegation to authorize or constrain a specified account to "act as" or impersonate other users. This is often a requirement when front-end Web applications must interact with back-end Web services. | [When to Use Identity Delegation](https://technet.microsoft.com/library/dd807122.aspx) |
| Prepare client computers for federation by:<br>- Adding the URL for the account partner federation server to the trusted sites list for the client browser.<br>- Using Group Policy to push the appropriate Secure Sockets Layer (SSL) certificates to client computers. | [Prepare Client Computers in the Account Partner](https://technet.microsoft.com/library/dd807114(v=ws.11).aspx)<br><br>[Configure Client Computers to Trust the Account Federation Server](Configure-Client-Computers-to-Trust-the-Account-Federation-Server.md)<br><br>[Distribute Certificates to Client Computers by Using Group Policy](Distribute-Certificates-to-Client-Computers-by-Using-Group-Policy.md) |
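
The relying party trust and claim rule tasks in this checklist are described for the AD FS Management snap-in; the following is an added example, not part of the original checklist, showing the same steps with the AD FS PowerShell cmdlets on a federation server so the result can be read back and checked. The trust name, metadata URL and the single UPN rule are placeholder assumptions, and access control for the trust is configured separately according to your AD FS version.

```powershell
Import-Module ADFS

# Placeholder values (assumptions for illustration, not from the checklist).
$trustName   = 'Resource Partner (example)'
$metadataUrl = 'https://fs.resource.example/FederationMetadata/2007-06/FederationMetadata.xml'

# Federation metadata carries the partner's certificates and endpoints,
# so accept it only over HTTPS from the host the partner administrator gave you.
$uri = [Uri]$metadataUrl
if ($uri.Scheme -ne 'https') {
    throw "Refusing non-HTTPS federation metadata URL: $metadataUrl"
}

# One minimal issuance rule set: look up the signed-in user's UPN in
# Active Directory and issue it as a claim to the resource partner.
$issuanceRules = @'
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}", param = c.Value);
'@

# Create the trust from the partner's metadata. Monitoring re-reads the
# metadata periodically; auto-update applies partner changes such as a
# certificate rollover without a manual step.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -IssuanceTransformRules $issuanceRules

# Read the trust back and confirm that the identifier is the one the
# partner expects and that monitoring is on.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Format-List Name, Identifier, Enabled, MetadataUrl,
                MonitoringEnabled, AutoUpdateEnabled, LastMonitoredTime

# Review step: list metadata-based trusts that no longer track their metadata.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.MetadataUrl -and -not $_.MonitoringEnabled } |
    Select-Object Name, MetadataUrl
```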