Walkthrough Guide: Manage Risk with Conditional Access Control

Applies To: Windows Server 2012 R2

About This Guide

This walkthrough provides instructions for managing risk with one of the factors (user data) available through the conditional access control mechanism in Active Directory Federation Services (AD FS) in Windows Server 2012 R2. For more information about conditional access control and authorization mechanisms in AD FS in Windows Server 2012 R2, see Manage Risk with Conditional Access Control.

This walkthrough consists of the following sections:

Step 1: Setting up the lab environment

Step 2: Verify the default AD FS access control mechanism

Step 3: Configure conditional access control policy based on user data

Step 4: Verify conditional access control mechanism

Step 1: Setting up the lab environment

In order to complete this walkthrough, you need an environment that consists of the following components:

  • An Active Directory domain with a test user and group accounts, running on Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 with its schema upgraded to Windows Server 2012 R2, or an Active Directory domain running on Windows Server 2012 R2

  • A federation server running on Windows Server 2012 R2

  • A web server that hosts your sample application

  • A client computer from which you can access the sample application

Warning

It is strongly recommended, in both production and test environments, that you do not use the same computer as both your federation server and your web server.

In this environment, the federation server issues the claims that are required so that users can access the sample application. The web server hosts a sample application that trusts users who present the claims that the federation server issues.

For instructions on how to set up this environment, see Set up the lab environment for AD FS in Windows Server 2012 R2.

Step 2: Verify the default AD FS access control mechanism

In this step you will verify the default AD FS access control mechanism, where the user is redirected to the AD FS sign-in page, provides valid credentials, and is granted access to the application. You can use the Robert Hatley AD account and the claimapp sample application that you configured in Set up the lab environment for AD FS in Windows Server 2012 R2.

To verify the default AD FS access control mechanism

  1. On your client computer, open a browser window and navigate to your sample application: https://webserv1.contoso.com/claimapp.

    This action automatically redirects the request to the federation server, and you are prompted to sign in with a username and password.

  2. Type in the credentials of the Robert Hatley AD account that you created in Set up the lab environment for AD FS in Windows Server 2012 R2.

    You will be granted access to the application. (The relying party trust is created with a default Permit Access to All Users issuance authorization rule, so at this point any authenticated domain user can reach claimapp.)

Step 3: Configure conditional access control policy based on user data

In this step you will set up an access control policy based on the user's group membership data. In other words, you will configure an Issuance Authorization Rule on your federation server for the relying party trust that represents your sample application, claimapp. By this rule's logic, the Robert Hatley AD user will be issued the claims required to access this application because he belongs to the Finance group; users who are not in that group receive no permit claim and are denied. You added the Robert Hatley account to the Finance group in Set up the lab environment for AD FS in Windows Server 2012 R2.

You can complete this task using either the AD FS Management Console or Windows PowerShell.

To configure conditional access control policy based on user data via the AD FS Management Console

  1. In the AD FS Management Console, navigate to Trust Relationships, and then Relying Party Trusts.

  2. Select the relying party trust that represents your sample application (claimapp), and then, either in the Actions pane or by right-clicking this relying party trust, select Edit Claim Rules.

  3. In the Edit Claim Rules for claimapp window, select the Issuance Authorization Rules tab and click Add Rule.

  4. In the Add Issuance Authorization Claim Rule Wizard, on the Select Rule Template page, select the Permit or Deny Users Based on an Incoming Claim claim rule template and then click Next.

  5. On the Configure Rule page, do all of the following and then click Finish:

    1. Enter a name for the claim rule, for example TestRule.

    2. Select Group SID as the Incoming claim type.

    3. Click Browse, type in Finance for the name of your AD test group, and resolve it for the Incoming claim value field.

    4. Select the Permit access to users with this incoming claim option. A Deny rule for the Finance group SID would have the opposite effect and, combined with the next step, would leave every user without a permit claim.

  6. In the Edit Claim Rules for claimapp window, make sure to delete the Permit Access to All Users rule that was created by default when you created this relying party trust. Issuance authorization rules are evaluated as a set: a user is authorized only if at least one permit claim is issued and no deny claim is issued, so leaving the default rule in place would still admit users outside the Finance group.

To configure conditional access control policy based on user data via Windows PowerShell

  1. On your federation server, open a Windows PowerShell command window and run the following command:

```powershell
$rp = Get-AdfsRelyingPartyTrust -Name claimapp
```

  2. In the same Windows PowerShell command window, run the following commands. The rule is the text the Permit or Deny Users Based on an Incoming Claim template generates for a permit rule; because Set-AdfsRelyingPartyTrust replaces the entire issuance authorization rule set, the default Permit Access to All Users rule is removed at the same time.

```powershell
$GroupAuthzRule = '@RuleTemplate = "Authorization" @RuleName = "Foo" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<group_SID>$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");'
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $GroupAuthzRule
```

Note

Make sure to replace <group_SID> with the SID of your AD Finance group (for example, S-1-5-21-...-1105). The SID is matched as a regular expression anchored with ^ and $, so a mistyped SID produces a rule that never matches and, with no other permit rule, denies everyone.
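The following PowerShell is an added example, not code from the original walkthrough. It resolves the Finance group SID from Active Directory instead of pasting it by hand, builds the same permit rule that the Permit or Deny Users Based on an Incoming Claim template generates, applies it to the claimapp trust, and reads the rule set back to confirm that the default permit-all rule is gone. It assumes the ActiveDirectory module (RSAT) is installed on the federation server; the rule name PermitFinanceOnly is my own choice.

```powershell
# Added example (not from the original walkthrough). Assumes the AD FS server
# has the ActiveDirectory module installed, the relying party trust is named
# "claimapp" and the test group is "Finance" as in the lab setup. The rule
# name "PermitFinanceOnly" is an assumption.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName    = 'claimapp'
$groupName = 'Finance'

# Resolve the group SID rather than typing it: a typo silently yields a rule
# that never matches, and with no other permit rule every user is denied.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
if ($groupSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
    throw "Unexpected SID format for ${groupName}: $groupSid"
}

# Same shape as the template-generated rule. The SID is a literal inside a
# regex, so escape it; the template's ^ ... $ anchors and (?i) are kept.
$claimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$permitRule = @"
@RuleTemplate = "Authorization"
@RuleName = "PermitFinanceOnly"
c:[Type == "$claimType", Value =~ "^(?i)$([regex]::Escape($groupSid))$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# -IssuanceAuthorizationRules replaces the whole rule set, so the default
# "Permit Access to All Users" rule is dropped in the same operation.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $permitRule

# Read back and check what is actually in effect.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
if ($applied -match 'AllowAllAuthzRule') {
    # "AllowAllAuthzRule" is the template name the console writes for the
    # default permit-all rule.
    throw 'Default permit-all rule is still present'
}
if ($applied -notmatch [regex]::Escape($groupSid)) {
    throw 'Finance group rule was not applied'
}
if ($applied -match 'authorization/claims/deny') {
    throw 'A deny rule is present; this walkthrough expects a permit-only rule set'
}
Write-Host "Issuance authorization rules now in effect for ${rpName}:`n$applied"
```

Run it in an elevated PowerShell window on the federation server. The read-back checks are the useful part: they catch the two ways this step goes wrong in practice, the default rule surviving (everyone still admitted) and the SID not matching (everyone denied).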

Step 4: Verify conditional access control mechanism

In this step you will verify the conditional access control policy that you set up in the previous step. You can use the following procedure to verify that the Robert Hatley AD user can access your sample application because he belongs to the Finance group, and that AD users who do not belong to the Finance group cannot access the sample application.

  1. On your client computer, open a browser window and navigate to your sample application: https://webserv1.contoso.com/claimapp.

    This action automatically redirects the request to the federation server, and you are prompted to sign in with a username and password.

  2. Type in the credentials of the Robert Hatley AD account that you created in Set up the lab environment for AD FS in Windows Server 2012 R2.

    You will be granted access to the application.

  3. Sign out, return to the application, and type in the credentials of another AD user that does NOT belong to the Finance group. (For more information on how to create user accounts in AD, see http://technet.microsoft.com/library/cc7833232.aspx.)

    At this point, because of the access control policy that you set up in the previous step, an 'access denied' message is displayed for this AD user who does NOT belong to the Finance group. The default message text is: You are not authorized to access this site. Click here to sign out and sign in again or contact your administrator for permissions. This text is fully customizable; for more information about how to customize the sign-in experience, see Customizing the AD FS Sign-in Pages. Note that the denial happens at the federation server, before any token is issued to the application, so the web server never sees the request from an unauthorized user.
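Before testing in the browser, you can predict which accounts the policy should admit. The following added example (not part of the original walkthrough) reads the group SIDs referenced by the issuance authorization rules of claimapp and resolves recursive group membership, since AD FS issues Group SID claims for nested groups as well as direct ones. It assumes the rule set is a single permit rule as configured in Step 3, that the ActiveDirectory module is available, and uses the sAMAccountNames rhatley and jdoe as hypothetical test accounts.

```powershell
# Added example (not from the original walkthrough). Assumes the trust is
# "claimapp", the rule set consists of permit rules keyed on Group SID, and
# that "rhatley" (in Finance) and "jdoe" (not in Finance) exist; both account
# names are assumptions.
Import-Module ADFS
Import-Module ActiveDirectory

$rules = (Get-AdfsRelyingPartyTrust -Name 'claimapp').IssuanceAuthorizationRules
if (-not $rules) { throw 'claimapp has no issuance authorization rules' }
if ($rules -match 'authorization/claims/deny') {
    throw 'Rule set contains a deny rule; this check only models permit rules'
}

# Every domain group SID the rules refer to.
$sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'
$ruleSids = [regex]::Matches($rules, $sidPattern) |
    ForEach-Object { $_.Value } | Sort-Object -Unique
if (-not $ruleSids) { throw 'No group SID found in the issuance authorization rules' }

# Recursive membership: a user nested in Finance via another group still
# receives the Finance Group SID claim and is permitted.
$permittedUsers = foreach ($sid in $ruleSids) {
    Get-ADGroupMember -Identity $sid -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}

foreach ($user in 'rhatley', 'jdoe') {
    $expected = if ($permittedUsers -contains $user) { 'permitted' } else { 'denied' }
    '{0,-12} expected: {1}' -f $user, $expected
}
```

If the browser result disagrees with this prediction, the usual causes are a stale Kerberos ticket or browser session on the client (group changes only take effect at the next sign-in) or a SID in the rule that does not belong to the group you intended.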

See Also

Manage Risk with Conditional Access Control

Set up the lab environment for AD FS in Windows Server 2012 R2