Deploying Federation Servers

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

To deploy federation servers in Active Directory Federation Services (AD FS), complete each of the tasks in Checklist: Setting Up a Federation Server.

Note

When you use this checklist, we recommend that you first read the references to federation server planning in the AD FS Design Guide in Windows Server 2012 before you begin the procedures for configuring the servers. Following the checklist in this way gives you a better understanding of the design and deployment process for federation servers.

About federation servers

Federation servers are computers running a supported version of Windows Server (see Applies To above) with the AD FS software installed that have been configured to act in the federation server role. Federation servers authenticate or route requests from user accounts in other organizations and from client computers that can be located anywhere on the Internet.

Installing the AD FS software on a computer and using the AD FS Federation Server Configuration Wizard to configure it for the federation server role makes that computer a federation server. It also makes the AD FS Management snap-in available on that computer in the Start\Administrative Tools\ menu, so that you can specify the following:

  • The AD FS host name to which partner organizations and applications will send token requests and responses

  • The AD FS identifier that partner organizations and applications will use to identify the unique name or location of your organization

  • The token-signing certificate that all federation servers in a server farm will use to issue and sign tokens

  • The location of customized ASP.NET Web pages for client logon, logoff, and account partner discovery that will enhance the client experience

    Note

    Most of these core user interface (UI) settings are contained in the web.config file on each federation server. The AD FS host name and AD FS identifier values are not specified in the web.config file.
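The host name, identifier and token-signing certificate listed above are what partner organizations rely on to recognise your federation service, so it is worth reading them back and cross-checking them against the federation metadata the service actually publishes. The following PowerShell is an added example, not code from the original page or from Microsoft. It assumes an AD FS farm on Windows Server 2012 R2 or later with the ADFS PowerShell module, run on a federation server as an administrator, and that the metadata is at the default path AD FS publishes (/FederationMetadata/2007-06/FederationMetadata.xml).

```powershell
# Added example (not from the original page). Assumes Windows Server 2012 R2 or later with the
# ADFS module; run on a federation server as an administrator.
Import-Module ADFS

# 1. The two values the note above says are NOT in web.config: host name and identifier.
$props = Get-AdfsProperties
"Federation service host name : $($props.HostName)"
"Federation service identifier: $($props.Identifier)"

# 2. The token-signing certificates of the farm. Only the primary one signs issued tokens; a
#    secondary is published ahead of a rollover so partners can trust it before it becomes primary.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$signing | Select-Object Thumbprint, IsPrimary, StoreLocation, StoreName | Format-Table -AutoSize
$primary = $signing | Where-Object { $_.IsPrimary }

# 3. Partners learn the identifier and the signing key from the published federation metadata,
#    so verify that what they will import matches the farm's configuration.
$metadataUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entityId = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
if ($entityId -ne $props.Identifier) {
    Write-Warning "Published entityID '$entityId' differs from configured identifier '$($props.Identifier)'"
}

# Every signing certificate advertised in the metadata (IDP, SP and WS-Fed role descriptors), as thumbprints.
$certNodes = $md.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$published = foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    $cert.Thumbprint
}
$published = $published | Sort-Object -Unique

if ($published -contains $primary.Thumbprint) {
    "Primary token-signing certificate $($primary.Thumbprint) is published in the metadata."
} else {
    Write-Warning "Primary token-signing certificate $($primary.Thumbprint) is NOT in the published metadata"
}
$published | Where-Object { $_ -ne $primary.Thumbprint } |
    ForEach-Object { "Also published (secondary/rollover): $_" }
```

This is a consistency check, not an authenticity check: it fetches the metadata over TLS from your own host name and compares it with the live configuration. Two operational points follow from it. Changing the identifier or host name with Set-AdfsProperties changes what every partner uses to recognise this federation service, so existing trusts stop validating until the partners re-import the metadata; and rolling the token-signing certificate (Set-AdfsCertificate, or automatic rollover) has the same effect on any partner that has not picked up the new key yet, which is why the secondary certificate is published before it becomes primary.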

Federation servers host a claims issuance engine that issues tokens based on the credentials (for example, user name and password) that are presented to it. A security token is a cryptographically signed unit of data that expresses one or more claims. A claim is a statement that a server makes about a client (for example, name, identity, key, group, privilege, or capability). After the credentials are verified on the federation server (through the user logon process), claims for the user are collected by examining the user attributes that are stored in the specified attribute store.

In Federated Web Single-Sign-On (SSO) designs (AD FS designs in which two or more organizations are involved), claims can be modified by claim rules for a specific relying party. The claims are built into a token that is sent to a federation server in the resource partner organization. After a federation server in the resource partner receives the claims as incoming claims, it runs the claims issuance engine, which applies a set of claim rules to filter, pass through, or transform those claims. The claims are then built into a new token that is sent to the Web server in the resource partner.
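The filter, pass-through and transform rules described above are written in the AD FS claim rule language and attached to the two trusts involved: acceptance rules on the claims provider trust that represents the account partner, and issuance rules on the relying party trust that represents the Web server. The following PowerShell is an added example, not code from the original page or from Microsoft. It assumes an AD FS farm on Windows Server 2012 R2 or later acting as the resource partner; the trust names ("Contoso account partner", "Expense Web App"), the partner domain contoso.com and the role value "ExpenseSubmitter" are constructed placeholders.

```powershell
# Added example (not from the original page). Assumes Windows Server 2012 R2 or later with the
# ADFS module, run on a resource-partner federation server as an administrator.
Import-Module ADFS

$claimsProvider = "Contoso account partner"   # constructed: claims provider trust for the account partner
$relyingParty   = "Expense Web App"           # constructed: relying party trust for the Web server
$upn    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$email  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$role   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$nameid = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Acceptance rules run when the partner's token arrives. "c" is an incoming claim. A claim is
# only kept if some rule issues it, so anything the rules do not mention is dropped (filtered).
$acceptanceRules = @"
@RuleName = "Pass through UPN unchanged"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleName = "Filter: keep e-mail claims only for the partner's own domain"
c:[Type == "$email", Value =~ "^(?i)[^@]+@contoso\.com`$"]
 => issue(claim = c);

@RuleName = "Filter: keep only the role this partner is allowed to assert"
c:[Type == "$role", Value == "ExpenseSubmitter"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName $claimsProvider -AcceptanceTransformRules $acceptanceRules

# Issuance rules run when the new token for the Web server is built from the accepted claims.
# Transform the accepted UPN into the Name ID the application expects, and pass the role through.
$issuanceRules = @"
@RuleName = "Transform UPN into Name ID"
c:[Type == "$upn"]
 => issue(Type = "$nameid", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Pass through role"
c:[Type == "$role"]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName $relyingParty -IssuanceTransformRules $issuanceRules

# Read the rules back to confirm they were stored as written.
(Get-AdfsClaimsProviderTrust -Name $claimsProvider).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
```

The acceptance rule set is where the security boundary between the two organizations sits. A single rule that passes every incoming claim unchanged (a bare `c:[] => issue(claim = c);`) lets the account partner assert any role or group claim it likes and have the Web server honour it; constraining the accepted types and values, as above, keeps the partner's authority limited to the claims you have agreed it may make. The issuance rules then only reshape what survived that filter.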

In the Web SSO design (an AD FS design in which only one organization is involved), a single federation server can be used so that employees can log on once and still access multiple applications.