Deploy Work Folders with AD FS and Web Application Proxy: Step 1, Set-up AD FS

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the first step in deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. You can find the other steps in this process in these topics:


The instructions covered in this section are for a Windows Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

To set up AD FS for use with Work Folders, use the following procedures.

Pre-installation work

If you intend to convert the test environment that you're setting up with these instructions to production, there are two things that you might want to do before you start:

  • Set up an Active Directory domain administrator account to use to run the AD FS service.

  • Obtain a Secure Sockets Layer (SSL) subject alternative name (SAN) certificate for server authentication. For the test example, you will use a self-signed certificate, but for production you should use a publicly trusted certificate.

Obtaining these items can take some time, depending on your company's policies, so it can be beneficial to start the request process for the items before you begin to create the test environment.

There are many commercial certificate authorities (CAs) from which you can purchase the certificate. You can find a list of the CAs that are trusted by Microsoft in KB article 931125. Another alternative is to get a certificate from your company's enterprise CA.

For the test environment, you will use a self-signed certificate that is created by one of the provided scripts.


AD FS does not support Cryptography Next Generation (CNG) certificates, which means that you cannot create the self-signed certificate by using the Windows PowerShell cmdlet New-SelfSignedCertificate. You can, however, use the makecert.ps1 script included in the Deploying Work Folders with AD FS and Web Application Proxy blog post. This script creates a self-signed certificate that works with AD FS and prompts for the SAN names that will be needed to create the certificate.

Next, do the additional pre-installation work described in the following sections.

Create an AD FS self-signed certificate

To create an AD FS self-signed certificate, follow these steps:

  1. Download the scripts provided in the Deploying Work Folders with AD FS and Web Application Proxy blog post and then copy the file makecert.ps1 to the AD FS machine.

  2. Open a Windows PowerShell window with admin privileges.

  3. Set the execution policy to unrestricted:

    PS C:\temp\scripts> Set-ExecutionPolicy -ExecutionPolicy Unrestricted
  4. Change to the directory where you copied the script.

  5. Execute the makecert script:

    PS C:\temp\scripts> .\makecert.ps1
  6. When you are prompted to change the subject certificate, enter the new value for the subject. In this example, the value is blueadfs.contoso.com.

  7. When you are prompted to enter SAN names, press Y and then enter the SAN names, one at a time.

    For this example, type blueadfs.contoso.com and press Enter, then type 2016-adfs.contoso.com and press Enter, then type enterpriseregistration.contoso.com and press Enter.

    When all of the SAN names have been entered, press Enter on an empty line.

  8. When you are prompted to install the certificates to the Trusted Root Certification Authority store, press Y.

The AD FS certificate must be a SAN certificate with the following values:

  • AD FS service name.domain

  • enterpriseregistration.domain

  • AD FS server name.domain

In the test example, the values are:

  • blueadfs.contoso.com

  • enterpriseregistration.contoso.com

  • 2016-adfs.contoso.com

The enterpriseregistration SAN is needed for Workplace Join.
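Before handing the certificate to AD FS it is worth confirming from PowerShell that it really carries all three SAN names and that its private key lives in a legacy cryptographic service provider rather than a CNG key storage provider, which AD FS does not support. The check below is an added example; it is not part of the original article or of the makecert.ps1 script. The host names are the article's test values, and the match on certutil's "Provider =" line assumes an English-language Windows installation.

```powershell
# Added example (not from the original article or makecert.ps1): validate the AD FS
# SSL certificate in the local machine store before configuring the farm.
# Host names are the article's test example; replace them for your environment.
$FederationServiceName = 'blueadfs.contoso.com'
$RequiredSans = @('blueadfs.contoso.com', 'enterpriseregistration.contoso.com', '2016-adfs.contoso.com')

function Test-AdfsCertificate {
    param([string]$SubjectName, [string[]]$Sans)

    # Newest certificate whose subject matches the federation service name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($SubjectName) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject matching '$SubjectName' in Cert:\LocalMachine\My" }

    # Decode the Subject Alternative Name extension (OID 2.5.29.17). Format($false)
    # yields one line such as "DNS Name=a.contoso.com, DNS Name=b.contoso.com".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $present = @()
    if ($sanExt) {
        $present = @(($sanExt.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLowerInvariant() })
    }
    $missing = @($Sans | Where-Object { $present -notcontains $_.ToLowerInvariant() })

    # AD FS cannot use CNG keys. certutil reports the key's provider: a
    # "Key Storage Provider" string means CNG, a "... Cryptographic Provider"
    # string means a legacy CSP. (Assumption: English provider names.)
    $providerLine = (certutil -store My $cert.Thumbprint | Select-String 'Provider\s*=').Line
    $isCng = [bool]($providerLine -match 'Key Storage Provider')

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        SanNames      = $present
        MissingSans   = $missing
        IsCngKey      = $isCng
        UsableForAdfs = ($cert.HasPrivateKey -and -not $isCng -and $missing.Count -eq 0)
    }
}

Test-AdfsCertificate -SubjectName $FederationServiceName -Sans $RequiredSans
```

If UsableForAdfs comes back False, the MissingSans and IsCngKey fields tell you whether to re-run makecert.ps1 with the missing names or whether the certificate was generated with a CNG provider (for example by New-SelfSignedCertificate) and must be replaced.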

Set the server IP address

Change your server IP address to a static IP address. For the test example, use IP class A, which is / subnet mask: / Default Gateway: / Preferred DNS: (the IP address of your domain controller).

Install the AD FS role service

To install AD FS, follow these steps:

  1. Log on to the physical or virtual machine on which you plan to install AD FS, open Server Manager, and start the Add Roles and Features Wizard.

  2. On the Server Roles page, select the Active Directory Federation Services role, and then click Next.

  3. On the Active Directory Federation Services (AD FS) page, you will see a message that states that the Web Application Proxy role cannot be installed on the same computer as AD FS. Click Next.

  4. Click Install on the confirmation page.

To accomplish the equivalent installation of AD FS via Windows PowerShell, use these commands:

Add-WindowsFeature RSAT-AD-Tools
Add-WindowsFeature ADFS-Federation -IncludeManagementTools

Configure AD FS

Next, configure AD FS by using either Server Manager or Windows PowerShell.

Configure AD FS by using Server Manager

To configure AD FS by using Server Manager, follow these steps:

  1. Open Server Manager.

  2. Click the Notifications flag at the top of the Server Manager window, and then click Configure the federation service on this server.

  3. The Active Directory Federation Services Configuration Wizard launches. On the Connect to AD DS page, enter the domain administrator account that you want to use as the AD FS account, and click Next.

  4. On the Specify Service Properties page, enter the subject name of the SSL certificate to use for AD FS communication. In the test example, this is blueadfs.contoso.com.

  5. Enter the Federation Service name. In the test example, this is blueadfs.contoso.com. Click Next.


    The Federation Service name must not use the name of an existing server in the environment. If you do use the name of an existing server, the AD FS installation will fail and must be restarted.

  6. On the Specify Service Account page, enter the name that you would like to use for the managed service account. For the test example, select Create a Group Managed Service Account, and in Account Name, enter ADFSService. Click Next.

  7. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and click Next.

  8. The Review Options page shows you an overview of the options you have selected. Click Next.

  9. The Pre-requisite Checks page indicates whether all the prerequisite checks passed successfully. If there are no issues, click Configure.


    If you used the name of the AD FS server or any other existing machine for the Federation Service Name, an error message is displayed. You must start the installation over and choose a name other than the name of an existing machine.

  10. When the configuration completes successfully, the Results page confirms that AD FS was successfully configured.

Configure AD FS by using PowerShell

To accomplish the equivalent configuration of AD FS via Windows PowerShell, use the following commands.

To install AD FS:

Add-WindowsFeature RSAT-AD-Tools
Add-WindowsFeature ADFS-Federation -IncludeManagementTools

To create the managed service account:

New-ADServiceAccount "ADFSService" -Server 2016-DC.contoso.com -Path "CN=Managed Service Accounts,DC=Contoso,DC=COM" -DNSHostName 2016-ADFS.contoso.com -ServicePrincipalNames HTTP/2016-ADFS,HTTP/2016-ADFS.contoso.com

After you configure AD FS, you must set up an AD FS farm by using the managed service account that you created in the previous step and the certificate you created in the pre-configuration steps.

To set up an AD FS farm:

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match "blueadfs.contoso.com" } | Sort-Object NotAfter -Descending | Select-Object -First 1
$thumbprint = $cert.Thumbprint
Install-ADFSFarm -CertificateThumbprint $thumbprint -FederationServiceDisplayName "Contoso Corporation" -FederationServiceName blueadfs.contoso.com -GroupServiceAccountIdentifier contoso\ADFSService$ -OverwriteConfiguration -ErrorAction Stop
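Two things commonly trip up the PowerShell path: New-ADServiceAccount can only create a group managed service account once the domain has a KDS root key, and the AD FS server must be able to retrieve the gMSA's password. The block below is an added example and not part of the article; it checks those prerequisites before Install-ADFSFarm and, once the farm has been installed, reads back the farm properties and SSL binding so you can confirm the result. Names are the article's test values; it assumes the ActiveDirectory, Kds and ADFS modules are present on the AD FS server, which the RSAT-AD-Tools and ADFS-Federation features above provide.

```powershell
# Added example (not from the original article): gMSA prerequisite checks before
# Install-ADFSFarm, and a read-back of the farm afterwards.
# Names are the article's test example; replace them for your environment.
$ServiceAccount        = 'ADFSService'
$FederationServiceName = 'blueadfs.contoso.com'

function Test-AdfsGmsaPrerequisites {
    param([string]$AccountName)
    Import-Module ActiveDirectory -ErrorAction Stop

    # A gMSA can only be created once the domain has a KDS root key. On a new
    # domain, run Add-KdsRootKey on a domain controller first; a new key is not
    # usable until its effective time has passed and it has replicated.
    $kdsKey        = Get-KdsRootKey -ErrorAction SilentlyContinue
    $hasKdsRootKey = [bool]$kdsKey

    # The account must exist, and this host must be allowed to retrieve its
    # password (Test-ADServiceAccount answers that for the local computer).
    $gmsa = Get-ADServiceAccount -Filter "Name -eq '$AccountName'" `
                -Properties PrincipalsAllowedToRetrieveManagedPassword
    $canRetrieve = if ($gmsa) { [bool](Test-ADServiceAccount -Identity $AccountName) } else { $false }

    [pscustomobject]@{
        HasKdsRootKey           = $hasKdsRootKey
        AccountExists           = [bool]$gmsa
        HostCanRetrievePassword = $canRetrieve
        AllowedPrincipals       = $gmsa.PrincipalsAllowedToRetrieveManagedPassword
        Ready                   = ($hasKdsRootKey -and [bool]$gmsa -and $canRetrieve)
    }
}

function Get-AdfsFarmSummary {
    param([string]$ServiceName)
    Import-Module ADFS -ErrorAction Stop

    # Farm-wide properties and the HTTPS binding for the federation service name.
    $props = Get-AdfsProperties
    $ssl   = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $ServiceName }

    [pscustomobject]@{
        FederationServiceName = $props.HostName
        Identifier            = $props.Identifier
        SslBindingFound       = [bool]$ssl
        SslCertThumbprint     = $ssl.CertificateHash
        NameMatches           = ($props.HostName -eq $ServiceName)
    }
}

# Run before Install-ADFSFarm; every field should be True before proceeding.
Test-AdfsGmsaPrerequisites -AccountName $ServiceAccount

# Run after Install-ADFSFarm has completed.
Get-AdfsFarmSummary -ServiceName $FederationServiceName
```

If HostCanRetrievePassword is False, compare AllowedPrincipals with the AD FS server's computer account: the server can only start the AD FS service under the gMSA if it is listed there, directly or through a group. After Install-ADFSFarm, SslCertThumbprint should equal the $thumbprint value you passed in.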

Next step: Deploy Work Folders with AD FS and Web Application Proxy: Step 2, AD FS Post-Configuration Work

