AD FS Requirements

Applies To: Windows Server 2016

The following are the requirements for deploying AD FS:

Certificate requirements

SSL Certificates

Each AD FS and Web Application Proxy server has an SSL certificate to service HTTPS requests to the federation service. The Web Application Proxy can have additional SSL certificates to service requests to published applications.

Recommendation: Use the same SSL certificate for all AD FS federation servers and Web Application Proxies.

Requirements:

SSL certificates on federation servers must meet the following requirements:

  • Certificate is publicly trusted (for production deployments)
  • Certificate contains the Server Authentication Enhanced Key Usage (EKU) value
  • Certificate contains the federation service name, such as "fs.contoso.com", in the Subject or Subject Alternative Name (SAN)
  • For user certificate authentication on port 443, the certificate contains "certauth.<federation service name>", such as "certauth.fs.contoso.com", in the SAN
  • For device registration or for modern authentication to on-premises resources using pre-Windows 10 clients, the SAN must contain "enterpriseregistration.<upn suffix>" for each UPN suffix in use in your organization.

SSL certificates on the Web Application Proxy must meet the following requirements:

  • If the proxy is used to proxy AD FS requests that use Windows Integrated Authentication, the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate
  • If the AD FS property "ExtendedProtectionTokenCheck" is enabled (the default setting in AD FS), the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate
  • Otherwise, the requirements for the proxy SSL certificate are the same as those for the federation server SSL certificate
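The following is an added example (not part of the original article or the AD FS product) that checks a certificate in the local machine store against the SSL certificate requirements listed above. The thumbprint, the name fs.contoso.com and the UPN suffixes are placeholders; EnhancedKeyUsageList and DnsNameList are properties the PowerShell certificate provider adds to X509Certificate2 objects.

```powershell
# Added example, not from the original page. Checks one certificate against the
# federation server SSL certificate requirements above. Placeholders: thumbprint,
# federation service name, UPN suffixes.
function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FederationServiceName,
        [string[]]$UpnSuffix = @(),
        [switch]$CertAuthOnPort443,
        [switch]$DeviceRegistration
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $findings = New-Object System.Collections.Generic.List[string]

    # Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1
    if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')) {
        $findings.Add('Missing Server Authentication EKU')
    }

    # Names the certificate is valid for: every SAN DNS entry plus the Subject CN
    $names = @($cert.DnsNameList.Unicode)
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }

    # A name is covered when listed exactly or by a wildcard for its parent domain
    # (*.contoso.com covers fs.contoso.com but NOT certauth.fs.contoso.com)
    function Covers([string]$Name) {
        $parent = ($Name -split '\.', 2)[1]
        foreach ($n in $names) {
            if ($n -ieq $Name) { return $true }
            if ($n.StartsWith('*.') -and $n.Substring(2) -ieq $parent) { return $true }
        }
        return $false
    }

    $required = @($FederationServiceName)
    if ($CertAuthOnPort443) { $required += "certauth.$FederationServiceName" }
    if ($DeviceRegistration) { $required += @($UpnSuffix | ForEach-Object { "enterpriseregistration.$_" }) }
    foreach ($r in $required) {
        if (-not (Covers $r)) { $findings.Add("Name not covered by Subject/SAN: $r") }
    }

    # Verify() only confirms the chain builds against this machine's trust store;
    # whether the issuer is a *publicly* trusted CA still needs a manual check.
    if (-not $cert.Verify()) { $findings.Add('Certificate does not chain to a trusted root') }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("Expires soon: $($cert.NotAfter)") }

    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Test-AdfsSslCertificate -Thumbprint '<thumbprint placeholder>' -FederationServiceName 'fs.contoso.com' `
    -UpnSuffix 'contoso.com', 'fabrikam.com' -CertAuthOnPort443 -DeviceRegistration
```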

Service Communication Certificate

This certificate is not required for most AD FS scenarios, including Azure AD and Office 365. By default, AD FS configures the SSL certificate provided upon initial configuration as the service communication certificate.

Recommendation:

  • Use the same certificate as you use for SSL.

Token Signing Certificate

This certificate is used to sign tokens issued to relying parties, so relying party applications must recognize the certificate and its associated key as known and trusted. When the token signing certificate changes, such as when it expires and you configure a new certificate, all relying parties must be updated.

Recommendation: Use the AD FS default, internally generated, self-signed token signing certificates.

Requirements:

  • If your organization requires that certificates from the enterprise PKI be used for token signing, this can be done using the SigningCertificateThumbprint parameter of the Install-AdfsFarm cmdlet.
  • Whether you use the default internally generated certificates or externally enrolled certificates, when the token signing certificate is changed you must ensure all relying parties are updated with the new certificate information. Otherwise, logons to any relying parties not updated will fail.

Token Encrypting/Decrypting Certificate

This certificate is used by claims providers that encrypt tokens issued to AD FS.

Recommendation: Use the AD FS default, internally generated, self-signed token decrypting certificates.

Requirements:

  • If your organization requires that certificates from the enterprise PKI be used for token decrypting, this can be done using the DecryptingCertificateThumbprint parameter of the Install-AdfsFarm cmdlet.
  • Whether you use the default internally generated certificates or externally enrolled certificates, when the token decrypting certificate is changed you must ensure all claims providers are updated with the new certificate information. Otherwise, logons using any claims providers not updated will fail.

Warning

Certificates that are used for token-signing and token-decrypting/encrypting are critical to the stability of the Federation Service. Customers managing their own token-signing and token-decrypting/encrypting certificates should ensure that these certificates are backed up and are available independently during a recovery event.
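As an added example covering the token signing and token decrypting requirements above together with the backup warning (this is not code from the original article), the following creates a farm whose token-signing and token-decrypting certificates come from the enterprise PKI, then lists and exports the current certificates so relying parties and claims providers can be updated and a recovery copy exists. All thumbprints, names, account and paths are placeholders.

```powershell
# Added example, not from the original page. Placeholders: thumbprints, names, paths.
$fsName       = 'fs.contoso.com'
$sslThumb     = '<ssl certificate thumbprint>'
$signingThumb = '<enterprise PKI token-signing thumbprint>'
$decryptThumb = '<enterprise PKI token-decrypting thumbprint>'

# Omit the two *CertificateThumbprint parameters to keep the recommended default of
# internally generated self-signed certificates.
Install-AdfsFarm -CertificateThumbprint $sslThumb `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso Corporation' `
    -GroupServiceAccountIdentifier 'CONTOSO\gmsa_adfs$' `
    -SigningCertificateThumbprint $signingThumb `
    -DecryptingCertificateThumbprint $decryptThumb

# Inventory: relying parties must trust the primary token-signing certificate and
# claims providers the primary token-decrypting one; track expiry for rollover.
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -ne 'Service-Communications' } |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# Public part for distribution to partners (a .cer file carries no private key).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
Export-Certificate -Cert $signing.Certificate -FilePath 'C:\backup\adfs-token-signing.cer'

# Recovery copy including the private key, password protected and kept off the farm.
# Only succeeds when the key was enrolled as exportable in the local machine store.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Get-Item "Cert:\LocalMachine\My\$signingThumb" |
    Export-PfxCertificate -FilePath 'C:\backup\adfs-token-signing.pfx' -Password $pfxPwd
```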

User Certificates

  • When using X.509 user certificate authentication with AD FS, all user certificates must chain up to a root certification authority that is trusted by the AD FS and Web Application Proxy servers.

Hardware requirements

AD FS and Web Application Proxy hardware requirements (physical or virtual) are gated on CPU, so you should size your farm for processing capacity.

The memory and disk requirements for AD FS are fairly static; see the table below:

Hardware requirement   Minimum requirement   Recommended requirement
RAM                    2 GB                  4 GB
Disk space             32 GB                 100 GB

SQL Server Hardware Requirements

If you are using SQL Server for your AD FS configuration database, size the SQL Server according to the most basic SQL Server recommendations. The AD FS database is very small, and AD FS does not put a significant processing load on the database instance. AD FS does, however, connect to the database multiple times during an authentication, so the network connection should be robust. Unfortunately, SQL Azure is not supported for the AD FS configuration database.

Proxy requirements

  • For extranet access, you must deploy the Web Application Proxy role service, part of the Remote Access server role.

  • Third-party proxies must support the MS-ADFSPIP protocol to be supported as an AD FS proxy.

  • AD FS 2016 requires Web Application Proxy servers on Windows Server 2016. A downlevel proxy cannot be configured for an AD FS 2016 farm running at the 2016 farm behavior level.

  • A federation server and the Web Application Proxy role service cannot be installed on the same computer.

AD DS requirements

Domain controller requirements

  • AD FS requires domain controllers running Windows Server 2008 or later.

  • At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.

Note

All support for environments with Windows Server 2003 domain controllers has ended. Visit this page for additional information on the Microsoft Support Lifecycle.

Domain functional-level requirements

  • All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.

  • A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user's account in AD DS.

Schema requirements

  • New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).

  • Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).

Service account requirements

  • Any standard domain account can be used as a service account for AD FS. Group Managed Service Accounts are also supported. The permissions required at runtime will be added automatically when you configure AD FS.

  • Group Managed Service Accounts require at least one domain controller running Windows Server 2012 or higher.

  • For Kerberos authentication, the service principal name 'HOST/<adfs_service_name>' must be registered on the AD FS service account. By default, AD FS will configure this when creating a new AD FS farm. If this fails, such as in the case of a collision or insufficient permissions, you will see a warning and you should add it manually.
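An added example (not from the original article) for the SPN requirement above: it confirms that HOST/<federation service name> is registered on the AD FS service account and detects a collision with another account before adding the SPN manually. It assumes the ActiveDirectory module is available; the federation service name and account names are placeholders.

```powershell
# Added example, not from the original page. Placeholders: fs.contoso.com, gmsa_adfs$.
function Test-AdfsHostSpn {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [Parameter(Mandatory)][string]$ServiceAccountSam   # 'gmsa_adfs$' for a gMSA, 'svc_adfs' for a user
    )
    $spn = "HOST/$FederationServiceName"

    # Forest-wide lookup of every object holding this SPN; a duplicate breaks Kerberos,
    # which is the "collision" case in which AD FS setup cannot register it.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName)

    [pscustomobject]@{
        Spn        = $spn
        Registered = $holders -contains $ServiceAccountSam
        Collision  = @($holders | Where-Object { $_ -ne $ServiceAccountSam }).Count -gt 0
        Holders    = $holders -join ', '
    }
}

$result = Test-AdfsHostSpn -FederationServiceName 'fs.contoso.com' -ServiceAccountSam 'gmsa_adfs$'
$result

# Manual registration when AD FS setup warned that it could not add the SPN.
# setspn -S checks the forest for duplicates first and refuses to add one.
if (-not $result.Registered -and -not $result.Collision) {
    setspn -S 'HOST/fs.contoso.com' 'CONTOSO\gmsa_adfs$'
}
```

If Collision is true, resolve which account legitimately owns the name before changing anything; removing the SPN from the other account breaks whatever service is using it.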

Domain Requirements

  • All AD FS servers must be joined to an AD DS domain.

  • All AD FS servers within a farm must be deployed in the same domain.

Multi-Forest Requirements

  • The domain to which the AD FS servers are joined must trust every domain or forest that contains users authenticating to the AD FS service.

  • The forest that the AD FS service account is a member of must trust all user login forests.

  • The AD FS service account must have permissions to read user attributes in every domain that contains users authenticating to the AD FS service.

Configuration database requirements

This section describes the requirements and restrictions for AD FS farms that use either the Windows Internal Database (WID) or SQL Server as the configuration database:

WID

  • The artifact resolution profile of SAML 2.0 is not supported in a WID farm.

  • Token replay detection is not supported in a WID farm. (This functionality is only used in scenarios where AD FS is acting as the federation provider and consuming security tokens from external claims providers.)

The following table provides a summary of how many AD FS servers are supported in a WID farm versus a SQL Server farm.

                             1 - 100 relying party (RP) trusts configured in AD FS   More than 100 RP trusts configured
1 - 30 AD FS servers         WID supported                                           Not supported using WID; SQL Server required
More than 30 AD FS servers   Not supported using WID; SQL Server required            Not supported using WID; SQL Server required

SQL Server

  • For AD FS in Windows Server 2016, SQL Server 2008 and higher versions are supported.

  • Both SAML artifact resolution and token replay detection are supported in a SQL Server farm.

Browser requirements

When AD FS authentication is performed via a browser or browser control, your browser must comply with the following requirements:

  • JavaScript must be enabled

  • For single sign-on, the client browser must be configured to allow cookies

  • Server Name Indication (SNI) must be supported

  • For user certificate and device certificate authentication, the browser must support SSL client certificate authentication

  • For seamless sign-on using Windows Integrated Authentication, the federation service name (such as https://fs.contoso.com) must be configured in the Local intranet zone or Trusted sites zone.
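An added example (not from the original article) of the last requirement above: it maps the federation service name into the Local intranet zone for the current user through the ZoneMap registry key that Internet Explorer and Edge consult. The name fs.contoso.com is a placeholder; in a domain the same mapping is normally delivered by the "Site to Zone Assignment List" Group Policy rather than written per user.

```powershell
# Added example, not from the original page. Placeholder: fs.contoso.com.
# Zone values used by ZoneMap: 1 = Local intranet, 2 = Trusted sites.
function Add-AdfsZoneMapping {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [ValidateSet(1, 2)][int]$Zone = 1
    )
    # ZoneMap stores the host label under the registrable domain:
    # ...\ZoneMap\Domains\contoso.com\fs  with a value per scheme
    $labels    = $FederationServiceName.Split('.')
    $hostLabel = $labels[0]                                   # fs
    $domain    = ($labels | Select-Object -Skip 1) -join '.'  # contoso.com
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Map only https: the federation service is served over HTTPS exclusively, so an
    # http mapping would widen the zone for nothing.
    New-ItemProperty -Path $key -Name 'https' -Value $Zone -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object PSPath, https
}

Add-AdfsZoneMapping -FederationServiceName 'fs.contoso.com'
```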

Network requirements

Firewall Requirements

Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.

In addition, if client user certificate authentication (client TLS authentication using X.509 user certificates) is required and the certauth endpoint on port 443 is not enabled, AD FS 2016 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers.

For additional information on hybrid port requirements, see Hybrid Identity Ports and Protocols.

For additional information, see Best practices for securing Active Directory Federation Services.

DNS Requirements

  • For intranet access, all clients accessing the AD FS service within the internal corporate network (intranet) must be able to resolve the AD FS service name to the load balancer for the AD FS servers or to the AD FS server.

  • For extranet access, all clients accessing the AD FS service from outside the corporate network (extranet/internet) must be able to resolve the AD FS service name to the load balancer for the Web Application Proxy servers or to the Web Application Proxy server.

  • Each Web Application Proxy server in the DMZ must be able to resolve the AD FS service name to the load balancer for the AD FS servers or to the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or by changing local server resolution using the HOSTS file.

  • For Windows Integrated Authentication, you must use a DNS A record (not a CNAME) for the federation service name.

  • For user certificate authentication on port 443, "certauth.<federation service name>" must be configured in DNS to resolve to the federation server or Web Application Proxy.

  • For device registration or for modern authentication to on-premises resources using pre-Windows 10 clients, "enterpriseregistration.<upn suffix>", for each UPN suffix in use in your organization, must be configured to resolve to the federation server or Web Application Proxy.
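An added example (not from the original article) that checks the DNS requirements above together with the firewall port requirements: run it from an intranet client, an extranet client or a Web Application Proxy in the DMZ to see which names resolve, whether the federation service name is an A record rather than a CNAME, and whether TCP 443 (and optionally 49443) is reachable. The names and UPN suffixes are placeholders.

```powershell
# Added example, not from the original page. Placeholders: fs.contoso.com, UPN suffixes.
function Test-AdfsNameResolution {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [string[]]$UpnSuffix = @(),
        [switch]$CertAuthOnPort49443   # set when the certauth endpoint on 443 is not enabled
    )
    $names = @($FederationServiceName, "certauth.$FederationServiceName") +
             @($UpnSuffix | ForEach-Object { "enterpriseregistration.$_" })

    foreach ($name in $names) {
        $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
        $a     = @($records | Where-Object Type -eq 'A')
        $cname = @($records | Where-Object Type -eq 'CNAME')

        $ports = @(443)
        if ($CertAuthOnPort49443 -and $name -eq $FederationServiceName) { $ports += 49443 }
        $tcp = foreach ($p in $ports) {
            $t = Test-NetConnection -ComputerName $name -Port $p -WarningAction SilentlyContinue
            '{0}={1}' -f $p, $t.TcpTestSucceeded
        }

        [pscustomobject]@{
            Name      = $name
            Resolves  = $a.Count -gt 0
            Addresses = ($a.IPAddress -join ', ')
            # Windows Integrated Authentication needs a plain A record for the service name
            IsCname   = $cname.Count -gt 0
            TcpPorts  = ($tcp -join ' ')
        }
    }
}

Test-AdfsNameResolution -FederationServiceName 'fs.contoso.com' -UpnSuffix 'contoso.com' |
    Format-Table -AutoSize
```

From the DMZ the Addresses column should show the AD FS servers or their load balancer; from the internet it should show the Web Application Proxy side, so a wrong view of split DNS is visible at a glance.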

Permissions requirements

The administrator who performs the installation and the initial configuration of AD FS must have local administrator permissions on the AD FS server. If the local administrator does not have permissions to create objects in Active Directory, they must first have a domain admin create the required AD objects, then configure the AD FS farm using the AdminConfiguration parameter.