Certificate Requirements for Federation Server Proxies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Servers running in the federation server proxy role in Active Directory Federation Services (AD FS) are required to use Secure Sockets Layer (SSL) server authentication certificates. Federation server proxies use SSL server authentication certificates to secure Web server traffic with Web clients.

Federation server proxies are usually exposed to computers on the Internet that are not part of your enterprise public key infrastructure (PKI). Therefore, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign.

When you have a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate. For more information, see When to Create a Federation Server Proxy Farm.

It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in the Federation Service name text box.

For general information about using SSL certificates, see Configuring Secure Sockets Layer in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkID=108544) and Configuring Server Certificates in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkID=108545).

Note

Client authentication certificates are not required for AD FS federation server proxies.

If any certificate that you use has certificate revocation lists (CRLs), the server with the configured certificate must be able to contact the server that distributes the CRLs. The type of CRL determines which ports are used.
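The two checks above (subject name matches the Federation Service name; the CRL distribution points named in the certificate are reachable from the proxy) can be scripted on a federation server proxy. The following PowerShell is an added example, not code from the Microsoft page: it assumes the certificate is installed in the local machine Personal store, takes the Federation Service name as a parameter (copy it from the Federation Service name text box), and uses a plain TCP connect to each CRL distribution point as the reachability test (HTTP 80, HTTPS 443, LDAP 389 unless the URL names another port). The function names are illustrative.

```powershell
# Added example (not from the original page). Run on a federation server proxy.
# Assumptions: certificate lives in Cert:\LocalMachine\My; $FederationServiceName
# is the value from the AD FS snap-in; function names are illustrative.
param(
    [Parameter(Mandatory = $true)]
    [string]$FederationServiceName   # e.g. fs.contoso.com (constructed sample value)
)

function Test-CertificateNameMatch {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ServiceName
    )
    $names = @()
    # Subject CN
    $cn = $Certificate.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $names += ($cn.Trim() -replace '^CN=', '') }
    # Subject Alternative Name DNS entries (DnsNameList is added by the PowerShell certificate provider)
    if ($Certificate.DnsNameList) { $names += $Certificate.DnsNameList | ForEach-Object { $_.Unicode } }

    foreach ($n in $names) {
        if ($n -eq $ServiceName) { return $true }
        # A wildcard name covers exactly one label, e.g. *.contoso.com covers fs.contoso.com
        if ($n.StartsWith('*.')) {
            $pattern = '^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$'
            if ($ServiceName -match $pattern) { return $true }
        }
    }
    return $false
}

function Get-FederationProxyCertificate {
    param([string]$ServiceName)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
        (Test-CertificateNameMatch -Certificate $_ -ServiceName $ServiceName)
    }
}

function Test-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # CRL Distribution Points extension (OID 2.5.29.31); Format() renders the URLs as text
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    $urls = [regex]::Matches($cdp.Format($true), '(?i)(https?|ldap)://\S+') |
        ForEach-Object { $_.Value } | Select-Object -Unique

    foreach ($url in $urls) {
        $uri = [System.Uri]$url
        if (-not $uri.Host) {
            # ldap:///CN=... entries have no host; they are resolved through the domain, which a
            # proxy in a perimeter network typically cannot reach
            [pscustomobject]@{ Url = $url; Host = '(none)'; Port = $null; Reachable = $false }
            continue
        }
        $port = $uri.Port
        if ($port -lt 0) {
            $port = switch ($uri.Scheme.ToLower()) { 'http' { 80 } 'https' { 443 } 'ldap' { 389 } }
        }
        $ok = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($uri.Host, $port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Url = $url; Host = $uri.Host; Port = $port; Reachable = $ok }
    }
}

$cert = Get-FederationProxyCertificate -ServiceName $FederationServiceName |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No server authentication certificate with a private key matches '$FederationServiceName'."
    exit 1
}
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"   # compare across every proxy in the farm; they must match
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
Test-CrlDistributionPoints -Certificate $cert | Format-Table -AutoSize
```

A TCP connect only proves the distribution point host is reachable on the expected port; it does not download or validate the CRL. Run the script on each proxy in a farm and compare the printed thumbprints to confirm they all carry the same certificate.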

See Also

AD FS Design Guide in Windows Server 2012