When to Use Identity Delegation

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

What is identity delegation?

Identity delegation is a feature of Active Directory Federation Services (AD FS) that allows administrator-specified accounts to impersonate users. The account that impersonates the user is called the delegate. This delegation capability is critical for many distributed applications in which a series of access control checks must be made sequentially by each application, database, or service in the authorization chain for the originating request. Many real-world scenarios exist in which a Web application "front end" must retrieve data from a more secure "back end", such as a Web service that is connected to a Microsoft SQL Server database.

For example, an existing parts-ordering Web site can be enhanced programmatically so that it allows partner organizations to view their own purchase history and account status. For security reasons, all partner financial data is stored in a secure database on a dedicated Structured Query Language (SQL) server. In this situation, the code in the front-end application knows nothing about the partner organization's financial data. Therefore, it must retrieve that data from another computer elsewhere on the network that hosts (in this case) the Web service for the parts database (the back end).

For this data-retrieval process to succeed, a succession of authorization "hand-shaking" must take place between the Web application and the Web service for the parts database, as shown in the following illustration.


Because the original request was made to the Web server itself, which is likely to be located in a completely different organization from that of the user who is attempting to access it, the security token sent along with the request does not meet the authorization criteria required to access any computer other than the Web server. Therefore, the only way that the originating user's request can be fulfilled is to place an intermediate federation server in the resource partner organization that reissues a security token with the appropriate access privileges.

How does identity delegation work?

Web applications in multitier application architectures often call Web services to access common data or functionality. It is important for these Web services to know the identity of the original user so that the service can make authorization decisions and facilitate auditing. In this case, the front-end Web application represents the user to the Web service as a delegate. AD FS facilitates this scenario by allowing Active Directory accounts to act as a user to another relying party. An identity delegation scenario is shown in the following illustration.


  1. Frank attempts to access part-ordering history from a Web application in another organization. His client computer requests and receives a token from AD FS for the front-end part-ordering Web application.

  2. The client computer sends a request to the Web application, including the token obtained in step 1, to prove the client's identity.

  3. The Web application needs to communicate with the Web service to complete its transaction for the client. The Web application contacts AD FS to obtain a delegation token to interact with the Web service. Delegation tokens are security tokens that are issued to a delegate so that it can act as a user. AD FS returns a delegation token with claims about the client, targeted at the Web service.

  4. The Web application uses the token obtained from AD FS in step 3 to access the Web service, acting on behalf of the client. By examining the delegation token, the Web service can determine that the Web application is acting as the client. The Web service executes its authorization policy, logs the request, and returns the parts history data that Frank originally requested to the Web application, and therefore to Frank.

For a particular delegate, AD FS can limit the Web services for which the Web application may request a delegation token. The client computer does not need to have an Active Directory account for this operation to succeed. Finally, as noted previously, the Web service can easily determine the identity of the delegate that is acting as the user. This allows Web services to behave differently depending on whether they are talking directly to the client computer or through a delegate.

Configuring AD FS for identity delegation

You can use the AD FS Management snap-in to configure AD FS for identity delegation whenever you need to facilitate the data-retrieval process. After you configure it, AD FS can generate new security tokens that include the authorization context the back-end service may require before it grants access to the protected data.

AD FS does not restrict which users can be impersonated, so the delegation authorization rules are the only control over who may act as whom; scope them to the specific delegate accounts that need the capability. After you configure AD FS for identity delegation, it does the following:

  • It determines which servers can be delegated the authority to request tokens to impersonate a user.

  • It establishes and keeps separate the identity context of the client account that is being delegated and that of the server that acts as the delegate.

You configure identity delegation by adding delegation authorization rules to a relying party trust in the AD FS Management snap-in. For more information about how to do this, see Checklist: Creating Claim Rules for a Relying Party Trust.
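The same delegation authorization rule can be applied from the ADFS PowerShell module instead of the snap-in. The following is an added example and not part of the original page or the AD FS product documentation; the relying party trust name, the delegate's account name, and its SID are hypothetical placeholders to be replaced with values from your own deployment. The rule permits one delegate (the front-end Web application's service account) to request delegation tokens for one relying party (the back-end Web service) and nothing else.

```powershell
# Added example: scope identity delegation to a single delegate account for one relying party.
# Assumptions (not from the page): the back-end Web service is registered as the relying party
# trust "Parts Web Service", and the front-end Web application runs as CONTOSO\svc-partsweb.
Import-Module ADFS

$rpName = "Parts Web Service"   # hypothetical relying party trust name

# Hypothetical SID of CONTOSO\svc-partsweb. Matching on the primary SID rather than the account
# name keeps the rule stable across renames. Look it up with the ActiveDirectory module:
#   (Get-ADUser -Identity svc-partsweb).SID.Value
$delegateSid = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Delegation authorization rules are evaluated against the claims of the caller that asks to
# act as the user (the delegate), not against the user being impersonated. Only a caller whose
# primary SID matches receives the permit claim; every other delegate request is denied.
$delegationRules = @"
@RuleName = "Permit the parts Web front end to act as users for $rpName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
   Value == "$delegateSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -DelegationAuthorizationRules $delegationRules

# Check: read back the rule set actually stored on the trust and confirm it contains
# exactly the intended delegate and no unconditional permit rule.
$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).DelegationAuthorizationRules
$stored
if ($stored -notmatch [regex]::Escape($delegateSid)) {
    Write-Warning "Delegation rule for $delegateSid was not found on '$rpName'."
}
if ($stored -match '^\s*=>\s*issue\(' ) {
    Write-Warning "An unconditional permit rule is present; any caller could act as any user."
}
```

Because AD FS places no restriction on which users a permitted delegate may impersonate, the value of this rule lies entirely in how narrowly the condition is written: a rule with no condition (`=> issue(Type = "...permit", Value = "true");`) lets any authenticated caller act as any user toward that relying party.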

Configuring the front-end Web application for identity delegation

Developers have several options for programming the Web front-end application or service to direct delegation requests to an AD FS computer. For more information about how to customize a Web application to work with identity delegation, see the Windows Identity Foundation SDK.

See Also

AD FS Design Guide in Windows Server 2012