Deploy Work Folders with AD FS and Web Application Proxy: Step 3, Set-up Work Folders

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the third step in deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. You can find the other steps in this process in these topics:

Note

The instructions covered in this section are for a Windows Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

To set up Work Folders, use the following procedures.

Pre-installation work

In order to install Work Folders, you must have a server that is joined to the domain and running Windows Server 2016. The server must have a valid network configuration.

For the test example, join the machine that will run Work Folders to the Contoso domain and set up the network interface as described in the following sections.

Set the server IP address

Change your server IP address to a static IP address. For the test example, use a class A IP configuration: 192.168.0.170 / subnet mask: 255.255.0.0 / default gateway: 192.168.0.1 / preferred DNS: 192.168.0.150 (the IP address of your domain controller).

Create the CNAME record for Work Folders

To create the CNAME record for Work Folders, follow these steps:

  1. On your domain controller, open DNS Manager.

  2. Expand the Forward Lookup Zones folder, right-click your domain, and click New Alias (CNAME).

  3. In the New Resource Record window, in the Alias name field, enter the alias for Work Folders. In the test example, this is workfolders.

  4. In the Fully qualified domain name field, the value should be workfolders.contoso.com.

  5. In the Fully qualified domain name for target host field, enter the FQDN of the Work Folders server. In the test example, this is 2016-WF.contoso.com.

  6. Click OK.

To accomplish the equivalent steps via Windows PowerShell, use the following command. The command must be executed on the domain controller.

    Add-DnsServerResourceRecord -ZoneName "contoso.com" -Name workfolders -CName -HostNameAlias 2016-wf.contoso.com

Install the AD FS certificate

Install the AD FS certificate that was created during AD FS setup into the local computer certificate store, using these steps:

  1. Click Start, and then click Run.

  2. Type MMC.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

  5. Select Computer account, and then click Next.

  6. Select Local computer: (the computer this console is running on), and then click Finish.

  7. Click OK.

  8. Expand the folder Console Root\Certificates(Local Computer)\Personal\Certificates.

  9. Right-click Certificates, click All Tasks, and then click Import.

  10. Browse to the folder that contains the AD FS certificate, and follow the instructions in the wizard to import the file and place it in the Personal certificate store.

  11. Expand the folder Console Root\Certificates(Local Computer)\Trusted Root Certification Authorities\Certificates.

  12. Right-click Certificates, click All Tasks, and then click Import.

  13. Browse to the folder that contains the AD FS certificate, and follow the instructions in the wizard to import the file and place it in the Trusted Root Certification Authorities store.

Create the Work Folders self-signed certificate

To create the Work Folders self-signed certificate, follow these steps:

  1. Download the scripts provided in the Deploying Work Folders with AD FS and Web Application Proxy blog post, and then copy the file makecert.ps1 to the Work Folders machine.

  2. Open a Windows PowerShell window with admin privileges.

  3. Set the execution policy to unrestricted:

    PS C:\temp\scripts> Set-ExecutionPolicy -ExecutionPolicy Unrestricted

  4. Change to the directory where you copied the script.

  5. Execute the makecert script:

    PS C:\temp\scripts> .\makecert.ps1

  6. When you are prompted to change the certificate subject, enter the new value for the subject. In this example, the value is workfolders.contoso.com.

  7. When you are prompted to enter subject alternative name (SAN) names, press Y and then enter the SAN names, one at a time.

    For this example, type workfolders.contoso.com and press Enter. Then type 2016-WF.contoso.com and press Enter.

    When all of the SAN names have been entered, press Enter on an empty line.

  8. When you are prompted to install the certificate in the Trusted Root Certification Authorities store, press Y.

The Work Folders certificate must be a SAN certificate with the following values:

  • workfolders.domain

  • machine name.domain

In the test example, the values are:

  • workfolders.contoso.com

  • 2016-WF.contoso.com
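A quick way to confirm that the certificate the makecert script produced actually meets the SAN requirement above is to read the Subject Alternative Name extension back from the store. This is an added check, not part of the original article or the blog post scripts; it assumes the test-example names (change $RequiredNames for your own environment) and the English rendering of the extension text ("DNS Name=...") that Windows produces.

```powershell
# Added check (not from the original article): verify that the Work Folders certificate in
# the local machine Personal store carries both required SAN entries and is currently valid.
function Test-WorkFoldersCertificate {
    param(
        [string]   $Subject       = 'workfolders.contoso.com',
        [string[]] $RequiredNames = @('workfolders.contoso.com', '2016-WF.contoso.com'),
        [string]   $StorePath     = 'Cert:\LocalMachine\My'
    )
    # Same selection rule as the binding scripts later in this step: newest certificate for the subject
    $cert = Get-ChildItem $StorePath |
        Where-Object { $_.Subject -match [regex]::Escape($Subject) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Found = $false; Thumbprint = $null; SanNames = @();
                                  MissingNames = $RequiredNames; Valid = $false }
    }
    # OID 2.5.29.17 is the Subject Alternative Name extension. Format($false) renders it on one
    # line, e.g. "DNS Name=workfolders.contoso.com, DNS Name=2016-WF.contoso.com" (assumed English text)
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $dnsNames = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    # DNS names are case-insensitive; PowerShell's -notcontains is case-insensitive by default
    $missing  = @($RequiredNames | Where-Object { $dnsNames -notcontains $_ })
    $now = Get-Date
    [pscustomobject]@{
        Found        = $true
        Thumbprint   = $cert.Thumbprint
        SanNames     = @($dnsNames)
        MissingNames = $missing
        Valid        = ($missing.Count -eq 0 -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    }
}

Test-WorkFoldersCertificate
```

A result with Valid = False and a non-empty MissingNames list means the script was answered with the wrong SAN names in step 7 and the certificate should be regenerated before it is bound to port 443.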

Install Work Folders

To install the Work Folders role, follow these steps:

  1. Open Server Manager, click Add roles and features, and click Next.

  2. On the Installation Type page, select Role-based or feature-based installation, and click Next.

  3. On the Server Selection page, select the current server, and click Next.

  4. On the Server Roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.

  5. On the Add Roles and Features Wizard page, click Add Features, and click Next.

  6. On the Features page, click Next.

  7. On the Confirmation page, click Install.

Configure Work Folders

To configure Work Folders, follow these steps:

  1. Open Server Manager.

  2. Select File and Storage Services, and then select Work Folders.

  3. On the Work Folders page, start the New Sync Share Wizard, and click Next.

  4. On the Server and Path page, select the server where the sync share will be created, enter a local path where the Work Folders data will be stored, and click Next.

    If the path doesn't exist, you'll be prompted to create it. Click OK.

  5. On the User Folder Structure page, select User alias, and then click Next.

  6. On the Sync Share Name page, enter the name for the sync share. For the test example, this is WorkFolders. Click Next.

  7. On the Sync Access page, add the users or groups that will have access to the new sync share. For the test example, grant access to all domain users. Click Next.

  8. On the PC Security Policies page, select Encrypt work folders and Automatically lock page and require a password. Click Next.

  9. On the Confirmation page, click Create to finish the configuration process.

Work Folders post-configuration work

To finish setting up Work Folders, complete these additional steps:

  • Bind the Work Folders certificate to the SSL port

  • Configure Work Folders to use AD FS authentication

  • Export the Work Folders certificate (if you are using a self-signed certificate)

Bind the certificate

Work Folders communicates only over SSL and must have the self-signed certificate that you created earlier (or one that your certificate authority issued) bound to the port.

There are two methods that you can use to bind the certificate to the port via Windows PowerShell: IIS cmdlets and netsh.

Bind the certificate by using netsh

To use the netsh command-line scripting utility from Windows PowerShell, you must pipe the command to netsh. The following example script finds the certificate with the subject workfolders.contoso.com and binds it to port 443 by using netsh:

    $subject = "workfolders.contoso.com"
    Try
    {
        # In case there are multiple certificates with the same subject, get the one that expires last.
        # The subject is regex-escaped so the dots in the name match literally.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match [regex]::Escape($subject) } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        # Reading .Thumbprint from $null does not raise an error, so fail explicitly when nothing matched
        if (-not $cert) { throw "no certificate found" }
        $thumbprint = $cert.Thumbprint
        # appid is the Work Folders application ID; certstorename=MY is the local machine Personal store
        $Command = "http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY"
        $Command | netsh
    }
    Catch
    {
        "     Error: unable to locate certificate for $($subject)"
        Exit
    }

Bind the certificate by using IIS cmdlets

You can also bind the certificate to the port by using the IIS management cmdlets, which are available if you installed the IIS management tools and scripts.

Note

Installing the IIS management tools doesn't enable the full version of Internet Information Services (IIS) on the Work Folders machine; it only enables the management cmdlets. This setup is useful if you're looking for cmdlets that provide the functionality you get from netsh. When the certificate is bound to the port via the New-WebBinding cmdlet, the binding is not dependent on IIS in any way. After you do the binding, you can even remove the Web-Mgmt-Console feature, and the certificate will still be bound to the port. You can verify the binding via netsh by typing netsh http show sslcert.

The following example uses the New-WebBinding cmdlet to find the certificate with the subject workfolders.contoso.com and bind it to port 443:

    $subject = "workfolders.contoso.com"
    Try
    {
        # In case there are multiple certificates with the same subject, get the one that expires last.
        # The subject is regex-escaped so the dots in the name match literally.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match [regex]::Escape($subject) } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        # Reading .Thumbprint from $null does not raise an error, so fail explicitly when nothing matched
        if (-not $cert) { throw "no certificate found" }
        $thumbprint = $cert.Thumbprint
        # The default IIS website name must be used for the binding. Because Work Folders uses Hostable
        # Web Core and its own configuration file, its website name, 'ECSsite', will not work with the
        # cmdlet. The workaround is to use the default IIS website name, even though IIS is not enabled,
        # because the New-WebBinding cmdlet looks for a site in the default IIS configuration file.
        New-WebBinding -Name "Default Web Site" -IP * -Port 443 -Protocol https
        # Attach the certificate to the binding through the IIS:\SslBindings provider
        Push-Location IIS:\SslBindings
        Get-Item Cert:\LocalMachine\My\$thumbprint | New-Item *!443
        Pop-Location
    }
    Catch
    {
        "     Error: unable to locate certificate for $($subject)"
        Exit
    }
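Whichever of the two binding methods you used, the note above points at netsh http show sslcert as the way to confirm the result. The following function automates that check by parsing the netsh output for 0.0.0.0:443 and comparing the bound certificate hash (and the application ID) with what the scripts above were meant to install. It is an added example, not code from the original article; it assumes the test-example subject and the English wording of the netsh output.

```powershell
# Added check (not from the original article): confirm that port 443 is bound to the Work Folders
# certificate and, for the netsh method, to the Work Folders application ID used in the script above.
function Test-WorkFoldersSslBinding {
    param(
        [string] $Subject = 'workfolders.contoso.com',
        [string] $IpPort  = '0.0.0.0:443',
        [string] $AppId   = '{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}'
    )
    # Select the certificate with the same rule the binding scripts use
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($Subject) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject $Subject in Cert:\LocalMachine\My" }

    # netsh prints one block per binding; the lines of interest look like (English Windows assumed):
    #     Certificate Hash             : <40 hex characters>
    #     Application ID               : {ce66697b-3aa0-49d1-bdbd-a25c8359fd5d}
    $lines = netsh http show sslcert ipport=$IpPort

    $hashLine = $lines | Where-Object { $_ -match 'Certificate Hash\s*:\s*[0-9A-Fa-f]{40}' } | Select-Object -First 1
    $boundHash = if ($hashLine -and $hashLine -match '([0-9A-Fa-f]{40})') { $Matches[1] } else { $null }

    $appLine = $lines | Where-Object { $_ -match 'Application ID\s*:\s*\{[0-9A-Fa-f-]+\}' } | Select-Object -First 1
    $boundAppId = if ($appLine -and $appLine -match '(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }

    [pscustomobject]@{
        IpPort             = $IpPort
        ExpectedThumbprint = $cert.Thumbprint
        BoundThumbprint    = $boundHash
        BoundAppId         = $boundAppId
        # Thumbprints and GUIDs are compared case-insensitively; netsh prints them in lower case
        CertificateMatches = [bool]($boundHash -and ($boundHash -ieq $cert.Thumbprint))
        AppIdMatches       = [bool]($boundAppId -and ($boundAppId -ieq $AppId))
    }
}

Test-WorkFoldersSslBinding
```

CertificateMatches = False with a non-empty BoundThumbprint means port 443 is already held by a different certificate and the add sslcert command will have failed. If you bound the certificate with the IIS cmdlets rather than netsh, the application ID recorded on the binding is the one IIS assigns, so only CertificateMatches is meaningful in that case.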

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

  1. Open Server Manager.

  2. Click Servers, and then select your Work Folders server in the list.

  3. Right-click the server name, and click Work Folders Settings.

  4. In the Work Folders Settings window, select Active Directory Federation Services, and type in the Federation Service URL. Click Apply.

    In the test example, the URL is https://blueadfs.contoso.com.

The cmdlet to accomplish the same task via Windows PowerShell is:

    Set-SyncServerSetting -ADFSUrl "https://blueadfs.contoso.com"

If you're setting up AD FS with self-signed certificates, you might receive an error message that says the Federation Service URL is incorrect, unreachable, or that a relying party trust has not been set up.

This error can also happen if the AD FS certificate was not installed on the Work Folders server or if the CNAME for AD FS was not set up correctly. You must correct these issues before proceeding.

Export the Work Folders certificate

The self-signed Work Folders certificate must be exported so that you can later install it on the following machines in the test environment:

  • The server that is used for Web Application Proxy

  • The domain-joined Windows client

  • The non-domain-joined Windows client

To export the certificate, follow the same steps you used to export the AD FS certificate earlier, as described in Deploy Work Folders with AD FS and Web Application Proxy: Step 2, AD FS Post-Configuration Work, under Export the AD FS certificate.

Next step: Deploy Work Folders with AD FS and Web Application Proxy: Step 4, Set Up Web Application Proxy

See Also

Work Folders Overview