Managing SSL Certificates in AD FS and WAP in Windows Server 2016

Applies To: Windows Server 2016

This article describes how to deploy a new SSL certificate to your AD FS and WAP servers.

Note

The recommended way to replace the SSL certificate going forward for an AD FS farm is to use Azure AD Connect. For more information, see Update the SSL certificate for an Active Directory Federation Services (AD FS) farm.

Obtaining your SSL Certificates

For production AD FS farms a publicly trusted SSL certificate is recommended. This is usually obtained by submitting a certificate signing request (CSR) to a third-party public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this.

How many certificates are needed

It is recommended that you use a common SSL certificate across all AD FS and Web Application Proxy servers. For detailed requirements, see the document AD FS and Web Application Proxy SSL certificate requirements.

SSL Certificate Requirements

For requirements including naming, root of trust and extensions, see the document AD FS and Web Application Proxy SSL certificate requirements.

Replacing the SSL certificate for AD FS

Note

The AD FS SSL certificate is not the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS SSL certificate, you will need to use PowerShell.

First, determine which certificate binding mode your AD FS servers are running: default certificate authentication binding, or alternate client TLS binding mode.

Replacing the SSL certificate for AD FS running in default certificate authentication binding mode

AD FS by default performs device certificate authentication on port 443 and user certificate authentication on port 49443 (or a configurable port that is not 443). In this mode, use the PowerShell cmdlet Set-AdfsSslCertificate to manage the SSL certificate.

Follow the steps below:

  1. First, you will need to obtain the new certificate. This is usually done by submitting a certificate signing request (CSR) to a third-party public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this.

  2. Once you get the response from your certificate provider, import it to the Local Machine store on each AD FS and Web Application Proxy server.

  3. On the primary AD FS server, use the following cmdlet to install the new SSL certificate:

Set-AdfsSslCertificate -Thumbprint '<thumbprint of new cert>'

The certificate thumbprint can be found by executing this command:

dir Cert:\LocalMachine\My\

Additional Notes

  • The Set-AdfsSslCertificate cmdlet is a multi-node cmdlet; this means it only has to run from the primary and all nodes in the farm will be updated. This is new in Server 2016. On Server 2012 R2 you had to run Set-AdfsSslCertificate on each server.
  • The Set-AdfsSslCertificate cmdlet has to be run only on the primary server. The primary server has to be running Server 2016 and the Farm Behavior Level should be raised to 2016.
  • The Set-AdfsSslCertificate cmdlet uses PowerShell Remoting to configure the other AD FS servers, so make sure port 5985 (TCP) is open on the other nodes.
  • The Set-AdfsSslCertificate cmdlet grants the adfssrv principal read permissions to the private key of the SSL certificate. This principal represents the AD FS service. It is not necessary to grant the AD FS service account read access to the private key of the SSL certificate.

Replacing the SSL certificate for AD FS running in alternate TLS binding mode

When configured in alternate client TLS binding mode, AD FS performs device certificate authentication on port 443 and user certificate authentication on port 443 as well, on a different hostname. The user certificate hostname is the AD FS hostname prefixed with "certauth", for example "certauth.fs.contoso.com". In this mode, use the PowerShell cmdlet Set-AdfsAlternateTlsClientBinding to manage the SSL certificate. This cmdlet manages not only the alternate client TLS binding but also all other bindings on which AD FS sets the SSL certificate.

Follow the steps below:

  1. First, you will need to obtain the new certificate. This is usually done by submitting a certificate signing request (CSR) to a third-party public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this.

  2. Once you get the response from your certificate provider, import it to the Local Machine store on each AD FS and Web Application Proxy server.

  3. On the primary AD FS server, use the following cmdlet to install the new SSL certificate:

Set-AdfsAlternateTlsClientBinding -Thumbprint '<thumbprint of new cert>'

The certificate thumbprint can be found by executing this command:

dir Cert:\LocalMachine\My\

Additional Notes

  • The Set-AdfsAlternateTlsClientBinding cmdlet is a multi-node cmdlet; this means it only has to run from the primary and all nodes in the farm will be updated.
  • The Set-AdfsAlternateTlsClientBinding cmdlet has to be run only on the primary server. The primary server has to be running Server 2016 and the Farm Behavior Level should be raised to 2016.
  • The Set-AdfsAlternateTlsClientBinding cmdlet uses PowerShell Remoting to configure the other AD FS servers, so make sure port 5985 (TCP) is open on the other nodes.
  • The Set-AdfsAlternateTlsClientBinding cmdlet grants the adfssrv principal read permissions to the private key of the SSL certificate. This principal represents the AD FS service. It is not necessary to grant the AD FS service account read access to the private key of the SSL certificate.
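The following script ties together both AD FS procedures above (default binding mode and alternate client TLS binding mode). It is an added example, not code from the article or from Microsoft: it validates the imported certificate, checks that TCP 5985 is reachable on the other farm nodes before the multi-node cmdlet is run, picks the cmdlet for the binding mode, and verifies the result. The node names and the thumbprint are placeholders; detecting the binding mode from a "certauth." hostname in Get-AdfsSslCertificate output is an assumption drawn from the naming convention described above, not a documented API.

```powershell
# Added example (not from the original article). Run elevated on the primary AD FS
# server (Server 2016, Farm Behavior Level 2016) after the new certificate has been
# imported into Cert:\LocalMachine\My on every AD FS and WAP server.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string[]]$OtherNodes = @('adfs2.contoso.local')   # placeholder node names
)

# 1. Validate the certificate: present in the machine store, private key available,
#    and not already expired (binding an expired cert only moves the outage).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
Write-Host "Using $($cert.Subject), valid until $($cert.NotAfter)"

# 2. Both Set-AdfsSslCertificate and Set-AdfsAlternateTlsClientBinding configure the
#    other farm nodes over PowerShell Remoting, so confirm TCP 5985 is open first.
foreach ($node in $OtherNodes) {
    $probe = Test-NetConnection -ComputerName $node -Port 5985 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "WinRM (TCP 5985) is not reachable on $node; the multi-node cmdlet would fail there"
    }
}

# 3. Choose the cmdlet for the binding mode (assumption: in alternate client TLS
#    binding mode a certauth.<fqdn> binding exists on port 443).
$alternate = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -like 'certauth.*' -and $_.PortNumber -eq 443 }
if ($alternate) {
    Write-Host 'Alternate client TLS binding mode detected'
    Set-AdfsAlternateTlsClientBinding -Thumbprint $Thumbprint
} else {
    Write-Host 'Default certificate authentication binding mode detected'
    Set-AdfsSslCertificate -Thumbprint $Thumbprint
}

# 4. Verify that every AD FS SSL binding now carries the new thumbprint.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $Thumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash
    throw 'Some bindings still reference the old certificate'
}
Write-Host 'All AD FS SSL bindings updated'
```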

Replacing the SSL certificate for the Web Application Proxy

To configure either the default certificate authentication binding or the alternate client TLS binding mode on the WAP, use the Set-WebApplicationProxySslCertificate cmdlet. To replace the Web Application Proxy SSL certificate, on each Web Application Proxy server use the following cmdlet to install the new SSL certificate:

Set-WebApplicationProxySslCertificate '<thumbprint of new cert>'

If the above cmdlet fails because the old certificate has already expired, reconfigure the proxy using the following cmdlets:

$cred = Get-Credential

Enter the credentials of a domain user who is a local administrator on the AD FS server.

Install-WebApplicationProxy -FederationServiceTrustCredential $cred -CertificateThumbprint '<thumbprint of new cert>' -FederationServiceName 'fs.contoso.com'
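The WAP procedure above, including the fallback for an already-expired certificate, as an added example that is not part of the article or of Microsoft's own tooling. It runs on each WAP server, checks whether the currently bound certificate has expired, and only then re-establishes the proxy trust with Install-WebApplicationProxy. The federation service name and thumbprint are placeholders; it assumes Get-WebApplicationProxySslCertificate returns objects with a CertificateHash property, like Get-AdfsSslCertificate does.

```powershell
# Added example (not from the original article). Run elevated on each WAP server
# after the new certificate has been imported into Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$FederationServiceName = 'fs.contoso.com'   # placeholder
)

# Validate the new certificate before touching any binding.
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $new -or -not $new.HasPrivateKey) {
    throw "Certificate $Thumbprint is missing from LocalMachine\My or has no private key"
}

# Determine whether the certificate currently bound to the proxy has expired
# (assumption: CertificateHash is the thumbprint of the bound certificate).
$currentHash = (Get-WebApplicationProxySslCertificate | Select-Object -First 1).CertificateHash
$current     = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $currentHash
$expired     = ($current -and $current.NotAfter -lt (Get-Date))
if ($expired) { Write-Warning "Bound certificate $currentHash expired on $($current.NotAfter)" }

if (-not $expired) {
    try {
        Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
        Write-Host 'WAP SSL certificate replaced'
        return
    } catch {
        Write-Warning "Set-WebApplicationProxySslCertificate failed: $($_.Exception.Message)"
        Write-Warning 'Falling back to Install-WebApplicationProxy'
    }
}

# Fallback from the article: re-establish the proxy trust with the new certificate.
# Requires a domain user who is a local administrator on the AD FS server.
$cred = Get-Credential -Message 'Domain user who is local administrator on the AD FS server'
Install-WebApplicationProxy -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $Thumbprint `
    -FederationServiceName $FederationServiceName
Write-Host 'WAP reconfigured with the new SSL certificate'
```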

Additional references