When to Create a Federation Server

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

When you create a federation server in Active Directory Federation Services (AD FS), you provide a means by which your organization can:

  • Engage in Web single-sign-on (SSO)-based communication with another organization (that also has at least one federation server) and, when necessary, with the employees in your own organization (who need access over the Internet).

  • Enable front-end services to impersonate users to infrastructure services using identity delegation. For more information, see When to Use Identity Delegation.

The following sections describe some of the key decisions for determining when and where to create one or more federation servers.

Determine the organizational role for the federation server

To make an informed decision about when to create a new federation server, you must first determine in which organization the server will reside. The role that a federation server plays in an organization depends on whether you place the federation server in the account partner organization or in the resource partner organization.

When a federation server is placed in the corporate network of the account partner, its role is to authenticate the user credentials of browser, Web service, or identity selector clients and to send security tokens to those clients. For more information, see Review the Role of the Federation Server in the Account Partner.

When a federation server is placed in the corporate network of the resource partner, its role is either to authenticate users based on a security token issued by a federation server in the account partner organization, or to redirect token requests from configured Web applications or Web services to the account partner organization that the client belongs to. For more information, see Review the Role of the Federation Server in the Resource Partner.

Determine which AD FS design to deploy

You create federation servers in your organization whenever you want to deploy any of the following AD FS designs:

If necessary, an organization that deploys a Federated Web SSO design can configure a single federation server so that it acts in both the account partner role and the resource partner role. In this case, the federation server may produce Security Assertion Markup Language (SAML) tokens based on user accounts in its own organization, or reroute token requests to the organization where the users' accounts reside.

Note

For the Federated Web SSO design, there must be at least one federation server in the account partner and at least one federation server in the resource partner.

Differences between a federation server and a federation server proxy

A federation server can serve out Web pages for sign-in, policy, authentication, and discovery in the same way that a federation server proxy does. The primary differences between a federation server and a federation server proxy lie in the operations that a federation server can perform but a federation server proxy cannot.

The following are the operations that only a federation server can perform:

  • The federation server performs the cryptographic operations that produce the token. Although federation server proxies cannot produce tokens, they can be used to route or redirect the tokens to clients and, when necessary, back to the federation server. For more information about using federation server proxies, see When to Create a Federation Server Proxy.

  • Federation servers support the use of Windows Integrated Authentication for clients on the corporate network; federation server proxies do not. For more information about using Windows Integrated Authentication with federation servers, see When to Create a Federation Server Farm.

Warning

Communication between federation servers and SQL Server configuration databases, SQL Server attribute stores, domain controllers, and AD LDS instances is not integrity- or confidentiality-protected by default. To mitigate this, consider protecting the communication channel between these servers with IPsec, or by using a physically secure connection between all of these servers. For communication between federation servers and SQL servers, consider requiring SSL protection in the connection string. For connections between federation servers and domain controllers, consider turning on Kerberos signing and encryption. For LDAP, LDAP/S is not supported for AD LDS/AD DS.
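The following PowerShell function is an added example, not part of the Microsoft page: it audits an AD FS SQL Server connection string for the transport-protection settings the warning above recommends, and shows a weak string beside its hardened form. It assumes the standard SqlClient keywords Encrypt and TrustServerCertificate; the server and database names are constructed placeholders.

```powershell
# Added example (not from the original page). Checks whether a SQL Server
# connection string used by AD FS requests an encrypted, certificate-validated
# channel. Assumes the SqlClient keywords Encrypt and TrustServerCertificate.
function Test-AdfsSqlConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Parse "key=value;key=value" into a hashtable keyed by lower-case name.
    $settings = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        if ($pair.Trim() -eq '') { continue }
        $key, $value = $pair -split '=', 2
        $settings[$key.Trim().ToLowerInvariant()] = $value.Trim()
    }

    $findings = @()
    $encrypt = $settings['encrypt']
    if (-not $encrypt -or $encrypt -notin @('true', 'yes')) {
        $findings += 'Encrypt is not True: traffic to SQL Server is sent unencrypted'
    }
    $trust = $settings['trustservercertificate']
    if ($trust -and $trust -in @('true', 'yes')) {
        $findings += 'TrustServerCertificate=True: the SQL Server certificate is not validated'
    }
    if ($settings.ContainsKey('password') -or $settings.ContainsKey('pwd')) {
        $findings += 'SQL login password embedded: prefer Integrated Security=True with the AD FS service account'
    }

    [pscustomobject]@{
        ConnectionString = $ConnectionString
        Secure           = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Constructed sample: encryption not requested, so AD FS and SQL talk in clear text.
$weak = 'Data Source=SQL01.corp.example;Initial Catalog=AdfsConfiguration;Integrated Security=True'
# Corrected form: TLS required and the server certificate validated.
$hardened = 'Data Source=SQL01.corp.example;Initial Catalog=AdfsConfiguration;Integrated Security=True;Encrypt=True;TrustServerCertificate=False'

Test-AdfsSqlConnectionString $weak | Format-List
Test-AdfsSqlConnectionString $hardened | Format-List
```

The first call reports Secure = False with one finding; the second reports Secure = True.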

How to create a federation server

You can create a federation server using the AD FS Federation Server Configuration Wizard or the Fsconfig.exe command-line tool. When you use either of these tools, you can select any of the following options to create a federation server.

For more detailed information about how each of these options works, see The Role of the AD FS Configuration Database.

For more information about how to set up all the prerequisites necessary to deploy a federation server, see Checklist: Setting Up a Federation Server.

See Also

AD FS Design Guide in Windows Server 2012