Configure a federation server with Device Registration Service

Applies To: Windows Server 2012 R2

You can enable Device Registration Service (DRS) on your federation server after you complete the procedures in Step 4: Configure a Federation Server. The Device Registration Service provides an onboarding mechanism for seamless second factor authentication, persistent single sign-on (SSO), and conditional access to consumers that require access to company resources. For more information about DRS, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.

Prepare your Active Directory forest to support devices

Note

This is a one-time operation that you must run to prepare your Active Directory forest to support devices. You must be logged on with enterprise administrator permissions and your Active Directory forest must have the Windows Server 2012 R2 schema to complete this procedure.

Additionally, DRS requires that you have at least one global catalog server in your forest root domain. The global catalog server is required in order to run Initialize-ADDeviceRegistration and during AD FS authentication. AD FS initializes an in-memory representation of the DRS config object on each authentication request; if the DRS config object cannot be found on a DC in the current domain, the request is attempted against the GC on which the DRS objects were provisioned during Initialize-ADDeviceRegistration.

To prepare the Active Directory forest

  1. On your federation server, open a Windows PowerShell command window and type:

    Initialize-ADDeviceRegistration  
    
  2. When prompted for ServiceAccountName, enter the name of the service account you selected as the service account for AD FS. If it is a gMSA account, enter the account in the domain\accountname$ format. For a domain account, use the format domain\accountname.
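The following script is an added example, not part of the original article: it checks the prerequisites listed in the note above (enterprise administrator rights, the Windows Server 2012 R2 schema, a global catalog in the forest root domain) before running Initialize-ADDeviceRegistration, then confirms that the DRS objects were created. The service account name is a constructed placeholder, and the msDS-DeviceRegistrationService object class used for the final check is assumed.

```powershell
# Added example (not from the article). Run on a federation server as an enterprise administrator.
Import-Module ActiveDirectory

$ServiceAccountName = 'CONTOSO\adfssvc$'   # constructed placeholder; gMSA uses the domain\name$ form

# 1. The cmdlet must run as a member of Enterprise Admins in the forest root domain.
$forest   = Get-ADForest
$eaSid    = (Get-ADGroup -Identity 'Enterprise Admins' -Server $forest.RootDomain).SID.Value
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.Groups.Value -notcontains $eaSid) {
    throw "Run this as a member of Enterprise Admins in $($forest.RootDomain)."
}

# 2. The forest schema must be at least Windows Server 2012 R2 (objectVersion 69).
$rootDse       = Get-ADRootDSE
$schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
if ($schemaVersion -lt 69) {
    throw "Schema objectVersion is $schemaVersion; Windows Server 2012 R2 (69) or later is required."
}

# 3. At least one global catalog must exist in the forest root domain.
$gc = Get-ADDomainController -DomainName $forest.RootDomain -Discover -Service GlobalCatalog -ErrorAction SilentlyContinue
if (-not $gc) {
    throw "No global catalog server was found in the forest root domain $($forest.RootDomain)."
}
Write-Host "Using global catalog $($gc.HostName) in $($forest.RootDomain)"

# 4. One-time forest preparation; the cmdlet creates the DRS objects in the configuration partition.
Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccountName

# 5. Confirm the DRS service object now exists (object class name is assumed, not taken from the article).
$drs = Get-ADObject -LDAPFilter '(objectClass=msDS-DeviceRegistrationService)' `
                    -SearchBase $rootDse.configurationNamingContext -Server $gc.HostName
if (-not $drs) {
    throw 'Initialize-ADDeviceRegistration completed but no DRS service object was found.'
}
$drs | Format-List DistinguishedName, ObjectClass
```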

Enable Device Registration Service on a federation server farm node

Note

You must be logged on with domain administrator permissions to complete this procedure.

To enable Device Registration Service

  1. On your federation server, open a Windows PowerShell command window and type:

    Enable-AdfsDeviceRegistration  
    
  2. Repeat this step on each federation farm node in your AD FS farm.

Enable seamless second factor authentication

Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a 'known' device and administrators can use this information to drive conditional access and gate access to resources.

To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices

  1. In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
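The following script is an added example, not part of the original article: it runs Enable-AdfsDeviceRegistration on every farm node over PowerShell remoting (the per-node step above), then sets the same global policy flag that the Enable Device Authentication check box sets, and verifies both. The farm node names are constructed placeholders, and the -Credential parameter on Enable-AdfsDeviceRegistration is assumed.

```powershell
# Added example (not from the article). Run as a domain administrator from a federation server.
Import-Module ADFS

$FarmNodes = @('adfs01.contoso.com', 'adfs02.contoso.com')   # constructed placeholders

# Explicit credentials avoid the Kerberos double-hop problem when the remote cmdlet talks to AD.
$cred = Get-Credential -Message 'Domain administrator account for enabling DRS on each farm node'

# Enable-AdfsDeviceRegistration is a per-node operation, so run it on each farm node.
$results = Invoke-Command -ComputerName $FarmNodes -Credential $cred -ScriptBlock {
    Import-Module ADFS
    try {
        # -Credential is assumed here; omit it if your cmdlet version does not accept it.
        Enable-AdfsDeviceRegistration -Credential $using:cred -ErrorAction Stop
        [pscustomobject]@{ Node = $env:COMPUTERNAME; Enabled = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Node = $env:COMPUTERNAME; Enabled = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table Node, Enabled, Error -AutoSize
if ($results | Where-Object { -not $_.Enabled }) {
    throw 'DRS is not enabled on every farm node; fix the failures listed above before continuing.'
}

# PowerShell equivalent of Edit Global Primary Authentication > Enable Device Authentication.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify the policy and the DRS administrative settings as the farm now sees them.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled in the global authentication policy.'
}
Get-AdfsDeviceRegistration | Format-List
```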

Update the Web Application Proxy configuration

Important

You do not need to publish the Device Registration Service to the Web Application Proxy. The Device Registration Service will be available through the Web Application Proxy once it is enabled on a federation server. You may need to complete this procedure to update the Web Application Proxy configuration if it was deployed prior to enabling the Device Registration Service.

To update the Web Application Proxy configuration

  1. On your Web Application Proxy server, open a Windows PowerShell command window and type:

    Update-WebApplicationProxyDeviceRegistration  
    
  2. When prompted for credentials, enter the credentials of an account that has administrative rights to your federation servers.

See Also

AD FS Deployment

Windows Server 2012 R2 AD FS Deployment Guide

Deploying a Federation Server Farm