Provide Your Active Directory Users Access to the Applications and Services of Other Organizations

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This Active Directory Federation Services (AD FS) deployment goal builds on the goal in Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services.

When you are an administrator in the account partner organization and you have a deployment goal to provide federated access for employees to hosted resources in another organization:

  • Employees who are logged on to an Active Directory domain in the corporate network can use single-sign-on (SSO) functionality to access multiple Web-based applications or services, which are secured by AD FS, when the applications or services are in a different organization. For more information, see Federated Web SSO Design.

    For example, Fabrikam may want corporate network employees to have federated access to Web services that are hosted in Contoso.

  • Remote employees who are logged on to an Active Directory domain can obtain AD FS tokens from the federation server in your organization to gain federated access to AD FS–secured Web-based applications or services that are hosted in another organization.

    For example, Fabrikam may want its remote employees to have federated access to AD FS–secured services that are hosted in Contoso, without requiring the Fabrikam employees to be on the Fabrikam corporate network.

In addition to the foundational components that are described in Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services and that are shaded in the following illustration, the following components are required for this deployment goal:

  • Account partner federation server proxy: Employees that access the federated service or application from the Internet can use this AD FS component to perform authentication. By default, this component performs forms authentication, but it can also perform basic authentication. You can also configure this component to perform Secure Sockets Layer (SSL) client authentication if employees at your organization have certificates to present. For more information, see Where to Place a Federation Server Proxy.

  • Perimeter DNS: This implementation of Domain Name System (DNS) provides the host names for the perimeter network. For more information about how to configure perimeter DNS for a federation server proxy, see Name Resolution Requirements for Federation Server Proxies.

  • Remote employee: The remote employee accesses a Web-based application (through a supported Web browser) or a Web-based service (through an application), using valid credentials from the corporate network, while the employee is offsite using the Internet. The employee's client computer in the remote location communicates directly with the federation server proxy to generate a token and authenticate to the application or service.

After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in Checklist: Implementing a Federated Web SSO Design.

The following illustration shows each of the required components for this AD FS deployment goal.

Access to your applications

See Also

AD FS Design Guide in Windows Server 2012