Configure a Computer for the Federation Server Proxy Role

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

After you configure a computer with the required certificates and have installed the Federation Service Proxy role service, you are ready to configure the computer to become a federation server proxy. You can use the following procedure so that the computer acts in the federation server proxy role.

Important

Before you use this procedure to configure the federation server proxy computer, make sure that you have followed all the steps in Checklist: Setting Up a Federation Server Proxy in the order that they are listed. Make sure that at least one federation server is deployed and that all the necessary credentials for authorizing a federation server proxy configuration are implemented. You must also configure Secure Sockets Layer (SSL) bindings on the Default Web Site, or this wizard will not start. All these tasks must be completed before this federation server proxy can function.

After you finish setting up the computer, verify that the federation server proxy is working as expected. For more information, see Verify That a Federation Server Proxy Is Operational.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To configure a computer for the federation server proxy role

  1. There are two ways to start the AD FS Federation Server Configuration Wizard. To start the wizard, do one of the following:

    • On the Start screen, type AD FS Federation Server Proxy Configuration Wizard, and then press ENTER.

    • Anytime after the setup wizard is complete, open Windows Explorer, navigate to the C:\Windows\ADFS folder, and then double-click FspConfigWizard.exe.

  2. Using either method, start the wizard, and on the Welcome page, click Next.

  3. On the Specify Federation Service Name page, under Federation Service name, type the name that represents the Federation Service for which this computer will act in the proxy role.

  4. Based on your specific network requirements, determine whether you will need to use an HTTP proxy server to forward requests to the Federation Service. If so, select the Use an HTTP proxy server when sending requests to this Federation Service check box, under HTTP proxy server address type the address of the proxy server, click Test Connection to verify connectivity, and then click Next.

  5. When you are prompted, specify the credentials that are necessary to establish a trust between this federation server proxy and the Federation Service.

    By default, only the service account used by the Federation Service or a member of the local BUILTIN\Administrators group can authorize a federation server proxy.

  6. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.

  7. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

    There is no Microsoft Management Console (MMC) snap-in to use for administering federation server proxies. To configure settings for each of the federation server proxies in your organization, use Windows PowerShell cmdlets.

Configuring an Alternate TCP/IP Port for Proxy Operations

By default, the federation server proxy service is configured to use TCP port 443 for HTTPS traffic and port 80 for HTTP traffic for communication with the federation server. To configure different ports, such as TCP port 444 for HTTPS and port 81 for HTTP, the following tasks must be completed.

Note

If you intend to initially deploy AD FS to operate under alternate TCP/IP ports, you should first modify the ports in your IIS protocol bindings for HTTP and HTTPS on both the federation server and federation server proxy computers. This should occur before you run the AD FS configuration wizards for initial configuration. If you configure Internet Information Services (IIS) first, your alternate TCP/IP port settings are discovered when wizard-based configuration occurs within AD FS, and the following procedure is not necessary. If you want to change the port settings later, update the IIS protocol bindings first, and then use the following procedure to update the port settings appropriately. For more information about editing IIS bindings, see article 149605 in the Microsoft Knowledge Base.

To configure alternate TCP/IP ports for the federation server proxy to use

  1. Configure the federation server to use the nondefault ports.

    To do this, specify the nondefault port number by including it with the HttpsPort and HttpPort options as part of the Set-ADFSProperties cmdlet. For example, to configure these ports, use the following commands in the Windows PowerShell session on the federation server computer:

    Set-ADFSProperties -HttpsPort 444  
    Set-ADFSProperties -HttpPort 81  
    
  2. Configure the federation server proxy to use the nondefault ports.

    To do this, specify the nondefault port number by including it with the HttpsPort and HttpPort options as part of the Set-ADFSProxyProperties cmdlet. For example, to configure these ports, use the following commands in the Windows PowerShell session on the federation server computer:

    Set-ADFSProxyProperties -HttpsPort 444  
    Set-ADFSProxyProperties -HttpPort 81  
    

    Note

    Endpoint URLs are not enabled by default for the federation server proxy service. If you are configuring a new federation server installation, you must enable the federation server proxy service endpoints first. For example, it is assumed that all the endpoints that the example in this procedure refers to have been enabled for proxy by selecting them in the AD FS Management snap-in and then selecting Enable on proxy.

  3. Update the IIS installation at the federation server proxy so that the Security Assertion Markup Language (SAML) and WS-Trust endpoints are configured to reflect the updated port number. To do this, you can use Notepad to modify the following section in the Web.config file, which is located at %systemdrive%\inetpub\adfs\ls\ on the federation server proxy computer. For example, assuming that you have a federation server named sts1.contoso.com and the new port number is 444, browse to and open the Web.config file in Notepad on the federation server proxy computer, locate the following section, modify the port number as highlighted below, and then save and exit Notepad.

    <securityTokenService samlProtocolEndpoint="https://sts1.contoso.com:444/adfs/services/trust/samlprotocol/proxycertificatetransport"  
          wsTrustEndpoint="https://sts1.contoso.com:444/adfs/services/trust/proxycertificatetransport" />  
    
  4. Add the federation server proxy service user account to the access control list (ACL) for the related endpoint URLs. For example, if the port number is 1234 and the user account that the AD FS federation server proxy service runs under is the built-in Network Service account, type the following commands at a command prompt:

    netsh http add urlacl https://+:444/adfs/fs/federationserverservice.asmx/ user="NT Authority\Network Service"  
    netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT Authority\Network Service"  
    netsh http add urlacl https://+:444/adfs/services/ user="NT Authority\Network Service"  
    
    netsh http add urlacl http://+:81/adfs/services/ user="NT Authority\Network Service"  
    

    The previous commands must be run on both the federation server and the federation server proxy computers.

Additional references

Checklist: Setting Up a Federation Server Proxy
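As an added example that is not part of the original article, the following Windows PowerShell script carries out steps 2 through 4 above on the federation server proxy computer in one pass and then checks the result, editing Web.config as XML instead of by hand so that both endpoint attributes are changed consistently. It assumes the Web.config path shown in step 3, that the securityTokenService element carries the two endpoint attributes shown there, that the proxy service runs as Network Service, and that Get-ADFSProxyProperties exposes HttpsPort and HttpPort (an assumption; the article names only the Set cmdlet).

```powershell
# Added example (not from the original article): alternate-port setup for a
# federation server proxy. Assumed: Web.config path, the securityTokenService
# element and attributes shown in step 3, and the Network Service account.
param(
    [int]$HttpsPort = 444,
    [int]$HttpPort  = 81,
    [string]$WebConfig   = "$env:SystemDrive\inetpub\adfs\ls\Web.config",
    [string]$ServiceUser = 'NT Authority\Network Service'
)

# Step 2: point the proxy service at the nondefault ports.
Set-ADFSProxyProperties -HttpsPort $HttpsPort
Set-ADFSProxyProperties -HttpPort  $HttpPort

# Step 3: rewrite the SAML and WS-Trust endpoint ports in Web.config.
Copy-Item $WebConfig "$WebConfig.bak" -Force            # keep a backup first
[xml]$cfg = Get-Content $WebConfig -Raw
# local-name() keeps the lookup independent of any XML namespace in the file.
$sts = $cfg.SelectSingleNode("//*[local-name()='securityTokenService']")
if (-not $sts) { throw "securityTokenService element not found in $WebConfig" }
foreach ($attr in 'samlProtocolEndpoint', 'wsTrustEndpoint') {
    $builder = [System.UriBuilder]::new($sts.GetAttribute($attr))
    $builder.Port = $HttpsPort                             # only the port changes
    $sts.SetAttribute($attr, $builder.Uri.AbsoluteUri)
}
$cfg.Save($WebConfig)

# Step 4: reserve the endpoint URLs for the proxy service account.
$urls = @(
    "https://+:$HttpsPort/adfs/fs/federationserverservice.asmx/",
    "https://+:$HttpsPort/FederationMetadata/2007-06/",
    "https://+:$HttpsPort/adfs/services/",
    "http://+:$HttpPort/adfs/services/"
)
foreach ($u in $urls) {
    netsh http add urlacl "url=$u" "user=$ServiceUser" | Out-Null
}

# Check: the reservations should now be listed for the new ports, and the
# proxy should report the ports just configured (assumed Get cmdlet output).
netsh http show urlacl | Select-String ":$HttpsPort/|:$HttpPort/"
Get-ADFSProxyProperties | Select-Object HttpsPort, HttpPort
```

Run it in an elevated Windows PowerShell session on the proxy computer after step 1 has been completed on the federation server; the same netsh reservations still have to be added on the federation server itself, as the article notes.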