Manage AD FS trust with Azure AD using Azure AD Connect


Azure AD Connect can manage the federation between on-premises Active Directory Federation Services (AD FS) and Azure AD. This article provides an overview of:

  • The settings that Azure AD Connect configures on the trust
  • The issuance transform rules (claim rules) that Azure AD Connect sets
  • How to back up and restore your claim rules across upgrades and configuration updates

Settings controlled by Azure AD Connect

Azure AD Connect manages only the settings related to the Azure AD trust. It does not modify any settings on other relying party trusts in AD FS. The following table lists the settings that Azure AD Connect controls.

Setting: Description

  Token signing certificate: Azure AD Connect can be used to reset and recreate the trust with Azure AD. When it does so, it performs a one-time, immediate rollover of the AD FS token signing certificate and updates the Azure AD domain federation settings. Other relying party trusts must be updated separately to use the new token signing certificate.
  Token signing algorithm: Microsoft recommends SHA-256 as the token signing algorithm. Azure AD Connect detects whether the token signing algorithm is set to a value less secure than SHA-256 and updates the setting to SHA-256 in the next configuration operation that touches the trust.
  Azure AD trust identifier: Azure AD Connect sets the correct identifier value for the Azure AD trust. AD FS uniquely identifies the Azure AD trust by this identifier value.
  Azure AD endpoints: Azure AD Connect makes sure that the endpoints configured for the Azure AD trust always match the latest recommended values for resiliency and performance.
  Issuance transform rules: A number of claim rules are needed for the features of Azure AD to work correctly in a federated setup. Azure AD Connect makes sure that the Azure AD trust is always configured with the recommended set of claim rules.
  Alternate-id: If sync is configured to use an alternate-id, Azure AD Connect configures AD FS to authenticate using the alternate-id.
  Automatic metadata update: The trust with Azure AD is configured for automatic metadata update. AD FS periodically checks the metadata of the Azure AD trust and keeps it up to date if it changes on the Azure AD side.
  Integrated Windows Authentication (IWA): During the Hybrid Azure AD join operation, IWA is enabled for device registration so that downlevel devices can complete Hybrid Azure AD join.
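The settings above are what Azure AD Connect will rewrite on its next configuration pass, so it is worth seeing their current state before that happens. The following PowerShell is an added example, not code from the article or from Azure AD Connect, that reads those settings from the Azure AD relying party trust with the standard ADFS module cmdlets and reports drift (for example a trust still signing with SHA-1, or metadata monitoring switched off). It assumes it is run in an elevated session on an AD FS server and that the trust still carries the default display name "Microsoft Office 365 Identity Platform"; change $TrustName if yours was renamed.

```powershell
# Added example: audit the Azure AD trust settings that Azure AD Connect owns.
# Not part of Azure AD Connect; uses only the standard ADFS module cmdlets.
# Assumptions: run elevated on an AD FS server; the trust uses the default
# display name below (change $TrustName if yours was renamed).
Import-Module ADFS

$TrustName = 'Microsoft Office 365 Identity Platform'
$Sha256Uri = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

function Get-AzureAdTrustReport {
    param([string]$Name = $TrustName)

    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' was not found." }

    $problems = @()

    # Token signing algorithm: anything weaker than RSA-SHA256 is what Azure AD
    # Connect will rewrite on its next configuration operation.
    if ($rp.SignatureAlgorithm -ne $Sha256Uri) {
        $problems += "SignatureAlgorithm is '$($rp.SignatureAlgorithm)'; expected '$Sha256Uri'."
    }

    # Automatic metadata update: monitoring and auto-update must both be on, and a
    # metadata URL must be present for AD FS to pull changes from the Azure AD side.
    if (-not ($rp.MonitoringEnabled -and $rp.AutoUpdateEnabled)) {
        $problems += "Automatic metadata update is off (MonitoringEnabled=$($rp.MonitoringEnabled), AutoUpdateEnabled=$($rp.AutoUpdateEnabled))."
    }
    if (-not $rp.MetadataUrl) {
        $problems += 'MetadataUrl is empty, so automatic metadata update cannot work.'
    }

    # Issuance transform rules: pull the rule names out of the rule set so a missing
    # or renamed rule stands out when compared with the list in this article.
    $ruleNames = [regex]::Matches("$($rp.IssuanceTransformRules)", '@RuleName\s*=\s*"([^"]+)"') |
        ForEach-Object { $_.Groups[1].Value }

    # Token signing certificates: after a rollover there is a primary and possibly a
    # secondary; show both with expiry so the next rollover can be planned.
    $signingCerts = Get-AdfsCertificate -CertificateType Token-Signing |
        ForEach-Object { "Primary=$($_.IsPrimary) Thumbprint=$($_.Thumbprint) NotAfter=$($_.Certificate.NotAfter)" }

    [pscustomobject]@{
        Trust              = $rp.Name
        Identifier         = ($rp.Identifier -join ', ')
        SignatureAlgorithm = $rp.SignatureAlgorithm
        AutoUpdate         = [bool]($rp.MonitoringEnabled -and $rp.AutoUpdateEnabled)
        MetadataUrl        = "$($rp.MetadataUrl)"
        RuleNames          = @($ruleNames)
        TokenSigningCerts  = @($signingCerts)
        Problems           = $problems
    }
}

$report = Get-AzureAdTrustReport
$report | Format-List

# Remediation for the algorithm finding; Azure AD Connect would apply the same
# change on its next configuration run. Uncomment to apply it now:
# Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm $Sha256Uri
```

The report deliberately does not try to validate the trust identifier or the endpoint URLs against fixed values, because the correct values are not stated in this article; compare them with the AadTrust-<date>-<time>.txt backup that Azure AD Connect wrote on its last run.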

Execution flows and federation settings configured by Azure AD Connect

Azure AD Connect does not update every Azure AD trust setting in every configuration flow. Which settings are modified depends on the task or execution flow being run. The following table lists the settings affected by each execution flow.

Execution flow: Settings affected

  First pass installation (express): None
  First pass installation (new AD FS farm): A new AD FS farm is created and a trust with Azure AD is created from scratch.
  First pass installation (existing AD FS farm, existing Azure AD trust): Azure AD trust identifier, issuance transform rules, Azure AD endpoints, alternate-id (if necessary), automatic metadata update
  Reset Azure AD trust: Token signing certificate, token signing algorithm, Azure AD trust identifier, issuance transform rules, Azure AD endpoints, alternate-id (if necessary), automatic metadata update
  Add federation server: None
  Add WAP server: None
  Device options: Issuance transform rules, IWA for device registration
  Add federated domain: If a domain is being added for the first time, that is, the setup is changing from single-domain to multi-domain federation, Azure AD Connect recreates the trust from scratch. If the trust with Azure AD is already configured for multiple domains, only the issuance transform rules are modified.
  Update TLS: None

During every operation that modifies any of these settings, Azure AD Connect makes a backup of the current trust settings at %ProgramData%\AADConnect\ADFS.

[Screenshot: Azure AD Connect page showing the message about the backup of the existing Azure AD trust]


Prior to version 1.1.873.0, the backup consisted only of the issuance transform rules, and they were backed up in the wizard trace log file.

Issuance transform rules set by Azure AD Connect

Azure AD Connect makes sure that the Azure AD trust is always configured with the recommended set of claim rules. Microsoft recommends using Azure AD Connect to manage your Azure AD trust. This section lists the issuance transform rules it sets and describes each one.

Rule name: Description

  Issue UPN: Queries the value of userprincipalname from the attribute configured for userprincipalname in the sync settings.
  Query objectguid and msdsconsistencyguid for custom ImmutableId claim: Adds temporary values to the pipeline for objectguid and, if it exists, msdsconsistencyguid.
  Check for the existence of msdsconsistencyguid: Depending on whether a value for msdsconsistencyguid exists, sets a temporary flag that directs which value to use as the ImmutableId.
  Issue msdsconsistencyguid as Immutable ID if it exists: Issues msdsconsistencyguid as the ImmutableId if the value exists.
  Issue objectGuidRule if msdsConsistencyGuid rule does not exist: If no value for msdsconsistencyguid exists, issues the value of objectguid as the ImmutableId.
  Issue nameidentifier: Issues the value for the nameidentifier claim.
  Issue accounttype for domain-joined computers: If the entity being authenticated is a domain-joined device, issues the account type DJ, signifying a domain-joined device.
  Issue AccountType with the value USER when it is not a computer account: If the entity being authenticated is a user, issues the account type User.
  Issue issuerid when it is not a computer account: Issues the issuerId value when the authenticating entity is not a device. The value is produced by a regex configured by Azure AD Connect; the regex is built to cover all the domains federated using Azure AD Connect.
  Issue issuerid for DJ computer auth: Issues the issuerId value when the authenticating entity is a device.
  Issue onpremobjectguid for domain-joined computers: If the entity being authenticated is a domain-joined device, issues the on-premises objectguid of the device.
  Pass through primary SID: Issues the primary SID of the authenticating entity.
  Pass through claim - insideCorporateNetwork: Issues a claim that tells Azure AD whether the authentication came from inside the corporate network or from outside.
  Pass Through Claim - Psso: (no description given)
  Issue Password Expiry Claims: Issues three claims: the password expiration time, the number of days until the password of the entity being authenticated expires, and the URL to route to for changing the password.
  Pass through claim - authnmethodsreferences: The value of the claim issued by this rule indicates what type of authentication was performed for the entity.
  Pass through claim - multifactorauthenticationinstant: The value of this claim specifies the time, in UTC, when the user last performed multi-factor authentication.
  Pass through claim - AlternateLoginID: Issues the AlternateLoginID claim if the authentication was performed using an alternate login ID.


The claim rules for Issue UPN and ImmutableId differ if you chose a non-default option during Azure AD Connect configuration.

Restore issuance transform rules

Azure AD Connect version 1.1.873.0 or later makes a backup of the Azure AD trust settings whenever it updates them. The backup is written to %ProgramData%\AADConnect\ADFS. The file name has the format AadTrust-<date>-<time>.txt, for example AadTrust-20180710-150216.txt.

[Screenshot: sample backup file of the Azure AD trust]

You can restore the issuance transform rules with the following steps:

  1. Open the AD FS management UI from Server Manager.
  2. Open the Azure AD trust properties by going to AD FS > Relying Party Trusts > Microsoft Office 365 Identity Platform > Edit Claim Issuance Policy.
  3. Click Add Rule.
  4. In the claim rule template, select Send Claims Using a Custom Rule and click Next.
  5. Copy the name of the claim rule from the backup file and paste it into the Claim rule name field.
  6. Copy the claim rule from the backup file into the Custom rule text field and click Finish.


Make sure that any additional rules you add do not conflict with the rules configured by Azure AD Connect.
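The steps above add rules one at a time through the management console, and nothing stops you from pasting a rule whose name already exists. The following PowerShell is an added example, not code from the article or from Azure AD Connect, that does the same restore from a backup file: it adds the named rules that are missing from the live trust, and refuses to proceed when a rule of the same name already exists with a different body, which is the conflict the note above warns about. It assumes the backup contains standard AD FS claim rule language with one @RuleName header per rule (the article does not document the exact layout of AadTrust-<date>-<time>.txt, so check that assumption against your own file), that it runs elevated on an AD FS server, and that the trust uses its default display name. The two sample rules at the end are constructed for illustration and stand in for the ImmutableId rules listed earlier; their claim type URIs for msdsconsistencyguid and for the temporary flag are assumptions, not Azure AD Connect's actual rule text.

```powershell
# Added example: merge issuance transform rules from a backup into the Azure AD
# trust without overwriting rules that already exist. Not Azure AD Connect's code.
Import-Module ADFS

$TrustName = 'Microsoft Office 365 Identity Platform'

# Split a rule set (the string form AD FS uses) into an ordered name -> rule-text map.
# Assumes one '@RuleName = "..."' header per rule, which is how AD FS renders rules.
function Split-ClaimRules {
    param([string]$RuleText)
    $rules = [ordered]@{}
    $pattern = '(?ms)^\s*@RuleName\s*=\s*"(?<name>[^"]+)"\s*$.*?(?=^\s*@RuleName|\z)'
    foreach ($m in [regex]::Matches("$RuleText", $pattern)) {
        $rules[$m.Groups['name'].Value] = $m.Value.Trim()
    }
    return $rules
}

# Add rules from the backup that are missing from the live trust.
# Same name with a different body is treated as a conflict and stops the restore.
function Restore-AzureAdTrustRules {
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [string]$Name = $TrustName,
        [string]$SaveCopyTo = "$env:ProgramData\AADConnect\ADFS",
        [switch]$DryRun
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' was not found." }

    $liveText = "$($rp.IssuanceTransformRules)"
    $live     = Split-ClaimRules -RuleText $liveText
    $backup   = Split-ClaimRules -RuleText (Get-Content -Raw -Path $BackupPath)

    $toAdd = @(); $conflicts = @()
    foreach ($ruleName in $backup.Keys) {
        if (-not $live.Contains($ruleName)) { $toAdd += $backup[$ruleName]; continue }
        if ($live[$ruleName] -ne $backup[$ruleName]) { $conflicts += $ruleName }
    }
    if ($conflicts) {
        throw "Rules already on the trust with a different body: $($conflicts -join ', '). Resolve these by hand."
    }
    if (-not $toAdd) { Write-Output 'Nothing to restore; every backup rule is already present.'; return }

    $merged = ($liveText.TrimEnd() + "`r`n`r`n" + ($toAdd -join "`r`n`r`n"))
    if ($DryRun) { return $merged }

    # Keep our own copy of the pre-change rule set next to the Azure AD Connect backups.
    New-Item -ItemType Directory -Force -Path $SaveCopyTo | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Set-Content -Path (Join-Path $SaveCopyTo "ManualRestore-$stamp.txt") -Value $liveText

    Set-AdfsRelyingPartyTrust -TargetName $Name -IssuanceTransformRules $merged
    Write-Output "Added $($toAdd.Count) rule(s) to '$Name'."
}

# Constructed sample backup standing in for two of the ImmutableId rules described
# in this article. The msdsconsistencyguid claim type and the temporary flag claim
# type are assumptions for illustration, not Azure AD Connect's real rule text.
$SampleBackup = @'
@RuleName = "Check for the existence of msdsconsistencyguid"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"])
 => add(Type = "urn:example:tmp/idflag", Value = "useguid");

@RuleName = "Issue msdsconsistencyguid as Immutable ID if it exists"
c:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"]
 => issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c.Value);
'@
$tmp = Join-Path $env:TEMP 'AadTrust-sample.txt'
Set-Content -Path $tmp -Value $SampleBackup

# Dry run: prints the merged rule set and changes nothing on the trust.
Restore-AzureAdTrustRules -BackupPath $tmp -DryRun
```

Run without -DryRun only after reviewing the merged output. Rule order matters in AD FS (the flag rule must run before the rule that reads it), and this script appends restored rules after the existing ones, so if a restored rule depends on a temporary claim added by a rule that is still on the trust, verify the order in the merged text before applying it.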

Next steps