Using AD DS Claims with AD FS

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

You can enable richer access control for federated applications by using user and device claims issued by Active Directory Domain Services (AD DS) together with Active Directory Federation Services (AD FS).

About Dynamic Access Control

In Windows Server 2012, the Dynamic Access Control feature enables organizations to grant access to files based on user claims (sourced from user account attributes) and device claims (sourced from computer account attributes) that are issued by Active Directory Domain Services (AD DS). AD DS issued claims are integrated into Windows integrated authentication through the Kerberos authentication protocol.

For more information about Dynamic Access Control, see Dynamic Access Control Content Roadmap.

What's New in AD FS?

As an extension to the Dynamic Access Control scenario, AD FS in Windows Server 2012 can now:

  • Access computer account attributes in addition to user account attributes from within AD DS. In previous versions of AD FS, the Federation Service could not access computer account attributes from AD DS at all.

  • Consume AD DS issued user or device claims that reside in a Kerberos authentication ticket. In previous versions of AD FS, the claims engine could read user and group security identifiers (SIDs) from a Kerberos ticket, but could not read any claims information contained in the ticket.

  • Transform AD DS issued user or device claims into SAML tokens that relying party applications can use to perform richer access control.

Benefits of Using AD DS Claims with AD FS

These AD DS issued claims can be inserted into Kerberos authentication tickets and used with AD FS to provide the following benefits:

  • Organizations that require richer access control policies can enable claims-based access to applications and resources by using AD DS issued claims that are based on the attribute values stored in AD DS for a given user or computer account. This can help administrators reduce the overhead associated with creating and managing:

    • AD DS security groups that would otherwise be used to control access to applications and resources that are accessible via Windows Integrated authentication.

    • Forest trusts that would otherwise be used to control Business-to-Business (B2B) access to Internet accessible applications and resources.

  • Organizations can now prevent unauthorized access to network resources from client computers based on whether a specific computer account attribute value stored in AD DS (for example, a computer's DNS name) matches the access control policy of the resource (for example, a file server whose ACLs reference claims) or the relying party policy (for example, a claims-aware Web application). This can help administrators set finer-grained access control policies for resources or applications that are:

    • Only accessible via Windows Integrated authentication.

    • Internet accessible via AD FS authentication mechanisms. AD FS can transform AD DS issued device claims into AD FS claims that are encapsulated in SAML tokens, which can then be consumed by an Internet accessible resource or relying party application.

Differences Between AD DS and AD FS Issued Claims

There are two differentiating factors that are important to understand about claims issued by AD DS versus claims issued by AD FS:

  • AD DS can only issue claims that are encapsulated in Kerberos tickets, not SAML tokens. For more information about how AD DS issues claims, see Dynamic Access Control Content Roadmap.

  • AD FS can only issue claims that are encapsulated in SAML tokens, not Kerberos tickets. For more information about how AD FS issues claims, see The Role of the Claims Engine.

How AD DS Issued Claims Work with AD FS

AD DS issued claims can be used with AD FS to obtain both user and device claims directly from the user's authentication context, rather than making a separate LDAP call to Active Directory. The following steps describe this process in more detail and show how it enables claims-based access control for the Dynamic Access Control scenario.


  1. An AD DS administrator uses the Active Directory Administrative Center console or PowerShell cmdlets to create and enable specific claim type objects in AD DS. (Claim types are stored in the Claims Configuration container of the configuration partition, not in the schema.)

  2. An AD FS administrator uses the AD FS Management console to create and configure the claims provider and relying party trusts with either pass-through or transform claim rules.

  3. A Windows client attempts to access the network. As part of the Kerberos authentication process, the client presents its user and computer ticket-granting tickets (TGTs), which do not yet contain any claims, to the domain controller. The domain controller then looks in AD DS for enabled claim types and includes any resulting claims in the Kerberos ticket it returns.

  4. When the user/client attempts to access a file resource whose ACL requires the claims, access is granted because the compound identity surfaced from Kerberos carries these claims.

  5. When the same client attempts to access a Web site or Web application that is configured for AD FS authentication, the user is redirected to an AD FS federation server that is configured for Windows integrated authentication. The client sends a request to the domain controller using Kerberos. The domain controller issues a Kerberos ticket containing the requested claims, which the client then presents to the federation server.

  6. Based on the claim rules that the administrator previously configured on the claims provider and relying party trusts, AD FS reads the claims from the Kerberos ticket and includes them in the SAML token that it issues for the client.

  7. The client receives the SAML token containing the correct claims and is then redirected to the Web site.
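The following is an added example, not code from the original page or from Microsoft, that carries steps 1, 2 and 6 above through PowerShell and also implements the device-based restriction described under "Benefits" (allowing a relying party only from computers whose AD DS DNS name matches a pattern). The federation server name FS1, the relying party trust name "Claims Aware App", the claim type IDs under ad://ext/, the output claim type URI and the corp.example.com DNS suffix are all hypothetical values chosen for the example.

```powershell
# Added example (not from the original page): wire an AD DS issued user claim and
# device claim through AD FS. All names, IDs and the DNS pattern below are
# hypothetical values chosen for illustration.
Import-Module ActiveDirectory

# Step 1 (AD DS administrator): create and enable claim types sourced from AD DS
# attributes. Setting -ID explicitly fixes the claim type URI that AD FS will later
# see in the Kerberos ticket (AD DS claim types are exposed to AD FS as ad://ext/...).
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -AppliesToClasses @("user") -ID "ad://ext/department" -Enabled $true

New-ADClaimType -DisplayName "ComputerDnsName" -SourceAttribute dNSHostName `
    -AppliesToClasses @("computer") -ID "ad://ext/computerdnsname" -Enabled $true

# Device claims only reach the federation server inside a compound (user + device)
# Kerberos service ticket, so the federation server's computer account must
# advertise compound identity support. FS1 is the hypothetical federation server.
Set-ADComputer -Identity "FS1" -CompoundIdentitySupported $true

# Step 2 (AD FS administrator): pass the Kerberos-sourced claims through the
# "Active Directory" claims provider trust. The regex match on Type accepts every
# AD DS issued claim type; narrow it to specific IDs in production.
Import-Module ADFS

$acceptanceRules = @'
@RuleName = "Pass through AD DS issued user and device claims"
c:[Type =~ "^ad://ext/"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules $acceptanceRules

# Step 6: transform the AD DS claims into the claim types the relying party expects.
# The output claim type URI is hypothetical.
$issuanceRules = @'
@RuleName = "Transform AD DS department claim for the relying party"
c:[Type == "ad://ext/department"]
 => issue(Type = "http://schemas.example.com/claims/department", Value = c.Value);

@RuleName = "Pass the device DNS name to the relying party"
c:[Type == "ad://ext/computerdnsname"]
 => issue(claim = c);
'@

# Device-based restriction: permit the relying party only when the device claim
# (sourced from the computer account's dNSHostName) is in the hypothetical
# corp.example.com domain. A request without a device claim produces no permit
# claim and is therefore denied by default.
$authorizationRules = @'
@RuleName = "Permit only devices whose AD DS DNS name is in corp.example.com"
c:[Type == "ad://ext/computerdnsname", Value =~ "^[^.]+\.corp\.example\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName "Claims Aware App" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules
```

Two checks before expecting this to work: the domain controllers must have the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting enabled and the clients the "Kerberos client support for claims, compound authentication and Kerberos armoring" setting, otherwise the tickets described in steps 3 and 5 carry no claims; and the device claim is only trustworthy as far as AD DS is, since it is copied from the computer account attribute, so the restriction above is a policy on which domain-joined machines may reach the application, not an attestation of device health.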

For more information about how to create the claim rules required for AD DS issued claims to work with AD FS, see Create a Rule to Transform an Incoming Claim.

See Also

AD FS Design Guide in Windows Server 2012