AD FS Requirements

Applies To: Windows Server 2012 R2

The following are the various requirements that you must conform to when deploying AD FS:

Certificate requirements

Certificates play the most critical role in securing communications between federation servers, Web Application Proxies, claims-aware applications, and Web clients. The requirements for certificates vary, depending on whether you are setting up a federation server or a proxy computer, as described in this section.

Federation server certificates

Certificate type: Requirements, Support & Things to Know

Secure Sockets Layer (SSL) certificate: This is a standard SSL certificate that is used for securing communications between federation servers and clients.
- This certificate must be a publicly trusted X509 v3 certificate.
- All clients that access any AD FS endpoint must trust this certificate. It is strongly recommended to use certificates that are issued by a public (third-party) certification authority (CA). You can use a self-signed SSL certificate successfully on federation servers in a test lab environment. However, for a production environment, we recommend that you obtain the certificate from a public CA.
- Supports any key size supported by Windows Server 2012 R2 for SSL certificates.
- Does not support certificates that use CNG keys.
- When used together with Workplace Join/Device Registration Service, the subject alternative name of the SSL certificate for the AD FS service must contain the value enterpriseregistration followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.
- Wildcard certificates are supported. When you create your AD FS farm, you will be prompted to provide the service name for the AD FS service (for example, adfs.contoso.com).
- It is strongly recommended to use the same SSL certificate for the Web Application Proxy. The same certificate is required when supporting Windows Integrated Authentication endpoints through the Web Application Proxy and when Extended Protection Authentication is turned on (default setting).
- The Subject name of this certificate is used to represent the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name on any new CA-issued certificates that best represents the name of your company or organization to partners.
  The identity of the certificate must match the federation service name (for example, fs.contoso.com). The identity is either a subject alternative name extension of type dNSName or, if there are no subject alternative name entries, the subject name specified as a common name. Multiple subject alternative name entries can be present in the certificate, provided one of them matches the federation service name.
- Important: it is strongly recommended to use the same SSL certificate across all nodes of your AD FS farm as well as all Web Application Proxies in your AD FS farm.

Service communication certificate: This certificate enables WCF message security for securing communications between federation servers.
- By default, the SSL certificate is used as the service communication certificate. But you also have the option to configure another certificate as the service communication certificate.
- Important: if you are using the SSL certificate as the service communication certificate, when the SSL certificate expires, make sure to configure the renewed SSL certificate as your service communication certificate. This does not happen automatically.
- This certificate must be trusted by clients of AD FS that use WCF Message Security.
- We recommend that you use a server authentication certificate that is issued by a public (third-party) certification authority (CA).
- The service communication certificate cannot be a certificate that uses CNG keys.
- This certificate can be managed using the AD FS Management console.

Token-signing certificate: This is a standard X509 certificate that is used for securely signing all tokens that the federation server issues.
- By default, AD FS creates a self-signed certificate with 2048 bit keys.
- CA issued certificates are also supported and can be changed using the AD FS Management snap-in.
- CA issued certificates must be stored & accessed through a CSP Crypto Provider.
- The token signing certificate cannot be a certificate that uses CNG keys.
- AD FS does not require externally enrolled certificates for token signing.
  AD FS automatically renews these self-signed certificates before they expire, first configuring the new certificates as secondary certificates to allow for partners to consume them, then flipping to primary in a process called automatic certificate rollover. We recommend that you use the default, automatically generated certificates for token signing.
  If your organization has policies that require different certificates to be configured for token signing, you can specify the certificates at installation time using PowerShell (use the -SigningCertificateThumbprint parameter of the Install-AdfsFarm cmdlet). After installation, you can view and manage token signing certificates using the AD FS Management console or the PowerShell cmdlets Set-AdfsCertificate and Get-AdfsCertificate.
  When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate renewal or rollover. This process must be performed by an administrator.
  To allow for certificate rollover when one certificate is close to expiring, a secondary token signing certificate can be configured in AD FS. By default, all token signing certificates are published in federation metadata, but only the primary token-signing certificate is used by AD FS to actually sign tokens.

Token-decryption/encryption certificate: This is a standard X509 certificate that is used to decrypt/encrypt any incoming tokens. It is also published in federation metadata.
- By default, AD FS creates a self-signed certificate with 2048 bit keys.
- CA issued certificates are also supported and can be changed using the AD FS Management snap-in.
- CA issued certificates must be stored & accessed through a CSP Crypto Provider.
- The token-decryption/encryption certificate cannot be a certificate that uses CNG keys.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token decryption. AD FS does not require externally enrolled certificates for this purpose.
  In addition, AD FS automatically renews these self-signed certificates before they expire.
  We recommend that you use the default, automatically generated certificates for token decryption.
  If your organization has policies that require different certificates to be configured for token decryption, you can specify the certificates at installation time using PowerShell (use the -DecryptionCertificateThumbprint parameter of the Install-AdfsFarm cmdlet). After installation, you can view and manage token decryption certificates using the AD FS Management console or the PowerShell cmdlets Set-AdfsCertificate and Get-AdfsCertificate.
  When externally enrolled certificates are used for token decryption, AD FS does not perform automatic certificate renewal. This process must be performed by an administrator.
- The AD FS service account must have access to the token-signing certificate's private key in the personal store of the local computer. This is taken care of by Setup. You can also use the AD FS Management snap-in to ensure this access if you subsequently change the token-signing certificate.

Warning

Certificates that are used for token-signing and token-decrypting/encrypting are critical to the stability of the Federation Service. Customers managing their own token-signing & token-decrypting/encrypting certificates should ensure that these certificates are backed up and are available independently during a recovery event.

Note

In AD FS you can change the Secure Hash Algorithm (SHA) level that is used for digital signatures to either SHA-1 or SHA-256 (more secure). AD FS does not support the use of certificates with other hash methods, such as MD5 (the default hash algorithm that is used with the Makecert.exe command-line tool). As a security best practice, we recommend that you use SHA-256 (which is set by default) for all signatures. SHA-1 is recommended for use only in scenarios in which you must interoperate with a product that does not support communications using SHA-256, such as a non-Microsoft product or legacy versions of AD FS.

Note

After you receive a certificate from a CA, make sure that all certificates are imported into the personal certificate store of the local computer. You can import certificates to the personal store with the Certificates MMC snap-in.
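The following PowerShell script is an added example (not from the original page or from Microsoft) that audits the SSL, token-signing and token-decrypting certificates of an existing farm against the rules in the table above: the service-name identity match (SAN dNSName entries or the Subject CN, wildcard-aware), the enterpriseregistration SAN entry needed for Device Registration, MD5 signatures, CSP versus CNG keys, and a near-expiry primary certificate with no secondary while automatic rollover is off. Assumptions: it runs in an elevated session on a Windows Server 2012 R2 federation server with the ADFS module; UPN suffixes are passed in as a parameter; the CNG detection is a heuristic built on X509Certificate2.PrivateKey, so confirm any CNG finding with certutil.

```powershell
# Added example: audit AD FS 2012 R2 farm certificates against the page's rules.
param(
    [string[]]$UpnSuffixes = @(),   # e.g. 'contoso.com'; when given, the Device
                                    # Registration SAN entry is required for each
    [int]$ExpiryWarningDays = 30
)
Import-Module ADFS -ErrorAction Stop

$props       = Get-AdfsProperties
$serviceName = $props.HostName.ToLower()
$findings    = New-Object System.Collections.Generic.List[string]

# Identity rule: every dNSName SAN entry, or the Subject CN when the
# certificate carries no SAN extension (OID 2.5.29.17).
function Get-CertificateIdentities($cert) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Multi-line Format() output contains lines such as "DNS Name=fs.contoso.com"
        return @($san.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match 'DNS Name=(\S+)') { $Matches[1].ToLower() } })
    }
    if ($cert.Subject -match 'CN=([^,]+)') { return @($Matches[1].Trim().ToLower()) }
    return @()
}

# Wildcard certificates are supported: *.contoso.com covers fs.contoso.com only.
function Test-NameMatch([string]$pattern, [string]$name) {
    if ($pattern.StartsWith('*.')) {
        $labels = $name.Split('.', 2)
        return ($labels.Length -eq 2) -and ($labels[1] -eq $pattern.Substring(2))
    }
    return $pattern -eq $name
}

# Heuristic for the "no CNG keys" rule: on .NET 4.5 X509Certificate2.PrivateKey
# only opens CSP keys, so a private key that cannot be opened this way was most
# likely created under a CNG key storage provider. Confirm with
# "certutil -store My <thumbprint>" and read its Provider line.
function Test-CspPrivateKey($cert) {
    if (-not $cert.HasPrivateKey) { return $true }
    try { return ($null -ne $cert.PrivateKey) } catch { return $false }
}

function Test-CommonCertificateRules($cert, [string]$label) {
    if ($cert.SignatureAlgorithm.FriendlyName -match 'md5') {
        $findings.Add("$label is signed with MD5, which AD FS does not support")
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
        $findings.Add("$label expires on $($cert.NotAfter.ToShortDateString())")
    }
    # Re-read from the local machine store so the private key context is available
    $local = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
    if ($local -and -not (Test-CspPrivateKey $local)) {
        $findings.Add("$label appears to use a CNG key (a CSP key is required)")
    }
}

# --- SSL certificate bound to the AD FS service --------------------------------
$sslBinding = Get-AdfsSslCertificate | Select-Object -First 1
$ssl = Get-Item "Cert:\LocalMachine\My\$($sslBinding.CertificateHash)"
$ids = Get-CertificateIdentities $ssl
if (-not @($ids | Where-Object { Test-NameMatch $_ $serviceName })) {
    $findings.Add("SSL certificate identities [$($ids -join ', ')] do not cover $serviceName")
}
foreach ($suffix in $UpnSuffixes) {
    $drsName = "enterpriseregistration.$suffix".ToLower()
    if (-not @($ids | Where-Object { Test-NameMatch $_ $drsName })) {
        $findings.Add("SSL certificate lacks the Device Registration SAN entry $drsName")
    }
}
Test-CommonCertificateRules $ssl 'SSL certificate'

# The service communication certificate is not renewed with the SSL certificate.
$svc = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
if ($svc.Thumbprint -ne $ssl.Thumbprint) {
    Write-Host "Service communication certificate differs from the SSL certificate; renew both."
}
Test-CommonCertificateRules $svc 'Service communication certificate'

# --- Token-signing and token-decrypting certificates ---------------------------
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs   = @(Get-AdfsCertificate -CertificateType $type)
    $primary = $certs | Where-Object { $_.IsPrimary }
    Test-CommonCertificateRules $primary.Certificate "Primary $type certificate"
    # Externally enrolled certificates are not rolled over automatically, so a
    # secondary should already be published before the primary expires.
    if (-not $props.AutoCertificateRollover -and $certs.Count -lt 2 -and
        $primary.Certificate.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
        $findings.Add("${type}: rollover is manual and no secondary certificate is configured")
    }
}

if ($findings.Count -eq 0) { Write-Host "All certificate checks passed for $serviceName" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```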

Hardware requirements

The following minimum and recommended hardware requirements apply to the AD FS federation servers in Windows Server 2012 R2:

Hardware requirement   Minimum requirement        Recommended requirement
CPU speed              1.4 GHz 64-bit processor   Quad-core, 2 GHz
RAM                    512 MB                     4 GB
Disk space             32 GB                      100 GB

Software requirements

The following AD FS requirements are for the server functionality that is built into the Windows Server® 2012 R2 operating system:

  • For extranet access, you must deploy the Web Application Proxy role service, part of the Windows Server® 2012 R2 Remote Access server role. Prior versions of a federation server proxy are not supported with AD FS in Windows Server® 2012 R2.

  • A federation server and the Web Application Proxy role service cannot be installed on the same computer.

AD DS requirements

Domain controller requirements

Domain controllers in all user domains and the domain to which the AD FS servers are joined must be running Windows Server 2008 or later.

Note

All support for environments with Windows Server 2003 domain controllers will end after the Extended Support End Date for Windows Server 2003. Customers are strongly recommended to upgrade their domain controllers as soon as possible. Visit this page for additional information on the Microsoft Support Lifecycle. For issues discovered that are specific to Windows Server 2003 domain controller environments, fixes will be issued only for security issues and only if a fix can be issued prior to the expiry of Extended Support for Windows Server 2003.

Domain functional-level requirements

All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.

Most AD FS features do not require AD DS functional-level modifications to operate successfully. However, Windows Server 2008 domain functional level or higher is required for client certificate authentication to operate successfully if the certificate is explicitly mapped to a user's account in AD DS.

Schema requirements

  • AD FS does not require schema changes or functional-level modifications to AD DS.

  • To use Workplace Join functionality, the schema of the forest that the AD FS servers are joined to must be set to Windows Server 2012 R2.

Service account requirements

  • Any standard service account can be used as a service account for AD FS. Group Managed Service Accounts are also supported. This requires at least one domain controller (it is recommended that you deploy two or more) that is running Windows Server 2012 or higher.

  • For Kerberos authentication to function between domain-joined clients and AD FS, the 'HOST/<adfs_service_name>' must be registered as an SPN on the service account. By default, AD FS will configure this when creating a new AD FS farm if it has sufficient permissions to perform this operation.

  • The AD FS service account must be trusted in every user domain that contains users authenticating to the AD FS service.

Domain Requirements

  • All AD FS servers must be joined to an AD DS domain.

  • All AD FS servers within a farm must be deployed in a single domain.

  • The domain that the AD FS servers are joined to must trust every user account domain that contains users authenticating to the AD FS service.

Multi Forest Requirements

  • The domain that the AD FS servers are joined to must trust every user account domain or forest that contains users authenticating to the AD FS service.

  • The AD FS service account must be trusted in every user domain that contains users authenticating to the AD FS service.

Configuration database requirements

The following are the requirements and restrictions that apply based on the type of configuration store:

WID

  • A WID farm has a limit of 30 federation servers if you have 100 or fewer relying party trusts.

  • The artifact resolution profile in SAML 2.0 is not supported in the WID configuration database. Token Replay Detection is not supported in the WID configuration database. This functionality is used only in scenarios where AD FS is acting as the federation provider and consuming security tokens from external claims providers.

  • Deploying AD FS servers in distinct data centers for failover or geographic load balancing is supported as long as the number of servers does not exceed 30.

The following table provides a summary for using a WID farm. Use it to plan your implementation.

                          1 - 100 RP Trusts                        More than 100 RP Trusts
1 - 30 AD FS Nodes        WID Supported                            Not supported using WID - SQL Required
More than 30 AD FS Nodes  Not supported using WID - SQL Required   Not supported using WID - SQL Required

SQL Server

For AD FS in Windows Server 2012 R2, you can use SQL Server 2008 and higher.

Browser requirements

When AD FS authentication is performed via a browser or browser control, your browser must comply with the following requirements:

  • JavaScript must be enabled

  • Cookies must be turned on

  • Server Name Indication (SNI) must be supported

  • For user certificate & device certificate authentication (workplace join functionality), the browser must support SSL client certificate authentication

Several key browsers and platforms have undergone validation for rendering and functionality, the details of which are listed below. Browsers and devices that are not covered in this table are still supported if they meet the requirements listed above:

Browsers                            Platforms
IE 10.0                             Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
IE 11.0                             Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Windows Web Authentication Broker   Windows 8.1
Firefox [v21]                       Windows 7, Windows 8.1
Safari [v7]                         iOS 6, Mac OS-X 10.7
Chrome [v27]                        Windows 7, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Mac OS-X 10.7

Important

Known issue - Firefox: Workplace Join functionality that identifies the device using a device certificate is not functional on Windows platforms. Firefox does not currently support performing SSL client certificate authentication using certificates provisioned to the user certificate store on Windows clients.

Cookies

AD FS creates session-based and persistent cookies that must be stored on client computers to provide sign-in, sign-out, single sign-on (SSO), and other functionality. Therefore, the client browser must be configured to accept cookies. Cookies that are used for authentication are always Secure Hypertext Transfer Protocol (HTTPS) session cookies that are written for the originating server. If the client browser is not configured to allow these cookies, AD FS cannot function correctly. Persistent cookies are used to preserve the user's selection of the claims provider. You can disable them by using a configuration setting in the configuration file for the AD FS sign-in pages. Support for TLS/SSL is required for security reasons.

Extranet requirements

To provide extranet access to the AD FS service, you must deploy the Web Application Proxy role service as the extranet facing role that proxies authentication requests in a secure manner to the AD FS service. This provides isolation of the AD FS service endpoints as well as isolation of all security keys (such as token signing certificates) from requests that originate from the internet. In addition, features such as Soft Extranet Account Lockout require the use of the Web Application Proxy. For more information about Web Application Proxy, see Web Application Proxy.

If you want to use a third-party proxy for extranet access, this third-party proxy must support the protocol defined in http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5bMS-ADFSPIP%5d.pdf.

Network requirements

Configuring the following network services appropriately is critical for successful deployment of AD FS in your organization:

Configuring Corporate Firewall

Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.

In addition, if client user certificate authentication (client TLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers.

Configuring DNS

  • For intranet access, all clients accessing the AD FS service within the internal corporate network (intranet) must be able to resolve the AD FS service name (the name provided by the SSL certificate) to the load balancer for the AD FS servers or to the AD FS server.

  • For extranet access, all clients accessing the AD FS service from outside the corporate network (extranet/internet) must be able to resolve the AD FS service name (the name provided by the SSL certificate) to the load balancer for the Web Application Proxy servers or to the Web Application Proxy server.

  • For extranet access to function properly, each Web Application Proxy server in the DMZ must be able to resolve the AD FS service name (the name provided by the SSL certificate) to the load balancer for the AD FS servers or to the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or by changing local server resolution using the HOSTS file.

  • For Windows Integrated authentication to work inside the network and outside the network for a subset of endpoints exposed through the Web Application Proxy, you must use an A record (not a CNAME) to point to the load balancers.

For information on configuring corporate DNS for the federation service and Device Registration Service, see Configure Corporate DNS for the Federation Service and DRS.

For information on configuring corporate DNS for Web Application Proxies, see the "Configure DNS" section in Step 1: Configure the Web Application Proxy Infrastructure.

For information about how to configure a cluster IP address or cluster FQDN using NLB, see Specifying the Cluster Parameters at http://go.microsoft.com/fwlink/?LinkId=75282.

Attribute store requirements

AD FS requires at least one attribute store to be used for authenticating users and extracting security claims for those users. For a list of attribute stores that AD FS supports, see The Role of Attribute Stores.

Note

AD FS automatically creates an "Active Directory" attribute store, by default. Attribute store requirements depend on whether your organization is acting as the account partner (hosting the federated users) or the resource partner (hosting the federated application).

LDAP Attribute Stores

When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores, you must connect to an LDAP server that supports Windows Integrated authentication. The LDAP connection string must also be written in the format of an LDAP URL, as described in RFC 2255.

It is also required that the service account for the AD FS service has the right to retrieve user information in the LDAP attribute store.

SQL Server Attribute Stores

For AD FS in Windows Server 2012 R2 to operate successfully, computers that host the SQL Server attribute store must be running Microsoft SQL Server 2008 or higher. When you work with SQL-based attribute stores, you also must configure a connection string.

Custom Attribute Stores

You can develop custom attribute stores to enable advanced scenarios.

  • The policy language that is built into AD FS can reference custom attribute stores so that any of the following scenarios can be enhanced:

    • Creating claims for a locally authenticated user

    • Supplementing claims for an externally authenticated user

    • Authorizing a user to obtain a token

    • Authorizing a service to obtain a token on behalf of a user

    • Issuing additional data in security tokens issued by AD FS to relying parties.

  • All custom attribute stores must be built on top of .NET 4.0 or higher.

When you work with a custom attribute store, you might also have to configure a connection string. In that case, you can enter custom code of your choice that enables a connection to your custom attribute store. The connection string in this situation is a set of name/value pairs that are interpreted as implemented by the developer of the custom attribute store. For more information about developing and using custom attribute stores, see Attribute Store Overview.

Application requirements

AD FS supports claims-aware applications that use the following protocols:

  • WS-Federation

  • WS-Trust

  • SAML 2.0 protocol using the IDPLite, SPLite & eGov1.5 profiles

  • OAuth 2.0 Authorization Grant Profile

AD FS also supports authentication and authorization for any non-claims-aware applications that are supported by the Web Application Proxy.

驗證的需求Authentication requirements

AD DS 驗證 (Primary Authentication)AD DS Authentication (Primary Authentication)

內部網路存取權限的支援下列標準驗證機制 AD ds:For intranet access, the following standard authentication mechanisms for AD DS are supported:

  • Windows 使用交涉 Kerberos 與 NTLM 的整合式驗證Windows Integrated Authentication using Negotiate for Kerberos & NTLM

  • 使用密碼 username\ 日表單驗證Forms Authentication using username/passwords

  • 使用對應至帳號 AD ds 憑證憑證驗證Certificate Authentication using certificates mapped to user accounts in AD DS

外部網路的存取,支援下列驗證機制:For extranet access, the following authentication mechanisms are supported:

  • 使用密碼 username\ 日表單驗證Forms Authentication using username/passwords

  • 使用對應至帳號 AD ds 憑證憑證驗證Certificate Authentication using certificates that are mapped to user accounts in AD DS

  • Windows 使用交涉 (NTLM only) WS\ 信任端點接受 Windows 整合式驗證,驗證整合。Windows Integrated Authentication using Negotiate (NTLM only) for WS-Trust endpoints that accept Windows Integrated Authentication.

憑證驗證:For Certificate Authentication:

  • 延伸到智慧卡,可保護 pin 碼。Extends to smartcards that can be pin protected.

  • 輸入 pin 碼使用者 GUI AD FS 不提供,也不需要將 client 作業系統使用 client TLS 時所顯示的一部分。The GUI for the user to enter their pin is not provided by AD FS and is required to be part of the client operating system that is displayed when using client TLS.

  • 讀取和密碼編譯服務提供者智慧卡 (CSP) 必須瀏覽器所在的電腦上運作。The reader and cryptographic service provider (CSP) for the smart card must work on the computer where the browser is located.

  • 智慧卡憑證必須鏈到所有伺服器 AD FS 和 Web 應用程式的 Proxy 伺服器上受信任的網站。The smart card certificate must chain up to a trusted root on all the AD FS servers and Web Application Proxy servers.

  • 憑證必須對應到 AD ds 帳號下列方法:The certificate must map to the user account in AD DS by either of the following methods:

    • 憑證主體名稱相當於在 AD DS 帳號 LDAP 分辨名稱。The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.

    • 憑證主旨 altname 擴充功能有使用者主體名稱使用者中帳號 AD DS (UPN)。The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS.
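The following PowerShell is an added example, not code from the AD FS documentation. Given a user certificate file, it reports which of the two mapping rules above would resolve it to an AD DS account, and whether the certificate chains to a trusted root on the machine it runs on (the chain requirement in the earlier bullet). It assumes the ActiveDirectory (RSAT) module is available, that the caller supplies the certificate path, and that Windows renders the subjectAltName extension in its usual "Principal Name=..." text form.

```powershell
# Added example, not from the AD FS documentation.
# Assumes: ActiveDirectory module (RSAT) present; run on a domain-joined machine.
Import-Module ActiveDirectory

function Resolve-CertificateToAdUser {
    param([Parameter(Mandatory)][string]$CertificatePath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    # Rule 1: subject name equals the LDAP distinguished name of the account.
    # .NET renders the subject as "CN=Alice, OU=Users, DC=corp, ..."; AD stores the DN without the
    # spaces after the commas, so normalise first (assumption: no escaped commas inside an RDN).
    $subjectDn = $cert.Subject -replace ',\s+', ','
    $bySubject = $null
    try { $bySubject = Get-ADUser -Identity $subjectDn } catch { }

    # Rule 2: the subjectAltName extension (OID 2.5.29.17) carries the UPN as an otherName entry,
    # which Windows formats as "Other Name:Principal Name=alice@corp.contoso.com".
    $upn   = $null
    $byUpn = $null
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $m = [regex]::Match($san.Format($false), 'Principal Name=([^,\s]+)')
        if ($m.Success) {
            $upn   = $m.Groups[1].Value
            $byUpn = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        }
    }

    # Chain requirement: X509Chain.Build uses this machine's trust stores, so run this on each
    # AD FS server and Web Application Proxy server to confirm the root is trusted everywhere.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject         = $cert.Subject
        MappedBySubject = if ($bySubject) { $bySubject.SamAccountName } else { $null }
        SanUpn          = $upn
        MappedByUpn     = if ($byUpn) { $byUpn.SamAccountName } else { $null }
        ChainsToRoot    = $chainOk
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (the path is a placeholder):
Resolve-CertificateToAdUser -CertificatePath 'C:\temp\alice.cer'
```

A certificate that maps by neither rule (both Mapped* fields empty) will be accepted by TLS on the federation server but cannot be resolved to a user, so the logon fails after the client TLS handshake; checking the mapping before enrolling a new CA into the AD FS trust saves that round trip.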

For seamless Windows Integrated Authentication using Kerberos on the intranet:

  • The federation service name must be part of the browser's Trusted Sites or Local Intranet zone.

  • In addition, the HOST/<adfs_service_name> SPN must be set on the service account that the AD FS farm runs as.
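Both prerequisites above can be verified with the PowerShell below, an added example rather than code from the AD FS documentation. It assumes the ActiveDirectory (RSAT) module, a farm that runs as a standard domain user service account, and placeholder names for the federation service and the account; the zone check assumes the Internet Explorer zone assignment was made per user (HKCU) rather than through the "Site to Zone Assignment List" policy.

```powershell
# Added example, not from the AD FS documentation.
# Assumes: ActiveDirectory module (RSAT); farm runs as a standard domain user service account.
Import-Module ActiveDirectory

$FederationServiceName = 'fs.contoso.com'   # placeholder: DNS name clients use for AD FS
$ServiceAccount        = 'adfssvc'           # placeholder: sAMAccountName of the AD FS service account
$Spn                   = "HOST/$FederationServiceName"

function Test-AdfsSpn {
    $acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName

    # A second object holding the same SPN is a duplicate: the KDC cannot pick one principal,
    # the Kerberos ticket request fails and Negotiate falls back to NTLM. Check before registering.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    $foreign = $holders | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    if ($foreign) {
        throw "SPN $Spn is already registered on: $($foreign.DistinguishedName -join '; ')"
    }

    if ($acct.servicePrincipalName -notcontains $Spn) {
        Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $Spn}
        "Registered $Spn on $ServiceAccount"
    } else {
        "$Spn already registered on $ServiceAccount"
    }
}

function Test-AdfsIntranetZone {
    # Internet Explorer keeps per-host zone assignments under ZoneMap\Domains\<domain>\<host>;
    # a REG_DWORD named after the scheme holds the zone id (1 = Local Intranet, 2 = Trusted Sites).
    # Assumption: per-user (HKCU) assignment; Group Policy writes the equivalent under
    # HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey instead.
    $hostLabel, $domain = $FederationServiceName -split '\.', 2
    $key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    $zone = (Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue).https
    [pscustomobject]@{ Host = $FederationServiceName; Zone = $zone; Ok = ($zone -in 1, 2) }
}

Test-AdfsSpn
Test-AdfsIntranetZone

# From a domain-joined client, confirm a Kerberos service ticket is issued for the SPN;
# the ticket then appears in the 'klist' cache listing.
klist get $Spn
```

If the farm runs as a group managed service account, apply the same SPN check to that object with Get-ADServiceAccount -Properties servicePrincipalName and Set-ADServiceAccount -ServicePrincipalNames. A host that is not in either zone gets no Kerberos ticket from the browser at all, so the symptom is a forms sign-in page inside the intranet rather than an error.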

Multi-factor authentication

AD FS supports additional authentication (beyond the primary authentication supported by AD DS) through a provider model: vendors and customers can build their own multi-factor authentication adapter, which an administrator can register and use during sign-in.

Every MFA adapter must be built on top of .NET 4.5.

For more information on MFA, see Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

Device authentication

AD FS supports device authentication using certificates provisioned by the Device Registration Service when an end user workplace joins their device.

Workplace join requirements

End users can workplace join their devices to an organization using AD FS. This is supported by the Device Registration Service in AD FS. As a result, end users get the additional benefit of SSO across the applications supported by AD FS, and administrators can manage risk by restricting access to applications to devices that have been workplace joined to the organization. The requirements to enable this scenario are:

  • AD FS supports workplace join for Windows 8.1 and iOS 5+ devices.

  • To use workplace join, the schema of the forest that the AD FS servers are joined to must be at the Windows Server 2012 R2 level.

  • The subject alternative name of the SSL certificate for the AD FS service must contain the value enterpriseregistration followed by the User Principal Name (UPN) suffix of your organization, for example enterpriseregistration.corp.contoso.com.
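The schema and certificate requirements above can be checked before the Device Registration Service is enabled. The PowerShell below is an added example, not code from the AD FS documentation; it runs on an AD FS server with the ADFS and ActiveDirectory modules, assumes that every UPN suffix in the forest is in scope for workplace join, and assumes the same SSL certificate is bound on every AD FS endpoint.

```powershell
# Added example, not from the AD FS documentation. Run on an AD FS server where the ADFS and
# ActiveDirectory modules are available.
Import-Module ADFS, ActiveDirectory

function Test-WorkplaceJoinPrereqs {
    # 1. Forest schema at the Windows Server 2012 R2 level. The schema container's objectVersion
    #    attribute is 69 for 2012 R2 (56 for 2012, 47 for 2008 R2).
    $schema   = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $schemaOk = [int]$schema.objectVersion -ge 69

    # 2. enterpriseregistration.<UPN suffix> must appear as a DNS name in the SSL certificate's SAN.
    #    Assumption: every UPN suffix in the forest is in scope; narrow $suffixes if only some are.
    $forest   = Get-ADForest
    $suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
    $required = $suffixes | ForEach-Object { "enterpriseregistration.$_" }

    # Assumption: one certificate is bound on every AD FS SSL endpoint, so inspect the first binding.
    $hash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash"
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanDns = @()
    if ($san) {
        # Windows formats the extension as "DNS Name=a, DNS Name=b, ..."
        $sanDns = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $missing = @($required | Where-Object { $sanDns -notcontains $_ })

    [pscustomobject]@{
        SchemaVersion  = $schema.objectVersion
        SchemaOk       = $schemaOk
        SslThumbprint  = $hash
        RequiredSanDns = $required
        MissingSanDns  = $missing
        Ok             = $schemaOk -and ($missing.Count -eq 0)
    }
}

Test-WorkplaceJoinPrereqs
```

Any name listed under MissingSanDns means clients with that UPN suffix will fail to locate the registration endpoint, because the device looks up enterpriseregistration.<suffix> and validates the certificate against that host name.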

Cryptography requirements

The following table provides additional cryptography support information for the AD FS token-signing and token encryption/decryption functionality:

| Algorithm | Key lengths | Protocols/Applications/Comments |
| --- | --- | --- |
| TripleDES (default 192, supported 192–256): http://www.w3.org/2001/04/xmlenc#tripledes-cbc | >= 192 | Supported algorithm for encrypting the security token. |
| AES128: http://www.w3.org/2001/04/xmlenc#aes128-cbc | 128 | Supported algorithm for encrypting the security token. |
| AES192: http://www.w3.org/2001/04/xmlenc#aes192-cbc | 192 | Supported algorithm for encrypting the security token. |
| AES256: http://www.w3.org/2001/04/xmlenc#aes256-cbc | 256 | Default. Supported algorithm for encrypting the security token. |
| TripleDESKeyWrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes | All key sizes supported by .NET 4.0+ | Supported algorithm for encrypting the symmetric key that encrypts the security token. |
| AES128KeyWrap: http://www.w3.org/2001/04/xmlenc#kw-aes128 | 128 | Supported algorithm for encrypting the symmetric key that encrypts the security token. |
| AES192KeyWrap: http://www.w3.org/2001/04/xmlenc#kw-aes192 | 192 | Supported algorithm for encrypting the symmetric key that encrypts the security token. |
| AES256KeyWrap: http://www.w3.org/2001/04/xmlenc#kw-aes256 | 256 | Supported algorithm for encrypting the symmetric key that encrypts the security token. |
| RsaV15KeyWrap: http://www.w3.org/2001/04/xmlenc#rsa-1_5 | 1024 | Supported algorithm for encrypting the symmetric key that encrypts the security token. |
| RsaOaepKeyWrap: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p | 1024 | Default. Supported algorithm for encrypting the symmetric key that encrypts the security token. |
| SHA1: http://www.w3.org/PICS/DSig/SHA1_1_0.html | N/A | Used by the AD FS server in artifact SourceId generation: the STS uses SHA1 (per the recommendation in the SAML 2.0 standard) to create a short 160-bit value for the artifact SourceId. Also used by the ADFS web agent (a legacy component from the Windows Server 2003 timeframe) to detect changes in a "last updated" time value so that it knows when to refresh information from the STS. |
| SHA1withRSA: http://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html | N/A | Used when the AD FS server validates the signature of a SAML AuthenticationRequest, signs the artifact resolution request or response, or creates the token-signing certificate. In these cases SHA256 is the default; SHA1 is used only if the partner (relying party) cannot support SHA256 and must use SHA1. |
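Because SHA1 is only meant to remain on trusts whose partner cannot verify SHA256, it is worth auditing which trusts still carry it. The PowerShell below is an added example, not code from the AD FS documentation; it runs on an AD FS 2012 R2 server with the ADFS module that ships with the role, and the trust name in the Set- call is a placeholder.

```powershell
# Added example, not from the AD FS documentation. Run on an AD FS server.
Import-Module ADFS

# Algorithm URIs accepted by the SignatureAlgorithm parameter of the trust cmdlets.
$Sha1Rsa   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$Sha256Rsa = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

function Get-Sha1SignatureTrusts {
    # Relying party trusts and claims provider trusts each carry the algorithm AD FS uses when
    # signing for, or verifying signatures from, that partner.
    $rp = Get-AdfsRelyingPartyTrust  | Where-Object { $_.SignatureAlgorithm -eq $Sha1Rsa } |
          Select-Object @{n='Type'; e={'RelyingParty'}}, Name, Identifier, SignatureAlgorithm
    $cp = Get-AdfsClaimsProviderTrust | Where-Object { $_.SignatureAlgorithm -eq $Sha1Rsa } |
          Select-Object @{n='Type'; e={'ClaimsProvider'}}, Name, Identifier, SignatureAlgorithm
    @($rp) + @($cp)
}

# Report every trust still pinned to RSA-SHA1.
Get-Sha1SignatureTrusts | Format-Table -AutoSize

# Return one trust to the SHA256 default once the partner confirms it verifies RSA-SHA256
# (trust name is a placeholder).
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Payroll' -SignatureAlgorithm $Sha256Rsa

# The hash used in the token-signing certificate's own signature is separate from the per-trust
# setting; list it alongside the thumbprint.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint,
                  @{n='CertSignatureHash'; e={ $_.Certificate.SignatureAlgorithm.FriendlyName }}
```

The key-wrap rows of the table deserve the same attention: rsa-1_5 (PKCS#1 v1.5 key transport) is listed as supported, but OAEP is the default and should be kept unless a partner can only decrypt rsa-1_5.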

Permissions requirements

The administrator who performs the installation and initial configuration of AD FS must have domain administrator permissions in the local domain (that is, the domain to which the federation server is joined).

See Also

AD FS Design Guide in Windows Server 2012 R2