ADFS配置文档-sharepoint探究.docxVIP

ADFS配置文档硬件要求：1台AD机器1台ADFS机器1台WebServer机器基本条件1 所有机器加入域2需要证书：AD建立证书，导出证书3 所有Web服务器都需要在IIs导入（pfx证书）安装步骤安装证书进入AD服务器添加角色与功能选择AD证书服务配置证书2.2 生成证书 3.1 进入AD 服务器，然后进入IIS，选择服务器证书（下图Ad和SharePoint安装一起）3.2 执行命令certreq -submit -attrib CertificateTemplate:WebServer C:\reg.txt自动弹出点击完成证书申请导出证书导出ADFS认证服务器安装安装ADFS组件2.1 导入证书配置ADFS填写当前域中机器名填写域用户名与密码验证ADFShttps://机器名全称()/federationmetadata/2007-06/federationmetadata.xmlSharePointADFS操作步骤首先在SharePoint服务器 IIS导入证书（ad证书服务器IIs导出的*.pfx）配置SharePoint域名首先进入dns服务器申请域名IIS绑定域名（https）进去SharePoint管理中心配置备用访问映射SharePointADFS配置进入ADFS服务器，打开ADFS功能程序，展开点击信赖方信任-添加信赖方信任如下图：点击启动进入欢迎界面，选择“手动输入…”点击下一步指定信赖方名称和注释如下图选择“ADFS配置文件”信赖方地址是配置的SharePointhttps网址（需要在dns服务器申请域名绑定在IIS和sharepoint备用访问映射做映射）ADFS导出2个证书需要导出“服务通信”和“令牌签名”2个证书导出完成之后开始在SharePoint服务器站点开始配置，需要提前把这2个证书复制到SharePoint服务器导入证书在SharePoint 控制台执行编辑如下脚本：$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(c:\ServiceCom.cer)New-SPTrustedRootAuthority -Name Service comm -Certificate $root$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(c:\ADFSSigning.cer)New-SPTrustedRootAuthority -Name Token Signing Cert -Certificate $cert$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType /ws/2005/05/identity/claims/emailaddress -IncomingClaimTypeDisplayName 电子邮件地址 -SameAsIncoming$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType /ws/2005/05/identity/claims/upn -IncomingClaimTypeDisplayName UPN -SameAsIncoming$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType /ws/2008/06/identity/claims/role -IncomingClaimTypeDisplayName 角色 -SameAsIncoming$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType /ws/2008/06/identity/claims/primarysid -IncomingClaimTypeDisplayName SID -SameAsIncoming$realm = urn:seo:sharepoint$signInURL = /adfs/ls$ap = New-SPTrustedIdentityTokenIssuer -Name ABCDProvider -Description ABC -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl $signInURL -IdentifierCla