Configure a Federation Server

Applies To: Windows Server 2016, Windows Server 2012 R2

After you install the Active Directory Federation Services (AD FS) role service on your computer, you are ready to configure this computer to become a federation server. You can do one of the following:

Configure the first federation server in a new federation server farm

To configure the first federation server in a new federation server farm by using the Active Directory Federation Service Configuration Wizard

Note

Ensure that you have domain administrator permissions, or have domain administrator credentials available, before you perform this procedure.

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.

    The Active Directory Federation Service Configuration Wizard opens.

  2. On the Welcome page, select Create the first federation server in a federation server farm, and then click Next.

  3. On the Connect to AD DS page, specify an account that has domain administrator permissions for the Active Directory (AD) domain to which this computer is joined, and then click Next.

  4. On the Specify Service Properties page, do the following, and then click Next:

    • Import the .pfx file that contains the Secure Sockets Layer (SSL) certificate and its private key that you obtained earlier. In Step 2: Enroll an SSL Certificate for AD FS, you obtained this certificate and copied it onto the computer that you want to configure as a federation server. To import the .pfx file via the wizard, click Import, and then browse to the file's location. Enter the password for the .pfx file when you are prompted.

    • Provide a name for your federation service, for example, fs.contoso.com. This name must match the subject name or one of the subject alternative names in the certificate.

    • Provide a display name for your federation service, for example, Contoso Corporation. Users see this name on the Active Directory Federation Services (AD FS) sign-in page.

  5. On the Specify Service Account page, specify a service account. You can either create a new group Managed Service Account (gMSA), use an existing gMSA, or use an existing domain user account. If you select the option to create a new gMSA account, specify a name for the new account. If you select the option to use an existing gMSA or domain account, click Select to select an account.

    Note

    The benefit of using a gMSA account is that its password is managed and rotated automatically by Active Directory, so no administrator ever has to set or update it.

    Warning

    If you want to use a gMSA account, you must have at least one domain controller in your environment that is running the Windows Server 2012 operating system.

    If the gMSA option is disabled and you see an error message such as Group Managed Service Accounts are not available because the KDS Root Key has not been set, you can enable gMSA in your domain by running the following Windows PowerShell command on a domain controller in your Active Directory domain that runs Windows Server 2012 or later: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10). Then return to the wizard, click Previous, and then click Next to re-enter the Specify Service Account page. The gMSA option should now be enabled. You can select it and enter the name of the gMSA account that you want to use.

  6. On the Specify Configuration Database page, specify an AD FS configuration database, and then click Next. You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the location and the instance name of a Microsoft SQL Server instance.

    For more information, see The Role of the AD FS Configuration Database.

    Important

    If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.

  7. On the Review Options page, verify your configuration selections, and then click Next.

  8. On the Pre-requisite Checks page, verify that all prerequisite checks completed successfully, and then click Configure.

  9. On the Results page, review the results and check whether the configuration completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.

To configure the first federation server in a new federation server farm via Windows PowerShell

You can create a new federation server farm by using either a new or existing gMSA account or an existing domain user account.

  • If you want to create a new federation server by using a new gMSA account, do the following:

    Important

    You must have domain administrator permissions to create the first federation server in a new federation server farm.

    1. On the computer that you want to configure as a federation server, ensure that the required SSL certificate has been imported into the Local Computer\My certificate store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. The certificate is listed by its thumbprint in the Local Computer\My store.

    2. On your domain controller, open the Windows PowerShell command window and run the following command to verify whether the KDS Root Key has been created in your domain: Get-KdsRootKey. If the key has not been created, the command returns no output; in that case, run the following command to create the key: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10).

    3. On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and run the following command:

      Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_Name>$

      Warning

      The $ sign at the end of the previous command is required.

      To obtain the value for <certificate_thumbprint>, run dir Cert:\LocalMachine\My, and then select the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your federation service, for example, fs.contoso.com.

      Note

      If this is NOT the first time that you run this command, add the OverwriteConfiguration parameter.

      Note

      The previous command creates a WID farm. If you want to create a SQL Server farm, you must have an instance of SQL Server already installed and operational.

      You can use the following command to create the first federation server in a new farm that uses an instance of SQL Server: Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True", where <SQL_Host_Name> is the name of the server on which SQL Server is running and <SQL_instance_name> is the name of the SQL Server instance. If you use the default instance of SQL Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".

      Important

      If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012.

  • If you want to create a new federation server by using an existing domain user account, do the following:

    1. On the computer that you want to configure as a federation server, ensure that the required SSL certificate has been imported into the Local Computer\My certificate store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. The certificate is listed by its thumbprint in the Local Computer\My store.

    2. On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and then run the following command: $fscred = Get-Credential. Enter the credentials of the domain user account that you want to use as the federation service account, in the format domain\user name.

    3. In the same Windows PowerShell command window, run the following command:

      Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred

      To obtain the value for <certificate_thumbprint>, run dir Cert:\LocalMachine\My, and then select the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your federation service, for example, fs.contoso.com.

      Note

      If this is NOT the first time that you run this command, add the OverwriteConfiguration parameter.

      Note

      The previous command creates a WID farm. If you want to create a SQL Server farm, you must have an instance of SQL Server already installed and operational.

      You can use the following command to create the first federation server in a new farm that uses an instance of SQL Server: Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True", where <SQL_Host_Name> is the name of the server on which SQL Server is running and <SQL_instance_name> is the name of the SQL Server instance. If you use the default instance of SQL Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".

      Important

      If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
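The gMSA procedure above, as an added example script that is not part of the original page: it selects the SSL certificate whose subject or SAN matches the federation service name, verifies the KDS root key and that this host can retrieve the gMSA password, builds the SQLConnectionString in the two forms given above (or defaults to WID), and then calls Install-AdfsFarm. The function names are this script's own, and fs.contoso.com, Contoso Corporation and CONTOSO\adfsgmsa$ are placeholder values.

```powershell
# Added example, not from the original page. Wraps Install-AdfsFarm with the
# checks the procedure describes; replace the placeholder values for your domain.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $FederationServiceName,   # e.g. fs.contoso.com
    [Parameter(Mandatory)] [string] $GmsaIdentifier,          # e.g. CONTOSO\adfsgmsa$ (trailing $ required)
    [string] $DisplayName = 'Contoso Corporation',            # shown on the AD FS sign-in page
    [string] $SqlHost,                                        # omit for a WID farm
    [string] $SqlInstance,                                    # omit for the default SQL Server instance
    [switch] $Overwrite                                       # only when re-running the command
)
$ErrorActionPreference = 'Stop'

# The service name must match the subject CN or a SAN entry of the certificate.
# -like lets a wildcard entry such as *.contoso.com cover fs.contoso.com.
function Test-NameOnCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert, [string] $Name)
    $names = @($Cert.DnsNameList | ForEach-Object Unicode)
    if ($Cert.Subject -match '^CN=([^,]+)') { $names += $Matches[1] }
    return [bool]($names | Where-Object { $Name -like $_ })
}

# Step 1: the certificate must already be in Local Computer\My. Also require a
# private key and an unexpired certificate, and refuse to guess between several
# matches: installing the wrong one breaks every sign-in on the farm.
function Select-AdfsSslCertificate {
    param([string] $Name)
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-NameOnCertificate $_ $Name)
    })
    if ($candidates.Count -eq 0) { throw "No usable SSL certificate for $Name in Cert:\LocalMachine\My" }
    if ($candidates.Count -gt 1) {
        throw "Several certificates match $Name; remove stale ones first: $($candidates.Thumbprint -join ', ')"
    }
    return $candidates[0].Thumbprint
}

# Step 2: a gMSA needs a KDS root key in the domain, and this host must be allowed
# to retrieve the account's password. Each check is skipped with a warning when
# the Kds or ActiveDirectory PowerShell module is not installed on this host.
function Assert-GmsaUsable {
    param([string] $Identifier)
    if ($Identifier -notmatch '\$$') { throw 'gMSA identifier must end with $, e.g. CONTOSO\adfsgmsa$' }
    $sam = (($Identifier -split '\\')[-1]).TrimEnd('$')
    if (Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) {
        if (-not (Get-KdsRootKey)) { throw 'No KDS root key; run Add-KdsRootKey on a domain controller first' }
    } else { Write-Warning 'Kds module not present; KDS root key not verified' }
    if (Get-Command Test-ADServiceAccount -ErrorAction SilentlyContinue) {
        if (-not (Test-ADServiceAccount -Identity $sam)) {
            throw "This computer cannot retrieve the password for $sam; check PrincipalsAllowedToRetrieveManagedPassword"
        }
    } else { Write-Warning 'ActiveDirectory module not present; gMSA password retrieval not verified' }
}

# The two SQLConnectionString forms the page gives: named instance or default instance.
function New-AdfsSqlConnectionString {
    param([string] $SqlHost, [string] $SqlInstance)
    $source = if ($SqlInstance) { "$SqlHost\$SqlInstance" } else { $SqlHost }
    return "Data Source=$source;Integrated Security=True"
}

$thumbprint = Select-AdfsSslCertificate -Name $FederationServiceName
Assert-GmsaUsable -Identifier $GmsaIdentifier
$farm = @{
    CertificateThumbprint         = $thumbprint
    FederationServiceName         = $FederationServiceName
    FederationServiceDisplayName  = $DisplayName
    GroupServiceAccountIdentifier = $GmsaIdentifier
}
if ($SqlHost)   { $farm.SQLConnectionString = New-AdfsSqlConnectionString $SqlHost $SqlInstance }  # else WID
if ($Overwrite) { $farm.OverwriteConfiguration = $true }
Install-AdfsFarm @farm
```

Run it from an elevated Windows PowerShell window on the future federation server, for example `.\New-AdfsFarmChecked.ps1 -FederationServiceName fs.contoso.com -GmsaIdentifier 'CONTOSO\adfsgmsa$'`; the checks stop the script before Install-AdfsFarm changes anything if a prerequisite is missing.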

Add a federation server to an existing federation server farm

Important

Ensure that you have completed Step 3: Install the AD FS Role Service before you start any of the procedures in this section.

Important

Ensure that you have obtained a valid SSL server authentication certificate before you complete this procedure.

To add a federation server to an existing federation server farm via the Active Directory Federation Service Configuration Wizard

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.

    The Active Directory Federation Service Configuration Wizard opens.

  2. On the Welcome page, select Add a federation server to a federation server farm, and then click Next.

  3. On the Connect to AD DS page, specify an account that has domain administrator permissions for the AD domain to which this computer is joined, and then click Next.

  4. On the Specify Farm page, provide the name of the primary federation server in a farm that uses WID, or specify the database host name and the database instance name of an existing federation server farm that uses SQL Server.

    Warning

    In Windows Server 2012 R2, the wizard cannot target the default instance of SQL Server. The workaround is to not use the user interface. Instead, use the steps in To configure the first federation server in a new federation server farm via Windows PowerShell.

    Important

    If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012.

  5. On the Specify SSL Certificate page, import the .pfx file that contains the SSL certificate and its private key that you obtained previously. This certificate is the required service authentication certificate. In Step 2: Enroll an SSL Certificate for AD FS, you obtained this certificate and copied it to the computer that you want to configure as a federation server. To import the .pfx file via the wizard, click Import and browse to the file's location. Enter the password for the .pfx file when you are prompted.

  6. On the Specify Service Account page, specify the same service account that you configured when you created the first federation server in the farm. You can use an existing group Managed Service Account or an existing domain user account.

    Important

    The account that you specify must be the same account that was used on the primary federation server in this farm.

  7. On the Review Options page, verify your configuration selections, and then click Next.

  8. On the Pre-requisite Checks page, verify that all prerequisite checks completed successfully, and then click Configure.

  9. On the Results page, review the results and check whether the configuration completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.

To add a federation server to an existing federation server farm via Windows PowerShell

You can add a federation server to an existing farm by using either an existing gMSA account or an existing domain user account.

  • If you want to join a federation server to a farm by using an existing gMSA account, do the following:

    1. On the computer that you want to configure as a federation server, ensure that the required SSL certificate has been imported into the Local Computer\My certificate store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. The certificate is listed by its thumbprint in the Local Computer\My store.

    2. On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and run the following command:

      Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>

      <domain>\<GMSA_name> is your AD domain and the name of your gMSA account in that domain. <first_federation_server_hostname> is the host name of the primary federation server in the existing farm.

      You can obtain the value for <certificate_thumbprint> by running dir Cert:\LocalMachine\My, as in the previous step.

      Note

      If this is NOT the first time that you run this command, add the OverwriteConfiguration parameter.

      Note

      The previous command creates a WID farm node. If you want to add a node to a farm whose configuration is stored in SQL Server, you must have the instance of SQL Server already installed and operational.

      You can use the following command to add a federation server to an existing farm that uses an instance of SQL Server: Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True", where <SQL_Host_Name> is the name of the server on which SQL Server is running and <SQL_instance_name> is the name of the SQL Server instance. If you use the default instance of SQL Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".

      Important

      If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.

  • If you want to join a federation server to a farm by using an existing domain user account, do the following:

    1. On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and then run the following command: $fscred = Get-Credential. Enter the credentials of the domain user account that you want to use as the federation service account, in the format domain\user name.

    2. On the computer that you want to configure as a federation server, ensure that the required SSL certificate has been imported into the Local Computer\My certificate store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. The certificate is listed by its thumbprint in the Local Computer\My store.

    3. In the same Windows PowerShell command window, run the following command:

      Add-AdfsFarmNode -ServiceAccountCredential $fscred -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>

      Note

      If this is NOT the first time that you run this command, add the OverwriteConfiguration parameter.

      Note

      The previous command creates a WID farm node. If you want to add a node to a farm whose configuration is stored in SQL Server, you must have the instance of SQL Server already installed and operational. You can use the following command to add a federation server to an existing farm that uses an instance of SQL Server: Add-AdfsFarmNode -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True", where <SQL_Host_Name> is the name of the server on which the SQL Server instance is running and <SQL_instance_name> is the name of the SQL Server instance. If you use the default instance of SQL Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".

      Important

      If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
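The two Add-AdfsFarmNode procedures above, as an added example script that is not part of the original page: it takes either a gMSA identifier or prompts for a domain account, requires exactly one of -PrimaryComputerName (WID farm) or -SqlConnectionString (SQL Server farm), confirms the certificate and the path to the primary server before the join, and then calls Add-AdfsFarmNode. Parameter names are this script's own; CONTOSO\adfsgmsa$ and the host names are placeholders, and the default primary port of 80 is the cmdlet's own default.

```powershell
# Added example, not from the original page. Joins this computer to an existing
# AD FS farm with the checks the procedure implies; placeholders are marked.
[CmdletBinding(DefaultParameterSetName = 'Gmsa')]
param(
    [Parameter(Mandatory)] [string] $CertificateThumbprint,                          # from dir Cert:\LocalMachine\My
    [Parameter(Mandatory, ParameterSetName = 'Gmsa')]   [string] $GmsaIdentifier,    # e.g. CONTOSO\adfsgmsa$
    [Parameter(Mandatory, ParameterSetName = 'Domain')] [switch] $UseDomainAccount,  # prompts for DOMAIN\user
    [string] $PrimaryComputerName,   # WID farm: host name of the primary federation server
    [string] $SqlConnectionString,   # SQL farm: "Data Source=<host>[\<instance>];Integrated Security=True"
    [int]    $PrimaryComputerPort = 80,
    [switch] $Overwrite              # only when re-running the command
)
$ErrorActionPreference = 'Stop'

# A WID node copies its configuration from the primary server; a SQL node reads it
# from the shared database. The page's two command forms use exactly one of them.
if ([bool]$PrimaryComputerName -eq [bool]$SqlConnectionString) {
    throw 'Specify either -PrimaryComputerName (WID farm) or -SqlConnectionString (SQL Server farm)'
}

# The thumbprint must name a certificate with a private key in Local Computer\My;
# every node presents the same federation service name to clients.
$cert = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint" -ErrorAction SilentlyContinue
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "No certificate with a private key for thumbprint $CertificateThumbprint in Cert:\LocalMachine\My"
}

# A WID join pulls configuration from the primary over its configuration port, so
# confirm that path is open before the cmdlet fails part-way through.
if ($PrimaryComputerName -and -not (Test-NetConnection -ComputerName $PrimaryComputerName `
        -Port $PrimaryComputerPort -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    throw "Cannot reach $PrimaryComputerName on TCP port $PrimaryComputerPort"
}

$node = @{ CertificateThumbprint = $CertificateThumbprint }
if ($PrimaryComputerName) {
    $node.PrimaryComputerName = $PrimaryComputerName
    $node.PrimaryComputerPort = $PrimaryComputerPort
} else {
    $node.SQLConnectionString = $SqlConnectionString
}

# The service account must be the one already in use on the primary federation server.
if ($PSCmdlet.ParameterSetName -eq 'Gmsa') {
    if ($GmsaIdentifier -notmatch '\$$') { throw 'gMSA identifier must end with $, e.g. CONTOSO\adfsgmsa$' }
    $sam = (($GmsaIdentifier -split '\\')[-1]).TrimEnd('$')
    # This node must be allowed to retrieve the gMSA password, or the service will not start.
    if ((Get-Command Test-ADServiceAccount -ErrorAction SilentlyContinue) -and
        -not (Test-ADServiceAccount -Identity $sam)) {
        throw "This computer cannot retrieve the password for $sam; add it to PrincipalsAllowedToRetrieveManagedPassword"
    }
    $node.GroupServiceAccountIdentifier = $GmsaIdentifier
} else {
    $cred = Get-Credential -Message 'Federation service account (DOMAIN\user), the same account as on the primary server'
    if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') { throw 'Enter the account as DOMAIN\user' }
    $node.ServiceAccountCredential = $cred
}
if ($Overwrite) { $node.OverwriteConfiguration = $true }
Add-AdfsFarmNode @node
```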

See Also

AD FS Deployment

Windows Server 2012 R2 AD FS Deployment Guide

Deploying a Federation Server Farm