Set up the lab environment for AD FS in Windows Server 2012 R2

Applies To: Windows Server 2012 R2

This topic outlines the steps to configure a test environment that can be used to complete the walkthroughs in the following walkthrough guides:

Note

We do not recommend that you install the web server and the federation server on the same computer.

To set up this test environment, complete the following steps:

  1. Step 1: Configure the domain controller (DC1)

  2. Step 2: Configure the federation server (ADFS1) with Device Registration Service

  3. Step 3: Configure the web server (WebServ1) and a sample claims-based application

  4. Step 4: Configure the client computer (Client1)

Step 1: Configure the domain controller (DC1)

For the purposes of this test environment, you can call your root Active Directory domain contoso.com and specify pass@word1 as the administrator password (a lab value; do not reuse it outside this isolated network).

  • Install the AD DS role service and install Active Directory Domain Services (AD DS) to make your computer a domain controller running Windows Server 2012 R2. This action upgrades your AD DS schema as part of the domain controller creation. For more information and step-by-step instructions, see http://technet.microsoft.com/library/hh472162.aspx.

Create test Active Directory accounts

After your domain controller is functional, you can create a test group and a test user account in this domain and add the user account to the group. You use these accounts to complete the walkthroughs in the walkthrough guides that are referenced earlier in this topic.

Create the following accounts:

  • User: Robert Hatley, with the user name RobertH and the password P@ssword

  • Group: Finance

For information about how to create user and group accounts in Active Directory (AD), see http://technet.microsoft.com/library/cc783323%28v.aspx.

Add the Robert Hatley account to the Finance group. For information about how to add a user to a group in Active Directory, see http://technet.microsoft.com/library/cc737130%28v=ws.10%29.aspx.
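The DC1 build above (promote the server, then create the test user and group) as a PowerShell script. This is an added example, not code from the original page. It assumes a fresh Windows Server 2012 R2 installation and prompts for the two passwords instead of embedding them; the page's lab values are pass@word1 and P@ssword.

```powershell
# Added example (not from the original page): Step 1 as two phases on DC1.
# Phase 1 installs AD DS and promotes the server to the first DC of contoso.com; the
# server restarts when promotion finishes. Phase 2 runs after the reboot, logged on as
# CONTOSO\Administrator, and creates the test accounts.

function Install-LabForest {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

    # Directory Services Restore Mode password; the page does not specify one, so prompt.
    $dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

    # -Force suppresses the confirmation prompt; -InstallDns gives DC1 the DNS role that
    # the "Add Host (A) and Alias (CNAME)" procedure later in this topic relies on.
    Install-ADDSForest -DomainName 'contoso.com' -DomainNetbiosName 'CONTOSO' `
        -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns `
        -SafeModeAdministratorPassword $dsrm -Force
}

function New-LabAccounts {
    Import-Module ActiveDirectory
    $pw = Read-Host -AsSecureString 'Password for RobertH'   # page value: P@ssword

    if (-not (Get-ADUser -Filter "SamAccountName -eq 'RobertH'")) {
        New-ADUser -Name 'Robert Hatley' -GivenName 'Robert' -Surname 'Hatley' `
            -SamAccountName 'RobertH' -UserPrincipalName 'RobertH@contoso.com' `
            -AccountPassword $pw -Enabled $true
    }
    if (-not (Get-ADGroup -Filter "Name -eq 'Finance'")) {
        New-ADGroup -Name 'Finance' -GroupScope Global -GroupCategory Security
    }
    Add-ADGroupMember -Identity 'Finance' -Members 'RobertH'

    # Verify: RobertH should be listed as a member of Finance.
    Get-ADGroupMember -Identity 'Finance' | Select-Object SamAccountName, objectClass
}

# Usage: run Install-LabForest, wait for the reboot, log on as CONTOSO\Administrator,
# then run New-LabAccounts.
```

The idempotency checks (`Get-ADUser -Filter`, `Get-ADGroup -Filter`) let you rerun Phase 2 safely if a later step in the lab goes wrong and you rebuild.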

Create a GMSA account

A group Managed Service Account (GMSA) is required during the Active Directory Federation Services (AD FS) installation and configuration. It is the identity the AD FS service runs as, so its managed password is never typed or stored by an administrator.

To create a GMSA account
  1. Open a Windows PowerShell command window on DC1 (the ActiveDirectory module is needed) and type:

    # Lab shortcut: back-dating the KDS root key by 10 hours makes it usable immediately.
    # In production, use Add-KdsRootKey -EffectiveImmediately and wait 10 hours for replication
    # before creating any GMSA.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
    # The AD FS configuration wizard grants ADFS1 the right to retrieve this account's managed
    # password when you select the account in Step 2, so no -PrincipalsAllowedToRetrieveManagedPassword
    # is given here. The SPN must match the federation service name you choose later.
    New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com

Step 2: Configure the federation server (ADFS1) with Device Registration Service

To set up another virtual machine, install Windows Server 2012 R2 and join it to the domain contoso.com. After the computer has joined the domain, proceed to install and configure the AD FS role.

For a video, see Active Directory Federation Services How-To Video Series: Installing an AD FS Server Farm.

Install a server SSL certificate

You must install a server Secure Sockets Layer (SSL) certificate on the ADFS1 server in the local computer store, with its private key. The certificate MUST have the following attributes:

  • Subject Name (CN): adfs1.contoso.com

  • Subject Alternative Name (DNS): adfs1.contoso.com

  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
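One way to obtain the certificate and confirm it has the attributes listed above before handing it to the AD FS wizard. This is an added example, not code from the original page. It assumes an enterprise CA in contoso.com reachable through Active Directory that publishes a template named 'WebServer' (the template name is an assumption) on which the enrollee may supply the subject and subject alternative names; the attribute check works on any certificate already in the machine store.

```powershell
# Added example (not from the original page): request and validate the ADFS1 service certificate.
# Run on ADFS1 in an elevated PowerShell window. The template name 'WebServer' is assumed.

function Request-AdfsServiceCertificate {
    $result = Get-Certificate -Template 'WebServer' `
        -SubjectName 'CN=adfs1.contoso.com' `
        -DnsName 'adfs1.contoso.com', 'enterpriseregistration.contoso.com' `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Url 'ldap:'
    if ($result.Status -ne 'Issued') { throw "Enrollment did not complete; status is $($result.Status)" }
    $result.Certificate
}

function Test-AdfsServiceCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string]   $SubjectName      = 'CN=adfs1.contoso.com',
        [string[]] $RequiredDnsNames = @('adfs1.contoso.com', 'enterpriseregistration.contoso.com')
    )
    $problems = @()

    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in the store (enroll on this server, or import the PFX with its key)' }
    if ($Certificate.Subject -ne $SubjectName) { $problems += "subject is '$($Certificate.Subject)', expected '$SubjectName'" }

    # Subject Alternative Name extension (OID 2.5.29.17). On Windows, Format() renders it as
    # "DNS Name=adfs1.contoso.com, DNS Name=enterpriseregistration.contoso.com".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    foreach ($name in $RequiredDnsNames) {
        if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($name) + '(,|$)')) { $problems += "SAN does not list $name" }
    }

    # If an EKU extension is present it must include Server Authentication (1.3.6.1.5.5.7.3.1),
    # otherwise clients reject the certificate for TLS.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'EKU extension present but does not include Server Authentication'
    }
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires soon: $($Certificate.NotAfter)" }

    [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: enroll, then check. To check a certificate that is already installed, pass it from
# Get-ChildItem Cert:\LocalMachine\My instead of calling Request-AdfsServiceCertificate.
$cert = Request-AdfsServiceCertificate
Test-AdfsServiceCertificate -Certificate $cert
```

`Ok` must be `$true` before you continue; the most common failure in practice is a certificate imported without its private key, which the wizard only reports later as "no usable certificate".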

For more information about setting up SSL certificates, see Configure SSL/TLS on a Web site in the domain with an Enterprise CA and the video Active Directory Federation Services How-To Video Series: Updating Certificates.

Install the AD FS server role

To install the Federation Service role service
  1. Log on to the server by using the domain administrator account administrator@contoso.com.

  2. Start Server Manager. To start Server Manager, click Server Manager on the Windows Start screen, or click Server Manager on the Windows taskbar on the Windows desktop. On the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next.

  6. On the Select server roles page, click Active Directory Federation Services, and then click Next.

  7. On the Select features page, click Next.

  8. On the Active Directory Federation Service (AD FS) page, click Next.

  9. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.

  10. On the Installation progress page, verify that everything installed correctly, and then click Close.

Configure the federation server

The next step is to configure the federation server.

To configure the federation server
  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on this server.

    The Active Directory Federation Service Configuration Wizard opens.

  2. On the Welcome page, select Create the first federation server in a federation server farm, and then click Next.

  3. On the Connect to AD DS page, specify an account with domain administrator rights for the contoso.com Active Directory domain that this computer is joined to, and then click Next.

  4. On the Specify Service Properties page, do the following, and then click Next:

    • Import the SSL certificate that you obtained earlier. This certificate is the required service authentication certificate. Browse to the location of your SSL certificate.

    • To provide a name for your federation service, type adfs1.contoso.com. This value is the same value that you provided when you enrolled the SSL certificate in Active Directory Certificate Services (AD CS).

    • To provide a display name for your federation service, type Contoso Corporation.

  5. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the GMSA account fsgmsa that you created on the domain controller in Step 1.

  6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.

  7. On the Review Options page, verify your configuration selections, and then click Next.

  8. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.

  9. On the Results page, review the results, check whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment.
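The two procedures above ("Install the AD FS server role" and "Configure the federation server") as one unattended script, with checks the wizard does not show you. This is an added example, not code from the original page. It assumes you run it elevated on ADFS1 as contoso\administrator after the SSL certificate is in LocalMachine\My and the FsGmsa account exists; the farm uses Windows Internal Database, as the wizard steps do.

```powershell
# Added example (not from the original page): install the role and create the first farm node on ADFS1.

Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Select the service certificate by the names it must carry instead of pasting a thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.DnsNameList.Unicode -contains 'adfs1.contoso.com' -and
        $_.DnsNameList.Unicode -contains 'enterpriseregistration.contoso.com'
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key and both required SANs in LocalMachine\My.' }

# Domain admin credential: used only to create the farm objects in AD DS, not to run the service.
$domainCred = Get-Credential -UserName 'contoso\administrator' -Message 'Domain administrator for contoso.com'

# Equivalent of the wizard pages: service properties, the GMSA as service account, WID as the
# configuration database (the default when no -SQLConnectionString is given).
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs1.contoso.com' `
    -FederationServiceDisplayName 'Contoso Corporation' `
    -GroupServiceAccountIdentifier 'contoso\fsgmsa$' `
    -Credential $domainCred

# Checks: farm name and identifier, the service running, and the metadata endpoint answering over
# HTTPS. The last line needs the adfs1 host record from the "Add Host (A) and Alias (CNAME)"
# procedure later in this topic.
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
Get-Service adfssrv | Select-Object Name, Status
(Invoke-WebRequest -UseBasicParsing 'https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml').StatusCode
```

If `Install-AdfsFarm` fails its prerequisite checks, the message names the check; the ones this lab trips most often are the SPN on the GMSA not matching `-FederationServiceName` and the certificate lacking a private key.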

Configure Device Registration Service

The next step is to configure Device Registration Service on the ADFS1 server. For a video, see Active Directory Federation Services How-To Video Series: Enabling the Device Registration Service.

To configure Device Registration Service for Windows Server 2012 R2 RTM
  1. Important

    The following step applies to the Windows Server 2012 R2 RTM build.

    Open a Windows PowerShell command window as a member of Enterprise Admins (the cmdlet creates objects in the configuration partition of the forest) and type:

    # Creates the Device Registration Service configuration objects in AD DS and binds DRS to the
    # AD FS service account. Prompts for the account; pass -ServiceAccountName 'contoso\fsgmsa$'
    # instead to run it unattended.
    Initialize-ADDeviceRegistration

    When you are prompted for a service account, type contoso\fsgmsa$.

    Now run the following Windows PowerShell cmdlet:

    # Turns on the Device Registration Service endpoints in this AD FS farm.
    Enable-AdfsDeviceRegistration

  2. On the ADFS1 server, in the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the Enable device authentication check box, and then click OK.

Add Host (A) and Alias (CNAME) resource records to DNS

On DC1, you must ensure that the following Domain Name System (DNS) records are created for Device Registration Service.

  Entry                    Type             Address
  adfs1                    Host (A)         IP address of the AD FS server
  enterpriseregistration   Alias (CNAME)    adfs1.contoso.com

You can use the following procedure to add a host (A) resource record to corporate DNS name servers for the federation server and Device Registration Service.

Membership in the Administrators group, or equivalent, is the minimum requirement to complete this procedure. Review details about using the appropriate accounts and group memberships in Local and Domain Default Groups (http://go.microsoft.com/fwlink/p/?LinkId=83477).

To add host (A) and alias (CNAME) resource records to DNS for your federation server
  1. On DC1, from Server Manager, on the Tools menu, click DNS to open the DNS snap-in.

  2. In the console tree, expand DC1, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).

  3. In Name, type the name you want to use for your AD FS farm. For this walkthrough, type adfs1.

  4. In IP address, type the IP address of the ADFS1 server. Click Add Host.

  5. Right-click contoso.com, and then click New Alias (CNAME).

  6. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.

  7. In the Fully qualified domain name (FQDN) of target host box, type adfs1.contoso.com, and then click OK.

    Important

    In a real-world deployment, if your company has multiple user principal name (UPN) suffixes, you must create multiple CNAME records in DNS, one enterpriseregistration record in the zone of each of those UPN suffixes, because a device looks up enterpriseregistration.<UPN suffix> for the user who is registering it.
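The DNS procedure above as a script on DC1, generalized as the Important note describes: one enterpriseregistration CNAME per UPN suffix in the forest rather than only in contoso.com. This is an added example, not code from the original page. It assumes the DnsServer and ActiveDirectory modules (both present on a 2012 R2 domain controller that holds the DNS role); the IP address is a constructed lab value.

```powershell
# Added example (not from the original page): create and verify the DRS DNS records on DC1.

$AdfsIPv4 = '10.0.0.20'            # constructed lab value; use ADFS1's real address
$AdfsHost = 'adfs1.contoso.com'

Import-Module DnsServer
Import-Module ActiveDirectory

# Host record for the federation server in the root zone.
if (-not (Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name 'adfs1' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'adfs1' -IPv4Address $AdfsIPv4
}

# One enterpriseregistration CNAME per UPN suffix: the forest root domain plus any alternative
# suffixes registered on the forest. Each suffix needs a zone on this server to hold the record.
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
foreach ($suffix in $suffixes) {
    if (-not (Get-DnsServerZone -Name $suffix -ErrorAction SilentlyContinue)) {
        Write-Warning "No zone for UPN suffix '$suffix' on this server; create it, then rerun."
        continue
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $suffix -Name 'enterpriseregistration' -RRType CName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordCName -ZoneName $suffix -Name 'enterpriseregistration' -HostNameAlias $AdfsHost
    }
}

# Verify: the CNAME must chase to the A record, and the A record must carry ADFS1's address.
Resolve-DnsName -Name 'enterpriseregistration.contoso.com' -Type CNAME
Resolve-DnsName -Name $AdfsHost -Type A
```

The record names must match the SANs on the ADFS1 certificate exactly; a CNAME for a UPN suffix whose `enterpriseregistration.<suffix>` name is not in the certificate will resolve but fail TLS on the device.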

Step 3: Configure the web server (WebServ1) and a sample claims-based application

Set up a virtual machine (WebServ1) by installing the Windows Server 2012 R2 operating system, and join it to the domain contoso.com. After it is joined to the domain, you can proceed to install and configure the Web Server role.

To complete the walkthroughs that were referenced earlier in this topic, you must have a sample application that is secured by your federation server (ADFS1).

You can download the Windows Identity Foundation SDK (http://www.microsoft.com/download/details.aspx?id=4451), which includes a sample claims-based application.

You must complete the following steps to set up a web server with this sample claims-based application.

Note

These steps have been tested on a web server that runs the Windows Server 2012 R2 operating system.

  1. Install the Web Server role and Windows Identity Foundation

  2. Install the Windows Identity Foundation SDK

  3. Configure the simple claims app in IIS

  4. Create a relying party trust on your federation server

Install the Web Server role and Windows Identity Foundation

  1. Note

    You must have access to the Windows Server 2012 R2 installation media.

    Log on to WebServ1 by using administrator@contoso.com and the password pass@word1.

  2. From Server Manager, on the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next.

  6. On the Select server roles page, select the check box next to Web Server (IIS), click Add Features, and then click Next.

  7. On the Select features page, select Windows Identity Foundation 3.5, and then click Next.

  8. On the Web Server Role (IIS) page, click Next.

  9. On the Select role services page, select and expand Application Development. Select ASP.NET 3.5, click Add Features, and then click Next.

  10. On the Confirm installation selections page, click Specify an alternate source path. Enter the path to the Sxs directory on the Windows Server 2012 R2 installation media, for example D:\Sources\Sxs. Click OK, and then click Install.

Install Windows Identity Foundation SDK

  1. Run WindowsIdentityFoundation-SDK-3.5.msi to install Windows Identity Foundation SDK 3.5 (http://www.microsoft.com/download/details.aspx?id=4451). Choose all of the default options.

Configure the simple claims app in IIS

  1. Install a valid SSL certificate in the computer certificate store. The certificate should contain the name of your web server, webserv1.contoso.com.

  2. Copy the contents of C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp to C:\Inetpub\Claimapp.

  3. Edit the Default.aspx.cs file so that no claim filtering takes place. This step ensures that the sample application displays all the claims that are issued by the federation server. It is a lab-only change: the ExpectedClaims allow-list is what keeps a real application from rendering whatever claims an identity provider chooses to send. Do the following:

    1. Open Default.aspx.cs in a text editor.

    2. Search the file for the second instance of ExpectedClaims.

    3. Comment out the entire IF statement and its braces. Indicate comments by typing "//" (without the quotes) at the beginning of a line.

    4. Your FOREACH statement should now look like this code example.

      foreach (Claim claim in claimsIdentity.Claims)
      {
         // Before showing the claims validate that this is an expected claim
         // If it is not in the expected claims list then don't show it
         // if (ExpectedClaims.Contains( claim.ClaimType ) )
         // {
            writeClaim( claim, table );
         // }
      }

    5. Save and close Default.aspx.cs.

    6. Open web.config in a text editor.

    7. Remove the entire <microsoft.identityModel> section: everything starting from and including <microsoft.identityModel> up to and including </microsoft.identityModel>. FedUtil.exe regenerates this section for your federation server in a later step.

    8. Save and close web.config.

  4. Configure IIS Manager

    1. Open Internet Information Services (IIS) Manager.

    2. Go to Application Pools, right-click DefaultAppPool, and then select Advanced Settings. Set Load User Profile to True, and then click OK.

    3. Right-click DefaultAppPool, and then select Basic Settings. Change the .NET CLR version to .NET CLR Version v2.0.50727 (the WIF 3.5 sample targets the .NET 3.5 runtime, which runs on CLR 2.0).

    4. Right-click Default Web Site, and then select Edit Bindings.

    5. Add an HTTPS binding on port 443 with the SSL certificate that you installed.

    6. Right-click Default Web Site, and then select Add Application.

    7. Set the alias to claimapp and the physical path to c:\inetpub\claimapp.

  5. To configure claimapp to work with your federation server, do the following:

    1. Run FedUtil.exe, which is located in C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5.

    2. Set the application configuration location to C:\inetpub\claimapp\web.config and set the application URI to the URL for your site, https://webserv1.contoso.com/claimapp/. Click Next.

    3. Select Use an existing STS, and then browse to your AD FS server's metadata URL, https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml. Click Next.

    4. Select Disable certificate chain validation, and then click Next. This setting, and the unencrypted token chosen in the next step, are acceptable only in this isolated lab; a production relying party validates the chain of the AD FS token-signing certificate.

    5. Select No encryption, and then click Next. On the Offered claims page, click Next.

    6. Select the check box next to Schedule a task to perform daily WS-Federation metadata updates. Click Finish.

    7. Your sample application is now configured. If you test the application URL https://webserv1.contoso.com/claimapp, it should redirect you to your federation server. The federation server should display an error page because you have not yet configured the relying party trust. In other words, you have not yet secured this test application with AD FS.
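The WebServ1 role installation and the "Configure IIS Manager" procedure above as a script, with the web.config edit done as an XML operation so the section boundaries cannot be mis-cut by hand. This is an added example, not code from the original page or from the WIF SDK. It assumes the Windows Server 2012 R2 media is mounted at D:, the WIF SDK is already installed to its default path, and the webserv1.contoso.com certificate is already in LocalMachine\My. FedUtil.exe remains an interactive step and is not scripted here.

```powershell
# Added example (not from the original page): WebServ1 IIS setup for the claimapp sample.

# Web Server (IIS), ASP.NET 3.5 and Windows Identity Foundation 3.5 need the side-by-side store
# from the installation media (the "Specify an alternate source path" step).
Install-WindowsFeature Web-Server, Web-Asp-Net, Windows-Identity-Foundation `
    -IncludeManagementTools -Source 'D:\Sources\Sxs'

Import-Module WebAdministration

# Site certificate: pick the newest one in the machine store that names webserv1.contoso.com.
$siteCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains 'webserv1.contoso.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $siteCert) { throw 'Install the webserv1.contoso.com certificate (with private key) first.' }

# HTTPS binding on 443 and the certificate attached to it through the IIS:\SslBindings drive.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$siteCert | New-Item 'IIS:\SslBindings\0.0.0.0!443' -Force | Out-Null

# DefaultAppPool: CLR v2.0 for the .NET 3.5 sample, and Load User Profile = True.
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel.loadUserProfile -Value $true

# Copy the sample into C:\inetpub\claimapp and publish it as the claimapp application.
$src = 'C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp'
$dst = 'C:\inetpub\claimapp'
New-Item -ItemType Directory -Path $dst -Force | Out-Null
Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
New-WebApplication -Name 'claimapp' -Site 'Default Web Site' -PhysicalPath $dst -ApplicationPool 'DefaultAppPool' -Force | Out-Null

# Remove the <microsoft.identityModel> section from web.config (FedUtil.exe regenerates it).
$cfgPath = Join-Path $dst 'web.config'
[xml]$cfg = Get-Content -Raw $cfgPath
$node = $cfg.configuration.SelectSingleNode('microsoft.identityModel')
if ($node) { $cfg.configuration.RemoveChild($node) | Out-Null; $cfg.Save($cfgPath) }

# Check: the application exists and the site answers on 443 with the expected certificate.
Get-WebApplication -Site 'Default Web Site' -Name 'claimapp' | Select-Object path, PhysicalPath, applicationPool
Get-Item 'IIS:\SslBindings\0.0.0.0!443' | Select-Object IPAddress, Port, Thumbprint
```

After this script, edit Default.aspx.cs as described in step 3 and run FedUtil.exe as described in step 5; both are hand edits the page walks through.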

You must now secure the sample application that runs on your web server with AD FS. You do this by adding a relying party trust on your federation server (ADFS1). For a video, see Active Directory Federation Services How-To Video Series: Add a Relying Party Trust.

Create a relying party trust on your federation server

  1. On your federation server (ADFS1), in the AD FS Management console, navigate to Relying Party Trusts, and then click Add Relying Party Trust.

  2. On the Select Data Source page, select Import data about the relying party published online or on a local network, enter the metadata URL for claimapp, and then click Next. Running FedUtil.exe created a metadata .xml file. It is located at https://webserv1.contoso.com/claimapp/federationmetadata/2007-06/federationmetadata.xml. ADFS1 must trust the webserv1.contoso.com certificate to fetch it over HTTPS.

  3. On the Specify Display Name page, specify the display name for your relying party trust, claimapp, and then click Next.

  4. On the Configure Multi-factor Authentication Now? page, select I do not want to specify multi-factor authentication settings for this relying party trust at this time, and then click Next.

  5. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

  6. On the Ready to Add Trust page, click Next.

  7. In the Edit Claim Rules dialog box, click Add Rule.

  8. On the Choose Rule Type page, select Send Claims Using a Custom Rule, and then click Next.

  9. On the Configure Claim Rule page, in the Claim rule name box, type All Claims. In the Custom rule box, type the following claim rule. It passes every incoming claim through unchanged, which is what lets claimapp display everything AD FS knows about the user; a production trust would issue only the claims the application needs.

    c:[]
    => issue(claim = c);

  10. Click Finish, and then click OK.
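The relying party trust above created with the ADFS PowerShell module on ADFS1, using the same permit-all authorization rule and pass-through claim rule as the wizard steps. This is an added example, not code from the original page. It assumes FedUtil.exe has already published the claimapp metadata at the URL the page gives.

```powershell
# Added example (not from the original page): relying party trust for claimapp from the command line.
Import-Module ADFS

$metadata = 'https://webserv1.contoso.com/claimapp/federationmetadata/2007-06/federationmetadata.xml'

# Lab-only rules. "Permit all users" and "issue every incoming claim" are what this walkthrough
# needs so claimapp can render everything; a production trust restricts both.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$transformRules = @'
@RuleName = "All Claims"
c:[]
=> issue(claim = c);
'@

if (-not (Get-AdfsRelyingPartyTrust -Name 'claimapp')) {
    # Importing from the metadata URL populates the identifier, WS-Federation endpoint and the
    # application's certificates; monitoring keeps the trust in sync with daily metadata changes.
    Add-AdfsRelyingPartyTrust -Name 'claimapp' -MetadataUrl $metadata `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $transformRules `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Check what the import produced: the identifier should be https://webserv1.contoso.com/claimapp/
# (the application URI you gave FedUtil) and the trust should be enabled.
Get-AdfsRelyingPartyTrust -Name 'claimapp' |
    Select-Object Name, Identifier, Enabled, MonitoringEnabled, WSFedEndpoint
```

If `Add-AdfsRelyingPartyTrust` reports that it cannot retrieve the metadata, the usual causes are the webserv1.contoso.com certificate not being trusted by ADFS1 or the HTTPS binding not yet being in place on WebServ1.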

Step 4: Configure the client computer (Client1)

Set up another virtual machine and install Windows 8.1. This virtual machine must be on the same virtual network as the other machines. This machine should NOT be joined to the Contoso domain.

The client MUST trust the SSL certificate that is used for the federation server (ADFS1), which you set up in Step 2: Configure the federation server (ADFS1) with Device Registration Service. It must also be able to validate certificate revocation information for that certificate. Because Client1 is not domain-joined, it does not receive the enterprise CA's root certificate through Group Policy: import that root into the client's Trusted Root Certification Authorities store, and make sure the CRL distribution point named in the ADFS1 certificate is reachable from the client's network.

You must also set up and use a Microsoft account to log on to Client1.
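A check you can run on Client1 to confirm both requirements above before starting the device registration walkthroughs: that the certificate ADFS1 presents chains to a root the client trusts, and that revocation data for the chain is reachable. This is an added example, not code from the original page; it uses only .NET classes available on Windows 8.1, and the root certificate file path in the comment is an assumption.

```powershell
# Added example (not from the original page): verify TLS trust and revocation checking from Client1.
# If the contoso root CA is not yet trusted, import it first (file path assumed):
#   Import-Certificate -FilePath 'C:\lab\contoso-root.cer' -CertStoreLocation Cert:\LocalMachine\Root

function Test-AdfsTlsTrust {
    param([string] $HostName = 'adfs1.contoso.com', [int] $Port = 443)

    # Pull the leaf certificate off a TLS handshake. The callback accepts anything here only so
    # we can inspect the chain ourselves below; nothing sensitive is sent on this connection.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain the way the browser will: online revocation checking for every issuer below the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $trusted = $chain.Build($leaf)

    $statusNames = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $revocationState = if ($statusNames -match 'Revo') { 'not verifiable (CRL/OCSP unreachable or revoked)' } else { 'checked' }

    [pscustomobject]@{
        Subject      = $leaf.Subject
        NameMatches  = [bool]($leaf.DnsNameList.Unicode -contains $HostName)
        ChainTrusted = $trusted
        Revocation   = $revocationState
        ChainStatus  = ($statusNames -join ', ')
    }
}

# Usage: every field must be good before the device walkthroughs will work.
Test-AdfsTlsTrust
```

`ChainTrusted` false with `UntrustedRoot` in `ChainStatus` means the root import is missing; `RevocationStatusUnknown` or `OfflineRevocation` means the client cannot reach the CRL distribution point, which the device registration flow treats as a failure even though the chain itself is fine.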

See Also