權杖簽署的憑證Token-Signing Certificates

適用於:Windows Server 2016、Windows Server 2012 R2、Windows Server 2012Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

聯盟伺服器需要 token\ 簽署的憑證,以避免攻擊者變更或仿冒的安全性權杖嘗試聯盟資源未經授權的存取。Federation servers require token-signing certificates to prevent attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated resources. 搭配的公用 private\ 日鍵 token\ 簽署的憑證以用於是最重要的任何聯盟合作關係驗證機制,因為這些按鍵驗證的安全性權杖核發有效協力廠商聯盟伺服器,並在傳送時,未修改預付碼。The private/public key pairing that is used with token-signing certificates is the most important validation mechanism of any federated partnership because these keys verify that a security token was issued by a valid partner federation server and that the token was not modified during transit.

Token\ 簽署憑證需求Token-signing certificate requirements

Token\ 簽署的憑證必須符合下列需求,請使用 AD FS:A token-signing certificate must meet the following requirements to work with AD FS:

  • 成功登入的安全性權杖 token\ 簽署的憑證,token\ 簽署的憑證能私密金鑰。For a token-signing certificate to successfully sign a security token, the token-signing certificate must contain a private key.

  • AD FS 服務 account 必須 token\ 簽署的憑證私密金鑰存取在本機電腦的個人的市集。The AD FS service account must have access to the token-signing certificate’s private key in the personal store of the local computer. 這是處理的安裝程式。This is taken care of by Setup. 您也可以使用 AD FS 管理 snap\ 中,以確保如果後續變更 token\ 簽署的憑證的存取權。You can also use the AD FS Management snap-in to ensure this access if you subsequently change the token-signing certificate.

注意

最好公用基礎結構 (PKI) 不分享的私密金鑰多個項目的。It is a public key infrastructure (PKI) best practice to not share the private key for multiple purposes. 因此,不使用您聯盟 token\ 簽署的憑證的伺服器安裝的服務通訊憑證。Therefore, do not use the service communication certificate that you installed on the federation server as the token-signing certificate.

如何用所有合作夥伴 token\ 簽署的憑證How token-signing certificates are used across partners

每個 token\ 簽署的憑證包含密碼編譯私人和公開鍵是用來簽署 \(藉由私人 key) 的安全性權杖。Every token-signing certificate contains cryptographic private keys and public keys that are used to digitally sign (by means of the private key) a security token. 之後,它們會接收到透過協力廠商聯盟伺服器之後,這些按鍵驗證真確性 \(藉由公用 key) 加密的安全性權杖。Later, after they are received by a partner federation server, these keys validate the authenticity (by means of the public key) of the encrypted security token.

每個的安全性權杖數位簽章 account 合作夥伴,因為資源合作夥伴可以檢查的安全性權杖的處理機都會確實由 account 合作夥伴發出與它不修改。Because each security token is digitally signed by the account partner, the resource partner can verify that the security token was in fact issued by the account partner and that it was not modified. 數位簽章的合作夥伴的 token-仙蹤憑證的公用部分來確認。Digital signatures are verified by the public key portion of a partner’s token-singing certificate. 簽章驗證之後,資源聯盟伺服器產生自己的安全性權杖對其組織,並且它簽章自己 token\ 簽署的憑證的安全性權杖。After the signature is verified, the resource federation server generates its own security token for its organization and it signs the security token with its own token-signing certificate.

聯盟合作夥伴環境中,當 ca 發行後 token\ 簽署的憑證,確保:For federation partner environments, when the token-signing certificate has been issued by a CA, ensure that:

  1. 憑證撤銷清單 (CRLs) 的憑證的存取信賴派對和信任聯盟伺服器的網頁伺服器。The certificate revocation lists (CRLs) of the certificate are accessible to relying parties and Web servers that trust the federation server.

  2. CA 根憑證會受信任的依賴派對和信任聯盟伺服器的網頁伺服器。The root CA certificate is trusted by the relying parties and Web servers that trust the federation server.

資源合作夥伴的網頁伺服器使用的 token\ 簽署的憑證來驗證您的安全性權杖已資源聯盟伺服器。The Web server in the resource partner uses the public key of the token-signing certificate to verify that the security token is signed by the resource federation server. 然後,網頁伺服器可讓 client 適當存取。The Web server then allows the appropriate access to the client.

部署考量 token\ 簽署的憑證Deployment considerations for token-signing certificates

當您部署新 AD FS 安裝的第一個聯盟伺服器時,您必須取得 token\ 簽署的憑證,並安裝該聯盟伺服器上的本機電腦個人化的憑證存放區。When you deploy the first federation server in a new AD FS installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server. 您可以取得 token\ 簽署 CA 或公用 CA 憑證被要求的企業版或來建立 self\ 簽署的憑證。You can obtain a token-signing certificate by requesting one from an enterprise CA or a public CA or by creating a self-signed certificate.

部署時 AD FS 發電廠,會有不同,根據您要如何建立伺服器陣列安裝 token\ 簽署的憑證。When you deploy an AD FS farm, token-signing certificates are installed differently, depending on how you create the server farm.

有兩個 token\ 簽署的憑證取得您的部署時,您可以考慮伺服器發電廠選項:There are two server farm options that you can consider when you obtain token-signing certificates for your deployment:

  • 所有聯盟伺服器在之間共用私密金鑰從一個 token\ 簽署的憑證。A private key from one token-signing certificate is shared among all the federation servers in a farm.

    在聯盟伺服器發電廠環境中,我們建議您所有的聯盟伺服器分享 (or reuse) 相同 token\ 簽署的憑證。In a federation server farm environment, we recommend that all federation servers share (or reuse) the same token-signing certificate. 您可以從 CA 聯盟的伺服器上安裝的單一 token\ 簽署的憑證,然後匯出私密金鑰,只要標示為匯出發行的憑證。You can install a single token-signing certificate from a CA on a federation server and then export the private key, as long as the issued certificate is marked as exportable.

    如下所示,即可共用私密金鑰從單一 token\ 簽署的憑證,以發電廠中的所有聯盟伺服器。As shown in the following illustration, the private key from a single token-signing certificate can be shared to all the federation servers in a farm. 此選項,相較於下列」唯一 token\ 簽署的憑證」選項,如果您想要從公開 CA 取得 token\ 簽署的憑證降低成本。This option—compared to the following "unique token-signing certificate" option—reduces costs if you plan to obtain a token-signing certificate from a public CA.

權杖登入

  • 還有陣列中每個聯盟伺服器的唯一 token\ 簽署憑證。There is a unique token-signing certificate for each federation server in a farm.

    當您使用多個時,唯一整個您發電廠,在農地的每個伺服器的憑證會有自己的唯一私密金鑰簽署權杖。When you use multiple, unique certificates throughout your farm, each server in that farm signs tokens with its own unique private key.

    如下所示,您可以取得陣列中每個單一聯盟伺服器的獨立 token\ 簽署憑證。As shown in the following illustration, you can obtain a separate token-signing certificate for every single federation server in the farm. 這個選項會在價格如果您想要從公開 CA 取得您 token\ 簽署的憑證。This option is more expensive if you plan to obtain your token-signing certificates from a public CA.

權杖登入

安裝憑證,當您使用 Microsoft 憑證服務為您的企業 CA 相關資訊,請查看IIS 7.0:建立網域伺服器憑證 IIS 7.0 在For information about installing a certificate when you use Microsoft Certificate Services as your enterprise CA, see IIS 7.0: Create a Domain Server Certificate in IIS 7.0.

安裝憑證從公用 CA 相關的資訊,請查看IIS 7.0:要求網際網路伺服器的憑證For information about installing a certificate from a public CA, see IIS 7.0: Request an Internet Server Certificate.

安裝 self\ 簽署的憑證相關資訊,請查看IIS 7.0:建立 Self-Signed 伺服器憑證 IIS 7.0 在For information about installing a self-signed certificate, see IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0.

也了See Also

Windows Server 2012 中的 AD FS 設計指南AD FS Design Guide in Windows Server 2012