Update the SSL certificate for an Active Directory Federation Services (AD FS) farm

Overview

This article describes how you can use Azure AD Connect to update the SSL certificate for an Active Directory Federation Services (AD FS) farm. You can use the Azure AD Connect tool to easily update the SSL certificate for the AD FS farm even if the selected user sign-in method is not AD FS.

You can perform the whole operation of updating the SSL certificate for the AD FS farm across all federation and Web Application Proxy (WAP) servers in three simple steps:

Figure: The three steps

Note

To learn more about certificates that are used by AD FS, see Understanding certificates used by AD FS.

Prerequisites

  • AD FS farm: Make sure that your AD FS farm is Windows Server 2012 R2-based or later.
  • Azure AD Connect: Ensure that the version of Azure AD Connect is 1.1.553.0 or higher. You'll use the task Update AD FS SSL certificate.

Figure: The Update SSL certificate task

Step 1: Provide AD FS farm information

Azure AD Connect attempts to obtain information about the AD FS farm automatically by:

  1. Querying the farm information from AD FS (Windows Server 2016 or later).
  2. Referencing the information from previous runs, which is stored locally with Azure AD Connect.

You can modify the list of servers that are displayed by adding or removing servers to reflect the current configuration of the AD FS farm. As soon as the server information is provided, Azure AD Connect displays the connectivity and current SSL certificate status of each server.

Figure: AD FS server information

If the list contains a server that's no longer part of the AD FS farm, click Remove to delete the server from the list of servers in your AD FS farm.

Figure: An offline server in the list

Note

Removing a server from the list of servers for an AD FS farm in Azure AD Connect is a local operation: it updates only the information about the AD FS farm that Azure AD Connect maintains locally. Azure AD Connect doesn't modify the configuration on AD FS to reflect the change.

Step 2: Provide a new SSL certificate

After you've confirmed the information about the AD FS farm servers, Azure AD Connect asks for the new SSL certificate. Provide a password-protected PFX certificate to continue the installation.

Figure: SSL certificate

After you provide the certificate, Azure AD Connect goes through a series of prerequisite checks to verify that the certificate is correct for the AD FS farm:

  • The subject name/subject alternative name of the certificate is either the same as the federation service name, or the certificate is a wildcard certificate.
  • The certificate is valid for more than 30 days.
  • The certificate trust chain is valid.
  • The certificate is password protected.
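The same four checks can be run by hand before starting the wizard, so a rejected PFX is caught early. The following script is an added example and is not code from the article or from Azure AD Connect; the PFX path is a placeholder, and the default for the federation service name assumes the script runs on a federation server where Get-AdfsProperties is available (otherwise pass -FederationServiceName explicitly).

```powershell
# Added example: pre-check a PFX against the conditions Azure AD Connect validates
# (name match or wildcard, >30 days validity, trust chain builds, password protected).
param(
    [Parameter(Mandatory)] [string] $PfxPath,           # placeholder, e.g. C:\certs\new-fs.pfx
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    [string] $FederationServiceName = (Get-AdfsProperties).HostName   # assumes an AD FS server
)

$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cert = New-Object $X509 ($PfxPath, $PfxPassword)

# Password protection: the PFX must NOT load with an empty password.
$pwProtected = $true
try { $null = New-Object $X509 ($PfxPath, ''); $pwProtected = $false } catch { }

# Collect the CN and every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17).
# Caveat: Format() output is localized ("DNS Name=" on English Windows), hence the loose regex.
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS[^=]*=([^,\s]+)') |
              ForEach-Object { $_.Groups[1].Value }
}

# Exact (case-insensitive) match, or a wildcard that covers exactly one extra label.
function Test-NameMatch([string] $CertName, [string] $HostName) {
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                       # ".contoso.com"
        if (-not $HostName.EndsWith($suffix, 'OrdinalIgnoreCase')) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $false
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$checks = [ordered]@{
    "Subject/SAN matches '$FederationServiceName' (or wildcard)" =
        @($names | Where-Object { Test-NameMatch $_ $FederationServiceName }).Count -gt 0
    'Valid for more than 30 days'   = $cert.NotAfter -gt (Get-Date).AddDays(30)
    'Trust chain builds on this host' = $chain.Build($cert)
    'PFX is password protected'     = $pwProtected
}
$checks.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Run it from an elevated PowerShell session on the machine whose trust store should validate the chain, because the chain check reflects that host's installed root and intermediate certificates.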

Step 3: Select servers for the update

In the next step, select the servers that need to have the SSL certificate updated. Servers that are offline can't be selected for the update.

Figure: Select servers for the update

After you complete the configuration, Azure AD Connect displays a message that indicates the status of the update and provides an option to verify the AD FS sign-in.

Figure: Configuration complete

FAQs

  • What should be the subject name of the certificate for the new AD FS SSL certificate?

    Azure AD Connect checks whether the subject name/subject alternative name of the certificate contains the federation service name. For example, if your federation service name is fs.contoso.com, the subject name/subject alternative name must be fs.contoso.com. Wildcard certificates are also accepted.

  • Why am I asked for credentials again on the WAP server page?

    If the credentials you provide for connecting to the AD FS servers don't also have the privilege to manage the WAP servers, Azure AD Connect asks for credentials that have administrative privilege on the WAP servers.

  • The server is shown as offline. What should I do?

    Azure AD Connect can't perform any operation if the server is offline. If the server is part of the AD FS farm, check the connectivity to the server. After you've resolved the issue, press the refresh icon to update the status in the wizard. If the server was part of the farm earlier but no longer exists, click Remove to delete it from the list of servers that Azure AD Connect maintains. Removing the server from the list in Azure AD Connect doesn't alter the AD FS configuration itself. If you're using AD FS in Windows Server 2016 or later, the server remains in the configuration settings and will be shown again the next time the task is run.

  • Can I update a subset of my farm servers with the new SSL certificate?

    Yes. You can always run the task Update SSL Certificate again to update the remaining servers. On the Select servers for SSL certificate update page, you can sort the list of servers by SSL Expiry date to easily find the servers that aren't updated yet.

  • I removed the server in the previous run, but it's still shown as offline and listed on the AD FS Servers page. Why is the offline server still there even after I removed it?

    Removing the server from the list in Azure AD Connect doesn't remove it from the AD FS configuration. Azure AD Connect references AD FS (Windows Server 2016 or later) for any information about the farm. If the server is still present in the AD FS configuration, it will be listed again.

Next steps