Provide applications access to Azure Stack

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

When an application needs access to deploy or configure resources through Azure Resource Manager in Azure Stack, you create a service principal, which is a credential for your application. You can then delegate only the necessary permissions to that service principal.

As an example, you may have a configuration management tool that uses Azure Resource Manager to inventory Azure resources. In this scenario, you can create a service principal, grant the Reader role to that service principal, and limit the configuration management tool to read-only access.

Service principals are preferable to running the app under your own credentials because:

  • You can assign permissions to the service principal that are different from your own account permissions. Typically, these permissions are restricted to exactly what the app needs to do.
  • You do not have to change the app's credentials if your responsibilities change.
  • You can use a certificate to automate authentication when executing an unattended script.

Getting started

Depending on how you have deployed Azure Stack, you start by creating a service principal. This document describes creating a service principal for:

  • Azure Active Directory (Azure AD). Azure AD is a multi-tenant, cloud-based directory and identity management service. You can use Azure AD with a connected Azure Stack.
  • Active Directory Federation Services (AD FS). AD FS provides simplified, secured identity federation and web single sign-on (SSO) capabilities. You can use AD FS with both connected and disconnected Azure Stack instances.

Once you've created the service principal, a set of steps common to both AD FS and Azure Active Directory is used to delegate permissions to the role.

Manage service principal for Azure AD

If you have deployed Azure Stack with Azure Active Directory (Azure AD) as your identity management service, you can create service principals just as you do for Azure. This section shows you how to perform the steps through the portal. Check that you have the required Azure AD permissions before beginning.

Create service principal

In this section, you create an application (service principal) in Azure AD that represents your application.

  1. Sign in to your Azure account through the Azure portal.
  2. Select Azure Active Directory > App registrations > New application registration.
  3. Provide a name and URL for the application. Select either Web app / API or Native for the type of application you want to create. After setting the values, select Create.

You have created a service principal for your application.

Get credentials

When programmatically logging in, you use the ID for your application and, for a Web app / API, an authentication key. To get those values, use the following steps:

  1. From App registrations in Active Directory, select your application.

  2. Copy the Application ID and store it in your application code. The applications in the sample applications section refer to this value as the client ID.

    [Screenshot: Client ID]

  3. To generate an authentication key for a Web app / API, select Settings > Keys.

  4. Provide a description of the key and a duration for the key. When done, select Save.

After saving the key, the value of the key is displayed. Copy this value to Notepad or some other temporary location, because you cannot retrieve the key later. You provide the key value together with the application ID to sign in as the application. Store the key value in a place where your application can retrieve it.

    [Screenshot: Saved key]

Once complete, you can assign your application a role.
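The article describes the Application ID and key but not how an unattended script uses them. The following is an added example, not code from the original article or from Microsoft, showing a non-interactive sign-in to Azure Stack with the AzureRM cmdlets. It assumes the AzureRM modules for Azure Stack are installed, that the key was saved once with Export-Clixml (DPAPI-protected for the current user and machine) instead of being hard-coded in the script, and that the endpoint, tenant ID and application ID values are placeholders for your deployment.

```powershell
# Added example (not from the original article): sign in to Azure Stack as the
# Azure AD application using the Application ID and key obtained in the steps above.
# Assumptions: AzureRM modules for Azure Stack are installed; the key was stored once
# with Export-Clixml; the ARM endpoint, tenant ID and application ID are placeholders.

# One-time step, run interactively: persist the key for this user account only (DPAPI).
# The key never appears in the script or in source control.
#   Read-Host -AsSecureString "Application key" | Export-Clixml "$env:USERPROFILE\myapp-key.xml"

$ArmEndpoint   = "https://management.local.azurestack.external"   # ASDK value; replace for an integrated system
$TenantId      = "<Azure AD tenant ID>"                           # placeholder
$ApplicationId = "<Application ID copied from the portal>"        # placeholder

# Import-Clixml returns the SecureString; wrap it with the application ID as a credential.
$Key        = Import-Clixml "$env:USERPROFILE\myapp-key.xml"
$Credential = New-Object System.Management.Automation.PSCredential ($ApplicationId, $Key)

# Register the Azure Stack environment once per session.
Add-AzureRmEnvironment -Name "AzureStackUser" -ArmEndpoint $ArmEndpoint | Out-Null

# Sign in as the application, not as a user.
Add-AzureRmAccount -EnvironmentName "AzureStackUser" `
    -ServicePrincipal `
    -Credential $Credential `
    -TenantId $TenantId | Out-Null

# Confirm the context really is the service principal, then list what it can see.
# With Reader granted at resource-group scope only, this list contains just that group.
$ctx = Get-AzureRmContext
"Signed in as {0} (type: {1}) in tenant {2}" -f $ctx.Account.Id, $ctx.Account.Type, $ctx.Tenant.Id
Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
```

The final listing doubles as a least-privilege check: if the application was given Reader on a single resource group, only that group should appear, and anything more indicates a broader assignment than intended.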

Manage service principal for AD FS

If you have deployed Azure Stack with Active Directory Federation Services (AD FS) as your identity management service, use PowerShell to create a service principal, assign a role for access, and sign in with that identity.

You can use one of two methods to create your service principal with AD FS: a certificate or a client secret.

Tasks for managing AD FS service principals:

    Type                  Action
    AD FS Certificate     Create
    AD FS Certificate     Update
    AD FS Certificate     Remove
    AD FS Client Secret   Create
    AD FS Client Secret   Update
    AD FS Client Secret   Remove

Create a service principal using a certificate

When creating a service principal while using AD FS for identity, you can use a certificate.

Certificate

A certificate is required.

Certificate requirements

  • The Cryptographic Service Provider (CSP) must be a legacy key provider.
  • The certificate format must be a PFX file, as both the public and private keys are required. Windows servers use .pfx files that contain the public key file (SSL certificate file) and the associated private key file.
  • For production, the certificate must be issued from either an internal certificate authority or a public certificate authority. If you use a public certificate authority, you must include the authority in the base operating system image as part of the Microsoft Trusted Root Authority Program. You can find the full list at Microsoft Trusted Root Certificate Program: Participants.
  • Your Azure Stack infrastructure must have network access to the certificate authority's Certificate Revocation List (CRL) location published in the certificate. This CRL must be an HTTP endpoint.
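A PFX that violates the requirements above usually fails only when New-GraphApplication is run over the privileged endpoint, which is slow to iterate on. The following is an added example, not code from the original article, that checks a PFX locally against those requirements first. It assumes Windows PowerShell 5.1 on the .NET Framework, where GetRSAPrivateKey() returns RSACryptoServiceProvider for a legacy (CSP) key and RSACng for a CNG key; the function name, the PFX path and the password are placeholders.

```powershell
# Added example (not from the original article): validate a PFX against the certificate
# requirements listed above before passing it to New-GraphApplication.
# Assumptions: Windows PowerShell 5.1 / .NET Framework; Test-SpnCertificate is a
# hypothetical helper name; path and password below are placeholders.

function Test-SpnCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $Password, $flags)

    $findings = @()

    # 1. A PFX must carry the private key; a public-only .cer/.crt is not enough.
    if (-not $cert.HasPrivateKey) { $findings += "No private key in the PFX" }

    # 2. The key must live in a legacy CSP, not CNG. New-SelfSignedCertificate -KeySpec KeyExchange
    #    yields a CSP key; many modern CA templates yield CNG keys, which this flags.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and $rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $findings += "Private key provider is $($rsa.GetType().Name); a legacy CSP (RSACryptoServiceProvider) key is required"
    }

    # 3. The CRL Distribution Points extension (OID 2.5.29.31) must publish at least one HTTP URL,
    #    because the Azure Stack infrastructure checks revocation over HTTP.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        $findings += "No CRL Distribution Points extension (acceptable only for self-signed lab use)"
    } else {
        $urls = [regex]::Matches($cdp.Format($false), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        if (-not ($urls | Where-Object { $_ -like 'http://*' })) {
            $findings += "CRL locations are not HTTP endpoints: $($urls -join ', ')"
        }
    }

    # 4. The certificate must currently be within its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $findings += "Certificate is outside its validity period" }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage (placeholders):
# $pw = Read-Host -AsSecureString "PFX password"
# Test-SpnCertificate -PfxPath 'C:\certs\myapp.pfx' -Password $pw
```

Run it against the exported PFX before opening the privileged endpoint session; the Findings list names the specific requirement that was missed, and Passed is true only when every check succeeded.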

Parameters

The following information is required as input for the automation parameters:

    Parameter                        Description                    Example
    Name                             Name for the SPN account       MyAPP
    ClientCertificates               Array of certificate objects   X509 certificate
    ClientRedirectUris (Optional)    Application redirect URI       -

Use PowerShell to create a service principal

  1. Open an elevated Windows PowerShell session, and run the following cmdlets:

     # Credential for accessing the ERCS PrivilegedEndpoint, typically domain\cloudadmin
     $Creds = Get-Credential

     # Creating a PSSession to the ERCS PrivilegedEndpoint
     $Session = New-PSSession -ComputerName <ERCS IP> -ConfigurationName PrivilegedEndpoint -Credential $Creds

     # If you have a managed certificate, use the Get-Item command to retrieve your certificate from your certificate location.
     # If you don't want to use a managed certificate, you can produce a self-signed cert for testing purposes:
     # $Cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<YourAppName>" -KeySpec KeyExchange
     $Cert = Get-Item "<YourCertificateLocation>"

     # The local $Cert must be passed into the remote script block with $using:
     $ServicePrincipal = Invoke-Command -Session $Session -ScriptBlock {New-GraphApplication -Name '<YourAppName>' -ClientCertificates $using:Cert}
     $AzureStackInfo = Invoke-Command -Session $Session -ScriptBlock {Get-AzureStackStampInformation}
     $Session | Remove-PSSession

     # For Azure Stack Development Kit, this value is set to https://management.local.azurestack.external. This is read from the AzureStackStampInformation output of the ERCS VM.
     $ArmEndpoint = $AzureStackInfo.TenantExternalEndpoints.TenantResourceManager

     # For Azure Stack Development Kit, this value is set to https://graph.local.azurestack.external/. This is read from the AzureStackStampInformation output of the ERCS VM.
     $GraphAudience = "https://graph." + $AzureStackInfo.ExternalDomainFQDN + "/"

     # TenantID for the stamp. This is read from the AzureStackStampInformation output of the ERCS VM.
     $TenantID = $AzureStackInfo.AADTenantID

     # Register an AzureRM environment that targets your Azure Stack instance
     Add-AzureRMEnvironment `
     -Name "AzureStackUser" `
     -ArmEndpoint $ArmEndpoint

     # Set the GraphEndpointResourceId value and enable AD FS authentication
     Set-AzureRmEnvironment `
     -Name "AzureStackUser" `
     -GraphAudience $GraphAudience `
     -EnableAdfsAuthentication:$true

     # Sign in as the new service principal using its certificate
     Add-AzureRmAccount -EnvironmentName "AzureStackUser" `
     -ServicePrincipal `
     -CertificateThumbprint $ServicePrincipal.Thumbprint `
     -ApplicationId $ServicePrincipal.ClientId `
     -TenantId $TenantID

     # Output the SPN details
     $ServicePrincipal

    Note

    For validation purposes a self-signed certificate can be created using the example below:

     $Cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<yourappname>" -KeySpec KeyExchange

  2. After the automation finishes, it displays the details required to use the SPN. It is recommended to store the output for later use.

    For example:

     ApplicationIdentifier : S-1-5-21-1512385356-3796245103-1243299919-1356
     ClientId              : 3c87e710-9f91-420b-b009-31fa9e430145
     Thumbprint            : 30202C11BE6864437B64CE36C8D988442082A0F1
     ApplicationName       : Azurestack-MyApp-c30febe7-1311-4fd8-9077-3d869db28342
     PSComputerName        : azs-ercs01
     RunspaceId            : a78c76bb-8cae-4db4-a45a-c1420613e01b

Update certificate for service principal for AD FS

If you have deployed Azure Stack with AD FS, you can use PowerShell to update the secret for a service principal.

The script is run from the privileged endpoint on an ERCS virtual machine.

Parameters

The following information is required as input for the automation parameters:

    Parameter                Description                    Example
    Name                     Name for the SPN account       MyAPP
    ApplicationIdentifier    Unique identifier              S-1-5-21-1634563105-1224503876-2692824315-2119
    ClientCertificate        Array of certificate objects   X509 certificate

Example of updating service principal for AD FS

The example creates a self-signed certificate. When you run the cmdlets in a production deployment, use Get-Item to retrieve the certificate object for the certificate you want to use.

  1. Open an elevated Windows PowerShell session, and run the following cmdlets:

     # Credential for accessing the ERCS PrivilegedEndpoint, typically domain\cloudadmin
     $Creds = Get-Credential

     # Creating a PSSession to the ERCS PrivilegedEndpoint
     $Session = New-PSSession -ComputerName <ERCS IP> -ConfigurationName PrivilegedEndpoint -Credential $Creds

     # This produces a self-signed cert for testing purposes. It is preferred to use a managed certificate for this.
     $NewCert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=<YourAppName>" -KeySpec KeyExchange

     # Replace the certificate on the existing application. The local $NewCert must be passed into the remote script block with $using:
     $UpdateServicePrincipal = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier S-1-5-21-1634563105-1224503876-2692824315-2120 -ClientCertificates $using:NewCert}

     $Session | Remove-PSSession

     # Output the updated SPN details, including the new thumbprint
     $UpdateServicePrincipal

  2. After the automation finishes, it displays the updated thumbprint value required for SPN authentication.

     ClientId              :
     Thumbprint            : AF22EE716909041055A01FE6C6F5C5CDE78948E9
     ApplicationName       : Azurestack-ThomasAPP-3e5dc4d2-d286-481c-89ba-57aa290a4818
     ClientSecret          :
     RunspaceId            : a580f894-8f9b-40ee-aa10-77d4d142b4e5

Create a service principal using a client secret

When creating a service principal while using AD FS for identity, you can use a client secret. You use the privileged endpoint to run the cmdlets.

These scripts are run from the privileged endpoint on an ERCS virtual machine. For more information about the privileged endpoint, see Using the privileged endpoint in Azure Stack.

Parameters

The following information is required as input for the automation parameters:

    Parameter               Description                Example
    Name                    Name for the SPN account   MyAPP
    GenerateClientSecret    Create secret

Use the ERCS PrivilegedEndpoint to create the service principal

  1. Open an elevated Windows PowerShell session, and run the following cmdlets:

     # Credential for accessing the ERCS PrivilegedEndpoint, typically domain\cloudadmin
     $Creds = Get-Credential

     # Creating a PSSession to the ERCS PrivilegedEndpoint
     $Session = New-PSSession -ComputerName <ERCS IP> -ConfigurationName PrivilegedEndpoint -Credential $Creds

     # Creating an SPN with a secret
     $ServicePrincipal = Invoke-Command -Session $Session -ScriptBlock {New-GraphApplication -Name '<YourAppName>' -GenerateClientSecret}
     $AzureStackInfo = Invoke-Command -Session $Session -ScriptBlock {Get-AzureStackStampInformation}
     $Session | Remove-PSSession

     # Output the SPN details
     $ServicePrincipal

  2. After the cmdlets run, the shell displays the details required to use the SPN. Make sure you store the client secret.

     ApplicationIdentifier : S-1-5-21-1634563105-1224503876-2692824315-2623
     ClientId              : 8e0ffd12-26c8-4178-a74b-f26bd28db601
     Thumbprint            :
     ApplicationName       : Azurestack-YourApp-6967581b-497e-4f5a-87b5-0c8d01a9f146
     ClientSecret          : 6RUZLRoBw3EebMDgaWGiowCkoko5_j_ujIPjA8dS
     PSComputerName        : 192.168.200.224
     RunspaceId            : 286daaa1-c9a6-4176-a1a8-03f543f90998

Update client secret for a service principal for AD FS

A new client secret is auto-generated by the PowerShell cmdlet.

The script is run from the privileged endpoint on an ERCS virtual machine.

Parameters

The following information is required as input for the automation parameters:

    Parameter                Description                                                                                          Example
    ApplicationIdentifier    Unique identifier.                                                                                   S-1-5-21-1634563105-1224503876-2692824315-2119
    ChangeClientSecret       Changes the client secret with a rollover period of 2880 minutes during which the old secret is still valid.
    ResetClientSecret        Changes the client secret immediately.

Example of updating a client secret for AD FS

The example uses the ResetClientSecret parameter, which immediately changes the client secret.

  1. Open an elevated Windows PowerShell session, and run the following cmdlets:

     # Credential for accessing the ERCS PrivilegedEndpoint, typically domain\cloudadmin
     $Creds = Get-Credential

     # Creating a PSSession to the ERCS PrivilegedEndpoint
     $Session = New-PSSession -ComputerName <ERCS IP> -ConfigurationName PrivilegedEndpoint -Credential $Creds

     # Reset the client secret immediately; the cmdlet generates the new secret itself, so no certificate or input secret is needed
     $UpdateServicePrincipal = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier S-1-5-21-1634563105-1224503876-2692824315-2120 -ResetClientSecret}

     $Session | Remove-PSSession

     # Output the SPN details, including the new client secret
     $UpdateServicePrincipal

  2. After the automation finishes, it displays the newly generated secret required for SPN authentication. Make sure you store the new client secret.

     ApplicationIdentifier : S-1-5-21-1634563105-1224503876-2692824315-2120
     ClientId              :
     Thumbprint            :
     ApplicationName       : Azurestack-Yourapp-6967581b-497e-4f5a-87b5-0c8d01a9f146
     ClientSecret          : MKUNzeL6PwmlhWdHB59c25WDDZlJ1A6IWzwgv_Kn
     RunspaceId            : 6ed9f903-f1be-44e3-9fef-e7e0e3f48564

Remove a service principal for AD FS

If you have deployed Azure Stack with AD FS, you can use PowerShell to delete a service principal.

The script is run from the privileged endpoint on an ERCS virtual machine.

Parameters

The following information is required as input for the automation parameters:

    Parameter                Description         Example
    ApplicationIdentifier    Unique identifier   S-1-5-21-1634563105-1224503876-2692824315-2119

Note

To view a list of all existing service principals and their Application Identifier, the Get-GraphApplication cmdlet can be used.

Example of removing the service principal for AD FS

     # Credential for accessing the ERCS PrivilegedEndpoint, typically domain\cloudadmin
     $Creds = Get-Credential

     # Creating a PSSession to the ERCS PrivilegedEndpoint
     $Session = New-PSSession -ComputerName <ERCS IP> -ConfigurationName PrivilegedEndpoint -Credential $Creds

     # Delete the application identified by its ApplicationIdentifier
     $RemoveServicePrincipal = Invoke-Command -Session $Session -ScriptBlock {Remove-GraphApplication -ApplicationIdentifier S-1-5-21-1634563105-1224503876-2692824315-2119}

     $Session | Remove-PSSession
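The note above says Get-GraphApplication lists every service principal with its Application Identifier, which is what a periodic review of AD FS service principals needs before anything is removed. The following is an added example, not code from the original article, that takes an inventory through the privileged endpoint and resolves the identifier to remove from the application name. It assumes Get-GraphApplication called without arguments returns every application with the ApplicationName, ApplicationIdentifier, ClientId and Thumbprint properties shown in the outputs above, and that the ERCS address, the CSV path and the name pattern are placeholders.

```powershell
# Added example (not from the original article): inventory AD FS service principals via the
# privileged endpoint so stale or unexpected ones are reviewed before removal.
# Assumptions: Get-GraphApplication with no arguments lists all applications with the
# properties seen in this article's outputs; $ErcsIp, the CSV path and the name pattern
# are placeholders.

$ErcsIp  = "<ERCS IP>"
$Creds   = Get-Credential            # typically domain\cloudadmin
$Session = New-PSSession -ComputerName $ErcsIp -ConfigurationName PrivilegedEndpoint -Credential $Creds
try {
    # Objects come back deserialized; only their properties are needed here.
    $apps = Invoke-Command -Session $Session -ScriptBlock { Get-GraphApplication }
} finally {
    # Always close the privileged session, even if the call failed.
    $Session | Remove-PSSession
}

# Keep an audit record. No secrets are written: ClientSecret is only returned at
# creation or reset time, and the thumbprint identifies a public certificate.
$apps | Select-Object ApplicationName, ApplicationIdentifier, ClientId, Thumbprint |
    Export-Csv -Path "$env:USERPROFILE\azurestack-spn-inventory.csv" -NoTypeInformation

# Summarise how each principal authenticates. In this article's outputs a certificate
# principal carries a Thumbprint and a client-secret principal has it empty, so the
# blank-thumbprint case is treated here as secret-based (assumption).
$apps | ForEach-Object {
    [pscustomobject]@{
        ApplicationName       = $_.ApplicationName
        ApplicationIdentifier = $_.ApplicationIdentifier
        AuthType              = if ($_.Thumbprint) { 'Certificate' } else { 'ClientSecret' }
    }
} | Format-Table -AutoSize

# Resolve the identifier for Remove-GraphApplication from the name rather than retyping a SID.
$target = $apps | Where-Object { $_.ApplicationName -like 'Azurestack-MyApp-*' }
if (@($target).Count -ne 1) {
    Write-Warning "Expected exactly one match, found $(@($target).Count); refusing to pick one."
} else {
    "Identifier to pass to Remove-GraphApplication: $($target.ApplicationIdentifier)"
}
```

The match count check matters because New-GraphApplication appends a GUID to the name you give it (see the ApplicationName values above), so a wildcard on the prefix can match more than one registration if the same name was used twice.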

Assign a role

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To learn about the available roles, see RBAC: Built-in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. In the Azure Stack portal, navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select Subscriptions. You could instead select a resource group or resource.

  2. Select the particular subscription (resource group or resource) to assign the application to.

    [Screenshot: Select the subscription to assign]

  3. Select Access Control (IAM).

    [Screenshot: Select access]

  4. Select Add role assignment.

  5. Select the role you wish to assign to the application.

  6. Search for your application, and select it.

  7. Select OK to finish assigning the role. You see your application in the list of users assigned to a role for that scope.

Now that you've created a service principal and assigned a role, you can begin using it within your application to access Azure Stack resources.
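The portal steps above can be scripted and, more usefully, verified. The following is an added example, not code from the original article or from Microsoft, that grants the least-privilege Reader role at resource-group scope with the AzureRM RBAC cmdlets and then audits the principal's assignments. It assumes you are already signed in to the Azure Stack environment as a user allowed to assign roles, that the application ID is the ClientId or Application ID from the sections above, and that the resource group name is a placeholder.

```powershell
# Added example (not from the original article): assign Reader at resource-group scope
# with the AzureRM RBAC cmdlets and verify that nothing broader was granted.
# Assumptions: already signed in to the Azure Stack environment with rights to assign roles;
# $ApplicationId and $ResourceGroupName are placeholders.

$ApplicationId     = "<Application ID / ClientId of the service principal>"
$ResourceGroupName = "<resource group the application needs to read>"

# Grant Reader on one resource group only; the permission is inherited by the resources inside it.
$assignment = New-AzureRmRoleAssignment -ApplicationId $ApplicationId `
    -RoleDefinitionName "Reader" `
    -ResourceGroupName $ResourceGroupName

# Verify: which roles does this principal now hold, and at which scopes?
Get-AzureRmRoleAssignment -ObjectId $assignment.ObjectId |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Audit check: flag any assignment for this principal above resource-group scope,
# for instance an earlier subscription-level Contributor grant that should be removed.
$broad = Get-AzureRmRoleAssignment -ObjectId $assignment.ObjectId |
    Where-Object { $_.Scope -notmatch '/resourceGroups/' }
if ($broad) {
    Write-Warning "Principal also holds assignments at subscription scope or higher:"
    $broad | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    "Only resource-group-scoped assignments found for $($assignment.DisplayName)."
}
```

Running the audit portion on a schedule against every service principal in the subscription gives a cheap check that the least-privilege intent described at the top of this article still holds after later changes.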

Next steps

Add users for AD FS
Manage user permissions
Azure Active Directory Documentation
Active Directory Federation Services