Manage and customize Active Directory Federation Services by using Azure AD Connect

This article describes how to manage and customize Active Directory Federation Services (AD FS) by using Azure Active Directory (Azure AD) Connect. It also covers other common AD FS tasks that you might need to perform to complete the configuration of an AD FS farm.

Topic: What it covers

Manage AD FS
  Repair the trust: How to repair the federation trust with Office 365.
  Federate with Azure AD using alternate login ID: How to configure federation using an alternate login ID.
  Add an AD FS server: How to expand an AD FS farm with an additional AD FS server.
  Add an AD FS Web Application Proxy server: How to expand an AD FS farm with an additional Web Application Proxy (WAP) server.
  Add a federated domain: How to add a federated domain.
  Update the SSL certificate: How to update the SSL certificate for an AD FS farm.

Customize AD FS
  Add a custom company logo or illustration: How to customize an AD FS sign-in page with a company logo and illustration.
  Add a sign-in description: How to add a sign-in page description.
  Modify AD FS claim rules: How to modify AD FS claims for various federation scenarios.

Manage AD FS

You can perform various AD FS-related tasks in Azure AD Connect with minimal user intervention by using the Azure AD Connect wizard. After you have finished installing Azure AD Connect by running the wizard, you can run the wizard again to perform additional tasks.

Repair the trust

You can use Azure AD Connect to check the current health of the AD FS and Azure AD trust and take appropriate actions to repair it. Follow these steps to repair your Azure AD and AD FS trust.

  1. Select Repair AAD and ADFS Trust from the list of additional tasks.

    [Screenshot: Repair AAD and ADFS Trust]

  2. On the Connect to Azure AD page, provide your global administrator credentials for Azure AD, and click Next.

    [Screenshot: Connect to Azure AD]

  3. On the Remote access credentials page, enter the credentials for the domain administrator.

    [Screenshot: Remote access credentials]

    After you click Next, Azure AD Connect checks the certificate health and shows any issues.

    [Screenshot: Certificate state]

    The Ready to configure page shows the list of actions that will be performed to repair the trust.

    [Screenshot: Ready to configure]

  4. Click Install to repair the trust.

Note

Azure AD Connect can only repair or act on certificates that are self-signed. It can't repair third-party certificates.

Federate with Azure AD using alternate login ID

We recommend keeping the on-premises User Principal Name (UPN) and the cloud User Principal Name the same. If the on-premises UPN uses a non-routable domain (for example, Contoso.local) or cannot be changed because of local application dependencies, we recommend setting up an alternate login ID. Alternate login ID lets you configure a sign-in experience in which users sign in with an attribute other than their UPN, such as mail. The choice for User Principal Name in Azure AD Connect defaults to the userPrincipalName attribute in Active Directory. If you choose any other attribute for User Principal Name and are federating by using AD FS, Azure AD Connect configures AD FS for alternate login ID. An example of choosing a different attribute for User Principal Name is shown below:

    [Screenshot: Alternate ID attribute selection]

Configuring alternate login ID for AD FS consists of two main steps:

  1. Configure the right set of issuance claims: The issuance claim rules in the Azure AD relying party trust are modified to use the selected UserPrincipalName attribute as the alternate ID of the user.

  2. Enable alternate login ID in the AD FS configuration: The AD FS configuration is updated so that AD FS can look up users in the appropriate forests by using the alternate ID. This configuration is supported for AD FS on Windows Server 2012 R2 (with KB2919355) or later. If the AD FS servers are 2012 R2, Azure AD Connect checks for the presence of the required KB. If the KB is not detected, a warning is displayed after the configuration completes, as shown below:

    [Screenshot: Warning about the missing KB on 2012 R2]

    To rectify the configuration when the KB is missing, install the required KB2919355 and then repair the trust by using Repair AAD and AD FS Trust.

Note

For more information on alternate login ID and the steps to configure it manually, read Configuring Alternate Login ID.

Add an AD FS server

Note

To add an AD FS server, Azure AD Connect requires the PFX certificate. Therefore, you can perform this operation only if you configured the AD FS farm by using Azure AD Connect.

  1. Select Deploy an additional Federation Server, and click Next.

    [Screenshot: Additional federation server]

  2. On the Connect to Azure AD page, enter your global administrator credentials for Azure AD, and click Next.

    [Screenshot: Connect to Azure AD]

  3. Provide the domain administrator credentials.

    [Screenshot: Domain administrator credentials]

  4. Azure AD Connect asks for the password of the PFX file that you provided when you configured your new AD FS farm with Azure AD Connect. Click Enter Password to provide the password for the PFX file.

    [Screenshot: Certificate password]

    [Screenshot: Specify SSL certificate]

  5. On the AD FS Servers page, enter the server name or IP address of the server to be added to the AD FS farm.

    [Screenshot: AD FS servers]

  6. Click Next, and go through the final Configure page. After Azure AD Connect has finished adding the servers to the AD FS farm, you are given the option to verify the connectivity.

    [Screenshot: Ready to configure]

    [Screenshot: Installation complete]

Add an AD FS WAP server

Note

To add a WAP server, Azure AD Connect requires the PFX certificate. Therefore, you can perform this operation only if you configured the AD FS farm by using Azure AD Connect.

  1. Select Deploy Web Application Proxy from the list of available tasks.

    [Screenshot: Deploy Web Application Proxy]

  2. Provide the Azure global administrator credentials.

    [Screenshot: Connect to Azure AD]

  3. On the Specify SSL certificate page, provide the password for the PFX file that you provided when you configured the AD FS farm with Azure AD Connect.

    [Screenshot: Certificate password]

    [Screenshot: Specify SSL certificate]

  4. Add the server to be added as a WAP server. Because the WAP server might not be joined to the domain, the wizard asks for administrative credentials to the server being added.

    [Screenshot: Administrative server credentials]

  5. On the Proxy trust credentials page, provide administrative credentials to configure the proxy trust and access the primary server in the AD FS farm.

    [Screenshot: Proxy trust credentials]

  6. On the Ready to configure page, the wizard shows the list of actions that will be performed.

    [Screenshot: Ready to configure]

  7. Click Install to finish the configuration. After the configuration is complete, the wizard gives you the option to verify the connectivity to the servers. Click Verify to check connectivity.

    [Screenshot: Installation complete]

Add a federated domain

It's easy to add a domain to be federated with Azure AD by using Azure AD Connect. Azure AD Connect adds the domain for federation and modifies the claim rules so that the issuer is reflected correctly when you have multiple domains federated with Azure AD.

  1. To add a federated domain, select the task Add an additional Azure AD domain.

    [Screenshot: Additional Azure AD domain]

  2. On the next page of the wizard, provide the global administrator credentials for Azure AD.

    [Screenshot: Connect to Azure AD]

  3. On the Remote access credentials page, provide the domain administrator credentials.

    [Screenshot: Remote access credentials]

  4. On the next page, the wizard provides a list of Azure AD domains that you can federate your on-premises directory with. Choose the domain from the list.

    [Screenshot: Azure AD domains]

    After you choose the domain, the wizard provides information about the further actions it will take and the impact of the configuration. In some cases, if you select a domain that isn't yet verified in Azure AD, the wizard provides information to help you verify the domain. See Add your custom domain name to Azure Active Directory for more details.

  5. Click Next. The Ready to configure page shows the list of actions that Azure AD Connect will perform. Click Install to finish the configuration.

    [Screenshot: Ready to configure]

Note

Users from the added federated domain must be synchronized before they can sign in to Azure AD.

AD FS customization

The following sections provide details about some of the common tasks that you might have to perform when you customize your AD FS sign-in page.

Add a custom company logo or illustration

To change the company logo that's displayed on the Sign-in page, use the following Windows PowerShell cmdlet and syntax.

Note

The recommended dimensions for the logo are 260 x 35 at 96 dpi, with a file size no greater than 10 KB.

Set-AdfsWebTheme -TargetName default -Logo @{path="c:\Contoso\logo.PNG"}

Note

The TargetName parameter is required. The default theme that's released with AD FS is named Default.

Add a sign-in description

To add a description to the Sign-in page, use the following Windows PowerShell cmdlet and syntax.

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Sign-in to Contoso requires device registration. Click <A href='http://fs1.contoso.com/deviceregistration/'>here</A> for more information.</p>"

Modify AD FS claim rules

AD FS supports a rich claim rule language that you can use to create custom claim rules. For more information, see The Role of the Claim Rule Language.

The following sections describe how to write custom rules for some scenarios that relate to Azure AD and AD FS federation.

Immutable ID conditional on a value being present in the attribute

Azure AD Connect lets you specify an attribute to be used as the source anchor when objects are synced to Azure AD. If the value in the custom attribute is not empty, you might want to issue an immutable ID claim based on it.

For example, you might select ms-ds-consistencyguid as the attribute for the source anchor and issue ImmutableID as ms-ds-consistencyguid when the attribute has a value. If the attribute has no value, issue objectGuid as the immutable ID instead. You can construct the set of custom claim rules as described in the following sections.

Rule 1: Query attributes

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "Active Directory", types = ("http://contoso.com/ws/2016/02/identity/claims/objectguid", "http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid"), query = "; objectGuid,ms-ds-consistencyguid;{0}", param = c.Value);

In this rule, you query the values of ms-ds-consistencyguid and objectGuid for the user from Active Directory. Change the store name to the appropriate attribute store name in your AD FS deployment. Also change the claim types to the proper claim types for your federation, as defined for objectGuid and ms-ds-consistencyguid.

Also, by using add rather than issue, you avoid adding an outgoing claim for the entity and can use the values as intermediate values. You issue the claim in a later rule, after you establish which value to use as the immutable ID.

Rule 2: Check if ms-ds-consistencyguid exists for the user

NOT EXISTS([Type == "http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid"])
=> add(Type = "urn:anandmsft:tmp/idflag", Value = "useguid");

This rule defines a temporary flag called idflag that is set to useguid if no ms-ds-consistencyguid is populated for the user. The logic behind this is that AD FS doesn't allow empty claims. So when you add the claims http://contoso.com/ws/2016/02/identity/claims/objectguid and http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid in Rule 1, you end up with an msdsconsistencyguid claim only if the value is populated for the user. If it isn't populated, AD FS sees that the claim would have an empty value and drops it immediately. All objects have an objectGuid, so that claim is always present after Rule 1 is executed.

Rule 3: Issue ms-ds-consistencyguid as immutable ID if it's present

c:[Type == "http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);

This is an implicit Exists check. If the value for the claim exists, it is issued as the immutable ID. The example above uses the nameidentifier claim. You'll have to change this to the appropriate claim type for the immutable ID in your environment.

Rule 4: Issue objectGuid as immutable ID if ms-ds-consistencyGuid is not present

c1:[Type == "urn:anandmsft:tmp/idflag", Value =~ "useguid"]
&& c2:[Type == "http://contoso.com/ws/2016/02/identity/claims/objectguid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c2.Value);

In this rule, you simply check the temporary flag idflag and decide whether to issue the claim based on its value.

Note

The sequence of these rules is important.
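As an added example (not code from the article), a small Python model of how AD FS evaluates this four-rule set: rules run in order, add only feeds later rules while issue also emits the claim, and a claim with an empty value is dropped. The claim type URIs are the article's placeholders and the user attribute dicts are constructed sample data; passing the rules in a different order to immutable_ids shows why the sequence matters (with the flag rule ahead of the query, NOT EXISTS is always true and both IDs get issued).

```python
from dataclasses import dataclass, field

# Claim types used by the four rules above (the contoso.com types are the
# article's placeholders; replace them with the types used in your federation).
GUID = "http://contoso.com/ws/2016/02/identity/claims/objectguid"
CGUID = "http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid"
FLAG = "urn:anandmsft:tmp/idflag"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

@dataclass
class Pipeline:
    claims: list = field(default_factory=list)  # visible to later rules (add + issue)
    issued: list = field(default_factory=list)  # outgoing claims (issue only)
    def has(self, ctype):
        return any(t == ctype for t, _ in self.claims)
    def value(self, ctype):
        return next(v for t, v in self.claims if t == ctype)
    def add(self, ctype, value):
        if value:  # AD FS drops a claim whose value is empty, so NOT EXISTS will not see it
            self.claims.append((ctype, value))
    def issue(self, ctype, value):
        self.add(ctype, value)
        self.issued.append((ctype, value))

# The attribute-store lookup in Rule 1 is simulated with a dict of the user's
# AD attributes (constructed sample data, not a real directory query).
def rule1_query(p, user):
    p.add(GUID, user.get("objectGuid"))
    p.add(CGUID, user.get("ms-ds-consistencyguid"))

def rule2_flag(p, user):  # NOT EXISTS(msdsconsistencyguid) => add(idflag = "useguid")
    if not p.has(CGUID):
        p.add(FLAG, "useguid")

def rule3_issue_cguid(p, user):  # c:[msdsconsistencyguid] => issue(nameidentifier, c.Value)
    if p.has(CGUID):
        p.issue(NAMEID, p.value(CGUID))

def rule4_issue_guid(p, user):  # c1:[idflag =~ useguid] && c2:[objectguid] => issue(c2.Value)
    if p.has(FLAG) and p.has(GUID):
        p.issue(NAMEID, p.value(GUID))

RULES = [rule1_query, rule2_flag, rule3_issue_cguid, rule4_issue_guid]

def immutable_ids(user, rules=RULES):
    """Evaluate the rules in order for one user; return the nameidentifier values issued."""
    p = Pipeline()
    for rule in rules:
        rule(p, user)
    return [v for t, v in p.issued if t == NAMEID]

if __name__ == "__main__":
    print(immutable_ids({"objectGuid": "g1", "ms-ds-consistencyguid": "c1"}))  # ['c1']
    print(immutable_ids({"objectGuid": "g1"}))  # ['g1']
```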

SSO with a subdomain UPN

You can add more than one domain to be federated by using Azure AD Connect, as described in Add a federated domain. Azure AD Connect version 1.1.553.0 and later creates the correct claim rule for issuerID automatically. If you cannot use Azure AD Connect version 1.1.553.0 or later, we recommend using the Azure AD RPT Claim Rules tool to generate and set the correct claim rules for the Azure AD relying party trust.

Next steps

Learn more about user sign-in options.