Configuring AD FS for user certificate authentication

Applies To: Windows Server 2016, Windows Server 2012 R2

AD FS can be configured for x509 user certificate authentication using one of the modes described in this article. This capability can be used with Azure Active Directory or on its own, to enable clients and devices provisioned with user certificates to access AD FS resources from the intranet or the extranet.

Prerequisites

  • Ensure that your user certificates are trusted by all AD FS and WAP servers
  • Ensure that the root certificate of the chain of trust for your user certificates is in the NTAuth store in Active Directory
  • If using AD FS in alternate certificate authentication mode, ensure that your AD FS and WAP servers have SSL certificates that contain the AD FS hostname prefixed with "certauth", for example "certauth.fs.contoso.com", and that traffic to this hostname is allowed through the firewall
  • If using certificate authentication from the extranet, ensure that at least one AIA location and at least one CDP or OCSP location from the list specified in your certificates are accessible from the internet
  • If you are configuring AD FS for Azure AD certificate authentication, ensure that you have configured the Azure AD settings and the AD FS claim rules required for the certificate Issuer and Serial Number
  • Also for Azure AD certificate authentication, for Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange Online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. (Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.)

Configure AD FS for user certificate authentication

  • Enable user certificate authentication as an intranet or extranet authentication method in AD FS, using either the AD FS Management console or the PowerShell cmdlet Set-AdfsGlobalAuthenticationPolicy
  • Ensure that the entire chain of trust, including any intermediate certificates, is installed on every AD FS and WAP server. The intermediate certificates should be installed in the local computer Intermediate Certification Authorities store on all AD FS and WAP servers.
  • If you wish to use claims based on certificate fields and extensions in addition to EKU (claim type http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku), configure additional claim pass-through rules on the Active Directory claims provider trust. See below for a complete list of available certificate claims.
  • [Optional] Configure allowed issuing certification authorities for client certificates using the guidance under "Management of trusted issuers for client authentication" in this article.
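The configuration steps above, carried out from PowerShell as an added example that is not part of the original article: it adds CertificateAuthentication to the existing primary providers rather than replacing them, and appends pass-through rules for the certificate claim types from the reference table to the Active Directory claims provider trust. It assumes it runs on an AD FS server as an AD FS administrator; the rule names are constructed here.

```powershell
# Added example, not from the article: enable user certificate authentication and
# pass the certificate claim types through the Active Directory claims provider trust.
Import-Module ADFS

# 1. Add CertificateAuthentication to the primary intranet and extranet providers
#    without dropping the providers that are already enabled (for example Forms).
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider) + 'CertificateAuthentication' | Select-Object -Unique
$extranet = @($policy.PrimaryExtranetAuthenticationProvider) + 'CertificateAuthentication' | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet `
                                   -PrimaryExtranetAuthenticationProvider $extranet

# 2. The article notes EKU is already available; the other certificate claim types
#    from the reference table need explicit pass-through rules (rawdata left out here).
$base = 'http://schemas.microsoft.com/2012/12/certificatecontext'
$certClaimTypes = @(
    "$base/field/x509version", "$base/field/signaturealgorithm",
    "$base/field/issuer", "$base/field/issuername",
    "$base/field/notbefore", "$base/field/notafter",
    "$base/field/subject", "$base/field/subjectname",
    "$base/extension/keyusage", "$base/extension/subjectkeyidentifier",
    "$base/extension/authoritykeyidentifier", "$base/extension/certificatetemplatename",
    "$base/extension/san"
)
# Each rule copies the incoming certificate claim unchanged (claim = c).
$newRules = ($certClaimTypes | ForEach-Object {
    $name = $_.Split('/')[-1]
    "@RuleName = `"Pass through certificate $name`"`r`nc:[Type == `"$_`"]`r`n => issue(claim = c);"
}) -join "`r`n"

# 3. Append to the existing acceptance transform rules so nothing already there is lost;
#    skip if the issuer pass-through rule is already present.
$adTrust  = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
$existing = [string]$adTrust.AcceptanceTransformRules
if ($existing -notlike "*$base/field/issuer*") {
    Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
                                -AcceptanceTransformRules ($existing.TrimEnd() + "`r`n" + $newRules)
}

# 4. Show the result for review.
Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
(Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
```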

Troubleshooting

  • If certificate authentication requests fail with an HTTP 204 "No Content from https://certauth.fs.contoso.com" response, verify that the root and any intermediate CA certificates are installed in the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, respectively, on all federation servers.
  • If certificate authentication requests are failing for unknown reasons, export the client certificate to a .cer file and run the command "certutil -f -urlfetch -verify certificatefilename.cer". Ensure that any CRL and delta CRL locations resolve. Note that delta CRL locations are found based on the contents of the base CRL, not the certificate itself.
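The two troubleshooting checks above combined into one script, as an added example that is not part of the original article: it builds the chain with online revocation checking, reports which issuer certificates are missing from the local machine Root and CA stores, and then runs the certutil command from the article. It assumes it runs on a federation server and that the client certificate has been exported to the placeholder path below.

```powershell
# Added example, not from the article: diagnose a failing client certificate on a
# federation server following the troubleshooting steps.
$CerPath = 'C:\Temp\client.cer'   # placeholder, replace with the exported .cer file

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
"Subject: $($cert.Subject)`nIssuer:  $($cert.Issuer)`nValid:   $($cert.NotBefore) to $($cert.NotAfter)"

# 1. Build the chain with online revocation checking for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($cert)
"Chain builds and validates: $built"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

# 2. Check that every issuer in the chain is in the LocalMachine store AD FS expects:
#    intermediates in CA (Intermediate Certification Authorities), the self-signed root in Root.
$elements = $chain.ChainElements
for ($i = 1; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $found = Get-ChildItem "Cert:\LocalMachine\$storeName" | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    $state = if ($found) { 'present' } else { 'MISSING' }
    "  $($c.Subject) -> LocalMachine\$storeName : $state"
}

# 3. Fetch every AIA, CDP and OCSP URL in the chain (-urlfetch) and verify with certutil.
#    A delta CRL that cannot be retrieved shows up here, since its location is taken
#    from the base CRL rather than from the certificate.
$certutil = certutil -f -urlfetch -verify $CerPath 2>&1
$certutil | Select-String -Pattern 'ERROR|Revocation|CRL|OCSP|failed' | ForEach-Object { $_.Line.Trim() }
"certutil exit code: $LASTEXITCODE (0 means the chain and revocation checks passed)"
```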

Reference: Complete list of user certificate claim types and example values

Claim type | Example value
http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version | 3
http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm | sha256RSA
http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer | CN=entca, DC=domain, DC=contoso, DC=com
http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername | CN=entca, DC=domain, DC=contoso, DC=com
http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore | 12/05/2016 20:50:18
http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter | 12/05/2017 20:50:18
http://schemas.microsoft.com/2012/12/certificatecontext/field/subject | E=user@contoso.com, CN=user, CN=Users, DC=domain, DC=contoso, DC=com
http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname | E=user@contoso.com, CN=user, CN=Users, DC=domain, DC=contoso, DC=com
http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata | {Base64 encoded digital certificate data}
http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage | DigitalSignature
http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage | KeyEncipherment
http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier | 9D11941EC06FACCCCB1B116B56AA97F3987D620A
http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier | KeyID=d6 13 e3 6b bc e5 d8 15 52 0a fd 36 6a d5 0b 51 f3 0b 25 7f
http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename | User
http://schemas.microsoft.com/2012/12/certificatecontext/extension/san | Other Name:Principal Name=user@contoso.com, RFC822 Name=user@contoso.com
http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku | 1.3.6.1.4.1.311.10.3.4