Validate AD FS integration for Azure Stack Hub

Use the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) to validate that your environment is ready for Active Directory Federation Services (AD FS) integration with Azure Stack Hub. Validate AD FS integration before you begin datacenter integration or before an Azure Stack Hub deployment.

The readiness checker validates:

  • The federation metadata contains the valid XML elements for federation.
  • The AD FS SSL certificate can be retrieved and a chain of trust can be built. On the stamp, AD FS must trust the SSL certificate chain. The certificate must be signed by the same certificate authority used for the Azure Stack Hub deployment certificates or by a trusted root authority partner. For the full list of trusted root authority partners, see TechNet.
  • The AD FS signing certificate is trusted and not nearing expiration.

For more information about Azure Stack Hub datacenter integration, see Azure Stack Hub datacenter integration - Identity.

Get the readiness checker tool

Download the latest version of the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) from the PowerShell Gallery.

Prerequisites

The following prerequisites must be in place.

The computer where the tool runs:

  • Windows 10 or Windows Server 2016 with domain connectivity.
  • PowerShell 5.1 or later. To check your version, run the following PowerShell command and then review the Major and Minor version numbers:
    $PSVersionTable.PSVersion
    
  • The latest version of the Microsoft Azure Stack Hub Readiness Checker tool.

Active Directory Federation Services environment:

You need at least one of the following forms of metadata:

  • The URL for the AD FS federation metadata. For example: https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml.
  • The federation metadata XML file. For example: FederationMetadata.xml.

Validate AD FS integration

  1. On a computer that meets the prerequisites, open an administrative PowerShell prompt and then run the following command to install AzsReadinessChecker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
    
  2. From the PowerShell prompt, run the following command to start validation. Specify the value for -CustomADFSFederationMetadataEndpointUri as the URI of the federation metadata.

    Invoke-AzsADFSValidation -CustomADFSFederationMetadataEndpointUri https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
    
  3. After the tool runs, review the output. Confirm that the status is OK for each AD FS integration requirement. A successful validation looks similar to the following example:

    Invoke-AzsADFSValidation v1.1809.1001.1 started.
    
    Testing ADFS Endpoint https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
    
            Read Metadata:                         OK
            Test Metadata Elements:                OK
            Test SSL ADFS Certificate:             OK
            Test Certificate Chain:                OK
            Test Certificate Expiry:               OK
    
    Details:
    [-] In standalone mode, some tests should not be considered fully indicative of connectivity or readiness the Azure Stack Hub Stamp requires prior to Datacenter Integration.
    Additional help URL: https://aka.ms/AzsADFSIntegration
    
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    
    Invoke-AzsADFSValidation Completed
    

In production environments, testing certificate chains of trust from an operator's workstation isn't fully indicative of the PKI trust posture in the Azure Stack Hub infrastructure. The Azure Stack Hub stamp's public VIP network needs connectivity to the CRL of the PKI infrastructure, and the workstation running the tool may have trust anchors or CRL reachability that the stamp does not.
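To make the three OK lines in the output above concrete, the following PowerShell script is an added example (it is not part of AzsReadinessChecker and does not reproduce its internals) that performs the same three checks by hand: it parses the federation metadata for the EntityDescriptor and an IDPSSODescriptor signing key, checks each signing certificate for expiry and builds its chain of trust, and, when given an endpoint URL, retrieves the TLS certificate and builds its chain too. The function names, the sts.contoso.com names, and the constructed sample metadata are hypothetical; the script assumes Windows PowerShell 5.1 on Windows 10 or Windows Server 2016, where New-SelfSignedCertificate is available to build the sample.

```powershell
# Added example, not from the page or the AzsReadinessChecker module: hand-rolled versions of the
# metadata, signing-certificate and SSL-certificate checks. Names below are hypothetical.
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Test-CertificateChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [int] $WarnDays = 90,
        [switch] $CheckRevocation
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking from an operator workstation says nothing about whether the stamp's
    # public VIP network can reach the CRL, so it is off unless explicitly requested.
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $trusted  = $chain.Build($Certificate)
    $daysLeft = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        DaysLeft = $daysLeft
        Expiring = ($daysLeft -le $WarnDays)
        Trusted  = $trusted
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}

function Get-TlsCertificate {
    param([string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents here; the chain is evaluated separately above.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $X509::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-AdfsFederationMetadata {
    param(
        [Parameter(Mandatory)] [string] $Metadata,   # path to FederationMetadata.xml or https:// endpoint URL
        [int] $WarnDays = 90,
        [switch] $CheckRevocation
    )
    $result = [ordered]@{ ReadMetadata = $false; MetadataElements = $false; SigningCertificates = @(); SslCertificate = $null }

    # Read metadata from the file or the endpoint
    $isUrl = $Metadata -match '^https?://'
    if ($isUrl) { $raw = (Invoke-WebRequest -Uri $Metadata -UseBasicParsing).Content }
    else        { $raw = Get-Content -Path $Metadata -Raw }
    [xml] $xml = $raw
    $result.ReadMetadata = $true

    # Test metadata elements: an EntityDescriptor with an entityID and at least one
    # signing key published under the identity-provider role
    $ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
    $entity    = Select-Xml -Xml $xml -Namespace $ns -XPath '/md:EntityDescriptor[@entityID]'
    $certNodes = Select-Xml -Xml $xml -Namespace $ns -XPath '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate'
    $result.MetadataElements = [bool]$entity -and [bool]$certNodes

    # Test signing certificate expiry and chain of trust for every published signing key
    foreach ($node in $certNodes) {
        $cert = $X509::new([Convert]::FromBase64String($node.Node.InnerText.Trim()))
        $result.SigningCertificates += Test-CertificateChain -Certificate $cert -WarnDays $WarnDays -CheckRevocation:$CheckRevocation
    }

    # Test the SSL certificate of the endpoint when a URL was given
    if ($isUrl) {
        $tls = Get-TlsCertificate -HostName ([uri]$Metadata).Host
        $result.SslCertificate = Test-CertificateChain -Certificate $tls -WarnDays $WarnDays -CheckRevocation:$CheckRevocation
    }
    [pscustomobject]$result
}

# Constructed sample: a self-signed "signing" certificate wrapped in a minimal metadata document,
# so the script runs offline. Replace $samplePath with a real file or endpoint URL in practice.
$sample = New-SelfSignedCertificate -Subject 'CN=ADFS Signing - sts.contoso.com' `
            -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(30)
$b64 = [Convert]::ToBase64String($sample.RawData)
$samplePath = Join-Path $env:TEMP 'FederationMetadata.sample.xml'
@"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sts.contoso.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$b64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@ | Set-Content -Path $samplePath -Encoding UTF8

$report = Test-AdfsFederationMetadata -Metadata $samplePath -WarnDays 90
$report | Format-List ReadMetadata, MetadataElements
$report.SigningCertificates | Format-Table Subject, DaysLeft, Expiring, Trusted, Status

Remove-Item $samplePath
Remove-Item "Cert:\CurrentUser\My\$($sample.Thumbprint)"
```

With the constructed sample, the signing key is self-signed and valid for only 30 days, so the chain cannot be built to a trusted root and the expiry check flags it; that is the shape of a failed run. Against a real farm, point -Metadata at the FederationMetadata.xml URL and add -CheckRevocation to exercise CRL retrieval from the workstation, bearing in mind that a chain that builds on the workstation still has to build on the stamp, which has its own trust store and its own route to the CRL.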

Report and log file

Each time validation runs, it logs results to AzsReadinessChecker.log and AzsReadinessCheckerReport.json. The location of these files appears with the validation results in PowerShell.

The validation files can help you share status before you deploy Azure Stack Hub or investigate validation problems. Both files persist the results of each subsequent validation check. The report gives your deployment team confirmation of the identity configuration. The log file can help your deployment or support team investigate validation issues.

By default, both files are written to C:\Users\<username>\AppData\Local\Temp\AzsReadinessChecker\.

Use:

  • -OutputPath: Add this parameter at the end of the run command to specify a different location for the report and log files.
  • -CleanReport: Add this parameter at the end of the run command to clear previous report information from AzsReadinessCheckerReport.json. For more information, see Azure Stack Hub validation report.

Validation failures

If a validation check fails, details about the failure appear in the PowerShell window. The tool also logs information to AzsReadinessChecker.log.

The following examples provide guidance on common validation failures.

Command Not Found

Invoke-AzsADFSValidation : The term 'Invoke-AzsADFSValidation' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Cause: PowerShell autoloading failed to load the Readiness Checker module correctly.

Resolution: Import the Readiness Checker module explicitly. Copy and paste the following code into PowerShell and replace <version> with the number of the currently installed version.

Import-Module "c:\Program Files\WindowsPowerShell\Modules\Microsoft.AzureStack.ReadinessChecker\<version>\Microsoft.AzureStack.ReadinessChecker.psd1" -Force
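As an added example (not from the page), the version number can be resolved from the installed module list instead of typed by hand, which also confirms that the cmdlet resolves before you retry the validation:

```powershell
# Added example: locate the newest installed copy of the module and import it by its manifest path,
# then confirm Invoke-AzsADFSValidation is resolvable. Hypothetical helper, not part of the tool.
$module = Get-Module -ListAvailable -Name Microsoft.AzureStack.ReadinessChecker |
          Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    throw 'Microsoft.AzureStack.ReadinessChecker is not installed; run Install-Module first.'
}
Import-Module -Name $module.Path -Force
Get-Command -Name Invoke-AzsADFSValidation -Module Microsoft.AzureStack.ReadinessChecker |
    Select-Object Name, Version
```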

Next steps

View the readiness report
General Azure Stack Hub integration considerations