Deploy Claims Across Forests

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In Windows Server 2012, a claim type is an assertion about the object it is associated with (for example, the department of a user or the classification of a device). Claim types are defined per forest in Active Directory. In many scenarios a security principal has to traverse a trust boundary to access resources in another forest. Cross-forest claims transformation in Windows Server 2012 lets you transform egress (outgoing) and ingress (incoming) claims as they cross a forest trust, so that the claims are recognized and accepted in both the trusting and the trusted forest. Some real-world scenarios for claims transformation are:

  • Trusting forests can use claim transformation as a guard against elevation of privilege by filtering incoming claims down to specific claim types and values.

    Trusting forests can also issue claims for principals coming over the trust boundary when the trusted forest does not support or issue any claims.

  • Trusted forests can use claim transformation to prevent certain claim types, or claims with certain values, from leaving the forest toward the trusting forest.

  • You can also use claim transformation to map different claim types between the trusting and trusted forests. The mapping can generalize the claim type, the claim value, or both. Without it you would have to standardize the claim data across the forests before the claims could be used; generalizing claims between the trusting and trusted forests reduces that IT cost.

Claim transformation rules

The transformation rule language divides a single rule into two main parts: a series of condition statements and the issue statement. A condition statement optionally begins with a claim identifier variable (such as C1), which names the matched input claim so that the issue statement can refer to it, followed by the condition itself, which tests the input claim's type, value, or value type. The issue statement consists of keywords, delimiters, and an issue expression that describes the claim to emit. If an input claim does not satisfy the condition, the transformation engine skips the issue statement and evaluates the next input claim against the rule. If all conditions of the rule match, the engine processes the issue statement and emits the resulting claim.

For detailed information on the claim rules language, see Claims Transformation Rules Language.

Linking claim transformation policies to forests

Two components are involved in setting up claim transformation policies: the claim transformation policy object and the transformation link. The policy objects live in the configuration naming context of a forest and contain the mapping rules for the claims. The link attaches a policy to a specific trust and specifies whether the mapping applies in the trusting or the trusted role.

It is important to know whether a forest is the trusting or the trusted forest, because that determines how transformation policy objects are linked. The trusted forest is the forest that contains the user accounts that require access. The trusting forest is the forest that contains the resources you want to give those users access to. Claims travel in the same direction as the security principal that requires access, that is, from the trusted forest to the trusting forest. For example, with a one-way trust in which contoso.com trusts adatum.com (contoso.com is the trusting forest, adatum.com the trusted forest), claims flow from adatum.com to contoso.com, allowing users from adatum.com to access resources in contoso.com.

By default, a trusted forest allows all outgoing claims to pass, and a trusting forest drops all incoming claims that it receives. As a consequence, a central access policy in the trusting forest that depends on user claims cannot be satisfied by users from the trusted forest until a transformation policy that passes the required claims is linked to the trust on the trusting side.
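The following PowerShell script is an added example and not part of the original page; it uses the ActiveDirectory module cmdlets New-ADClaimTransformPolicy, Set-ADClaimTransformLink and Get-ADTrust to put the rule language from the previous section and the linking model described above into practice for the contoso.com / adatum.com trust in the example. The forest names, claim type IDs (the ad://ext/... identifiers), claim values and policy names are assumptions made for illustration; substitute the claim type IDs from your own forests.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module
# (RSAT) and Enterprise Admins rights in the forest being changed.
# Assumed environment (hypothetical names and IDs):
#   adatum.com  = trusted forest, holds the user accounts
#   contoso.com = trusting forest, holds the file servers; contoso.com trusts adatum.com
#   Claim type IDs:  adatum  Department = ad://ext/Department:88ce6e1cc4d6a1a4
#                    adatum  CostCenter = ad://ext/CostCenter:4a1b2c3d4e5f6071
#                    contoso Department = ad://ext/Department:aa8f7b2c0e1d3f45
Import-Module ActiveDirectory

# ---- Trusted forest (adatum.com): control what LEAVES over the trust ----
# Default is to let every outgoing claim pass. Rule C1 rewrites Department to
# the type ID that contoso.com knows; rule C2 passes every other claim through
# unchanged except CostCenter, for which no rule issues anything, so it never
# crosses the trust. Each rule ends with a semicolon.
$egressRules = @'
C1:[Type=="ad://ext/Department:88ce6e1cc4d6a1a4"] => Issue(Type="ad://ext/Department:aa8f7b2c0e1d3f45", Value=C1.Value, ValueType=C1.ValueType);
C2:[Type!="ad://ext/Department:88ce6e1cc4d6a1a4", Type!="ad://ext/CostCenter:4a1b2c3d4e5f6071"] => Issue(claim=C2);
'@
New-ADClaimTransformPolicy -Name "ContosoEgress" -Rule $egressRules `
    -Description "Map Department to the contoso.com type ID; withhold CostCenter" `
    -Server adatum.com
# -Identity is the trust object, which is named after the partner forest.
# -TrustRole Trusted = apply this policy to claims going OUT of the trusted forest.
Set-ADClaimTransformLink -Identity "contoso.com" -Policy "ContosoEgress" `
    -TrustRole Trusted -Server adatum.com

# ---- Trusting forest (contoso.com): filter what COMES IN over the trust ----
# Default is to drop every incoming claim, so nothing from adatum.com reaches a
# central access policy until a policy is linked. Accept Department only, and
# only with two known values; anything else, including a Department value the
# trusted forest should never send (say "Executives"), is still dropped.
$ingressRules = @'
C1:[Type=="ad://ext/Department:aa8f7b2c0e1d3f45", Value=="Finance"] => Issue(claim=C1);
C2:[Type=="ad://ext/Department:aa8f7b2c0e1d3f45", Value=="Legal"] => Issue(claim=C2);
'@
New-ADClaimTransformPolicy -Name "AdatumIngress" -Rule $ingressRules `
    -Description "Accept only Department in {Finance, Legal} from adatum.com" `
    -Server contoso.com
# -TrustRole Trusting = apply this policy to claims coming IN to the trusting forest.
Set-ADClaimTransformLink -Identity "adatum.com" -Policy "AdatumIngress" `
    -TrustRole Trusting -Server contoso.com

# ---- Verify which policy is linked on each side ----
# The links are stored on the trustedDomain object of the trust, in the
# msDS-IngressClaimsTransformationPolicy / msDS-EgressClaimsTransformationPolicy
# attributes (a DN of the policy object, or empty when the default applies).
Get-ADTrust -Identity "adatum.com" -Server contoso.com `
    -Properties msDS-IngressClaimsTransformationPolicy |
    Select-Object Name, msDS-IngressClaimsTransformationPolicy
Get-ADTrust -Identity "contoso.com" -Server adatum.com `
    -Properties msDS-EgressClaimsTransformationPolicy |
    Select-Object Name, msDS-EgressClaimsTransformationPolicy

# To return a trust to the defaults (pass all out / drop all in), remove the link:
# Clear-ADClaimTransformLink -Identity "adatum.com" -TrustRole Trusting -Server contoso.com
```

Two points are worth checking after running this. First, the ingress policy in the trusting forest is the control that protects against elevation of privilege: it is an allow-list, so a new claim type or value added in adatum.com later does not cross the trust until contoso.com explicitly adds a rule for it. Second, the egress rule rewrites the claim type ID rather than the display name; claim type IDs are per forest, so the ID used in the issue statement must be the one defined in the trusting forest's configuration naming context, or the transformed claim will not match any central access policy there.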

In this scenario

The following guidance is available for this scenario:

Roles and features included in this scenario

The following table lists the roles and features that are part of this scenario and describes how they support it.

Role/feature: Active Directory Domain Services
How it supports this scenario: In this scenario you set up two Active Directory forests with a two-way trust and define claims in both forests. You also set central access policies in the trusting forest, where the resources reside.

Role/feature: File and Storage Services role
How it supports this scenario: Data classification is applied to the resources on the file servers, and the central access policy is applied to the folders to which you want to grant users access. After transformation, the incoming claim grants the user access to the resource according to the central access policy applied to that folder on the file server.