使用 Windows Live ID 配置基于声明的身份验证 (SharePoint Server 2010)
适用于: SharePoint Foundation 2010, SharePoint Server 2010
上一次修改主题: 2016-11-30
Microsoft SharePoint Server 2010 中的基于声明的身份验证可将身份验证委派给 Windows Live ID 安全令牌服务 (STS)。如果要实现使用 Windows Live ID 进行密码管理的方案,这一点非常重要。Windows Live ID 服务配置为 SharePoint Server 2010 的身份提供程序。SharePoint Server 2010 和 Windows Live ID 服务之间建立了单向的基于证书的信任关系。当用户提供 Windows Live ID 凭据时,Windows Live ID 服务会返回在安全声明标记语言 (SAML) 版本 1.1 声明令牌中封装的 Passport 唯一标识 (PUID) 和电子邮件信息。作为 Windows Live ID 元数据 XML 的一部分的 Windows Live ID 公钥可加密此声明令牌。
有关 Windows Live ID 的详细信息,请参阅以下资源:
Windows Live ID 简介(该链接可能指向英文页面) (https://go.microsoft.com/fwlink/?linkid=201477&clcid=0x804)(该链接可能指向英文页面)
Microsoft 联合网关(该链接可能指向英文页面) (https://go.microsoft.com/fwlink/?linkid=150843&clcid=0x804)(该链接可能指向英文页面)
Windows Live 开发中心(该链接可能指向英文页面) (https://go.microsoft.com/fwlink/?linkid=191075&clcid=0x804)(该链接可能指向英文页面)
Windows Live ID Cookie 缓存在客户端计算机上,并通过对成功身份验证请求发送 POST 响应来发送至 SharePoint Server 2010。SharePoint Server 2010 可将 Windows Live ID SAML 令牌转换为 SharePoint Server 2010 SAML 令牌。用户的 PUID 是基于在 SAML 令牌中返回的用户主体名称 (UPN) 声明生成的。此值在 SharePoint Server 2010 中用于唯一标识用户并执行访问控制。SharePoint Server 2010 可使用其他声明扩充用户令牌,方法是使用在 SharePoint Server 2010 Web 应用程序中配置的自定义声明提供程序。SharePoint Server 2010 Cookie 还返回到客户端计算机,并针对后续请求缓存。当 Windows Live ID 或 SharePoint Server 2010 Cookie 到期时,用户会重定向到 Windows Live ID 服务器。
本文内容:
配置 Windows Live ID 安全令牌服务
对 Windows Live ID 身份验证配置 SharePoint
将 Windows Live ID 内部环境转换为生产环境
创建不同类型的 SharePoint 基于声明的 Web 应用程序
向所有 Windows Live ID 已验证用户授予权限
配置 Windows Live ID 安全令牌服务
WS 联合身份验证协议由 Windows Live ID 服务实现,提供指定为受信任身份提供程序的 Live ID STS 的基础结构。可从元数据 XML X509Certificate
节点提取 Windows Live ID 公用证书并将其保存到 Internet 安全证书(文件扩展名为 .cer)。如果元数据 XML 包含多个 X509Certificate
节点,则可使用任意一个。请提供对 Internet 安全证书(.cer 文件)中的 SharePoint Server 2010 服务器场应用程序池帐户的读取权限。
使用以下值配置 Microsoft 服务管理器 (MSM):
值 | 说明 |
---|---|
域名 |
将为其生成对 Live ID STS 的身份验证请求的域名。请使用完全限定的域名 (FQDN)。 |
默认返回 URL |
Windows Live ID STS 将在成功验证后将用户重定向到的 URL,例如:https://username.global.corp.contoso.com/_trust/default.aspx。 |
DNS 名称 |
在对 Windows Live ID STS 的身份验证请求中提供的唯一标识符。此唯一标识符支持默认返回 URL 的查询功能。DNS 名称必须与在 Windows Live ID 身份验证请求中指定的领域值相对应。 |
WRealm 参数 |
WRealm 参数必须与 MSM 网站配置中的 DNS 字段相匹配。必须使用以下任一格式创建 WRealm 参数:子域.域.顶级域或 Urn:域:名称。 |
替代身份验证策略 |
使用以下值来配置替代身份验证策略:MBI_FED_SSL。 |
对 Windows Live ID 身份验证配置 SharePoint
使用本节中的过程可对 Windows Live ID 身份验证配置 SharePoint Server 2010。
使用 Windows PowerShell 对 Windows Live ID 身份验证配置 SharePoint
确认您满足以下最低要求:请参阅 Add-SPShellAdmin。
在“开始”菜单上,单击“所有程序”。
单击“Microsoft SharePoint 2010 产品”。
单击“SharePoint 2010 Management Shell”。
从 Windows PowerShell 命令提示符处(即 PS C:\>),定义领域值以匹配 Microsoft 服务管理器中指定的 DNS 名称值。Windows Live ID 集成中的领域值应与正确的 DNS 名称相对应,如下例所示:
$realm = "urn:" + $env:ComputerName + ":ServerName"
获取将用作服务器场管理员帐户的帐户的 PUID 值,方法是:先登录到以下网站:Windows Live ID (https://accountservices.passport-int.net/?ru=https://accountservices.passport-int.net/Credentials.srf%3Fvv%3D750%26mkt%3DZH-CN%26lc%3D2052\&vv=750\&mkt=ZH-CN\&lc=2052\&id=10),然后在“凭据”页上找到
Unique ID
字段。使用以下格式指定 PUID 值:PUID@live.com。
找到以下源中的
<X509Certificate>
节点之一:元数据 XML URL (https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml)。复制两个
X509Certificate
节点之一的内容,如下例所示:MIICWzCCAcSgAwIBAgIJAJEzHoaEodSoMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0wODEwMzAyMjA5 MjNaFw0xMzEwMjkyMjA5MjNaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p bmcgUHVibGljIEtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArz97XPae GNAC4UnKl5zReyhgk3Bzf08U+CgD0R9+GZOahmpakJXFpI213gQWiHrUGaMN9nsK 4kzSfDPiquAMsV6vBYyWuPLZ0XrMzTAOV/WHSK3bCsYWWQZeH9Xn8G1Hkz+gQSC/ 92lBbq9oBCZfLv3OlkobOmT8d+ldRKGU4pUCAwEAAaOBijCBhzAdBgNVHQ4EFgQU VbJyIcGL0AjB4/Wm4DqUZux6uUkwWQYDVR0jBFIwUIAUVbJyIcGL0AjB4/Wm4DqU Zux6uUmhLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGlj IEtleYIJAJEzHoaEodSoMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOBgQAO /5vGfu+Vg1TKBuxsAIMqjqKXX7aRrANNZM/5ACdwAUtMDG/n8INoXgOKr851fbF6 4yBesmFjg2TbR8y0/ITAD+d+iyEpR7IO3/is9rWAj4ggbw8yqaDWn26eh3bAdoa+ p38qtqJHkUGF5vApeHiu6zO573bKs+nXcKVM8mNbjA==
将任一
X509Certificate
节点的内容复制到新记事本文件,并使用以下文件名保存该记事本文件:LiveID-INT.cer。配置 Windows Live ID 证书(从元数据 XML 提取),如下例所示:
$certloc = "C:\LiveIDWithSAML\LiveID-INT.cer"
在 SharePoint Server 2010 中定义新的受信任根证书颁发机构,如下例所示:
$rootcert = Get-PfxCertificate $certloc New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootcert | Out-Null
使用 Windows Live ID 证书创建一个对象,如下例所示:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
定义将用作用户的唯一标识符的声明。将 UPN 声明映射到保留的声明名称标识符。也可映射电子邮件地址声明,如下例所示:
$map1 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "https://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming $map2 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
为新的 Web 应用程序创建新的 SharePoint Server 2010 身份验证提供程序,如下例所示:
$apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
创建新的 SharePoint Server 2010 Web 应用程序以使用上一步中创建的身份验证提供程序,如下例所示:
$waurl = https://" + $env:ComputerName - You might use FQDN url of your site here. $title = "Site Title" $waexe = New-SPWebApplication -Name $title -ApplicationPool $title -ApplicationPoolAccount $owner -Url $waurl -AuthenticationProvider $scexe = New-SPSite $siteurl -Name $title -Description $title -Template 'STS#1' -OwnerAlias
在命令提示符处键入 INETMGR 以启动 IIS 管理器。
转到 IIS 中的“声明 Web 应用程序”网站。
在左窗格中,右键单击“声明 Web 应用程序”,并选择“编辑绑定”。
选择“https”,并单击“编辑”。
在“SSL 证书”下,选择任意列出的证书。请考虑使用自签名证书。
将 Windows Live ID 公用证书导入“本地计算机”、SharePoint Server 2010 和“受信任人”文件夹。
将 Windows Live ID 内部环境转换为生产环境
使用本节中的过程将 Windows Live ID 内部环境转换为生产环境。
将 Windows Live ID 内部环境转换为生产环境
确保将网站迁移到 MSM 中的生产环境,并且完成合规性检查。如果 MSM 中的 Windows Live ID 环境是内部的,则不需要合规性检查。
确保使用以下值配置 Windows Live ID 生产环境的身份验证策略:MBI_FED_SSL。
确保 Windows Live ID 生产环境使用基于 HTTPS 的 URL,因为生产环境身份验证策略是针对 SSL 传输配置的。生产环境网站通过 SSL 将 POST 请求发送到 https://login.live.com。在 SPTrustedIdentityTokenIssuer 中,有一个应为 Live 登录 URI 的提供程序 URI。确保 Live 登录 URI 基于 HTTPS。
如果 Windows Live ID 声明提供程序配置为使用电子邮件地址,而不是 PUID,则生产环境网站应位于 Microsoft 策略组中。注意,此策略组自动审批内部合作伙伴,而外部合作伙伴需要显式审批。
创建不同类型的 SharePoint 基于声明的 Web 应用程序
使用本节中的过程运行 Windows PowerShell 脚本,以创建不同类型的 SharePoint Server 2010 基于声明的 Web 应用程序。
使用 Windows PowerShell 创建不同类型的 SharePoint 基于声明的 Web 应用程序
确认您满足以下最低要求:请参阅 Add-SPShellAdmin。
在“开始”菜单上,单击“所有程序”。
单击“Microsoft SharePoint 2010 产品”。
单击“SharePoint 2010 Management Shell”。
在 Windows PowerShell 命令提示符处,运行 DeployLiveIdWithSAML 脚本,如下例所示:
#.SYNOPSIS # Script for creating different types of claims web applications from the Windows PowerShell command line. #.DESCRIPTION # Script will create ANON, WIN, FBA, MULTI, MIXED, SAML and combinations of these web applications. #.NOTES # Script: ClaimsWA.ps1 # Remark: The script will load/unload additional snap-ins depending on where it's being executed from. # Update: 1/15/2010 (v2.0) #.PARAMETER type # Indicates the type of claims web app to create (see examples for full list of valid supported types) #If not specified, this will default to ALL and each of the supported types of claims web apps will be created #.PARAMETER port # Indicates the port number to create the web app on (See reserved ports at https://support.microsoft.com/kb/832017) #If not specified, this will default to port 201 and will be incremented in sequence for multiple web apps #.PARAMETER owner # Indicates the domain account that will be used for App Pool (should be registered as a SharePoint Server managed account) #If not specified, this will default to logged on user and will use USERDOMAIN & USERNAME environment values #.EXAMPLE # claimswa.ps1 WIN (create WIN-claims web app at port# 201 and use logged on user for app pool account) # Here are some more examples of HOWTO use the script: # claimswa.ps1 ANON (create ANON web app at port# 201) # claimswa.ps1 ANON/FBA 701 (create ANON/FBA web app at port# 701) # claimswa.ps1 FBA (create FBA web app at port# 201 using LDAP provider; default is REDMOND instance) # claimswa.ps1 FBA/IBM (create FBA web app at port# 201 using LDAP provider pointing to the IBM instance) # claimswa.ps1 FBA/SQL 851 (create forms-based authentication web app at port# 851 using SQL provider) # claimswa.ps1 WIN/FBA/MIXED 501 (create Windows/forms-based authentication mixed-mode web apps at port# 501) # claimswa.ps1 WIN/SAML/MULTI 901 (create Windows/SAML multi-auth web apps at port# 901) # Here is the full list of all the support TYPEs (combine options delimited with slash for your config): # Basic auth types: # WIN : create Windows claims web application on the port# specified on command line # FBA : create forms-based authentication claims web apps with the specified membership provider (SQL Server/LDAP listed below) # SAML : create SAML-claims web application on the default HTTPS port# 443 # ANON : indicator switch for creating the web application to allow ANON mode # Complex auth types: # MULTI : create claims web application with multiple auth types using a single URL to access # MIXED : create claims web application with multiple auth types using multiple URLs to access # FBA membership/rolemanager providers # RED : use the REDMOND domain LDAP provider; this is the default setting if a provider is not specified # SQL : use the SQL Server provider for connecting to forms-based authentication web apps (connects to the ASPNETDB instance on ZADANG) # PPL : use the PEOPLEDC domain LDAP provider that is a private domain used for testing PEOPLE features # SUN : use the SUNOne LDAP provider in the PEOPLEDC domain which is used for profile import/sync testing # IBM : use the IBM LDAP provider in the PEOPLEDC domain which is used for profile import/sync testing # NVL : use the Novell LDAP provider in the PEOPLEDC domain which is used for profile import/sync testing # TODO (no specific ETA for these updates): # 1. Set the default IIS cert bindings for SAML web # 2. Use IIS CMDlets instead of updating XML object # 3. We should be able to define MixedMode base auth # 4. Use the domain for logged on user for LDAP string # 5. Do not attempt to write to CA/STS if running on WFE # Define the args list that we will accept & work with param ([string]$type, [int]$port, [string]$owner) function main() { # Valid options list $auths = @("WIN", "FBA", "SAML", "ANON") $extnd = @("MULTI", "MIXED") $provs = @("SQL", "RED", "PPL", "SUN", "IBM", "NVL") $optns = @("APP", "FIX") $typeOK = $true # Do we have the minimum args data before we can proceed # I'm not doing extensive validation but at least minimum foreach ($arg in $type.split("/")) { if (($auths+$extnd+$optns+$provs) -notcontains $arg) { write-host -Fore Red "`nInvalid TYPE argument was specified; execution aborted!`nTo see a list of valid TYPEs, execute with -examples option`n" $typeOK=$false; break } } if ($typeOK) { $type = @($type.toupper().split("/") | Sort | Get-Unique) switch ($type.count) { 1 { foreach ($arg in $type) { if (($auths+$extnd+$optns) -notcontains $arg) { write-host -Fore Red "`nInvalid AUTH argument was specified; execution aborted!`nTo see a list of valid AUTHs, execute with -examples option`n" $typeOK=$false; break } } if (($type -eq "MULTI") -or ($type -eq "MIXED")) { $type += @("WIN", "FBA"); write-host -Fore Yellow "MULTI/MIXED auth combo not specified; defaulting to $type" } if ($type -eq "ANON") { $type += @("WIN"); write-host -Fore Yellow "ANON auth combo not specified; defaulting to $type" } } 2 { if ($type -contains "ANON") { foreach ($arg in $type) { if ($auths -notcontains $arg) { write-host -Fore Red "`nInvalid ANON combo was specified; execution aborted!`nTo see a list of valid PROVIDERs, execute with -examples option`n" $typeOK=$false; break } } } else { $multiOK=$true foreach ($arg in $type) { if ($auth -notcontains $arg) { $multiOK=$false; break } } if ($multiOK) {$type += @("MULTI"); write-host -Fore Yellow "Multiple auth types specified; defaulting to $type"} } } } if (($type -contains "MULTI") -or ($type -contains "MIXED") -and ($type.count -lt 3)) { write-host -Fore Red "`nMULTI/MIXED option requires 2 base auth types be specified!`nTo see a list of valid TYPEs, execute with -examples option`n" $typeOK=$false } } if ($typeOK) { # We seem to have the TYPE argument, let's check the others if (-not $port) { if ($type -contains "SAML") {$port=443} else {$port=201} write-host -Fore Yellow "PORT not specified; defaulting to $port" } if (-not $owner) { $owner = $env:UserDomain + "\" + $env:UserName.tolower() write-host -Fore Yellow "OWNER not specified; defaulting to $owner" } #In case somebody attempts to execute this script in the regular PS/ISE console, #let's load the IIS/SP snap-in to ensure we have everything we need to work with Manage-SnapIns (1) # check what flavor of SERVER we're running $product = Get-SPProduct | Where-Object {$_.ProductName.contains("SharePoint Server 2010")}; if ($product.ProductName.contains("Debug")) {$flavor="DEBUG"} else {$flavor="SHIP"} write-host -Fore Green "Detected $flavor flavor of MOSS installed on this farm!" if ($type -contains "APP") { Write-WEBConfigs 0 "APP" } elseif ($type -contains "FIX") { Fix-Environment } else { Create-WebApp $type $port } # We're done with the snap-ins, so let's unload them Manage-SnapIns (0) } } function Fix-Environment { # This is just a series of steps to clean up # Not recommended to use unless you know why! Remove-SPTrustedRootAuthority NewRootAuthority Remove-SPTrustedIdentityTokenIssuer ServerName # I need to add the other clean up stuff here... } # This is the core script block that creates the different web apps function Create-WebApp ([string]$type, [int]$port) { $waurl = http://" + $env:ComputerName if ($type.contains("SAML")) { $waurl = $waurl.replace("http", "https") } $siteurl = $waurl + ":" + $port $title = "ClaimsWA-$port-" + $type.replace(" ","-") # Let's construct the WA/SC CMDlet call that we'll invoke later $waexe = "New-SPWebApplication -Name $title -ApplicationPool $title -ApplicationPoolAccount $owner -Url $waurl -AuthenticationProvider" $scexe = "New-SPSite $siteurl -Name $title -Description $title -Template 'STS#1' -OwnerAlias" write-host -Fore Cyan "`nSetting up $title on port $port now:" if ($type.contains("WIN")) { $apWIN = New-SPAuthenticationProvider -DisableKerberos:$true $cpWIN = New-SPClaimsPrincipal -Identity $owner -IdentityType 1 } if ($type.contains("FBA")) { if ($type.contains("SQL")) { $membership="SQLms"; $rolemanager="SQLrm"; $identity = "sqlms:user1" } elseif ($type.contains("PPL")) { $membership="PPLms"; $rolemanager="PPLrm"; $identity = "pplms:fbauser1" } elseif ($type.contains("SUN")) { $membership="SUNms"; $rolemanager="SUNrm"; $identity = "sunms:fbauser1" } elseif ($type.contains("IBM")) { $membership="IBMms"; $rolemanager="IBMrm"; $identity = "ibmms:fbauser1" } elseif ($type.contains("NVL")) { $membership="NVLms"; $rolemanager="NVLrm"; $identity = "nvlms:fbauser1" } else { $membership="REDms"; $rolemanager="REDrm"; $identity = ("redms:$env:UserName").tolower() } $apFBA = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership -ASPNETRoleProviderName $rolemanager; $cpFBA = New-SPClaimsPrincipal -Identity $identity -IdentityType 4 } if ($type.contains("SAML")) { $realm = "urn:" + $env:ComputerName + ":ServerName" $user = "000300008448E34D@live.com" $certloc = "C:\LiveIDWithSAML\LiveID-INT.cer" $rootcert = Get-PfxCertificate $certloc New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootcert | Out-Null $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc) $map1 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "https://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming $map2 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" $cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower() } if ($type.contains("WIN")) { $waexe += " `$apWIN"; $scexe += " `$cpWIN.ToEncodedString()" } elseif ($type.contains("FBA")) { $waexe += " `$apFBA"; $scexe += " `$cpFBA.ToEncodedString()" } else { $waexe += " `$apSAML -SecureSocketsLayer"; $scexe += " `$cpSAML.ToEncodedString()" } if ($type.contains("MULTI")) { if ($type.contains("WIN")) { if ($type.contains("FBA")) { $waexe += ",`$apFBA"; $scexe += " -SecondaryOwnerAlias `$cpFBA.ToEncodedString()" } if ($type.contains("SAML")) { $waexe += ",`$apSAML -SecureSocketsLayer"; if (!$scexe.contains("Secondary")) { $scexe += " -SecondaryOwnerAlias `$cpSAML.ToEncodedString()" } } } else { $waexe += ",`$apSAML -SecureSocketsLayer"; $scexe += " -SecondaryOwnerAlias `$cpSAML.ToEncodedString()" } } # Check if we're creating the ANON web apps if ($type.contains("ANON")) { $waexe += " -AllowAnonymousAccess" } $waexe += " -Port $port | Out-Null"; $scexe += " | Out-Null" write-host -Fore Cyan "Deploying app..." -noNewLine Invoke-Expression $waexe # We could do this with a simple if/else but there may be other auth types too if ($type.contains("WIN")) { Create-UserPolicy $siteurl $cpWIN.ToEncodedString() } if ($type.contains("FBA")) { Create-UserPolicy $siteurl $cpFBA.ToEncodedString() } if ($type.contains("SAML")) { Create-UserPolicy $siteurl $cpSAML.ToEncodedString() } write-host -Fore Cyan "Creating site..." -noNewLine Invoke-Expression $scexe # If this is the ANON web app, then set the root site access to entire web if ($type.contains("ANON")) { $web = Get-SPWeb $siteurl; $web.AnonymousState="On"; $web.Update() } # At this time, let's also check if it's going to be a MixedMode web app if ($type.contains("MIXED")) { # If it's a Mixed-Mode web app we need to extend the base app to another auth type too $port++; write-host -Fore Cyan "Extending port $port..." -noNewLine $waurl = $waurl.replace("https", "http") $waexe = "Get-SPWebApplication $siteurl | New-SPWebApplicationExtension -Name $title-Ext -Zone `"Intranet`" -URL $waurl -Port $port -AuthenticationProvider" if ($type.contains("WIN")) { if ($type.contains("FBA")) { $waexe += " `$apFBA" } else { $waexe += " `$apSAML" } } else { $waexe += " `$apSAML" } Invoke-Expression $waexe } # If we've created a FBA web app, then it's time to update the CA/STS/FBA web.config files if ($type.contains("FBA")) { Write-WEBConfigs 0 $port.tostring() }; write-host -Fore Cyan "done!" } function Create-UserPolicy ([string]$weburl, [string]$encodeduser) { $webapp = Get-SPWebApplication $weburl $policy = $webapp.Policies.Add($encodeduser, "ClaimsWA.ps1 User") $role = $webapp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl) $policy.PolicyRoleBindings.Add($role) $webapp.Update() } function Write-WEBConfigs ([int]$begin, [string]$vroot) { # For now I'm using the XML object to load/save the config files # Eventually we should use the IIS:CMDlets from WebAdministration write-host -Fore Cyan "Writing WEBConfig..." -noNewLine #$filei = "\\back\scratch\suntoshs\backup\webconfigs.xml" $filei = "\\back\scratch\suntoshs\scripts\oobinstall\webconfigs.xml" $xmli = [xml](get-content $filei) $root = $xmli.get_DocumentElement() for ($j=$begin; $j -le 2; $j++) { if ($j -eq 0) { [void][reflection.assembly]::LoadWithPartialName("Microsoft.SharePoint") $fileo = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local.IisSettings.get_Item(0).Path.FullName + "\web.config" } elseif ($j -eq 1) { $fileo = $env:CommonProgramFiles + "\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config" if ($flavor -eq "DEBUG") { $fileo = $fileo.replace("Shared", "Shared Debug") } } else { if ($vroot -ne "APP") { $fileo = $env:HomeDrive + "\inetpub\wwwroot\wss\VirtualDirectories\$vroot\web.config" } } $xmlo = [xml](get-content $fileo) $perf = $xmlo.CreateElement("clear") if ($flavor -eq "DEBUG") { $ship = $root.config[1].tokens.token[0].value $debug = $root.config[1].tokens.token[1].value $token = $root.config[0]["system.web"].membership.providers.add[0].type $root.config[0]["system.web"].membership.providers.add[0].SetAttribute("type", $token.replace($ship,$debug)) | Out-Null $token = $root.config[0]["system.web"].rolemanager.providers.add[0].type $root.config[0]["system.web"].rolemanager.providers.add[0].SetAttribute("type", $token.replace($ship,$debug)) | Out-Null } if ($j -eq 0) { # Update the CA web config if (-not $xmlo.SelectSingleNode("/configuration/connectionStrings")) { $xmlo.configuration["system.web"].membership.ParentNode.RemoveChild($xmlo.configuration["system.web"].membership) | Out-Null $xmlo.configuration["system.web"].roleManager.ParentNode.RemoveChild($xmlo.configuration["system.web"].roleManager) | Out-Null $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["connectionStrings"], $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web").AppendChild($xmlo.ImportNode($root.config[0]["system.web"].membership, $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web/membership/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web").AppendChild($xmlo.ImportNode($root.config[0]["system.web"].rolemanager, $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web/roleManager/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null } } elseif ($j -eq 1) { # Update the STS web config if (-not $xmlo.SelectSingleNode("/configuration/system.web")) { $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["connectionStrings"], $true)) | Out-Null $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["system.web"], $true)) | Out-Null } } else { # Update the FBA web config if ($vroot -ne "APP") { if ($type.contains("PPL")) {$provider=1} elseif ($type.contains("SUN")) {$provider=2} elseif ($type.contains("IBM")) {$provider=3} elseif ($type.contains("NVL")) {$provider=4} elseif ($type.contains("SQL")) {$provider=5} else {$provider=0} $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["connectionStrings"], $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web/membership/providers").PrependChild($xmlo.ImportNode($root.config[0]["system.web"].membership.providers.add[$provider], $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web/membership/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web/roleManager/providers").PrependChild($xmlo.ImportNode($root.config[0]["system.web"].rolemanager.providers.add[$provider], $true)) | Out-Null $xmlo.SelectSingleNode("/configuration/system.web/roleManager/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null } } $xmlo.Save($fileo) } } function Manage-SnapIns ([int]$action) { #The OWSTimer process always causes an update conflict (known bug) while #creating multiple web apps; let's temporarily shut it down until we're done if ($action -eq 1) { Stop-Service "SPTimerV4" } # We need to do this only if we're running on ISE so check it if ($host.name.contains("ISE")) { if ($action -eq 1) { write-host -Fore Yellow "Detecting host and loading dependent snap-ins..." # Add-PSSnapIn WebAdministration (later!) Add-PSSnapIn Microsoft.Sharepoint.PowerShell } else { write-host -Fore Yellow "Unloading dependent snap-ins loaded earlier on..." # Remove-PSSnapIn WebAdministration (later!) Remove-PSSnapIn Microsoft.Sharepoint.PowerShell } } if ($action -eq 0) {Start-Service "SPTimerV4"; write-host -Fore Yellow "`nAll done; if there were errors please research PS database for known issues!`n"} } main
在命令提示符处键入 INETMGR 以启动 IIS 管理器。
转到 IIS 中的“声明 Web 应用程序”网站。
在左窗格中,右键单击“声明 Web 应用程序”,并选择“编辑绑定”。
选择“https”,并单击“编辑”。
在“SSL 证书”下,选择任意列出的证书。请考虑使用自签名证书。
将 Windows Live ID 公用证书导入“本地计算机”、SharePoint Server 2010 和“受信任人”文件夹。
执行 IIS 重置并浏览网站 URL。
向所有 Windows Live ID 已验证用户授予权限
使用本节中的过程向所有 Windows Live ID 已验证用户授予权限。
向所有 Windows Live ID 已验证用户授予权限
浏览至创建的 SharePoint Server 2010 网站,并使用管理员帐户登录。
在“网站操作”菜单上,单击“网站设置”。
在“用户和权限”部分,单击“网站权限”。
单击“Site Name Visitors”组,其中 Site Name 是网站的名称。
单击“新建”,然后单击“添加用户”。
在“授予权限”窗口中,单击浏览图标。
在“选择人员和组”窗口中,单击“所有用户”,然后单击右侧窗格中的“所有用户(LiveIDSTS)”。
单击“添加”。
单击“确定”。
验证“所有用户(LiveIDSTS)”现在是否为访问者组的成员。现在应能够使用任何其他 Live ID 用户的凭据登录 SharePoint Server 2010 网站。
关于作者
Birendra Acharya 是 Microsoft 的 MSIT 的高级软件设计工程师。
See Also
Other Resources
了解 WS 联合身份验证 (https://go.microsoft.com/fwlink/?linkid=192377&clcid=0x804)(该链接可能指向英文页面)