Enable Azure Active Directory Domain Services authentication on Azure Files

Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). We strongly recommend reviewing the How it works section to select the right domain service for authentication, because the setup differs depending on the domain service you choose. This article focuses on enabling and configuring Azure AD DS for authentication with Azure file shares.

If you are new to Azure file shares, we recommend reading our planning guide before reading the following series of articles.

Note

Azure Files supports Kerberos authentication with Azure AD DS using RC4-HMAC only; AES Kerberos encryption is not yet supported. A consequence worth checking before you start: a VM whose Kerberos policy no longer allows RC4-HMAC cannot obtain a service ticket for the share. Azure Files supports authentication with Azure AD DS only when Azure AD DS is fully synchronized with Azure AD. If you have enabled scoped synchronization in Azure AD DS, which syncs only a limited set of identities from Azure AD, authentication and authorization are not supported.

Prerequisites

Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:

  1. Select or create an Azure AD tenant.

    You can use a new or existing tenant for Azure AD authentication over SMB. The tenant and the file share that you want to access must be associated with the same subscription.

    To create a new Azure AD tenant, you can Add an Azure AD tenant and an Azure AD subscription. If you have an existing Azure AD tenant but want to create a new tenant for use with Azure file shares, see Create an Azure Active Directory tenant.

  2. Enable Azure AD Domain Services on the Azure AD tenant.

    To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant. If you aren't the administrator of the Azure AD tenant, contact the administrator and follow the step-by-step guidance to Enable Azure Active Directory Domain Services using the Azure portal.

    It typically takes about 15 minutes for an Azure AD DS deployment to complete. Verify that the health status of Azure AD DS shows Running, with password hash synchronization enabled, before proceeding to the next step.

  3. Domain-join an Azure VM with Azure AD DS.

    To access a file share by using Azure AD credentials from a VM, your VM must be domain-joined to Azure AD DS. For more information about how to domain-join a VM, see Join a Windows Server virtual machine to a managed domain.

    Note

    Azure AD DS authentication over SMB with Azure file shares is supported only on Azure VMs running OS versions newer than Windows 7 or Windows Server 2008 R2.

  4. Select or create an Azure file share.

    Select a new or existing file share that's associated with the same subscription as your Azure AD tenant. For information about creating a new file share, see Create a file share in Azure Files. For optimal performance, we recommend that your file share be in the same region as the VM from which you plan to access the share.

  5. Verify Azure Files connectivity by mounting the Azure file share using your storage account key.

    To verify that your VM and file share are properly configured, try mounting the file share using your storage account key. For more information, see Mount an Azure file share and access the share in Windows.

Overview of the workflow

Before you enable Azure AD DS authentication over SMB for Azure file shares, verify that your Azure AD and Azure Storage environments are properly configured. We recommend that you walk through the prerequisites to make sure you've completed all the required steps.

Next, do the following to grant access to Azure Files resources with Azure AD credentials:

  1. Enable Azure AD DS authentication over SMB for your storage account to register the storage account with the associated Azure AD DS deployment.
  2. Assign access permissions for a share to an Azure AD identity (a user, group, or service principal).
  3. Configure NTFS permissions over SMB for directories and files.
  4. Mount an Azure file share from a domain-joined VM.

The following diagram illustrates the end-to-end workflow for enabling Azure AD DS authentication over SMB for Azure Files.

[Diagram: workflow for enabling Azure AD over SMB for Azure Files]

Enable Azure AD DS authentication for your account

To enable Azure AD DS authentication over SMB for Azure Files, you set a property on the storage account by using the Azure portal, Azure PowerShell, or Azure CLI. Setting this property implicitly "domain joins" the storage account with the associated Azure AD DS deployment. Azure AD DS authentication over SMB is then enabled for all new and existing file shares in the storage account.

Keep in mind that you can enable Azure AD DS authentication over SMB only after you have successfully deployed Azure AD DS to your Azure AD tenant. For more information, see the prerequisites.

To enable Azure AD DS authentication over SMB with the Azure portal, follow these steps:

  1. In the Azure portal, go to your existing storage account, or create a storage account.
  2. In the Settings section, select Configuration.
  3. Under Identity-based access for file shares, switch the toggle for Azure Active Directory Domain Service (AAD DS) to Enabled.
  4. Select Save.

The following image shows how to enable Azure AD DS authentication over SMB for your storage account.

[Screenshot: enabling Azure AD DS authentication over SMB in the Azure portal]
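The same property can be set from Azure PowerShell. The following script is an added example, not code from the original article: it enables the setting with Set-AzStorageAccount and then reads the property back with Get-AzStorageAccount to confirm the account now reports AADDS as its directory service. The resource group and storage account names are assumed placeholders; the script expects the Az.Storage module and a session signed in with Connect-AzAccount.

```powershell
# Added example (not from the original article): enable Azure AD DS
# authentication over SMB on a storage account and verify the result.
# Requires the Az.Storage module and an authenticated session, e.g.
#   Connect-AzAccount -Environment AzureChinaCloud
# Resource group and storage account names below are assumed placeholders.

$resourceGroup  = "rg-files-demo"     # assumed
$storageAccount = "stfilesdemo01"     # assumed

# Setting this property "domain joins" the storage account to the
# Azure AD DS deployment associated with the tenant.
Set-AzStorageAccount -ResourceGroupName $resourceGroup `
    -Name $storageAccount `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# Read the property back rather than trusting the write call's return value.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$directoryService = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

if ($directoryService -ne "AADDS") {
    throw "Identity-based auth on $storageAccount is '$directoryService'; expected 'AADDS'."
}
Write-Host "Azure AD DS authentication over SMB is enabled on $storageAccount."
```

Passing `$false` to the same parameter turns the feature off again for every share in the account, so treat this switch as an account-wide change rather than a per-share one.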

Assign access permissions to an identity

To access Azure Files resources with identity-based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity.

Three Azure built-in roles are provided for granting share-level permissions:

  • Storage File Data SMB Share Reader allows read access to Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access to Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, and delete access, plus the ability to modify NTFS permissions, in Azure Storage file shares over SMB.

Important

Full administrative control of a file share, including the ability to take ownership of a file, requires the storage account key. Administrative control is not supported with Azure AD credentials.

You can use the Azure portal, PowerShell, or Azure CLI to assign the built-in roles to an Azure AD identity to grant share-level permissions. Be aware that a share-level Azure role assignment can take some time to take effect.

Note

If you plan to use your on-premises AD DS for authentication, remember to sync your AD DS identities to Azure AD. Password hash sync from AD DS to Azure AD is optional. The share-level permission is granted to the Azure AD identity that is synced from your on-premises AD DS.

The general recommendation is to use share-level permissions for high-level access management, assigned to an AD group that represents a set of users and identities, and then use NTFS permissions for granular access control at the directory and file level.

Assign an Azure role to an AD identity

To assign an Azure role to an Azure AD identity using the Azure portal, follow these steps:

  1. In the Azure portal, go to your file share, or Create a file share.
  2. Select Access Control (IAM).
  3. Select Add a role assignment.
  4. In the Add role assignment blade, select the appropriate built-in role (Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, or Storage File Data SMB Share Elevated Contributor) from the Role list. Leave Assign access to at the default setting: Azure AD user, group, or service principal. Select the target Azure AD identity by name or email address.
  5. Select Save to complete the role assignment operation.
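The portal steps above can be scripted with Azure PowerShell, which also makes it easy to follow the recommendation of assigning the share-level role to a group rather than to individual users. The following script is an added example, not code from the original article: it builds the resource ID of a single file share, assigns Storage File Data SMB Share Contributor to an Azure AD group at that scope only if no such assignment exists yet, and then lists the SMB share-level assignments that are effective on the share. The subscription ID, resource group, storage account, share and group names are assumed placeholders; the script expects the Az.Resources and Az.Storage modules and an authenticated session.

```powershell
# Added example (not from the original article): assign a share-level
# built-in role to an Azure AD group and verify the assignment.
# Requires Az.Resources and Az.Storage and an authenticated session.
# All IDs and names below are assumed placeholders.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumed
$resourceGroup  = "rg-files-demo"                           # assumed
$storageAccount = "stfilesdemo01"                           # assumed
$shareName      = "projects"                                # assumed
$groupName      = "FileShare-Projects-Contributors"         # assumed Azure AD group

# Scope the assignment to the single file share rather than the whole
# storage account, so the role grants nothing on other shares.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/fileServices/default/fileshares/$shareName"

# Resolve the group to its object ID. Assigning to a group keeps
# share-level access reviewable; membership changes need no new assignment.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Azure AD group '$groupName' not found." }

$role = "Storage File Data SMB Share Contributor"

# Idempotent: create the assignment only if it is not already present.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope | Out-Null
    Write-Host "Assigned '$role' to '$groupName' on share '$shareName'."
} else {
    Write-Host "'$role' is already assigned to '$groupName' on share '$shareName'."
}

# Review every SMB share-level role effective at this scope, including
# assignments inherited from the storage account, resource group or subscription.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final listing is the one to keep an eye on: an assignment inherited from a broader scope shows up here too, and it grants access to every share beneath that scope, not just this one.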

Configure NTFS permissions over SMB

After you assign share-level permissions with RBAC, you must assign proper NTFS permissions at the root, directory, or file level. Think of share-level permissions as the high-level gatekeeper that determines whether a user can access the share at all, whereas NTFS permissions act at a more granular level to determine what operations the user can perform on each directory or file.

Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows icacls or Set-Acl command.

To configure NTFS permissions with superuser rights, you must mount the share by using your storage account key from your domain-joined VM. Follow the instructions in the next section to mount an Azure file share from the command prompt and then configure NTFS permissions accordingly.

The following sets of permissions are supported on the root directory of a file share:

  • BUILTIN\Administrators:(OI)(CI)(F)
  • NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  • BUILTIN\Users:(RX)
  • BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
  • NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
  • NT AUTHORITY\SYSTEM:(F)
  • CREATOR OWNER:(OI)(CI)(IO)(F)

Note that the Authenticated Users entry grants Modify, inherited by every subdirectory and file. Until you tighten the NTFS permissions, any identity that passes the share-level gate with a Contributor role can therefore write anywhere in the share.

Mount a file share from the command prompt

Use the Windows net use command to mount the Azure file share. Because this mount is used to configure NTFS permissions with superuser rights, it authenticates with the storage account key rather than with the signed-in identity; the user name is always Azure\<storage-account-name>. Remember to replace the placeholder values in the following example with your own values. For more information about mounting file shares, see Use an Azure file share with Windows.

# Confirm that port 445 is reachable before attempting the mount.
$connectTestResult = Test-NetConnection -ComputerName <storage-account-name>.file.core.chinacloudapi.cn -Port 445
if ($connectTestResult.TcpTestSucceeded)
{
    # Mount with the storage account key; the "Azure\" user prefix is fixed.
    net use <desired-drive-letter>: \\<storage-account-name>.file.core.chinacloudapi.cn\<fileshare-name> /user:Azure\<storage-account-name> <storage-account-key>
}
else
{
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

If you experience issues connecting to Azure Files, refer to the troubleshooting tool we published for Azure Files mounting errors on Windows. We also provide guidance for working around scenarios where port 445 is blocked.

Configure NTFS permissions with Windows File Explorer

Use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory.

  1. Open Windows File Explorer, right-click the file or directory, and select Properties.
  2. Select the Security tab.
  3. Select Edit... to change permissions.
  4. You can change the permissions of existing users or select Add... to grant permissions to new users.
  5. In the prompt window for adding new users, enter the target user name you want to grant permission to in the Enter the object names to select box, and select Check Names to find the full UPN of the target user.
  6. Select OK.
  7. In the Security tab, select all permissions you want to grant your new user.
  8. Select Apply.

Configure NTFS permissions with icacls

Use the following Windows command to grant full permissions to all directories and files under the file share, including the root directory. Remember to replace the placeholder values in the example with your own values.

icacls <mounted-drive-letter>: /grant <user-email>:(f)

For more information on how to use icacls to set NTFS permissions and on the different types of supported permissions, see the command-line reference for icacls.
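In practice you would rarely hand a user Full control on the root. The following script is an added example, not code from the original article: run from the domain-joined VM with the share mounted using the storage account key, it first saves the existing ACLs with icacls /save so the change can be rolled back, then grants an Azure AD DS group Modify rights with the (OI)(CI) inheritance flags so the entry applies to subdirectories and files (a bare /grant user:(f) as shown above affects the root entry only), and finally reads the root ACL back to confirm the entry is present. The drive letter and the NetBIOS domain and group names are assumed placeholders.

```powershell
# Added example (not from the original article): back up the ACLs of a
# mounted Azure file share, grant an Azure AD DS group inherited Modify
# rights, and verify the resulting root ACL with icacls.
# Run on the domain-joined VM with the share mounted using the storage
# account key so the ACL edit runs with superuser rights.
# Drive letter, domain and group names are assumed placeholders.

$drive     = "Z:\"                                         # assumed mounted drive
$principal = "CONTOSO\FileShare-Projects-Contributors"     # assumed AAD DS group (DOMAIN\name form)
$backup    = Join-Path $env:TEMP "share-acl-backup.txt"

# /save with /t walks the tree and records every ACL; /c keeps going past
# individual errors. Restore later with: icacls Z:\ /restore <file>
icacls $drive /save $backup /t /c | Out-Null
if ($LASTEXITCODE -ne 0) { throw "ACL backup to $backup failed; not changing permissions." }

# (OI)(CI) make the entry inherit to child files and folders. M (Modify)
# allows creating, editing and deleting content but not changing ACLs or
# taking ownership, which F (Full control) would allow.
icacls $drive /grant "${principal}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls grant for $principal failed." }

# Read the root ACL back and confirm the expected entry exists.
$rootAcl = icacls $drive
$ace = $rootAcl | Where-Object {
    $_ -match [regex]::Escape($principal) -and $_ -match '\(OI\)\(CI\)\(M\)'
}
if (-not $ace) { throw "Expected ACE for $principal not found on $drive." }

Write-Host "Granted inherited Modify to $principal on $drive. Current root ACL:"
$rootAcl
```

Granting Modify to a group and leaving ACL changes to the account-key mount keeps the "who may change permissions" decision with the storage administrator, which is the split the article's share-level and NTFS-level model is built around.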

Mount a file share from a domain-joined VM

The following process verifies that your file share and access permissions were set up correctly and that you can access an Azure file share from a domain-joined VM. Be aware that the share-level Azure role assignment can take some time to take effect.

Sign in to the VM by using the Azure AD identity to which you have granted permissions, as shown in the following image. If you have enabled on-premises AD DS authentication for Azure Files, use your AD DS credentials. For Azure AD DS authentication, sign in with Azure AD credentials.

[Screenshot: Azure AD sign-in screen for user authentication]

Use the following command to mount the Azure file share. Remember to replace the placeholder values with your own values. Because you are already authenticated, you don't need to provide the storage account key, the on-premises AD DS credentials, or the Azure AD DS credentials. Single sign-on is supported for authentication with either on-premises AD DS or Azure AD DS. If you run into issues mounting with AD DS credentials, refer to Troubleshoot Azure Files problems in Windows for guidance.

# Confirm that port 445 is reachable before attempting the mount.
$connectTestResult = Test-NetConnection -ComputerName <storage-account-name>.file.core.chinacloudapi.cn -Port 445
if ($connectTestResult.TcpTestSucceeded)
{
    # No /user: argument: the SMB client authenticates as the signed-in domain identity.
    net use <desired-drive-letter>: \\<storage-account-name>.file.core.chinacloudapi.cn\<fileshare-name>
}
else
{
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
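A successful net use on its own does not tell you which credential the SMB client used. The following script is an added example, not code from the original article: it mounts the share as the signed-in identity, checks with Get-SmbConnection that the session belongs to the domain account rather than the Azure\<storage-account-name> key user, and then inspects the Kerberos ticket cache with klist for a cifs/ service ticket to the storage endpoint, reporting its encryption type (which, per the note at the top of this article, is expected to be RC4-HMAC). The storage account, share name and drive letter are assumed placeholders.

```powershell
# Added example (not from the original article): mount the share as the
# signed-in Azure AD DS identity and confirm the session really used
# Kerberos instead of the storage account key.
# Storage account, share and drive letter are assumed placeholders.

$storageAccount = "stfilesdemo01"                          # assumed
$shareName      = "projects"                               # assumed
$drive          = "Z:"                                     # assumed
$server         = "$storageAccount.file.core.chinacloudapi.cn"

if (-not (Test-NetConnection -ComputerName $server -Port 445).TcpTestSucceeded) {
    throw "Port 445 to $server is not reachable."
}

# No /user: argument, so the SMB client uses the logged-on domain identity.
net use $drive "\\$server\$shareName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "net use failed. Check the share-level role assignment (it can take time to apply) and the NTFS ACLs."
}

# The SMB session should be owned by the domain account, not by Azure\<account>.
$session = Get-SmbConnection |
    Where-Object { $_.ServerName -eq $server -and $_.ShareName -eq $shareName } |
    Select-Object -First 1
if (-not $session) { throw "No SMB connection to \\$server\$shareName found." }
if ($session.UserName -like "Azure\*") {
    throw "Session authenticated with the storage account key, not the signed-in identity."
}
Write-Host ("Connected to {0} as {1} (SMB dialect {2})" -f $session.ShareName, $session.UserName, $session.Dialect)

# klist prints the cached Kerberos tickets for this logon session. A service
# ticket for cifs/<server> proves the mount was authenticated with Kerberos;
# the "KerbTicket Encryption Type" line that follows it shows the cipher.
$tickets = @(klist)
$cifsIndex = -1
for ($i = 0; $i -lt $tickets.Count; $i++) {
    if ($tickets[$i] -like "*cifs/$server*") { $cifsIndex = $i; break }
}
if ($cifsIndex -lt 0) {
    throw "No Kerberos service ticket for cifs/$server in the cache; the mount did not use Kerberos."
}
$encType = $tickets[($cifsIndex + 1)..($cifsIndex + 5)] |
    Where-Object { $_ -like "*KerbTicket Encryption Type*" } |
    Select-Object -First 1
Write-Host "Kerberos ticket for cifs/$server is present."
if ($encType) { Write-Host $encType.Trim() }
```

If the drive letter is already mapped from the earlier account-key mount, remove that mapping with net use first; otherwise Get-SmbConnection will report the old session and the check will fail for the wrong reason.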

You have now successfully enabled Azure AD DS authentication over SMB and assigned a built-in role that grants an Azure AD identity access to an Azure file share. To grant additional users access to your file share, follow the instructions in the Assign access permissions to an identity and Configure NTFS permissions over SMB sections.

Next steps

For more information about Azure Files and how to use Azure AD over SMB, see these resources: