# Checklist: Setting Up a Federation Server

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This checklist includes the deployment tasks that are necessary to prepare a server running Windows Server 2012 for the federation server role in Active Directory Federation Services (AD FS).

**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

**Checklist: Setting up a federation server**

| Task | Reference |
|---|---|
| Before you begin deploying your AD FS federation servers, review: 1.) the advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database; 2.) the AD FS deployment topology types and their associated server placement and network layout recommendations. | [Determine Your AD FS Deployment Topology](https://technet.microsoft.com/library/gg982491.aspx)<br />[AD FS Deployment Topology Considerations](https://technet.microsoft.com/library/gg982489.aspx) |
| Review AD FS capacity planning guidance to determine the proper number of federation servers you should use in your production environment. | [Planning for Federation Server Capacity](https://technet.microsoft.com/library/gg749917.aspx) |
| Review information in the AD FS Design Guide about where to place federation servers in your organization. | [Planning Federation Server Placement](https://technet.microsoft.com/library/dd807069.aspx)<br />[Where to Place a Federation Server](https://technet.microsoft.com/library/dd807127.aspx) |
| Determine whether a stand-alone federation server or a federation server farm is better for your deployment. | [When to Create a Federation Server](https://technet.microsoft.com/library/dd807101.aspx)<br />[When to Create a Federation Server Farm](https://technet.microsoft.com/library/dd807062.aspx) |
| Determine whether this new federation server will be created in the account partner organization or in the resource partner organization. | [Review the Role of the Federation Server in the Account Partner](https://technet.microsoft.com/library/dd807117.aspx)<br />[Review the Role of the Federation Server in the Resource Partner](https://technet.microsoft.com/library/dd807065.aspx) |
| Review information about how federation servers use service communication certificates and token-signing certificates to securely authenticate client and federation server proxy requests. **Caution:** Though it has long been common practice to use certificates with unqualified host names such as `https://myserver`, these certificates have no security value and can enable an attacker to impersonate the AD FS Federation Service to enterprise clients. Therefore, it is recommended that you use a fully qualified domain name (FQDN) such as `https://myserver.contoso.com` and only use SSL certificates issued to the FQDN of your Federation Service. | [Certificate Requirements for Federation Servers](https://technet.microsoft.com/library/dd807040.aspx) |
| Review information about how to update the corporate network Domain Name System (DNS) so that successful name resolution to federation servers can occur. | [Name Resolution Requirements for Federation Servers](https://technet.microsoft.com/library/dd807041.aspx) |
| Join the computer that will become the federation server to a domain in the account partner forest or resource partner forest where it will be used to authenticate the users of that forest or of trusting forests. **Note:** If you want to set up a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests. | [Join a Computer to a Domain](Join-a-Computer-to-a-Domain.md) |
| Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server. | [Add a Host (A) Resource Record to Corporate DNS for a Federation Server](Add-a-Host--A--Resource-Record-to-Corporate-DNS-for-a-Federation-Server.md) |
| (Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate.<br /><br />Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm. **Note:** The AD FS Management snap-in refers to server authentication certificates for federation servers as service communication certificates. | [Export the Private Key Portion of a Server Authentication Certificate](Export-the-Private-Key-Portion-of-a-Server-Authentication-Certificate.md) |
| After you obtain a server authentication certificate (or private key) from a certification authority (CA), you must then import the certificate file to the default Web site for each federation server. **Note:** Installing this certificate on the default Web site is a requirement before you can use the AD FS Federation Server Configuration Wizard. | [Import a Server Authentication Certificate to the Default Web Site](Import-a-Server-Authentication-Certificate-to-the-Default-Web-Site.md) |
| (Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use Internet Information Services (IIS) to create a sample certificate for your federation server. **Caution:** It is not a security best practice to deploy a federation server in a production environment by using a self-signed server authentication certificate. | IIS: Create a Self-Signed Server Certificate, and then complete the procedure [Import a Server Authentication Certificate to the Default Web Site](Import-a-Server-Authentication-Certificate-to-the-Default-Web-Site.md) |
| If you will be configuring a federation server farm environment in an account partner organization, you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside, and configure each federation server in the farm to use this account. By performing this procedure, you allow clients on the corporate network to authenticate to any of the federation servers in the farm by using Windows Integrated Authentication. | [Manually Configure a Service Account for a Federation Server Farm](Manually-Configure-a-Service-Account-for-a-Federation-Server-Farm.md) |
| Install the Federation Service role service on the computer that will become the federation server. | [Install the Federation Service Role Service](Install-the-Federation-Service-Role-Service.md) |
| Configure the AD FS software on the computer to act in the federation server role by using the AD FS Federation Server Configuration Wizard.<br /><br />Follow this procedure when you want to set up a stand-alone federation server, create the first federation server in a new farm, or join a computer to an existing federation server farm. **Note:** For the Federated Web Single Sign-On (SSO) design, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization. | [Create a Stand-Alone Federation Server](Create-a-Stand-Alone-Federation-Server.md)<br />[Create the First Federation Server in a Federation Server Farm](Create-the-First-Federation-Server-in-a-Federation-Server-Farm.md)<br />[Add a Federation Server to a Federation Server Farm](Add-a-Federation-Server-to-a-Federation-Server-Farm.md) |
| (Optional) Use the AD FS Management snap-in to add and configure the AD FS certificates required to deploy your design. For more information about when to add or change certificates by using the snap-in, see [Certificate Requirements for Federation Servers](https://technet.microsoft.com/library/dd807040.aspx). | [Add a Token-Signing Certificate](Add-a-Token-Signing-Certificate.md)<br />[Add a Token-Decrypting Certificate](Add-a-Token-Decrypting-Certificate.md)<br />[Set a Service Communications Certificate](Set-a-Service-Communications-Certificate.md) |
| If this is the first federation server in your organization, configure the Federation Service so that it conforms to your AD FS design. | [Checklist: Configuring the Account Partner Organization](Checklist--Configuring-the-Account-Partner-Organization.md)<br />[Checklist: Configuring the Resource Partner Organization](Checklist--Configuring-the-Resource-Partner-Organization.md) |
| From a client computer, verify that the federation server is operational. | [Verify That a Federation Server Is Operational](Verify-That-a-Federation-Server-Is-Operational.md) |
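The following PowerShell script is an added example and is not part of this checklist or of the linked procedures. It checks, on the future federation server, the three requirements the table calls out that are easiest to get wrong: that corporate DNS resolves the Federation Service FQDN (the host (A) record task), that the service communication certificate in the machine store is issued to that FQDN rather than to an unqualified host name and is not self-signed (the two cautions above), and, once the Federation Server Configuration Wizard has run, that the Federation Service answers over HTTPS. The FQDN `myserver.contoso.com` is the placeholder the checklist itself uses; the metadata path `/FederationMetadata/2007-06/FederationMetadata.xml` is the standard AD FS federation metadata endpoint and is assumed to be enabled, as it is by default.

```powershell
# Added example (not from the checklist): pre-flight and post-configuration checks
# for a federation server. Replace the placeholder FQDN with your Federation Service name.
param(
    [string]$FederationServiceFqdn = 'myserver.contoso.com'   # placeholder from the checklist
)

$problems = @()

# 1. Name resolution: corporate DNS must hold a host (A) record for the FQDN.
$dns = Resolve-DnsName -Name $FederationServiceFqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    $problems += "No A record found for $FederationServiceFqdn in DNS."
}

# 2. Service communication certificate: pick the newest certificate with a private key
#    whose subject CN or SAN names the FQDN. (The Cert: provider exposes the SAN
#    entries as DnsNameList, each with a .Unicode name.)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($FederationServiceFqdn))(,|$)" -or
        ($_.DnsNameList | Where-Object { $_.Unicode -ieq $FederationServiceFqdn })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    $problems += "No certificate with a private key is issued to $FederationServiceFqdn."
}
else {
    # A certificate that issued itself is self-signed: fine for a lab, not for production.
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += "Certificate $($cert.Thumbprint) is self-signed; do not use it in production."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)."
    }
    # Unqualified host names (no dot) are exactly what the checklist warns against:
    # a client cannot tell which server such a name is meant to identify.
    $unqualified = $cert.DnsNameList | Where-Object { $_.Unicode -notmatch '\.' }
    if ($unqualified) {
        $names = ($unqualified | ForEach-Object { $_.Unicode }) -join ', '
        $problems += "Certificate $($cert.Thumbprint) also names unqualified hosts: $names."
    }
}

# 3. Operational check (meaningful only after the configuration wizard has run):
#    the Federation Service publishes its metadata document at this well-known path.
$metadataUrl = "https://$FederationServiceFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
    if ($resp.StatusCode -ne 200) {
        $problems += "Metadata endpoint returned HTTP $($resp.StatusCode)."
    }
}
catch {
    $problems += "Metadata endpoint not reachable: $($_.Exception.Message)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    Write-Host "All checks passed for $FederationServiceFqdn"
}
```

Run it in an elevated PowerShell session on the server after the certificate has been imported (step 2 reports a failure before that point, which is expected) and again after the wizard completes to confirm step 3. Because `Invoke-WebRequest` validates the server certificate chain, a self-signed certificate that passes the store check will still cause step 3 to fail on a client that does not trust it, which is the same failure your enterprise clients would see.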