Certificate Requirements for Federation Servers

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In any Active Directory Federation Services (AD FS) design, several certificates are used to secure communication and to authenticate users between Internet clients and federation servers. Each federation server must have a service communication certificate and a token-signing certificate before it can participate in AD FS communications. The following table describes the certificate types that are associated with a federation server.

Certificate type: Token-signing certificate

Description: A token-signing certificate is an X.509 certificate. Federation servers use its public/private key pair to digitally sign all security tokens that they produce. This includes the signing of published federation metadata and of artifact resolution requests.

You can have multiple token-signing certificates configured in the AD FS Management snap-in to allow for certificate rollover when one certificate is close to expiring. By default, all the certificates in the list are published in federation metadata, but only the primary token-signing certificate is used by AD FS to actually sign tokens. All certificates that you select must have a corresponding private key.

For more information, see Token-Signing Certificates and Add a Token-Signing Certificate.

Certificate type: Service communication certificate

Description: Federation servers use a server authentication certificate, also known as a service communication certificate, for Windows Communication Foundation (WCF) Message Security. By default, this is the same certificate that a federation server uses as the Secure Sockets Layer (SSL) certificate in Internet Information Services (IIS). Note: The AD FS Management snap-in refers to the server authentication certificates of federation servers as service communication certificates.

For more information, see Service Communications Certificates and Set a Service Communications Certificate.

Because the service communication certificate must be trusted by client computers, we recommend that you use a certificate that is signed by a trusted certification authority (CA). All certificates that you select must have a corresponding private key.

Certificate type: Secure Sockets Layer (SSL) certificate

Description: Federation servers use an SSL certificate to secure Web services traffic for SSL communication with Web clients and with federation server proxies.

Because the SSL certificate must be trusted by client computers, we recommend that you use a certificate that is signed by a trusted CA. All certificates that you select must have a corresponding private key.

Certificate type: Token-decrypting certificate

Description: This certificate is used to decrypt tokens that are received by this federation server.

You can have multiple decryption certificates. This makes it possible for a resource federation server to decrypt tokens that were encrypted to an older certificate after a new certificate has been set as the primary decryption certificate. All certificates in the list can be used for decryption, but only the primary token-decrypting certificate is published in federation metadata, so partners encrypt to that one. All certificates that you select must have a corresponding private key.

For more information, see Add a Token-Decrypting Certificate.
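The rollover sequence the table describes, as an added example that is not part of the original page: add the new certificate as a secondary (so it is published in metadata and partners can pick it up), promote it to primary, and only then retire the old one. It assumes the ADFS PowerShell module on a federation server and that the placeholder thumbprint `$NewThumbprint` identifies a certificate already in the Local Computer personal store with its private key; the `Remove-AdfsCertificate` call is left commented out because the old certificate must stay listed until the tokens it signed have expired.

```powershell
# Added example (not from the original page): manual token-signing
# certificate rollover on an AD FS federation server.
Import-Module ADFS

$NewThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder

# This script manages the rollover itself, so make sure AD FS is not also
# rotating its own self-generated certificates at the same time.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $false
}

# AD FS can only sign with a certificate that sits in LocalMachine\My
# together with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $NewThumbprint is not in LocalMachine\My with a private key"
}

# Step 1: add it as a secondary token-signing certificate. Every listed
# certificate is published in federation metadata, so partners that refresh
# metadata learn the new key before it is ever used to sign a token.
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint

# Step 2 (run once partners have refreshed metadata): make it primary, at
# which point AD FS starts signing tokens with the new key.
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary

# Step 3: list what is still published as secondary. Remove the old
# certificate only after tokens signed with it can no longer be valid.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { -not $_.IsPrimary } |
    ForEach-Object {
        # Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint $_.Thumbprint
        "Secondary token-signing certificate still published: $($_.Thumbprint)"
    }
```

The same three cmdlets with `-CertificateType Token-Decrypting` roll the decryption certificate, with one difference in timing: because only the primary decryption certificate is published, partners switch to encrypting with the new key as soon as it becomes primary, and the old certificate stays in the list so tokens still encrypted to it can be decrypted.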

You can request and install an SSL certificate or service communication certificate by requesting a server certificate through the Microsoft Management Console (MMC) snap-in for IIS. The IIS steps in this section apply to AD FS 2.x on Windows Server 2012; on Windows Server 2012 R2 and later, AD FS binds its SSL certificate through HTTP.sys without IIS, using the Set-AdfsSslCertificate cmdlet. For more general information about using SSL certificates, see IIS 7.0: Configuring Secure Sockets Layer in IIS 7.0 and IIS 7.0: Configuring Server Certificates in IIS 7.0.

注意

In AD FS you can change the Secure Hash Algorithm (SHA) level that is used for digital signatures to either SHA-1 or SHA-256 (more secure). AD FS does not support certificates that use other hash methods, such as MD5 (the default hash algorithm used by the Makecert.exe command-line tool). As a security best practice, we recommend that you use SHA-256 (the default setting) for all signatures. SHA-1 is recommended only in scenarios in which you must interoperate with a product that does not support SHA-256, such as a non-Microsoft product or AD FS 1.x.
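The signature algorithm is stored per trust, so a SHA-256 default does not mean every existing relying party or claims provider trust uses it. The following added example (not part of the original page) reports every trust still set to SHA-1, upgrades the ones named in the placeholder list `$Upgrade` to SHA-256, and checks the hash used in the signatures of the AD FS certificates themselves. It assumes the ADFS module on a federation server; the trust name is a placeholder.

```powershell
# Added example (not from the original page): audit and raise the SHA level
# used for AD FS token signatures.
Import-Module ADFS

# Algorithm URIs as AD FS stores them on each trust.
$Sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$Sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Report which trusts are still configured for SHA-1 signatures.
$legacy  = @(Get-AdfsRelyingPartyTrust   | Where-Object SignatureAlgorithm -eq $Sha1)
$legacy += @(Get-AdfsClaimsProviderTrust | Where-Object SignatureAlgorithm -eq $Sha1)
$legacy | Select-Object Name, SignatureAlgorithm | Format-Table -AutoSize

# Upgrade only trusts whose partner is known to verify SHA-256; a partner that
# cannot (for example AD FS 1.x) would start rejecting every token.
$Upgrade = @('Contoso Intranet App')   # placeholder trust names
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    if ($Upgrade -contains $rp.Name -and $rp.SignatureAlgorithm -ne $Sha256) {
        Set-AdfsRelyingPartyTrust -TargetName $rp.Name -SignatureAlgorithm $Sha256
    }
}

# The certificates are hashed too: flag any AD FS certificate whose own
# signature uses MD5 (the Makecert.exe default), which AD FS does not support.
Get-AdfsCertificate | ForEach-Object {
    $alg = $_.Certificate.SignatureAlgorithm.FriendlyName
    if ($alg -match 'md5') {
        Write-Warning "$($_.CertificateType) $($_.Thumbprint) is signed with $alg"
    }
    "$($_.CertificateType) $($_.Thumbprint): $alg"
}
```

Claims provider trusts take the same `-SignatureAlgorithm` parameter through `Set-AdfsClaimsProviderTrust`; they are only reported above because the claims provider, not this server, must be able to produce SHA-256 signatures before the setting is changed.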

Determining your CA strategy

AD FS does not require that certificates be issued by a CA. However, the SSL certificate (which by default is also used as the service communication certificate) must be trusted by the AD FS clients. We recommend that you do not use self-signed certificates for these certificate types.

Important

Use of self-signed SSL certificates in a production environment can allow a malicious user in an account partner organization to take control of federation servers in a resource partner organization. This security risk exists because self-signed certificates are root certificates: they must be added to the trusted root store of another federation server (for example, the resource federation server), which can leave that server vulnerable to attack.

After you receive a certificate from a CA, make sure that all certificates are imported into the personal certificate store of the local computer. You can import certificates into the personal store with the Certificates MMC snap-in.

As an alternative to the Certificates snap-in, you can also import the SSL certificate with the IIS Manager snap-in at the time that you assign the SSL certificate to the Default Web Site. For more information, see Import a Server Authentication Certificate to the Default Web Site.

Note

Before you install the AD FS software on the computer that will become the federation server, make sure that both certificates are in the Local Computer personal certificate store and that the SSL certificate is assigned to the Default Web Site. For more information about the order of the tasks that are required to set up a federation server, see Checklist: Setting Up a Federation Server.
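A pre-install check for the conditions above, as an added example that is not part of the original page: every certificate in the Local Computer personal store is tested for a private key, for being self-signed (the case the Important note warns about), for an MD5 signature and for imminent expiry, and the certificate bound to the federation service name is validated against the SSL policy (chain, Server Authentication EKU, name match and revocation) with the PKI module's Test-Certificate. It assumes Windows Server 2012 or later; `$FederationServiceName` and the thumbprint it resolves to are placeholders, and the `netsh http show sslcert` output is used because it reports the HTTP.sys binding whether or not IIS is the front end.

```powershell
# Added example (not from the original page): verify the certificates a
# federation server needs before installing AD FS.
$FederationServiceName = 'fs.contoso.com'   # placeholder

function Test-FederationServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey)              { $problems += 'no private key' }
    if ($Cert.Subject -eq $Cert.Issuer)         { $problems += 'self-signed (would need root trust on partners)' }
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'md5') { $problems += 'MD5 signature, unsupported by AD FS' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter.ToShortDateString())" }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Problems   = ($problems -join '; ')
    }
}

# 1. Everything in LocalMachine\My, with its problems listed.
$store  = Get-ChildItem Cert:\LocalMachine\My
$report = $store | ForEach-Object { Test-FederationServerCertificate -Cert $_ }
$report | Format-Table -AutoSize

# 2. The SSL certificate must also pass full chain validation for the
#    federation service name as a client would see it. Test-Certificate
#    returns $false (and writes an error we suppress) on any failure.
$ssl = $store | Where-Object {
    $_.HasPrivateKey -and (Test-Certificate -Cert $_ -Policy SSL -DNSName $FederationServiceName -ErrorAction SilentlyContinue)
}
if (-not $ssl) {
    Write-Warning "No certificate in LocalMachine\My is valid for SSL as $FederationServiceName"
} else {
    "SSL-capable certificate(s) for $FederationServiceName: $($ssl.Thumbprint -join ', ')"
}

# 3. Confirm that an SSL-capable certificate is what HTTP.sys actually serves
#    on port 443 (IIS bindings and Set-AdfsSslCertificate both end up here).
$binding = netsh http show sslcert | Out-String
foreach ($c in $ssl) {
    if ($binding -match $c.Thumbprint) {
        "Bound on 443: $($c.Thumbprint)"
    } else {
        Write-Warning "$($c.Thumbprint) is valid for SSL but not bound in HTTP.sys"
    }
}
```

Run it as an administrator, since private-key presence on machine certificates is only visible with that access; a certificate that shows `no private key` here is one the AD FS configuration wizard will refuse to select.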

Depending on your security and budget requirements, carefully consider which of your certificates will be obtained from a public CA and which from a corporate CA. The following figure shows the recommended CA issuer for each certificate type. This recommendation reflects a best-practice approach regarding security and cost.

[Figure: Certificate requirements (recommended CA issuer for each certificate type)]

Certificate revocation lists

If any certificate that you use has CRLs, the server on which that certificate is configured must be able to contact the server that distributes the CRLs; otherwise chain validation with revocation checking fails for that certificate.
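A reachability check for that requirement, as an added example that is not part of the original page: it reads the CRL Distribution Points extension of every certificate AD FS has configured, fetches each HTTP distribution point from this server, and then lets certutil build the full chain with live CRL and AIA retrieval for the primary token-signing certificate. It assumes the ADFS module on a federation server; the temporary file path is the only constructed value.

```powershell
# Added example (not from the original page): confirm that the CRL
# distribution points of the configured AD FS certificates are reachable.
Import-Module ADFS

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Its formatted
    # text lists one "URL=..." per distribution point; pull those out.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($c in Get-AdfsCertificate) {
    $urls = @(Get-CrlDistributionPoint -Cert $c.Certificate)
    if (-not $urls) {
        "$($c.CertificateType) $($c.Thumbprint): no CRL distribution point (nothing to fetch)"
        continue
    }
    # Only HTTP(S) points are fetched here; LDAP points would need an LDAP client.
    foreach ($url in ($urls | Where-Object { $_ -like 'http*' })) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            "$($c.CertificateType) $($c.Thumbprint): $url reachable ($($r.RawContentLength) bytes)"
        } catch {
            Write-Warning "$($c.CertificateType) $($c.Thumbprint): cannot fetch $url ($($_.Exception.Message))"
        }
    }
}

# certutil performs the real chain build with live CRL/AIA retrieval and
# reports every URL it tried; run it against the primary signing certificate.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$path = Join-Path $env:TEMP 'adfs-token-signing.cer'   # constructed path
[IO.File]::WriteAllBytes($path, $primary.Certificate.Export('Cert'))
certutil -verify -urlfetch $path
```

The same requirement applies in the other direction to partner certificates: AD FS checks revocation on a partner's signing and encryption certificates according to the `-SigningCertificateRevocationCheck` and `-EncryptionCertificateRevocationCheck` settings of each relying party and claims provider trust, so the federation server must also reach the CRL distribution points of those partner certificates unless that check is set to None.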

See Also

AD FS Design Guide in Windows Server 2012