续订 Office 365 和 Azure Active Directory 的联合身份验证证书Renew federation certificates for Office 365 and Azure Active Directory

概述Overview

为使 Azure Active Directory (Azure AD) 与 Active Directory 联合身份验证服务 (AD FS) 之间能够成功联合,AD FS 用来为 Azure AD 签名安全令牌的证书应该与在 Azure AD 中所配置的证书相匹配。For successful federation between Azure Active Directory (Azure AD) and Active Directory Federation Services (AD FS), the certificates used by AD FS to sign security tokens to Azure AD should match what is configured in Azure AD. 任何不匹配情况都可能导致信任破坏。Any mismatch can lead to broken trust. Azure AD 可确保此信息在部署 AD FS 和 Web 应用程序代理(用于 Extranet 访问)时保持同步。Azure AD ensures that this information is kept in sync when you deploy AD FS and Web Application Proxy (for extranet access).

本文提供了一些附加信息,帮助在以下情况下管理令牌签名证书,并使证书与 Azure AD 保持同步:This article provides you additional information to manage your token signing certificates and keep them in sync with Azure AD, in the following cases:

  • 未部署 Web 应用程序代理,因此无法在 Extranet 中获取联合元数据。You are not deploying the Web Application Proxy, and therefore the federation metadata is not available in the extranet.
  • 未对令牌签名证书使用默认的 AD FS 配置。You are not using the default configuration of AD FS for token signing certificates.
  • 正在使用第三方标识提供者。You are using a third-party identity provider.

令牌签名证书的默认 AD FS 配置Default configuration of AD FS for token signing certificates

令牌签名证书和令牌解密证书通常是自签名证书,有效期为一年。The token signing and token decrypting certificates are usually self-signed certificates, and are good for one year. 默认情况下,AD FS 包含名为 AutoCertificateRollover的自动续订进程。By default, AD FS includes an auto-renewal process called AutoCertificateRollover. 如果使用的是 AD FS 2.0 或更高版本,Office 365 和 Azure AD 会在证书过期之前自动对其进行更新。If you are using AD FS 2.0 or later, Office 365 and Azure AD automatically update your certificate before it expires.

来自 Microsoft 365 管理中心或电子邮件的续订通知Renewal notification from the Microsoft 365 admin center or an email

Note

如果收到电子邮件或门户通知,要求续订 Office 证书,请参阅管理对令牌签名证书的更改,检查是否需要采取任何操作。If you received an email or a portal notification asking you to renew your certificate for Office, see Managing changes to token signing certificates to check if you need to take any action. Microsoft 已知可能有问题会导致发送证书续订通知,即使并不需要用户采取任何操作。Microsoft is aware of a possible issue that can lead to notifications for certificate renewal being sent, even when no action is required.

Azure AD 将尝试监视联合元数据,并按照此元数据的指示更新令牌签名证书。Azure AD attempts to monitor the federation metadata, and update the token signing certificates as indicated by this metadata. 在令牌签名证书过期前 30 天,Azure AD 会通过轮询联合元数据,检查是否已有新的证书。30 days before the expiration of the token signing certificates, Azure AD checks if new certificates are available by polling the federation metadata.

  • 如果它能成功轮询联合元数据并检索到新证书,则不会向用户发送电子邮件通知,或者在 Microsoft 365 管理中心内显示警告。If it can successfully poll the federation metadata and retrieve the new certificates, no email notification or warning in the Microsoft 365 admin center is issued to the user.
  • 如果由于无法访问联合元数据或者未启用自动证书滚动更新而无法检索新的令牌签名证书,Azure AD 会发出电子邮件通知,并在 Microsoft 365 管理中心内显示警告。If it cannot retrieve the new token signing certificates, either because the federation metadata is not reachable or automatic certificate rollover is not enabled, Azure AD issues an email notification and a warning in the Microsoft 365 admin center.

Office 365 门户通知

Important

如果使用 AD FS,为确保业务连续性,请确认服务器具有以下更新,以免因已知问题而导致身份验证失败。If you are using AD FS, to ensure business continuity, please verify that your servers have the following updates so that authentication failures for known issues do not occur. 这可以减少在此续订期间和未来续订期间出现已知的 AD FS 代理服务器问题:This mitigates known AD FS proxy server issues for this renewal and future renewal periods:

Server 2012 R2 — Windows Server 2014 年 5 月汇总Server 2012 R2 - Windows Server May 2014 rollup

Server 2008 R2 和 2012 — 在 Windows Server 2012 或 Windows 2008 R2 SP1 中通过代理进行身份验证失败Server 2008 R2 and 2012 - Authentication through proxy fails in Windows Server 2012 or Windows 2008 R2 SP1

检查是否需要更新证书 Check if the certificates need to be updated

步骤 1:检查 AutoCertificateRollover 状态Step 1: Check the AutoCertificateRollover state

在 AD FS 服务器上打开 PowerShell。On your AD FS server, open PowerShell. 检查 AutoCertRollover 值是否设置为 True。Check that the AutoCertificateRollover value is set to True.

Get-Adfsproperties

AutoCertificateRollover

Note

如果使用的是 AD FS 2.0,请先运行 Add-Pssnapin Microsoft.Adfs.Powershell。If you are using AD FS 2.0, first run Add-Pssnapin Microsoft.Adfs.Powershell.

步骤 2:确认 AD FS 和 Azure AD 已同步Step 2: Confirm that AD FS and Azure AD are in sync

在 AD FS 服务器上,打开 MSOnline PowerShell 提示符,并连接到 Azure AD。On your AD FS server, open the MSOnline PowerShell prompt, and connect to Azure AD.

Note

MSOL-Cmdlet 是 MSOnline PowerShell 模块的一部分。MSOL-Cmdlets are part of the MSOnline PowerShell module. 可以直接从 PowerShell 库下载 MSOnline PowerShell 模块。You can download the MSOnline PowerShell Module directly from the PowerShell Gallery.

Install-Module MSOnline

使用 MSOnline PowerShell-Module 连接到 Azure AD。Connect to Azure AD using the MSOnline PowerShell-Module.

Import-Module MSOnline
Connect-MsolService -AzureEnvironment AzureChinaCloud

检查 AD FS 和 Azure AD 信任属性中针对指定域配置的证书。Check the certificates configured in AD FS and Azure AD trust properties for the specified domain.

Get-MsolFederationProperty -DomainName <domain.name> | FL Source, TokenSigningCertificate

Get-MsolFederationProperty

如果这两个输出中的指纹匹配,则表示证书已与 Azure AD 同步。If the thumbprints in both the outputs match, your certificates are in sync with Azure AD.

步骤 3:检查证书是否即将到期Step 3: Check if your certificate is about to expire

在 Get-MsolFederationProperty 或 Get-AdfsCertificate 输出中的“Not After”下面检查日期。In the output of either Get-MsolFederationProperty or Get-AdfsCertificate, check for the date under "Not After." 如果日期相隔不到 30 天,则应该采取操作。If the date is less than 30 days away, you should take action.

AutoCertificateRolloverAutoCertificateRollover 证书与 Azure AD 同步Certificates in sync with Azure AD 可公开访问联盟元数据Federation metadata is publicly accessible 有效期Validity 操作Action
Yes Yes Yes - 无需执行任何操作。No action needed. 请参阅 自动续订令牌签名证书See Renew token signing certificate automatically.
Yes No - 小于 15 天Less than 15 days 立即续订。Renew immediately. 请参阅 手动续订令牌签名证书See Renew token signing certificate manually.
No - - 小于 30 天Less than 30 days 立即续订。Renew immediately. 请参阅 手动续订令牌签名证书See Renew token signing certificate manually.

[-] 无关紧要[-] Does not matter

如果同时满足以下两个条件,则不需要执行任何手动步骤:You don't need to perform any manual steps if both of the following are true:

  • 已部署 Web 应用程序代理,能够从 Extranet 访问联合元数据。You have deployed Web Application Proxy, which can enable access to the federation metadata from the extranet.
  • 所使用的是 AD FS 默认配置(已启用 AutoCertificateRollover)。You are using the AD FS default configuration (AutoCertificateRollover is enabled).

检查以下事项以确认能够自动更新证书。Check the following to confirm that the certificate can be automatically updated.

1.AD FS 属性 AutoCertificateRollover 必须设置为 True。1. The AD FS property AutoCertificateRollover must be set to True. 这表示 AD FS 会在旧证书到期之前,自动生成新的令牌签名证书和令牌解密证书。This indicates that AD FS will automatically generate new token signing and token decryption certificates, before the old ones expire.

2.AD FS 联合元数据可公开访问。2. The AD FS federation metadata is publicly accessible. 从公共 Internet(企业网络之外)上的计算机导航到以下 URL,查看你的联合元数据是否可以公开访问:Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off of the corporate network):

https://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xmlhttps://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xml

其中,(your_FS_name) 将替换为你的组织使用的联合身份验证服务主机名,例如 fs.contoso.com。where (your_FS_name) is replaced with the federation service host name your organization uses, such as fs.contoso.com. 如果能够成功验证这两项设置,则无需执行任何其他操作。If you are able to verify both of these settings successfully, you do not have to do anything else.

示例: https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xmlExample: https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml

手动续订令牌签名证书 Renew the token signing certificate manually

可以选择手动续订令牌签名证书。You may choose to renew the token signing certificates manually. 例如,在以下情况下,可能更合适手动续订:For example, the following scenarios might work better for manual renewal:

  • 令牌签名证书不是自签名证书。Token signing certificates are not self-signed certificates. 这种情况最常见的原因是,组织通过组织证书颁发机构来管理注册的 AD FS 证书。The most common reason for this is that your organization manages AD FS certificates enrolled from an organizational certificate authority.
  • 网络安全性不允许公开提供联合元数据。Network security does not allow the federation metadata to be publicly available.

在这些案例中,每当更新令牌签名证书时,还必须使用 PowerShell 命令 Update-MsolFederatedDomain 更新 Office 365 域。In these scenarios, every time you update the token signing certificates, you must also update your Office 365 domain by using the PowerShell command, Update-MsolFederatedDomain.

步骤 1:确保 AD FS 具有新的令牌签名证书Step 1: Ensure that AD FS has new token signing certificates

非默认配置Non-default configuration

若使用 AD FS 的非默认配置(即 AutoCertificateRollover 设置为 False),则很有可能你使用的是自定义证书(非自签名)。If you are using a non-default configuration of AD FS (where AutoCertificateRollover is set to False), you are probably using custom certificates (not self-signed). 有关如何续订 AD FS 令牌签名证书的详细信息,请阅读 Guidance for customers not using AD FS self-signed certificates(针对未使用 AD FS 自签名证书的客户的指南)。For more information about how to renew the AD FS token signing certificates, see Guidance for customers not using AD FS self-signed certificates.

联合元数据不可公开访问Federation metadata is not publicly available

另一方面,如果 AutoCertificateRollover 设置为 True,但无法公开访问联合元数据,请先确保 AD FS 已生成新的令牌签名证书。On the other hand, if AutoCertificateRollover is set to True, but your federation metadata is not publicly accessible, first make sure that new token signing certificates have been generated by AD FS. 执行以下步骤,确认有新的令牌签名证书:Confirm you have new token signing certificates by taking the following steps:

  1. 确认是否已登录到主 AD FS 服务器。Verify that you are logged on to the primary AD FS server.

  2. 通过打开 PowerShell 命令窗口并运行以下命令,检查 AD FS 中的当前签名证书:Check the current signing certificates in AD FS by opening a PowerShell command window, and running the following command:

    PS C:>Get-ADFSCertificate -CertificateType token-signingPS C:>Get-ADFSCertificate -CertificateType token-signing

    Note

    如果使用的是 AD FS 2.0,应该先运行 Add-Pssnapin Microsoft.Adfs.Powershell。If you are using AD FS 2.0, you should run Add-Pssnapin Microsoft.Adfs.Powershell first.

  3. 查看命令输出中是否存在任何已列出的证书。Look at the command output at any certificates listed. 如果 AD FS 已生成新证书,则会在输出中看到两个证书:一个证书的 IsPrimary 值为 TrueNotAfter 日期为 5 天内;另一个证书的 IsPrimaryFalseNotAfter 大约为未来的 1 年。If AD FS has generated a new certificate, you should see two certificates in the output: one for which the IsPrimary value is True and the NotAfter date is within 5 days, and one for which IsPrimary is False and NotAfter is about a year in the future.

  4. 如果只看到一个证书,且 NotAfter 日期在 5 天内,则需要生成新的证书。If you only see one certificate, and the NotAfter date is within 5 days, you need to generate a new certificate.

  5. 若要生成新的证书,请在 PowerShell 命令提示符下执行以下命令: PS C:\>Update-ADFSCertificate -CertificateType token-signingTo generate a new certificate, execute the following command at a PowerShell command prompt: PS C:\>Update-ADFSCertificate -CertificateType token-signing.

  6. 通过再次运行以下命令来验证更新:PS C:>Get-ADFSCertificate -CertificateType token-signingVerify the update by running the following command again: PS C:>Get-ADFSCertificate -CertificateType token-signing

此时会列出两个证书,其中一个的 NotAfter 日期大约为未来的 1 年,其 IsPrimary 值为 FalseTwo certificates should be listed now, one of which has a NotAfter date of approximately one year in the future, and for which the IsPrimary value is False.

步骤 2:更新 Office 365 信任的新令牌签名证书Step 2: Update the new token signing certificates for the Office 365 trust

按如下方式,使用要用于信任的新令牌签名证书更新 Office 365。Update Office 365 with the new token signing certificates to be used for the trust, as follows.

  1. 打开用于 Windows PowerShell 的 Azure Active Directory 模块。Open the Azure Active Directory Module for Windows PowerShell.
  2. 运行 $cred=Get-Credential。Run $cred=Get-Credential. 当此 cmdlet 提示输入凭据时,键入云服务管理员帐户凭据。When this cmdlet prompts you for credentials, type your cloud service administrator account credentials.
  3. 运行 Connect-MsolService -Credential $cred -AzureEnvironment AzureChinaCloud。Run Connect-MsolService -Credential $cred -AzureEnvironment AzureChinaCloud. 此 cmdlet 会将你连接到云服务。This cmdlet connects you to the cloud service. 通过工具运行任何其他已安装的 cmdlet 之前,必须创建你将连接到云服务的上下文。Creating a context that connects you to the cloud service is required before running any of the additional cmdlets installed by the tool.
  4. 如果在并非用作 AD FS 主联合服务器的计算机上运行这些命令,请运行 Set-MSOLAdfscontext -Computer <AD FS primary server>,其中 <AD FS primary server> 是主 AD FS 服务器的内部 FQDN 名称。If you are running these commands on a computer that is not the AD FS primary federation server, run Set-MSOLAdfscontext -Computer <AD FS primary server>, where <AD FS primary server> is the internal FQDN name of the primary AD FS server. 此 cmdlet 会创建你将连接到 AD FS 的上下文。This cmdlet creates a context that connects you to AD FS.
  5. 运行 Update-MSOLFederatedDomain -DomainName <domain>。Run Update-MSOLFederatedDomain -DomainName <domain>. 此 cmdlet 会将 AD FS 的设置更新到云服务中,并配置两者之间的信任关系。This cmdlet updates the settings from AD FS into the cloud service, and configures the trust relationship between the two.

Note

如果需要支持多个顶级域(例如 contoso.com 和 fabrikam.com),则必须将 SupportMultipleDomain 开关用于任何 cmdlet。If you need to support multiple top-level domains, such as contoso.com and fabrikam.com, you must use the SupportMultipleDomain switch with any cmdlets. 有关详细信息,请参阅支持多个顶级域For more information, see Support for Multiple Top Level Domains.

使用 Azure AD Connect 修复 Azure AD 信任 Repair Azure AD trust by using Azure AD Connect

如果已使用 Azure AD Connect 配置了 AD FS 场和 Azure AD 信任,则可以使用 Azure AD Connect 来检测是否需要对令牌签名证书采取任何操作。If you configured your AD FS farm and Azure AD trust by using Azure AD Connect, you can use Azure AD Connect to detect if you need to take any action for your token signing certificates. 如果需要续订证书,可以使用 Azure AD Connect 来执行此操作。If you need to renew the certificates, you can use Azure AD Connect to do so.

有关详细信息,请参阅修复信任For more information, see Repairing the trust.

AD FS 和 Azure AD 证书更新步骤AD FS and Azure AD certificate update steps

令牌签名证书是标准 X509 证书,用于安全地对联合服务器颁发的所有令牌进行签名。Token signing certificates are standard X509 certificates that are used to securely sign all tokens that the federation server issues. 令牌解密证书是标准 X509 证书,用于对任何传入令牌进行解密。Token decryption certificates are standard X509 certificates that are used to decrypt any incoming tokens.

默认情况下,AD FS 配置为在初始配置时以及在证书接近到期日期时自动生成令牌签名证书和令牌解密证书。By default, AD FS is configured to generate token signing and token decryption certificates automatically, both at the initial configuration time and when the certificates are approaching their expiration date.

在当前证书到期 30 天前,Azure AD 会尝试从联合身份验证服务元数据中检索新证书。Azure AD tries to retrieve a new certificate from your federation service metadata 30 days before the expiry of the current certificate. 如果新证书在该时间不可用,Azure AD 会继续每日定期监视元数据。In case a new certificate is not available at that time, Azure AD will continue to monitor the metadata on regular daily intervals. 在元数据中获得新证书后,将立即使用新的证书信息更新域的联合身份验证设置。As soon as the new certificate is available in the metadata, the federation settings for the domain are updated with the new certificate information. 如果在 NextSigningCertificate/SigningCertificate 中看到新证书,可以使用 Get-MsolDomainFederationSettings 进行验证。You can use Get-MsolDomainFederationSettings to verify if you see the new certificate in the NextSigningCertificate / SigningCertificate.

有关 AD FS 中令牌签名证书的详细信息,请参阅获取和配置 AD FS 令牌签名证书和令牌解密证书For more information on Token Signing certificates in AD FS see Obtain and Configure Token Signing and Token Decryption Certificates for AD FS