Deploy Work Folders with AD FS and Web Application Proxy: Step 2, AD FS Post-Configuration Work

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the second step in deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. You can find the other steps in this process in these topics:

Note

The instructions covered in this section are for a Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

In step 1, you installed and configured AD FS. Now, you need to perform the following post-configuration steps for AD FS.

Configure DNS entries

You must create two DNS entries for AD FS. These are the same two entries that were used in the pre-installation steps when you created the subject alternative name (SAN) certificate.

The DNS entries are in the form:

  • AD FS service name.domain

  • enterpriseregistration.domain

  • AD FS server name.domain (this DNS entry should already exist, e.g., 2016-ADFS.contoso.com)

In the test example, the values are:

  • blueadfs.contoso.com

  • enterpriseregistration.contoso.com

Create the A and CNAME records for AD FS

To create the A and CNAME records for AD FS, follow these steps:

  1. On your domain controller, open DNS Manager.

  2. Expand the Forward Lookup Zones folder, right-click your domain, and select New Host (A).

  3. The New Host window opens. In the Name field, enter the alias for the AD FS service name. In the test example, this is blueadfs.

    The alias must be the same as the subject in the certificate that was used for AD FS. For example, if the subject was adfs.contoso.com, then the alias entered here would be adfs.

    Important

    When you set up AD FS by using the Windows Server user interface (UI) instead of Windows PowerShell, you must create an A record instead of a CNAME record for AD FS. The reason is that the service principal name (SPN) that is created via the UI contains only the alias that is used to set up the AD FS service as the host.

  4. In IP address, enter the IP address for the AD FS server. In the test example, this is 192.168.0.160. Click Add Host.

  5. In the Forward Lookup Zones folder, right-click your domain again, and select New Alias (CNAME).

  6. In the New Resource Record window, add the alias name enterpriseregistration and enter the FQDN for the AD FS server. This alias is used for Device Join and must be called enterpriseregistration.

  7. Click OK.

To accomplish the equivalent steps via Windows PowerShell, use the following commands. The commands must be executed on the domain controller.

Add-DnsServerResourceRecord -ZoneName "contoso.com" -Name blueadfs -A -IPv4Address 192.168.0.160
Add-DnsServerResourceRecord -ZoneName "contoso.com" -Name enterpriseregistration -CName -HostNameAlias 2016-ADFS.contoso.com
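The following script is an added example, not part of the original page: it creates the two records idempotently on the domain controller, refuses to proceed if the service name already exists as a CNAME (the A-record requirement from the note above), then verifies both names and the host/ SPN the way a client would see them. It assumes the page's test values (zone contoso.com, alias blueadfs at 192.168.0.160, host 2016-ADFS.contoso.com) and the DnsServer and ActiveDirectory modules.

```powershell
# Added example, not part of the original page. Run on the domain controller.
# Assumes the page's test values: zone contoso.com, service alias blueadfs at
# 192.168.0.160, AD FS host 2016-ADFS.contoso.com.
$Zone     = "contoso.com"
$Alias    = "blueadfs"                 # must equal the host label of the certificate subject
$AdfsIp   = "192.168.0.160"
$AdfsHost = "2016-ADFS.contoso.com"

# The service name must be an A record. Stop if someone created it as a CNAME,
# because the SPN registered by a UI-based setup only matches the alias as a host.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Alias -ErrorAction SilentlyContinue
if ($existing | Where-Object RecordType -eq "CNAME") {
    throw "$Alias.$Zone exists as a CNAME; delete it and create an A record instead."
}
if (-not ($existing | Where-Object RecordType -eq "A")) {
    Add-DnsServerResourceRecord -ZoneName $Zone -Name $Alias -A -IPv4Address $AdfsIp
}

# The device-registration name is a CNAME to the AD FS host (create only if missing).
$reg = Get-DnsServerResourceRecord -ZoneName $Zone -Name "enterpriseregistration" -RRType CName -ErrorAction SilentlyContinue
if (-not $reg) {
    Add-DnsServerResourceRecord -ZoneName $Zone -Name "enterpriseregistration" -CName -HostNameAlias $AdfsHost
}

# Verify what a client resolver will actually see.
$a = Resolve-DnsName -Name "$Alias.$Zone" -Type A -ErrorAction Stop | Where-Object Type -eq "A"
if ($a.IPAddress -ne $AdfsIp) { throw "$Alias.$Zone resolves to '$($a.IPAddress)', expected $AdfsIp" }

$c = Resolve-DnsName -Name "enterpriseregistration.$Zone" -Type CNAME -ErrorAction Stop | Where-Object Type -eq "CNAME"
if ($c.NameHost -ne $AdfsHost) { throw "enterpriseregistration.$Zone is not a CNAME to $AdfsHost" }

# Integrated Windows authentication to the federation service needs the
# host/<service name> SPN registered on exactly one account; report who owns it.
$spn = "host/$Alias.$Zone"
$spnOwner = Get-ADObject -Filter "servicePrincipalName -eq '$spn'"
if (-not $spnOwner) {
    Write-Warning "$spn is not registered on any account; check the AD FS service account SPNs"
} else {
    "$spn is registered on $($spnOwner.DistinguishedName)"
}
"DNS records for $Alias.$Zone and enterpriseregistration.$Zone verified."
```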

Set up the AD FS relying party trust for Work Folders

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn't been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you're in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

  1. Open Server Manager, and on the Tools menu, select AD FS Management.

  2. In the right-hand pane, under Actions, click Add Relying Party Trust.

  3. On the Welcome page, select Claims aware and click Start.

  4. On the Select Data Source page, select Enter data about the relying party manually, and then click Next.

  5. In the Display name field, enter WorkFolders, and then click Next.

  6. On the Configure Certificate page, click Next. The token encryption certificates are optional, and are not needed for the test configuration.

  7. On the Configure URL page, click Next.

  8. On the Configure Identifiers page, add the following identifier: https://windows-server-work-folders/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.

  9. On the Choose Access Control Policy page, select Permit Everyone, and then click Next.

  10. On the Ready to Add Trust page, click Next.

  11. After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.

  12. In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.

  13. The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.

  14. In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.

  15. On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.

  16. In the Attribute store drop-down list, select Active Directory.

  17. In the mapping table, enter these values:

    • User-Principal-Name: UPN

    • Display Name: Name

    • Surname: Surname

    • Given-Name: Given Name

  18. Click Finish. You'll see the WorkFolders rule listed on the Issuance Transform Rules tab. Click OK.

Set relying party trust options

After the relying party trust has been set up for AD FS, you must finish the configuration by running five commands in Windows PowerShell. These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can't be set through the UI. These options are:

  • Enable the use of JSON web tokens (JWTs)

  • Disable encrypted claims

  • Enable auto-update

  • Set the issuing of OAuth refresh tokens to All Devices

  • Grant clients access to the relying party trust

To set these options, use the following commands:

Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -EnableJWT $true
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -Encryptclaims $false
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -AutoupdateEnabled $true
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://windows-server-work-folders/V1" -IssueOAuthRefreshTokensTo AllDevices
Grant-AdfsApplicationPermission -ServerRoleIdentifier "https://Windows-Server-Work-Folders/V1" -AllowAllRegisteredClients
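As an added example (not code from the original page), this script does the relying party trust wizard steps and the five option commands above in one pass on the AD FS server, and then reads the trust back to confirm every setting took effect. It assumes the built-in "Permit everyone" access control policy exists under that name, and writes the "Send LDAP Attributes as Claims" rule for UPN, Name, Surname and Given Name in claim rule language.

```powershell
# Added example, not part of the original page. Run elevated on the AD FS server.
# Reproduces the wizard: display name WorkFolders, the hard-coded identifier,
# "Permit everyone" access control, and the four LDAP attribute claims.
$Identifier = "https://windows-server-work-folders/V1"

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" rule.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "WorkFolders"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
          query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);
'@

# Create the trust only if it does not exist yet (safe to rerun).
if (-not (Get-AdfsRelyingPartyTrust -Identifier $Identifier)) {
    Add-AdfsRelyingPartyTrust -Name "WorkFolders" -Identifier $Identifier `
        -AccessControlPolicyName "Permit everyone" -IssuanceTransformRules $Rules
}

# The five settings from the page that the UI cannot set.
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -EnableJWT $true
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -EncryptClaims $false
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -AutoUpdateEnabled $true
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -IssueOAuthRefreshTokensTo AllDevices
Grant-AdfsApplicationPermission -ServerRoleIdentifier $Identifier -AllowAllRegisteredClients

# Read the trust back and fail loudly on any setting that did not stick.
$rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
$expected = @{
    EnableJWT                 = $true
    EncryptClaims             = $false
    AutoUpdateEnabled         = $true
    IssueOAuthRefreshTokensTo = "AllDevices"
}
foreach ($k in $expected.Keys) {
    if ("$($rp.$k)" -ne "$($expected[$k])") {
        throw "$k is '$($rp.$k)', expected '$($expected[$k])'"
    }
}
if (-not $rp.IssuanceTransformRules) { throw "No issuance transform rules on the WorkFolders trust" }
"Relying party trust '$($rp.Name)' configured for $($rp.Identifier -join ', ')"
```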

Enable Workplace Join

Enabling Workplace Join is optional, but it can be useful when you want users to be able to use their personal devices to access workplace resources.

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName <your AD FS service account>
    Example: Initialize-ADDeviceRegistration -ServiceAccountName contoso\adfsservice$
Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Export the AD FS certificate

Next, export the self-signed AD FS certificate so that it can be installed on the following machines in the test environment:

  • The server that is used for Work Folders

  • The server that is used for Web Application Proxy

  • The domain-joined Windows client

  • The non-domain-joined Windows client

To export the certificate, follow these steps:

  1. Click Start, and then click Run.

  2. Type MMC.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

  5. Select Computer account, and then click Next.

  6. Select Local computer: (the computer this console is running on), and then click Finish.

  7. Click OK.

  8. Expand the folder Console Root\Certificates(Local Computer)\Personal\Certificates.

  9. Right-click the AD FS certificate, click All Tasks, and then click Export....

  10. The Certificate Export Wizard opens. Select Yes, export the private key.

  11. On the Export File Format page, leave the default options selected, and click Next.

  12. Create a password for the certificate. This is the password that you'll use later when you import the certificate to other devices. Click Next.

  13. Enter a location and name for the certificate, and then click Finish.

Installation of the certificate is covered later in the deployment procedure.

Manage the private key setting

You must give the AD FS service account permission to access the private key of the new certificate. You will need to grant this permission again when you replace the communication certificate after it expires. To grant permission, follow these steps:

  1. Click Start, and then click Run.

  2. Type MMC.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

  5. Select Computer account, and then click Next.

  6. Select Local computer: (the computer this console is running on), and then click Finish.

  7. Click OK.

  8. Expand the folder Console Root\Certificates(Local Computer)\Personal\Certificates.

  9. Right-click the AD FS certificate, click All Tasks, and then click Manage Private Keys.

  10. In the Permissions window, click Add.

  11. In the Object Types window, select Service Accounts, and then click OK.

  12. Type the name of the account that is running AD FS. In the test example, this is ADFSService. Click OK.

  13. In the Permissions window, give the account at least read permissions, and click OK.

If you don't have the option to manage private keys, you might need to run the following command: certutil -repairstore my *
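The following script is an added example, not part of the original page, and serves both the export steps and the private-key permission steps above: it exports the AD FS certificate with its private key to a PFX, grants the service account Read on the key file (the PowerShell equivalent of Manage Private Keys) and verifies the ACE. It assumes the page's test values (a certificate naming blueadfs.contoso.com and the service account contoso\ADFSService), a constructed output path, and that the key is a software key stored under ProgramData\Microsoft\Crypto.

```powershell
# Added example, not part of the original page. Run elevated on the AD FS server.
# Assumes the page's test values: the AD FS certificate names blueadfs.contoso.com
# and the service account is contoso\ADFSService. The PFX path is constructed.
$ServiceName    = "blueadfs.contoso.com"
$ServiceAccount = "contoso\ADFSService"
$PfxPath        = "C:\Temp\adfs-blueadfs.pfx"

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $ServiceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ServiceName in LocalMachine\My" }

# Export with the private key (the wizard's "Yes, export the private key"). The same
# password is needed when importing on the Work Folders server, the proxy and the clients.
$pw = Read-Host -Prompt "Password to protect the PFX" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
"Exported $($cert.Thumbprint) to $PfxPath"

# Grant the service account Read on the private key file. Software keys live under
# Crypto\Keys (CNG) or Crypto\RSA\MachineKeys (CSP); look in both.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @("Microsoft\Crypto\Keys", "Microsoft\Crypto\RSA\MachineKeys") |
    ForEach-Object { Join-Path $env:ProgramData "$_\$keyName" } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found; try 'certutil -repairstore my *' and rerun" }

$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the ACE is present. Read is all AD FS needs to use the key; do not grant more.
$ace = (Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and $_.FileSystemRights -match "Read" }
if (-not $ace) { throw "$ServiceAccount did not receive Read on $keyFile" }
"$ServiceAccount has $($ace.FileSystemRights) on the private key of $($cert.Subject)"
```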

Verify that AD FS is operational

To verify that AD FS is operational, open a browser window and go to https://blueadfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.

The browser window will display the federation server metadata without any formatting. If you can see the data without any SSL errors or warnings, your federation server is operational.
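As an added example (not part of the original page), this script performs the same check without a browser and goes one step further: it fetches the metadata URL above, treats any TLS failure as the error the page tells you to watch for, confirms the entityID names the expected federation service, and compares the token-signing certificate published in the metadata with the primary Token-Signing certificate when run on the AD FS server. It assumes the test name blueadfs.contoso.com.

```powershell
# Added example, not part of the original page. Assumes the page's test
# federation service name blueadfs.contoso.com. Runs from any machine that
# trusts the AD FS certificate; the last check only runs on the AD FS server.
$FederationService = "blueadfs.contoso.com"
$Url = "https://$FederationService/federationmetadata/2007-06/federationmetadata.xml"

# Invoke-WebRequest throws on certificate errors, which is the failure to look for.
try {
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Could not fetch $Url (TLS, DNS or service problem): $($_.Exception.Message)"
}

[xml]$md = $resp.Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# The entityID is the federation service identifier, normally https://<name>/adfs/services/trust.
$entity = $md.SelectSingleNode("/md:EntityDescriptor", $ns).entityID
if ($entity -ne "https://$FederationService/adfs/services/trust") {
    Write-Warning "entityID is '$entity'; check the federation service name"
}

# Relying parties such as Work Folders validate tokens against the signing
# certificate published here, so record which one is being advertised.
$sigB64  = $md.SelectSingleNode("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns).InnerText
$sigCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([Convert]::FromBase64String($sigB64.Trim()))
"$entity publishes token-signing certificate $($sigCert.Thumbprint), valid until $($sigCert.NotAfter)"

# On the AD FS server, confirm the published certificate is the primary Token-Signing one.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    if ($primary.Thumbprint -ne $sigCert.Thumbprint) {
        Write-Warning "Published signing certificate differs from the primary Token-Signing certificate"
    } else {
        "Published signing certificate matches the primary Token-Signing certificate"
    }
}
```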

Next step: Deploy Work Folders with AD FS and Web Application Proxy: Step 3, Set Up Work Folders

See Also

Work Folders Overview