Configure AD FS to authenticate users stored in LDAP directories

Applies To: Windows Server 2016

The following topic describes the configuration required to enable your AD FS infrastructure to authenticate users whose identities are stored in Lightweight Directory Access Protocol (LDAP) v3-compliant directories.

In many organizations, identity management solutions consist of a combination of Active Directory, AD LDS, or third-party LDAP directories. With the addition of AD FS support for authenticating users stored in LDAP v3-compliant directories, you can benefit from the entire enterprise-grade AD FS feature set regardless of where your user identities are stored. AD FS supports any LDAP v3-compliant directory.

Note

Some of the AD FS features include single sign-on (SSO), device authentication, flexible conditional access policies, support for work-from-anywhere through the integration with the Web Application Proxy, and seamless federation with Azure AD, which in turn enables you and your users to use the cloud, including Office 365 and other SaaS applications. For more information, see Active Directory Federation Services Overview.

In order for AD FS to authenticate users from an LDAP directory, you must connect this LDAP directory to your AD FS farm by creating a local claims provider trust. A local claims provider trust is a trust object that represents an LDAP directory in your AD FS farm. A local claims provider trust object consists of a variety of identifiers, names, and rules that identify this LDAP directory to the local federation service.

You can support multiple LDAP directories, each with its own configuration, within the same AD FS farm by adding multiple local claims provider trusts. In addition, AD DS forests that are not trusted by the forest in which AD FS lives can also be modeled as local claims provider trusts. You create local claims provider trusts by using Windows PowerShell.

LDAP directories (local claims provider trusts) can co-exist with AD directories (claims provider trusts) on the same AD FS server, within the same AD FS farm. A single instance of AD FS is therefore capable of authenticating and authorizing access for users that are stored in both AD and non-AD directories.

Only forms-based authentication is supported for authenticating users from LDAP directories. Certificate-based and Integrated Windows authentication are not supported for authenticating users in LDAP directories.

All passive authorization protocols supported by AD FS, including SAML, WS-Federation, and OAuth, are also supported for identities that are stored in LDAP directories.

The WS-Trust active authorization protocol is also supported for identities that are stored in LDAP directories.

Configure AD FS to authenticate users stored in an LDAP directory

To configure your AD FS farm to authenticate users from an LDAP directory, complete the following steps:

  1. First, configure a connection to your LDAP directory using the New-AdfsLdapServerConnection cmdlet:

    # Prompt for the account AD FS binds with; Get-Credential expects domain\username or user@domain input (see the note below)
    $DirectoryCred = Get-Credential
    # -SslMode None sends the Basic bind credential and every directory query in clear text; use an SSL/TLS mode outside a lab
    $vendorDirectory = New-AdfsLdapServerConnection -HostName dirserver -Port 50000 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

    Note

    It is recommended that you create a new connection object for each LDAP server you want to connect to. AD FS can connect to multiple replica LDAP servers and automatically fail over in case a specific LDAP server is down. For such a case, you can create one AdfsLdapServerConnection for each of these replica LDAP servers and then add the array of connection objects using the -LdapServerConnection parameter of the Add-AdfsLocalClaimsProviderTrust cmdlet.

    NOTE: Using Get-Credential and typing in a DN and password to be used to bind to an LDAP instance might fail because the user interface requires specific input formats, for example domain\username or user@domain.tld. You can instead use the ConvertTo-SecureString cmdlet as follows (the example below assumes uid=admin,ou=system as the DN of the credentials to be used to bind to the LDAP instance):

    # Build the credential object directly, so the DN is never subject to Get-Credential's user-name format check
    $ldapUser = "uid=admin,ou=system"
    $ldapPassword = ConvertTo-SecureString -String (Read-Host -Prompt "Enter the password to bind to the LDAP instance") -AsPlainText -Force
    $DirectoryCred = New-Object System.Management.Automation.PSCredential ($ldapUser, $ldapPassword)

    Then enter the password for uid=admin and complete the rest of the steps.

  2. Next, you can perform the optional step of mapping LDAP attributes to existing AD FS claims using the New-AdfsLdapAttributeToClaimMapping cmdlet. In the example below, you map the givenName, sn (surname), and cn (common name) LDAP attributes to AD FS claims:

    # Map given name claim
    $GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    # Map surname claim
    $Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    # Map common name claim
    $CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

    This mapping is done to make attributes from the LDAP store available as claims in AD FS, so that you can create conditional access control rules in AD FS. It also enables AD FS to work with custom schemas in LDAP stores by providing an easy way to map LDAP attributes to claims.

  3. Finally, you must register the LDAP store with AD FS as a local claims provider trust using the Add-AdfsLocalClaimsProviderTrust cmdlet:

    # Parameters are collected in a hashtable and splatted, so the call runs as one command
    # while each group of parameters keeps its comment
    $vendorsTrust = @{
        Name       = "Vendors"
        Identifier = "urn:vendors"
        Type       = "Ldap"

        # Connection info
        LdapServerConnection = $vendorDirectory

        # How to locate user objects in directory
        UserObjectClass          = "inetOrgPerson"
        UserContainer            = "CN=VendorsContainer,CN=VendorsPartition"
        LdapAuthenticationMethod = "Basic"

        # Claims for authenticated users
        AnchorClaimLdapAttribute    = "mail"
        AnchorClaimType             = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
        LdapAttributeToClaimMapping = @($GivenName, $Surname, $CommonName)

        # General claims provider properties
        AcceptanceTransformRules = "c:[Type != ''] => issue(claim=c);"
        Enabled                  = $true

        # Optional - supply user name suffix if you want to use Ws-Trust
        OrganizationalAccountSuffix = "vendors.contoso.com"
    }
    Add-AdfsLocalClaimsProviderTrust @vendorsTrust

    In the example above, you create a local claims provider trust called "Vendors". You specify the connection information AD FS uses to reach the LDAP directory this local claims provider trust represents by assigning $vendorDirectory to the -LdapServerConnection parameter. Note that in step one, you assigned $vendorDirectory a connection object to be used when connecting to your specific LDAP directory. Finally, you specify that the $GivenName, $Surname, and $CommonName LDAP attributes (which you mapped to AD FS claims) are to be used for conditional access control, including multi-factor authentication policies and issuance authorization rules, as well as for issuance as claims in AD FS-issued security tokens. In order to use active protocols like WS-Trust with AD FS, you must specify the OrganizationalAccountSuffix parameter, which enables AD FS to disambiguate between local claims provider trusts when servicing an active authorization request.
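The following script is an added end-to-end example, not code from the original page or from the AD FS documentation. It puts the three steps together for the replica scenario described in the note under step 1: two connection objects, one per LDAP replica, are passed as an array to -LdapServerConnection so that AD FS can fail over between them; the bind credential is built from a DN without going through the Get-Credential prompt; and the registered trust is read back with Get-AdfsLocalClaimsProviderTrust as a check. The host names, bind DN, search base, trust name, identifier and suffix are placeholders. The value Ssl for -SslMode (LDAP over TLS on port 636) and the -Name parameter of Get-AdfsLocalClaimsProviderTrust are assumptions based on the cmdlets' documented parameters; confirm them with Get-Help on your server before relying on them.

```powershell
# Added example (not from the original page): register an LDAP directory with two replicas
# as a local claims provider trust, bind over TLS, and verify the result.
# Every host name, DN, name, identifier and suffix below is a placeholder for a lab.

Import-Module ADFS

# 1. Bind credential built from a DN, bypassing the Get-Credential user-name format check.
$bindDn       = "uid=adfs-bind,ou=system"                       # placeholder service-account DN
$bindPassword = Read-Host -AsSecureString -Prompt "Password for $bindDn"
$bindCred     = New-Object System.Management.Automation.PSCredential ($bindDn, $bindPassword)

# One connection object per replica; AD FS fails over between them if one is down.
# -SslMode Ssl on port 636 (LDAPS) is assumed from the cmdlet's documented values; verify with
# Get-Help New-AdfsLdapServerConnection -Parameter SslMode.
$replicaHosts = @("ldap1.vendors.example", "ldap2.vendors.example")   # placeholders
$connections  = foreach ($hostName in $replicaHosts) {
    New-AdfsLdapServerConnection -HostName $hostName -Port 636 -SslMode Ssl `
        -AuthenticationMethod Basic -Credential $bindCred
}

# 2. Attribute-to-claim mappings, using the same claim types the page uses.
$mappings = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn        -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn        -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
)

# 3. Register the trust. Splatting keeps the parameter set readable and the call a single command.
$trust = @{
    Name                        = "Vendors"                                 # placeholder
    Identifier                  = "urn:vendors"                             # placeholder
    Type                        = "Ldap"
    LdapServerConnection        = $connections                              # array -> replica failover
    UserObjectClass             = "inetOrgPerson"
    UserContainer               = "ou=people,dc=vendors,dc=example"         # placeholder search base
    LdapAuthenticationMethod    = "Basic"
    AnchorClaimLdapAttribute    = "mail"
    AnchorClaimType             = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    LdapAttributeToClaimMapping = $mappings
    AcceptanceTransformRules    = "c:[Type != ''] => issue(claim=c);"
    Enabled                     = $true
    OrganizationalAccountSuffix = "vendors.example"                         # needed for WS-Trust (placeholder)
}
Add-AdfsLocalClaimsProviderTrust @trust

# Read the trust back so the recorded connections, mappings and suffix can be checked.
# (-Name on Get-AdfsLocalClaimsProviderTrust is assumed; see Get-Help for the selector parameters.)
Get-AdfsLocalClaimsProviderTrust -Name "Vendors" | Format-List *
```

Run the script on an AD FS server in the farm from an elevated PowerShell session. The final Format-List call prints every property of the registered trust, which is the quickest way to confirm that both replica connections and the OrganizationalAccountSuffix were stored before testing a sign-in.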

See Also

AD FS Operations