Deploy Claims Across Forests (Demonstration Steps)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In this topic, we cover a basic scenario that explains how to configure claims transformations between trusting and trusted forests. You will learn how claims transformation policy objects can be created and linked to the trust on both the trusting forest and the trusted forest. You will then validate the scenario.

Scenario overview

Adatum Corporation provides financial services to Contoso, Ltd. Each quarter, Adatum accountants copy their account spreadsheets to a folder on a file server located at Contoso, Ltd. There is a two-way trust set up from Contoso to Adatum. Contoso, Ltd. wants to protect the share so that only Adatum employees can access the remote share.

In this scenario:

  1. Set up the prerequisites and the test environment

  2. Set up claims transformation on the trusted forest (Adatum)

  3. Set up claims transformation in the trusting forest (Contoso)

  4. Validate the scenario

Set up the prerequisites and the test environment

The test configuration involves setting up two forests, Adatum Corporation and Contoso, Ltd., with a two-way trust between Contoso and Adatum. "adatum.com" is the trusted forest and "contoso.com" is the trusting forest.

The claims transformation scenario demonstrates the transformation of a claim in the trusted forest into a claim in the trusting forest. To do this, you need to set up a new forest called adatum.com and populate it with a test user whose company value is 'Adatum'. You then have to set up a two-way trust between contoso.com and adatum.com.

Important

When setting up the Contoso and Adatum forests, you must ensure that both root domains are at the Windows Server 2012 domain functional level for claims transformation to work.

You need to set up the following for the lab. These procedures are explained in detail in Appendix B: Setting Up the Test Environment.

You need to implement the following procedures to set up the lab for this scenario:

  1. Set Adatum as a trusted forest to Contoso

  2. Create the 'Company' claim type on Contoso

  3. Enable the 'Company' resource property on Contoso

  4. Create the central access rule

  5. Create the central access policy

  6. Publish the new policy through Group Policy

  7. Create the Earnings folder on the file server

  8. Set classification and apply the central access policy on the new folder

Use the following information to complete this scenario:

| Objects | Details |
|---------|---------|
| Users | Jeff Low, Contoso |
| User claims on Adatum and Contoso | ID: ad://ext/Company:ContosoAdatum; Source attribute: company; Suggested values: Contoso, Adatum. Important: You must set the ID on the 'Company' claim type on both Contoso and Adatum to be the same for the claims transformation to work. |
| Central access rule on Contoso | AdatumEmployeeAccessRule |
| Central access policy on Contoso | Adatum Only Access Policy |
| Claims transformation policies on Adatum and Contoso | DenyAllExcept Company |
| File folder on Contoso | D:\EARNINGS |

Set up claims transformation on the trusted forest (Adatum)

In this step you create a transformation policy in Adatum that denies all claims except 'Company' from passing to Contoso.

The Active Directory module for Windows PowerShell provides the DenyAllExcept argument, which drops everything except the specified claims in the transformation policy.

To set up a claims transformation, you need to create a claims transformation policy and link it to the trust between the trusted and trusting forests.

Create a claims transformation policy in Adatum

To create a transformation policy in Adatum to deny all claims except 'Company'
  1. Sign in to the domain controller, adatum.com, as Administrator with the password pass@word1.

  2. Open an elevated command prompt in Windows PowerShell, and type the following:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims except Company" `
    -Name:"DenyAllClaimsExceptCompanyPolicy" `
    -DenyAllExcept:company `
    -Server:"adatum.com"


In this step, you apply the newly created claims transformation policy on Adatum's trust domain object for Contoso.

To apply the claims transformation policy
  1. Sign in to the domain controller, adatum.com, as Administrator with the password pass@word1.

  2. Open an elevated command prompt in Windows PowerShell, and type the following:

    Set-ADClaimTransformLink `
    -Identity:"contoso.com" `
    -Policy:"DenyAllClaimsExceptCompanyPolicy" `
    -TrustRole:Trusted

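The two Adatum-side steps above, combined into one re-runnable script with a verification step at the end. This is an added example, not code from the original page: it assumes an elevated PowerShell session on a domain controller of adatum.com with the ActiveDirectory module loaded, and that the forest trust to contoso.com already exists.

```powershell
# Added example (not from the original page): configure the trusted forest (Adatum)
# end to end and show the resulting link. Assumes an elevated session on an
# adatum.com domain controller with the ActiveDirectory module available.
Import-Module ActiveDirectory

$server     = "adatum.com"
$trust      = "contoso.com"
$policyName = "DenyAllClaimsExceptCompanyPolicy"

# Create the policy only if it does not exist yet, so the script can be re-run safely.
$policy = Get-ADClaimTransformPolicy -Filter "Name -eq '$policyName'" -Server $server
if (-not $policy) {
    $policy = New-ADClaimTransformPolicy `
        -Name $policyName `
        -Description "Claims transformation policy to deny all claims except Company" `
        -DenyAllExcept company `
        -Server $server `
        -PassThru
    Write-Host "Created policy $($policy.Name)"
} else {
    Write-Host "Policy $policyName already exists; reusing it."
}

# Link the policy to the trusted-domain object for contoso.com. On the trusted
# forest the role is Trusted: this is the policy applied to claims Adatum
# passes to Contoso, as described in the walkthrough.
Set-ADClaimTransformLink `
    -Identity $trust `
    -Policy $policyName `
    -TrustRole Trusted `
    -Server $server

# Verify: display the link the trust object now carries.
Get-ADClaimTransformLink -Identity $trust -TrustRole Trusted -Server $server | Format-List *
```

Running the script twice is harmless: the policy lookup skips creation on the second run, and Set-ADClaimTransformLink simply re-applies the same link.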

Set up claims transformation in the trusting forest (Contoso)

In this step you create a claims transformation policy in Contoso (the trusting forest) to deny all claims except 'Company'. You need to create a claims transformation policy and link it to the forest trust.

Create a claims transformation policy in Contoso

To create a transformation policy in Contoso to deny all except 'Company'
  1. Sign in to the domain controller, contoso.com, as Administrator with the password pass@word1.

  2. Open an elevated command prompt in Windows PowerShell and type the following:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims except company" `
    -Name:"DenyAllClaimsExceptCompanyPolicy" `
    -DenyAllExcept:company `
    -Server:"contoso.com"


In this step, you apply the newly created claims transformation policy on the contoso.com trust domain object for Adatum so that "Company" is passed through to contoso.com. The trust domain object is named adatum.com.

To set the claims transformation policy
  1. Sign in to the domain controller, contoso.com, as Administrator with the password pass@word1.

  2. Open an elevated command prompt in Windows PowerShell and type the following:

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"DenyAllClaimsExceptCompanyPolicy" `
    -TrustRole:Trusting

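Once both forests carry their link, the two conditions this walkthrough depends on can be checked from one console: the 'Company' claim type must have the same ID in both forests (see the Important note in the table above), and each side of the trust must carry its policy link. The following is an added example, not code from the original page; it assumes an elevated session with the ActiveDirectory module and read access to both forests over the trust, and it identifies the claim type by its display name 'Company', which is how the lab creates it.

```powershell
# Added example (not from the original page): cross-forest consistency check for the
# claims transformation lab. Assumes the ActiveDirectory module and read access to
# both adatum.com and contoso.com.
Import-Module ActiveDirectory

function Get-CompanyClaimType {
    param([string]$Server)
    # The lab creates the claim type with display name 'Company' in both forests.
    Get-ADClaimType -Filter "DisplayName -eq 'Company'" -Server $Server `
        -Properties ID, SourceAttribute, Enabled
}

$adatum  = Get-CompanyClaimType -Server "adatum.com"
$contoso = Get-CompanyClaimType -Server "contoso.com"

if (-not $adatum)  { throw "The 'Company' claim type is missing in adatum.com." }
if (-not $contoso) { throw "The 'Company' claim type is missing in contoso.com." }

# The ID is a string such as ad://ext/Company:ContosoAdatum. The walkthrough
# requires it to be identical in both forests for the transformation to work.
if ($adatum.ID -ne $contoso.ID) {
    Write-Warning ("Claim type ID mismatch: adatum.com='{0}' contoso.com='{1}'" -f $adatum.ID, $contoso.ID)
} else {
    Write-Host "Claim type ID matches in both forests: $($adatum.ID)"
}

if ($adatum.SourceAttribute -ne $contoso.SourceAttribute) {
    Write-Warning ("Source attribute differs: adatum.com='{0}' contoso.com='{1}'" -f $adatum.SourceAttribute, $contoso.SourceAttribute)
}
if (-not $adatum.Enabled -or -not $contoso.Enabled) {
    Write-Warning "The 'Company' claim type is disabled in at least one forest."
}

# Show the policy linked on each side of the trust: Trusted on the Adatum TDO for
# contoso.com, Trusting on the Contoso TDO for adatum.com.
Write-Host "--- adatum.com link (TrustRole Trusted) ---"
Get-ADClaimTransformLink -Identity "contoso.com" -TrustRole Trusted  -Server "adatum.com"  | Format-List *
Write-Host "--- contoso.com link (TrustRole Trusting) ---"
Get-ADClaimTransformLink -Identity "adatum.com"  -TrustRole Trusting -Server "contoso.com" | Format-List *
```

A mismatch reported here is the first thing to look at when the validation step below fails, because the transformation silently yields no usable claim rather than an error.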

Validate the scenario

In this step you try to access the D:\EARNINGS folder that was set up on the file server FILE1, to validate that the user has access to the shared folder.

To ensure that the Adatum user can access the shared folder

  1. Sign in to the client machine, CLIENT1, as Jeff Low with the password pass@word1.

  2. Browse to the folder \\FILE1.contoso.com\Earnings.

  3. Jeff Low should be able to access the folder.
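The manual check above can be made more informative by also inspecting the claims in the user's logon token, which tells you whether the 'Company' claim survived the transformation before you look at the share. The script below is an added example, not part of the original page; it is meant to run on CLIENT1 in the session of Jeff Low and relies on the built-in whoami.exe /claims command and the share path named in the steps.

```powershell
# Added example (not from the original page): validate the lab from CLIENT1 while
# signed in as Jeff Low. Uses the built-in whoami.exe /claims to inspect the token
# and then tests the share the central access policy protects.
$share = "\\FILE1.contoso.com\Earnings"

# 1. Claims carried in the current logon token. With the DenyAllExcept Company
#    policy applied on both sides, the Company claim should be listed here.
$claims = & whoami.exe /claims
$claims

if ($claims | Select-String -Pattern "Company" -SimpleMatch) {
    Write-Host "Company claim is present in the token."
} else {
    Write-Warning "No Company claim in the token. Check the claim type ID in both forests and the trust links, then sign out and sign in again so a new token is issued."
}

# 2. Can this user actually open the folder?
if (Test-Path -Path $share) {
    Write-Host "Access to $share succeeded:"
    Get-ChildItem -Path $share | Select-Object Name, LastWriteTime
} else {
    Write-Warning "Access to $share was denied or the path is unreachable."
}
```

Claims are placed in the token at logon, so after changing a policy or link the user must sign out and sign in again before the first check reflects the change.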

Additional scenarios for claims transformation policies

Following is a list of additional common cases in claims transformation.

Scenario: Allow all claims that come from Adatum to go through to Contoso

Policy:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to allow all claims" `
    -Name:"AllowAllClaimsPolicy" `
    -AllowAll `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"AllowAllClaimsPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

Scenario: Deny all claims that come from Adatum to go through to Contoso

Policy:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims" `
    -Name:"DenyAllClaimsPolicy" `
    -DenyAll `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"DenyAllClaimsPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

Scenario: Allow all claims that come from Adatum except "Company" and "Department" to go through to Contoso

Policy:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to allow all claims except company and department" `
    -Name:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
    -AllowAllExcept:company,department `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"
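Each of the scenarios above links a different policy to the same trust object, so switching between them in the lab means unlinking and removing the previous policy first. The following helper is an added example, not code from the original page; it assumes elevated sessions with the ActiveDirectory module and rights in both forests, and it assumes Clear-ADClaimTransformLink accepts the Identity, Policy and TrustRole parameters as the ActiveDirectory module ships them.

```powershell
# Added example (not from the original page): reset one side of the trust so the
# lab can be re-run with another policy from the table above. Assumes the
# ActiveDirectory module and administrative rights in the forest named by -Server.
Import-Module ActiveDirectory

function Reset-ClaimsTransformation {
    param(
        [Parameter(Mandatory)][string]$Server,      # forest whose trust object is edited
        [Parameter(Mandatory)][string]$Trust,       # the other forest, as named on the trust object
        [Parameter(Mandatory)][ValidateSet("Trusted", "Trusting")][string]$TrustRole,
        [Parameter(Mandatory)][string]$PolicyName
    )

    $policy = Get-ADClaimTransformPolicy -Filter "Name -eq '$PolicyName'" -Server $Server
    if (-not $policy) {
        Write-Host "$PolicyName does not exist in $Server; nothing to reset."
        return
    }

    # Remove the link from the trust object first, then delete the policy object.
    Clear-ADClaimTransformLink -Identity $Trust -Policy $PolicyName -TrustRole $TrustRole -Server $Server
    Remove-ADClaimTransformPolicy -Identity $PolicyName -Server $Server -Confirm:$false
    Write-Host "Unlinked and removed $PolicyName on $Server ($TrustRole side of the trust with $Trust)."
}

# Tear down the DenyAllExcept Company setup from the walkthrough on both sides.
Reset-ClaimsTransformation -Server "adatum.com"  -Trust "contoso.com" -TrustRole Trusted  -PolicyName "DenyAllClaimsExceptCompanyPolicy"
Reset-ClaimsTransformation -Server "contoso.com" -Trust "adatum.com"  -TrustRole Trusting -PolicyName "DenyAllClaimsExceptCompanyPolicy"

# The trust is now back to having no transformation policy on either side; apply one
# of the scenario policies above, then repeat the validation step on CLIENT1.
```

Remember that users keep the claims they already have until they sign in again, so re-run the validation step after a fresh logon.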

See also