Configuring Partner Organizations

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

To deploy a new partner organization in Active Directory Federation Services (AD FS), complete the tasks in either Checklist: Configuring the Resource Partner Organization or Checklist: Configuring the Account Partner Organization, depending on your AD FS design.

Note

When you use either of these checklists, we strongly recommend that you first read the references to account partner or resource partner planning guidance in the AD FS Design Guide in Windows Server 2012 before continuing to the procedures for setting up the new partner organization. Following the checklist in this way will help provide a better understanding of the full AD FS design and deployment story for the account partner or resource partner organization.

About account partner organizations

An account partner is the organization in the federation trust relationship that physically stores user accounts in an AD FS–supported attribute store. The account partner is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. These tokens can then be presented across a federation trust to enable access to Web-based resources that are located in the resource partner organization.

In other words, an account partner represents the organization for whose users the account-side federation server issues security tokens. The federation server in the account partner organization authenticates local users and creates security tokens that the resource partner uses in making authorization decisions.

With regard to attribute stores, the account partner in AD FS is conceptually equivalent to a single Active Directory forest whose accounts need access to resources that are physically located in another forest. Accounts in this forest can access resources in the resource forest only when an external trust or forest trust relationship exists between the two forests and the resources to which the users are trying to gain access have been set with the proper authorization permissions.

About resource partner organizations

The resource partner is the organization in an AD FS deployment where Web servers are located. The resource partner trusts the account partner to authenticate users. Therefore, to make authorization decisions, the resource partner consumes the claims that are packaged in security tokens that come from users in the account partner.

In other words, a resource partner represents the organization whose Web servers are protected by the resource-side federation server. The federation server at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for Web servers in the resource partner.

To function as an AD FS resource, Web servers in the resource partner organization must either have Windows Identity Foundation (WIF) installed or have the Active Directory Federation Services (AD FS) 1.x Claims-Aware Web Agent role services installed. Web servers that function as an AD FS resource can host either Web-browser-based or Web-service-based applications.
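
The two sides of the trust described above can be shown in PowerShell. This is an added example, not part of the original documentation: the account partner registers the resource partner as a relying party, and the resource partner registers the account partner as a claims provider and accepts only the claims it expects. The trust names, host names, UPN suffix, and the choice of UPN as the only exchanged claim are assumptions.

```powershell
# Added example. All names, URLs and the UPN suffix below are placeholders.

# --- Run on the RESOURCE partner's federation server ---
# The resource partner trusts the account partner to authenticate users, so it
# limits what that partner can assert: only UPN claims ending in the partner's
# own suffix pass through. Any other claim in the incoming token is dropped.
$acceptRules = @'
@RuleName = "Accept UPN only from the account partner suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value =~ "(?i)@account-partner\.example$"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust `
    -Name "Account Partner (example)" `
    -MetadataUrl "https://fs.account-partner.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acceptRules

# --- Run on the ACCOUNT partner's federation server ---
# The account partner authenticates its local users against Active Directory
# and packages a single claim (UPN) into the token sent to the resource partner.
$issueRules = @'
@RuleName = "Send UPN to the resource partner"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust `
    -Name "Resource Partner (example)" `
    -MetadataUrl "https://fs.resource-partner.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -IssuanceTransformRules $issueRules

# --- Check on each side: review what the trust actually accepts or issues ---
Get-AdfsClaimsProviderTrust -Name "Account Partner (example)" |
    Select-Object Name, Enabled, AcceptanceTransformRules
Get-AdfsRelyingPartyTrust -Name "Resource Partner (example)" |
    Select-Object Name, Enabled, IssuanceTransformRules
```

Who may obtain a token for the relying party, and how the resource partner maps accepted claims to its Web applications, is configured separately in the steps of the checklists named above.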