AD FS support for alternate hostname binding for certificate authentication

Applies To: Windows Server 2016

On many networks, local firewall policy does not allow traffic through non-standard ports such as 49443. This was a problem when trying to perform certificate authentication with AD FS versions before Windows Server 2016, because you could not have different bindings for device authentication and for user certificate authentication on the same host. The default port 443 is bound to receive device certificates and cannot be altered to support multiple bindings on the same channel. As a result, smart card authentication would not work, and users had no indication of what had actually happened.

In AD FS on Windows Server 2016 this has changed. Two modes are now supported. The first uses the same host (for example adfs.contoso.com) with different ports (443 and 49443). The second uses different hosts (adfs.contoso.com and certauth.adfs.contoso.com) with the same port (443). The second mode requires an SSL certificate whose subject alternative names include certauth.<adfs-service-name>. This can be configured when the farm is created or later via PowerShell.

How to configure alternate host name binding for certificate authentication

There are two ways to add the alternate host name binding for certificate authentication. The first is when setting up a new AD FS farm on Windows Server 2016: if the certificate contains a subject alternative name (SAN) covering the certauth host, the farm is automatically configured to use the second mode described above. That is, it will automatically set up two different hosts (sts.contoso.com and certauth.sts.contoso.com) on the same port. If the certificate does not contain such a SAN, you will see a warning telling you that the certificate subject alternative names do not support certauth.*. See the screenshots below. The first one shows an installation where the certificate had a SAN and the second one shows a certificate that did not.

Alternate host binding (screenshot: certificate with a SAN covering the certauth host)

Alternate host binding (screenshot: certificate without the SAN, showing the warning)
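The setup wizard only tells you at farm-creation time whether the certificate supports certauth.*. The following PowerShell check, added here as an example and not code from the original article, inspects a certificate in the local machine store the same way before you create the farm or switch an existing one. The service name and thumbprint are passed in explicitly; the usage line at the end uses placeholder values and assumes the certificate is installed in Cert:\LocalMachine\My.

```powershell
# Added example (not from the original article): check whether an SSL certificate
# covers the certauth.<service-name> host that the same-port (443) mode requires.
# Assumptions: the certificate is installed in Cert:\LocalMachine\My and the AD FS
# service name (e.g. sts.contoso.com) is supplied by the caller, so the check also
# works before the farm exists.

function Test-AdfsCertAuthSan {
    param(
        [Parameter(Mandatory)] [string]$ServiceName,   # AD FS federation service name
        [Parameter(Mandatory)] [string]$Thumbprint     # SSL certificate to inspect
    )

    $certAuthName = "certauth.$ServiceName"
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # The certificate provider exposes SAN DNS entries as DnsNameList. The SAN
    # extension (OID 2.5.29.17) is checked separately, because DnsNameList falls
    # back to the subject CN when the certificate has no SAN at all.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    Write-Host "Certificate : $($cert.Subject) [$($cert.Thumbprint)]"
    Write-Host "DNS names   : $($names -join ', ')"

    if (-not $sanExt) {
        Write-Warning "No Subject Alternative Name extension: setup will fall back to the 443/49443 port mode."
        return $false
    }

    # An exact entry, or a wildcard one level up (*.sts.contoso.com), both match
    # certauth.sts.contoso.com under normal TLS host-name matching rules.
    $covered = ($names -contains $certAuthName) -or ($names -contains "*.$ServiceName")
    if ($covered) {
        Write-Host "OK: certificate covers $certAuthName; the same-port (443) mode can be used."
    } else {
        Write-Warning "Certificate subject alternative names do not support $certAuthName; reissue the certificate with that name or keep port 49443 reachable."
    }
    return $covered
}

# Usage on an existing farm (placeholder values): reuse the certificate currently
# bound to the service on port 443.
# $svc = (Get-AdfsProperties).HostName
# $tp  = (Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $svc -and $_.PortNumber -eq 443 } |
#         Select-Object -First 1).CertificateHash
# Test-AdfsCertAuthSan -ServiceName $svc -Thumbprint $tp
```

Run this against the certificate you intend to bind before touching the farm; if it returns $false, the wizard (or Set-AdfsAlternateTlsClientBinding later) will not give you a working certauth.<service-name>:443 endpoint, and smart card users will be routed back to port 49443.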

Likewise, once AD FS on Windows Server 2016 has been deployed, you can add the binding with the PowerShell cmdlet Set-AdfsAlternateTlsClientBinding:

Set-AdfsAlternateTlsClientBinding -Member DC1.contoso.com -Thumbprint '<thumbprint of cert>'

When prompted, click Yes to confirm. That should be all that is required.

Alternate host binding (screenshot: Set-AdfsAlternateTlsClientBinding confirmation prompt)
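The command above updates one farm member and leaves verification to you. The following script, added here as an example and not part of the original article, applies the binding to every node of an existing farm and then checks the result from three angles: what AD FS reports, what HTTP.sys on the node actually has bound, and whether the certauth host is reachable on 443. The node names are placeholders; it assumes it is run on the primary node, that the SSL certificate already bound to the service on 443 has been reissued to include the certauth.<service-name> SAN and is installed on every node, and that DNS resolves certauth.<service-name> to the farm.

```powershell
# Added example (not from the original article): apply the alternate TLS client
# binding on every farm node and verify it. Assumptions: run on the primary node
# with the ADFS module loaded; $FarmMembers holds placeholder node names; the
# certificate bound to <service-name>:443 already carries the certauth SAN and is
# present in LocalMachine\My on each node; DNS resolves certauth.<service-name>.

$FarmMembers = @('adfs1.contoso.com', 'adfs2.contoso.com')   # placeholder node names

$serviceName  = (Get-AdfsProperties).HostName                # e.g. sts.contoso.com
$certAuthName = "certauth.$serviceName"

# Reuse the certificate currently bound to <service-name>:443 instead of typing a thumbprint.
$thumbprint = (Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $serviceName -and $_.PortNumber -eq 443 } |
    Select-Object -First 1).CertificateHash
if (-not $thumbprint) { throw "No SSL binding found for ${serviceName}:443" }

# Apply the binding to each member. -Confirm:$false replaces the interactive Yes
# prompt the article shows; drop it if you want to confirm each node by hand.
foreach ($member in $FarmMembers) {
    Set-AdfsAlternateTlsClientBinding -Member $member -Thumbprint $thumbprint -Confirm:$false
}

# 1. AD FS' own view: a certauth.<service-name>:443 entry should now appear
#    alongside <service-name>:443.
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 2. HTTP.sys view on this node: the host-name (SNI) binding must be present.
$binding = netsh http show sslcert | Select-String -SimpleMatch "${certAuthName}:443"
if ($binding) { "HTTP.sys binding present: $($binding.Line.Trim())" }
else          { Write-Warning "No HTTP.sys binding for ${certAuthName}:443 on this node" }

# 3. Reachability: the point of this mode is that clients only need 443, so the
#    certauth host must resolve and accept connections on 443.
Test-NetConnection -ComputerName $certAuthName -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

If step 3 fails while steps 1 and 2 succeed, the farm side is fine and the problem is DNS or a load balancer or firewall in front of it: certauth.<service-name> needs a record (or a wildcard) that reaches the same endpoint as the service name, and any TLS-terminating proxy in the path must pass the certauth host through rather than offloading it.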

Additional references