Enroll an SSL Certificate for AD FS

Applies To: Windows Server 2016, Windows Server 2012 R2

Active Directory Federation Services (AD FS) requires a certificate for Secure Socket Layer (SSL) server authentication on each federation server in your federation server farm. The same certificate can be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you can import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:

  1. The subject name and subject alternative name must contain your federation service name, such as fs.contoso.com.

  2. The subject alternative name must contain the value enterpriseregistration that is followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.corp.contoso.com.

    Warning

    Specify the subject alternative name if you plan to enable the Device Registration Service (DRS) for Workplace Join.

Important

If your organization uses multiple UPN suffixes, and you plan to enable the DRS, the SSL certificate must contain a subject alternative name entry for each suffix.
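
One way to check a .pfx file against the requirements above before importing it into the configuration wizard. This is an added example, not part of the original documentation: the function name `Test-AdfsSslCertificate`, its parameters and the file name `adfs.pfx` are hypothetical, names are compared exactly (no wildcard handling), and the `DNS Name=` label is an assumption that holds on English-language Windows.

```powershell
# Added example. Test-AdfsSslCertificate and its parameters are hypothetical names.
function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $FederationServiceName,  # e.g. fs.contoso.com
        [string[]] $UpnSuffix = @()  # every UPN suffix, if DRS will be enabled
    )
    # Resolve first: .NET does not follow the PowerShell working directory.
    $path = (Resolve-Path -LiteralPath $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $path, $Password
    $problems = @()

    # AD FS needs the certificate together with its private key.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key in the PFX' }

    # Subject name: compare the common name with the federation service name.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)
    if ($cn -ne $FederationServiceName) {
        $problems += "Subject name is '$cn', expected '$FederationServiceName'"
    }

    # Subject alternative name extension (OID 2.5.29.17), one entry per line.
    # Assumption: entries are labelled 'DNS Name=' (English-language Windows).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanDns = @()
    if ($sanExt) {
        $sanDns = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    # Required SAN entries: the service name plus one DRS name per UPN suffix.
    $required = @($FederationServiceName) +
        @($UpnSuffix | ForEach-Object { "enterpriseregistration.$_" })
    foreach ($name in $required) {
        if ($sanDns -notcontains $name) { $problems += "SAN is missing '$name'" }
    }

    [pscustomobject]@{
        Subject = $cert.Subject; SanDnsNames = $sanDns
        Problems = $problems; Compliant = ($problems.Count -eq 0)
    }
}
# Test-AdfsSslCertificate -PfxPath .\adfs.pfx -Password (Read-Host -AsSecureString) `
#     -FederationServiceName fs.contoso.com -UpnSuffix corp.contoso.com
```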

See Also

AD FS Deployment

Windows Server 2012 R2 AD FS Deployment Guide

Deploying a Federation Server Farm