Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When you are an administrator in the account partner organization in an Active Directory Federation Services (AD FS) deployment and your deployment goal is to provide single-sign-on (SSO) access for employees on the corporate network to your hosted resources:

  • Employees who are logged on to an Active Directory forest in the corporate network can use SSO to access multiple applications or services in the perimeter network of your own organization. These applications and services are secured by AD FS.

    For example, Fabrikam may want corporate network employees to have federated access to Web-based applications that are hosted in the perimeter network for Fabrikam.

  • Remote employees who are logged on to an Active Directory domain can obtain AD FS tokens from the federation server in your organization to gain federated access to AD FS-secured Web-based applications or services that also reside in your organization.

  • Information in the Active Directory attribute store can be populated into the employees' AD FS tokens.

The following components are required for this deployment goal:

  • Active Directory Domain Services (AD DS): AD DS contains the employees' user accounts that are used to generate AD FS tokens. Information, such as group memberships and attributes, is populated into AD FS tokens as group claims and custom claims.

    Note

    You can also use a Lightweight Directory Access Protocol (LDAP) or Structured Query Language (SQL) store to contain the identities for AD FS token generation.

  • Corporate DNS: This implementation of Domain Name System (DNS) contains a simple host (A) resource record so that intranet clients can locate the account federation server. This implementation of DNS may also host other DNS records that are required in the corporate network. For more information, see Name Resolution Requirements for Federation Servers.

  • Account partner federation server: This federation server is joined to a domain in the account partner forest. It authenticates employee user accounts and generates AD FS tokens. The employee's client computer performs Windows Integrated Authentication against this federation server to obtain an AD FS token. For more information, see Review the Role of the Federation Server in the Account Partner.

    The account partner federation server can authenticate the following users:

    • Employees with user accounts in this domain

    • Employees with user accounts anywhere in this forest

    • Employees with user accounts anywhere in forests that are trusted by this forest (through a two-way Windows trust)

  • Employee: An employee accesses a Web-based service (through an application) or a Web-based application (through a supported Web browser) while he or she is logged on to the corporate network. The employee's client computer on the corporate network communicates directly with the federation server for authentication.
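The two configuration pieces the component list calls out, the host (A) record in corporate DNS and the population of AD DS attributes and group memberships into tokens, as an added PowerShell example that is not part of the original design guide. The DNS zone corp.fabrikam.com, the host name fs, the address 10.0.0.5 and the relying party name "Claims App" are assumed placeholders (the page names none of them); the cmdlets are from the DnsServer and ADFS modules shipped with Windows Server 2012 R2 and later, and the claim rule uses the AD FS claim rule language with the Active Directory attribute store.

```powershell
# Added example, not from the Microsoft design guide. Placeholder names:
# zone corp.fabrikam.com, federation server host fs (10.0.0.5), relying party "Claims App".

# --- 1. Corporate DNS: a host (A) record so intranet clients can locate the
#        account partner federation server. Run on (or remote to) the DNS server.
Add-DnsServerResourceRecordA -ZoneName "corp.fabrikam.com" -Name "fs" -IPv4Address "10.0.0.5"

# Check: the federation service name must resolve to the federation server.
$a = Resolve-DnsName -Name "fs.corp.fabrikam.com" -Type A -ErrorAction Stop
if ($a.IPAddress -notcontains "10.0.0.5") {
    throw "fs.corp.fabrikam.com does not resolve to the account federation server"
}

# --- 2. AD DS attribute store: issue the employee's mail, UPN and group
#        memberships as claims. Run on the account partner federation server.
#        The input claim is the Windows account name produced by Windows
#        Integrated Authentication (issuer "AD AUTHORITY"); tokenGroups yields
#        unqualified group names. List only the attributes the application needs.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD DS attributes and group memberships as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,userPrincipalName,tokenGroups;{0}",
          param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName "Claims App" -IssuanceTransformRules $rules

# Check: the rule set is attached to the relying party trust.
(Get-AdfsRelyingPartyTrust -Name "Claims App").IssuanceTransformRules
```

Each half runs on a different server (the DNS server and the federation server), so in practice you would run them in two sessions or through PowerShell remoting. Keeping the issued attribute list minimal matters because every attribute listed here ends up in a token that leaves the directory; an application that only needs group claims should not receive e-mail addresses.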

After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in Checklist: Implementing a Federated Web SSO Design.

The following illustration shows each of the required components for this AD FS deployment goal.

[Illustration: required components for providing Active Directory users access to your claims-aware applications and services]

See Also

AD FS Design Guide in Windows Server 2012