Enabling OAuth Confidential Clients with AD FS 2016

Applies To: Windows Server 2016

Building on the initial OAuth support in AD FS in Windows Server 2012 R2, AD FS 2016 introduces support for clients capable of maintaining their own secret, such as an app or service running on a web server. These clients are known as confidential clients.
Below is a schematic of a web application running on a web server and serving as a confidential client to AD FS:

Prerequisites

The following is a list of prerequisites that must be in place before completing this document. This document assumes that AD FS has been installed and an AD FS farm has been created.

  • An Azure AD subscription (a free trial is fine)

  • GitHub client tools

  • AD FS in Windows Server 2016 TP4 or later

  • Visual Studio 2013 or later

Create an Application Group in AD FS 2016

The following section describes how to configure the application group in AD FS 2016.

Create the Application Group

  1. In AD FS Management, right-click Application Groups and select Add Application Group.

  2. In the Application Group Wizard, enter ADFSOAUTHCC for the name and, under Standalone applications, select the Server application or Website template. Click Next.

  3. Copy the Client Identifier value. It will be used later as the value for ida:ClientId in the application's web.config file.

  4. For Redirect URI, enter https://localhost:44323. Click Add. Click Next.

  5. On the Configure Application Credentials screen, check Generate a shared secret and copy the secret. It will be used later as the value for ida:AppKey in the application's web.config file. Click Next.

  6. On the Summary screen, click Next.

  7. On the Complete screen, click Close.

  8. Now right-click the new Application Group and select Properties.

  9. On ADFSOAUTHCC Properties, click Add application.

  10. On the Add a new application to Sample Application screen, select Web API and click Next.

  11. On the Configure Web API screen, enter https://contoso.com/WebApp for Identifier. Click Add. Click Next. This value will be used later for ida:GraphResourceId in the application's web.config file.

  12. On the Choose Access Control Policy screen, select Permit everyone and click Next.

  13. On the Configure Application Permissions screen, make sure user_impersonation is selected and click Next.

  14. On the Summary screen, click Next.

  15. On the Complete screen, click Close.

  16. On ADFSOAUTHCC Properties, click OK.
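The same application group can be created without the wizard. The script below is an added example, not part of the original walkthrough; it assumes the ADFS PowerShell module cmdlets as documented for Windows Server 2016, that "Permit everyone" is the built-in access control policy used in step 12, and that the generated secret is exposed on the ClientSecret property of the object returned with -PassThru (verify with Get-Help on your server).

```powershell
# Added example: reproduce steps 1-16 above with the ADFS module.
# Run in an elevated PowerShell session on an AD FS 2016 server.

$groupName   = 'ADFSOAUTHCC'
$clientId    = [guid]::NewGuid().ToString()      # the wizard generates this value in step 3
$redirectUri = 'https://localhost:44323'         # step 4
$apiId       = 'https://contoso.com/WebApp'      # step 11

Add-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# Server application = the confidential client. -GenerateClientSecret is the
# PowerShell equivalent of "Generate a shared secret" in step 5.
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Server application" -Identifier $clientId `
    -RedirectUri $redirectUri -GenerateClientSecret -PassThru

# Web API with the "Permit everyone" policy (steps 10-12).
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" -Identifier $apiId `
    -AccessControlPolicyName 'Permit everyone'

# Let the client call the API with the user_impersonation scope (step 13).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $apiId -ScopeNames 'user_impersonation'

# The three values the web.config edits later in this document need.
# The secret is a credential: keep it in a protected setting, not in source control.
[pscustomobject]@{
    'ida:ClientId'        = $clientId
    'ida:AppKey'          = $server.ClientSecret   # assumption: property name on the -PassThru object
    'ida:GraphResourceId' = $apiId
}
```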

Upgrade the database

Visual Studio 2015 was used in creating this walkthrough. In order to get the example working with Visual Studio 2015 you will need to update the database file. Use the following procedure to do this.

This section discusses how to download the sample Web API and upgrade the database in Visual Studio 2015. We will be using the Azure AD sample from the GitHub repository cloned below.

To download the sample project, use Git Bash and type the following:

git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-useridentity.git


To upgrade the database file

  1. Open the project in Visual Studio. A pop-up will tell you that the app requires SQL Server 2012 Express or that you will need to upgrade the database. Click OK.

  2. Next, compile the application by selecting Build -> Build Solution at the top. This will restore all of the NuGet packages.

  3. Now, at the top, select View -> Server Explorer. Once that opens, under Data Connections, right-click DefaultConnection and select Modify Connection.

  4. On Modify Connection, select Advanced.

  5. In Advanced Properties, locate Data Source and use the drop-down to change it from (LocalDb)\v11.0 to (LocalDB)\MSSQLLocalDB.

  6. Click OK. Click OK. Click Yes to upgrade the database.

  7. When this completes, over on the right, copy the value in the box next to Connection String.

  8. Now open the Web.config file and replace the value in connectionString with the value you copied above. Save the Web.config file.

    Note

    The steps above are necessary so that we can get the new connectionString. Otherwise, when we run Update-Database below, it will error out.

  9. At the top of Visual Studio, select View -> Other Windows -> Package Manager Console.

  10. At the bottom, in the Package Manager Console, enter Enable-Migrations and press Enter.

    Note

    If you get an error that says Enable-Migrations is not recognized as a cmdlet, enter Install-Package EntityFramework to update EntityFramework.

  11. At the bottom, in the Package Manager Console, enter Add-Migration <anynamehere> and press Enter.

  12. At the bottom, in the Package Manager Console, enter Update-Database and press Enter.

Modify the WebApi in Visual Studio

To Modify the Sample Web API

  1. Open the sample using Visual Studio.

  2. Open the web.config file. Modify the following values:

    • ida:ClientId - enter the value from step 3 above.

    • ida:AppKey - enter the value from step 5 above.

    • ida:GraphResourceId - enter the value from step 11 above.

  3. Open the Startup.Auth.cs file under App_Start and make the following changes:

    • Comment out the following lines:

      //private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
      //private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
      //public static readonly string Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

    • Add the following in its place:

      public static readonly string Authority = "https://<your_fsname>/adfs";

      where <your_fsname> is replaced with the DNS portion of your federation service URL, for example adfs.contoso.com.

  4. Open the UserProfileController.cs file and make the following changes:

    • Comment out the following:

      //authContext = new AuthenticationContext(Startup.Authority, new TokenDbCache(userObjectID));

    • Replace both occurrences with the following (the second argument, false, turns off ADAL's authority validation, which only knows Azure AD authorities):

      authContext = new AuthenticationContext(Startup.Authority, false, new TokenDbCache(userObjectID));

    • Comment out the following:

      //authContext = new AuthenticationContext(Startup.Authority);

    • Replace both occurrences with the following:

      authContext = new AuthenticationContext(Startup.Authority, false);

    • Now comment out all instances of the following:

      //Uri redirectUri = new Uri(Request.Url.GetLeftPart(UriPartial.Authority).ToString() + "/OAuth");

    • Replace all occurrences with the following, so that the redirect URI sent to AD FS matches the https://localhost:44323 value registered in step 4 exactly:

      Uri redirectUri = new Uri(Request.Url.GetLeftPart(UriPartial.Authority).ToString());
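The code changes above make ADAL send the authorization code together with the shared secret to the AD FS token endpoint under the configured authority. The script below is an added example, not part of the original sample, that performs that confidential-client exchange by hand against AD FS 2016 and first checks, through the OpenID Connect discovery document, that the endpoints really sit under the https://<your_fsname>/adfs authority that validateAuthority: false stops ADAL from checking. Function names, the -Code parameter and the sample values are assumptions.

```powershell
function Get-AdfsOAuthEndpoints {
    param([Parameter(Mandatory)][string]$FsName)   # e.g. adfs.contoso.com
    # Discovery document that AD FS 2016 publishes under the /adfs authority.
    $doc = Invoke-RestMethod -Uri "https://$FsName/adfs/.well-known/openid-configuration"
    # ADAL is told not to validate the authority, so do the check here instead:
    # both endpoints must live under the authority the app is configured with.
    foreach ($ep in $doc.authorization_endpoint, $doc.token_endpoint) {
        if (-not $ep.StartsWith("https://$FsName/adfs/", [StringComparison]::OrdinalIgnoreCase)) {
            throw "Endpoint $ep is outside the expected authority https://$FsName/adfs"
        }
    }
    $doc
}

function Get-AdfsAccessToken {
    param(
        [Parameter(Mandatory)][string]$FsName,
        [Parameter(Mandatory)][string]$ClientId,   # ida:ClientId (step 3)
        [Parameter(Mandatory)][string]$AppKey,     # ida:AppKey, the shared secret (step 5)
        [Parameter(Mandatory)][string]$Code,       # authorization code delivered to the redirect URI
        [string]$RedirectUri = 'https://localhost:44323',    # must equal the registered value exactly
        [string]$Resource    = 'https://contoso.com/WebApp'  # ida:GraphResourceId (step 11)
    )
    $endpoints = Get-AdfsOAuthEndpoints -FsName $FsName
    # Confidential-client exchange: the secret goes server-to-server over TLS,
    # never through the browser, which is what distinguishes it from a public client.
    $body = @{
        grant_type    = 'authorization_code'
        client_id     = $ClientId
        client_secret = $AppKey
        code          = $Code
        redirect_uri  = $RedirectUri
        resource      = $Resource
    }
    Invoke-RestMethod -Method Post -Uri $endpoints.token_endpoint -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
}

# Usage (assumed values): after the browser has visited the authorization_endpoint with
# response_type=code, client_id, redirect_uri and resource and come back with ?code=...:
# $token = Get-AdfsAccessToken -FsName 'adfs.contoso.com' -ClientId $id -AppKey $secret -Code $code
# $token.access_token   # the bearer token presented to https://contoso.com/WebApp
```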

Test the Solution

In this section we will test the confidential client solution. Use the following procedure to test the solution.

Testing the confidential client solution

  1. At the top of Visual Studio, make sure Internet Explorer is selected and click the green arrow.

  2. Once the ASP.NET page comes up, click Register.

  3. Enter a username and password and then click Register. This creates a local account in the SQL database.

  4. Notice that the ASP.NET site now says Hello bsimon!. Click Profile.

  5. This brings up a page without any information that says we must click here to sign in. Click here.

  6. You will now be prompted to sign in to AD FS.