共用方式為


設定使用 Windows Live ID 的宣告式驗證 (SharePoint Server 2010)

 

適用版本: SharePoint Foundation 2010, SharePoint Server 2010

上次修改主題的時間: 2016-11-30

Microsoft SharePoint Server 2010 中的宣告式驗證可以將驗證委派給 Windows Live ID Security Token Service (STS)。這對需要實作使用 Windows Live ID 管理密碼的案例很重要。Windows Live ID 服務會設定為 SharePoint Server 2010 的身分識別提供者,並在 SharePoint Server 2010 與 Windows Live ID 服務之間建立單向、以憑證為基礎的信任關係。當使用者提供 Windows Live ID 認證時,Windows Live ID 服務會傳回以安全性聲明標記語言 (SAML) 1.1 版宣告權杖封裝的 Passport Unique Identity (PUID) 和電子郵件資訊。Windows Live ID 公開金鑰 (Windows Live ID 中繼資料 XML 的一部分) 則會加密此宣告權杖。

如需 Windows Live ID 的詳細資訊,請參考下列資源:

Windows Live ID Cookie 會在用戶端電腦上快取,然後透過成功驗證要求的 POST 回應傳送至 SharePoint Server 2010。SharePoint Server 2010 接著將 Windows Live ID SAML 權杖轉換為 SharePoint Server 2010 SAML 權杖,並根據 SAML 權杖中傳回的使用者主要名稱 (UPN) 宣告產生使用者的 PUID。此值會在整個 SharePoint Server 2010 中使用,以唯一識別使用者及執行存取控制。SharePoint Server 2010 可以使用 SharePoint Server 2010 Web 應用程式中設定的自訂宣告提供者,以其他宣告增強使用者權杖。SharePoint Server 2010 Cookie 也會傳回用戶端電腦並快取以供後續要求使用。當 Windows Live ID 或 SharePoint Server 2010 Cookie 到期時,會將使用者重新導向至 Windows Live ID 伺服器。

本文內容:

  • 設定 Windows Live ID Security Token Service

  • 設定 SharePoint 進行 Windows Live ID 驗證

  • 將 Windows Live ID 內部環境轉換為實際執行環境

  • 建立不同類型的 SharePoint 宣告式 Web 應用程式

  • 將權限授與所有 Windows Live ID 驗證使用者

設定 Windows Live ID Security Token Service

WS-同盟通訊協定是由 Windows Live ID 服務實作,並提供指定為信任的身分識別提供者之 Live ID STS 的基礎結構。您可以從中繼資料 XML X509Certificate 節點擷取 Windows Live ID 公開憑證,並以 .cer 副檔名儲存至網際網路安全憑證。如果中繼資料 XML 包含多個 X509Certificate 節點,您可以使用任何節點。請將讀取權限提供給網際網路安全憑證 (.cer 檔案) 中的 SharePoint Server 2010 伺服器陣列應用程式集區帳戶。

使用下列值設定 Microsoft Services Manager (MSM):

描述

網域名稱

會產生 Live ID STS 之驗證要求的網域名稱。請使用完整網域名稱 (FQDN)。

預設傳回 URL

驗證成功後,Windows Live ID STS 會將使用者重新導向的目標 URL,例如:https://username.global.corp.contoso.com/_trust/default.aspx

DNS 名稱

Windows Live ID STS 的驗證要求中所提供的唯一識別碼。此唯一識別碼會啟用 [預設傳回 URL] 的查閱功能。[DNS 名稱] 必須對應至 Windows Live ID 驗證要求中指定的領域值。

WRealm 參數

WRealm 參數必須符合 MSM 網站設定中的 DNS 欄位。WRealm 參數必須使用下列一種格式建立:sub.domain.topUrn:domain:name

覆寫驗證原則

使用下列值設定 [覆寫驗證原則]:MBI_FED_SSL。

設定 SharePoint 進行 Windows Live ID 驗證

使用本節中的程序設定 SharePoint Server 2010 進行 Windows Live ID 驗證。

使用 Windows PowerShell 設定 SharePoint 進行 Windows Live ID 驗證

  1. 請確認符合下列基本需求:請參閱<Add-SPShellAdmin>。

  2. 在 [開始] 功能表上,按一下 [所有程式]。

  3. 按一下 [Microsoft SharePoint 2010 產品]。

  4. 按一下 [SharePoint 2010 管理命令介面]。

  5. 在 Windows PowerShell 命令提示字元 (即 PS C:\>) 處,定義符合 Microsoft Services Manager 中所指定之 [DNS 名稱] 值的領域值。Windows Live ID 整合中的領域值應該對應至正確的 DNS 名稱,如以下範例所示:

    $realm = "urn:" + $env:ComputerName + ":ServerName"
    
  6. 首先登入 Windows Live ID(https://accountservices.passport.net) 網站,然後尋找 [認證] 頁面上的 Unique ID 欄位,以取得要當成伺服器陣列管理員帳戶之帳戶的 PUID 值。

  7. 使用下列格式指定 PUID 值:PUID@live.com。

  8. 在下列來源中尋找其中一個 <X509Certificate> 節點:中繼資料 XML URL (https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml)。

  9. 複製兩個 X509Certificate 節點之一的內容,如以下範例所示:

    MIICWzCCAcSgAwIBAgIJAJEzHoaEodSoMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
    BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0wODEwMzAyMjA5
    MjNaFw0xMzEwMjkyMjA5MjNaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
    bmcgUHVibGljIEtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArz97XPae
    GNAC4UnKl5zReyhgk3Bzf08U+CgD0R9+GZOahmpakJXFpI213gQWiHrUGaMN9nsK
    4kzSfDPiquAMsV6vBYyWuPLZ0XrMzTAOV/WHSK3bCsYWWQZeH9Xn8G1Hkz+gQSC/
    92lBbq9oBCZfLv3OlkobOmT8d+ldRKGU4pUCAwEAAaOBijCBhzAdBgNVHQ4EFgQU
    VbJyIcGL0AjB4/Wm4DqUZux6uUkwWQYDVR0jBFIwUIAUVbJyIcGL0AjB4/Wm4DqU
    Zux6uUmhLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGlj
    IEtleYIJAJEzHoaEodSoMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOBgQAO
    /5vGfu+Vg1TKBuxsAIMqjqKXX7aRrANNZM/5ACdwAUtMDG/n8INoXgOKr851fbF6
    4yBesmFjg2TbR8y0/ITAD+d+iyEpR7IO3/is9rWAj4ggbw8yqaDWn26eh3bAdoa+
    p38qtqJHkUGF5vApeHiu6zO573bKs+nXcKVM8mNbjA==
    
  10. 將任一 X509Certificate 節點的內容貼至新的 [記事本] 檔案,然後以下列檔案名稱儲存 [記事本] 檔案:LiveID-INT.cer

  11. 設定 Windows Live ID 憑證 (擷取自中繼資料 XML),如以下範例所示:

    $certloc = "C:\LiveIDWithSAML\LiveID-INT.cer"
    
  12. 在 SharePoint Server 2010 中定義新的信任根授權,如以下範例所示:

    $rootcert = Get-PfxCertificate $certloc
    New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootcert | Out-Null
    
  13. 使用 Windows Live ID 憑證建立物件,如以下範例所示:

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
    
  14. 定義要當成使用者唯一識別碼的宣告。將 UPN 宣告對應至保留的宣告名稱識別碼。您也可以對應電子郵件地址宣告,如以下範例所示:

    $map1 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "https://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    
  15. 為新的 Web 應用程式建立新的 SharePoint Server 2010 驗證提供者,如以下範例所示:

    $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    
  16. 建立新的 SharePoint Server 2010 Web 應用程式,以搭配上一個步驟所建立的驗證提供者使用,如以下範例所示:

    $waurl = https://" + $env:ComputerName - You might use FQDN url of your site here.
    $title = "Site Title"
    $waexe = New-SPWebApplication -Name $title -ApplicationPool $title -ApplicationPoolAccount $owner -Url $waurl -AuthenticationProvider
    $scexe = New-SPSite $siteurl -Name $title -Description $title -Template 'STS#1' -OwnerAlias
    
  17. 在命令提示字元中輸入 INETMGR,啟動 IIS 管理員。

  18. 前往 IIS 的 [宣告 Web 應用程式] 網站。

  19. 在左窗格中,以滑鼠右鍵按一下 [宣告 Web 應用程式],然後選取 [編輯繫結]。

  20. 選取 [https],然後按一下 [編輯]。

  21. 在 [SSL 憑證] 下,選取所列的憑證。請考慮使用自我簽署憑證。

  22. 將 Windows Live ID 公開憑證匯入 [本機電腦]、SharePoint Server 2010 及 [受信任的人] 資料夾。

將 Windows Live ID 內部環境轉換為實際執行環境

使用本節中的程序將 Windows Live ID 內部環境轉換為實際執行環境。

將 Windows Live ID 內部環境轉換為實際執行環境

  1. 確定網站已移轉至 MSM 中的實際執行環境,且完成規範。如果 MSM 中的 Windows Live ID 環境為內部環境,則不需要規範審查。

  2. 確定使用下列值設定 Windows Live ID 實際執行環境的驗證原則:MBI_FED_SSL。

  3. 確定 Windows Live ID 實際執行環境使用 HTTPS URL,因為已設定實際執行環境驗證原則進行 SSL 傳輸。實際執行環境網站會透過 SSL 將 POST 要求傳送至 https://login.live.com。在 SPTrustedIdentityTokenIssuer 中,Live 登入 URI 應該使用提供者 URI。確定 Live 登入 URI 為 HTTPS。

  4. 如果 Windows Live ID 宣告提供者設定為使用電子郵件地址,而不是 PUID,實際執行環境網站應該在 Microsoft 原則群組中。請注意,內部合作夥伴會自動核准此原則群組,但是外部合作夥伴需要明確核准。

建立不同類型的 SharePoint 宣告式 Web 應用程式

使用本節中的程序執行 Windows PowerShell 指令碼,以建立不同類型的 SharePoint Server 2010 宣告式 Web 應用程式。

使用 Windows PowerShell 建立不同類型的 SharePoint 宣告式 Web 應用程式

  1. 請確認符合下列基本需求:請參閱<Add-SPShellAdmin>。

  2. 在 [開始] 功能表上,按一下 [所有程式]。

  3. 按一下 [Microsoft SharePoint 2010 產品]。

  4. 按一下 [SharePoint 2010 管理命令介面]。

  5. 從 Windows PowerShell 命令提示字元處,執行 DeployLiveIdWithSAML 指令碼,如以下範例所示:

    #.SYNOPSIS
    #    Script for creating different types of claims web applications from the Windows PowerShell command line.
    #.DESCRIPTION
    #    Script will create ANON, WIN, FBA, MULTI, MIXED, SAML and combinations of these web applications.
    #.NOTES
    #    Script: ClaimsWA.ps1
    #    Remark: The script will load/unload additional snap-ins depending on where it's being executed from.
    #    Update: 1/15/2010 (v2.0)
    #.PARAMETER type
    #   Indicates the type of claims web app to create (see examples for full list of valid supported types)
    #If not specified, this will default to ALL and each of the supported types of claims web apps will be created
    #.PARAMETER port
    #   Indicates the port number to create the web app on (See reserved ports at https://support.microsoft.com/kb/832017)
    #If not specified, this will default to port 201 and will be incremented in sequence for multiple web apps
    #.PARAMETER owner
    #   Indicates the domain account that will be used for App Pool (should be registered as a SharePoint Server managed account)
    #If not specified, this will default to logged on user and will use USERDOMAIN & USERNAME environment values
    #.EXAMPLE
    #   claimswa.ps1 WIN (create WIN-claims web app at port# 201 and use logged on user for app pool account)
    #   Here are some more examples of HOWTO use the script:
    #      claimswa.ps1 ANON (create ANON web app at port# 201)
    #      claimswa.ps1 ANON/FBA 701 (create ANON/FBA web app at port# 701)
    #      claimswa.ps1 FBA (create FBA web app at port# 201 using LDAP provider; default is REDMOND instance)
    #      claimswa.ps1 FBA/IBM (create FBA web app at port# 201 using LDAP provider pointing to the IBM instance)
    #      claimswa.ps1 FBA/SQL 851 (create forms-based authentication web app at port# 851 using SQL provider)
    #      claimswa.ps1 WIN/FBA/MIXED 501 (create Windows/forms-based authentication mixed-mode web apps at port# 501)
    #      claimswa.ps1 WIN/SAML/MULTI 901 (create Windows/SAML multi-auth web apps at port# 901)
    #   Here is the full list of all the support TYPEs (combine options delimited with slash for your config):
    #   Basic auth types:
    #      WIN   : create Windows claims web application on the port# specified on command line
    #      FBA   : create forms-based authentication claims web apps with the specified membership provider (SQL Server/LDAP listed below)
    #      SAML  : create SAML-claims web application on the default HTTPS port# 443
    #      ANON  : indicator switch for creating the web application to allow ANON mode
    #   Complex auth types:
    #      MULTI : create claims web application with multiple auth types using a single URL to access
    #      MIXED : create claims web application with multiple auth types using multiple URLs to access
    #   FBA membership/rolemanager providers
    #      RED   : use the REDMOND domain LDAP provider; this is the default setting if a provider is not specified
    #      SQL   : use the SQL Server provider for connecting to forms-based authentication web apps (connects to the ASPNETDB instance on ZADANG)
    #      PPL   : use the PEOPLEDC domain LDAP provider that is a private domain used for testing PEOPLE features
    #      SUN   : use the SUNOne LDAP provider in the PEOPLEDC domain which is used for profile import/sync testing
    #      IBM   : use the IBM LDAP provider in the PEOPLEDC domain which is used for profile import/sync testing
    #      NVL   : use the Novell LDAP provider in the PEOPLEDC domain which is used for profile import/sync testing
    
    # TODO (no specific ETA for these updates):
    #    1. Set the default IIS cert bindings for SAML web
    #    2. Use IIS CMDlets instead of updating XML object
    #    3. We should be able to define MixedMode base auth
    #    4. Use the domain for logged on user for LDAP string
    #    5. Do not attempt to write to CA/STS if running on WFE
    
    
    # Define the args list that we will accept & work with
    param ([string]$type, [int]$port, [string]$owner)
    
    function main() {
        # Valid options list
        $auths  = @("WIN", "FBA", "SAML", "ANON")
        $extnd  = @("MULTI", "MIXED")
        $provs  = @("SQL", "RED", "PPL", "SUN", "IBM", "NVL")
        $optns  = @("APP", "FIX")
        $typeOK = $true
    
        # Do we have the minimum args data before we can proceed
        # I'm not doing extensive validation but at least minimum
        foreach ($arg in $type.split("/")) {
            if (($auths+$extnd+$optns+$provs) -notcontains $arg) {
                write-host -Fore Red "`nInvalid TYPE argument was specified; execution aborted!`nTo see a list of valid TYPEs, execute with -examples option`n"
                $typeOK=$false; break
            }
        }
    
        if ($typeOK) {
            $type = @($type.toupper().split("/") | Sort | Get-Unique)
            switch ($type.count) {
                1 {
                    foreach ($arg in $type) {
                        if (($auths+$extnd+$optns) -notcontains $arg) {
                            write-host -Fore Red "`nInvalid AUTH argument was specified; execution aborted!`nTo see a list of valid AUTHs, execute with -examples option`n"
                            $typeOK=$false; break
                        }
                    }
                    if (($type -eq "MULTI") -or ($type -eq "MIXED")) {
                        $type += @("WIN", "FBA"); write-host -Fore Yellow "MULTI/MIXED auth combo not specified; defaulting to $type"
                    }
                    if ($type -eq "ANON") {
                        $type += @("WIN"); write-host -Fore Yellow "ANON auth combo not specified; defaulting to $type"
                    }
                }
    
                2 {
                    if ($type -contains "ANON") {
                        foreach ($arg in $type) {
                            if ($auths -notcontains $arg) {
                                write-host -Fore Red "`nInvalid ANON combo was specified; execution aborted!`nTo see a list of valid PROVIDERs, execute with -examples option`n"
                                $typeOK=$false; break
                            }
                        }
                    }
                    else {
                        $multiOK=$true
                        foreach ($arg in $type) {
                            if ($auth -notcontains $arg) {
                                $multiOK=$false; break
                            }
                        }
                        if ($multiOK) {$type += @("MULTI"); write-host -Fore Yellow "Multiple auth types specified; defaulting to $type"}
                    }
                }
            }
    
            if (($type -contains "MULTI") -or ($type -contains "MIXED") -and ($type.count -lt 3)) {
                write-host -Fore Red "`nMULTI/MIXED option requires 2 base auth types be specified!`nTo see a list of valid TYPEs, execute with -examples option`n"
                $typeOK=$false
            }
        }
    
        if ($typeOK) {
            # We seem to have the TYPE argument, let's check the others
    
            if (-not $port) {
                if ($type -contains "SAML") {$port=443} else {$port=201}
                write-host -Fore Yellow "PORT not specified; defaulting to $port"
            }
    
            if (-not $owner) {
                $owner = $env:UserDomain + "\" + $env:UserName.tolower()
                write-host -Fore Yellow "OWNER not specified; defaulting to $owner"
            }
    
            #In case somebody attempts to execute this script in the regular PS/ISE console,
            #let's load the IIS/SP snap-in to ensure we have everything we need to work with
            Manage-SnapIns (1)
    
            # check what flavor of SERVER we're running
            $product = Get-SPProduct | Where-Object {$_.ProductName.contains("SharePoint Server 2010")};
            if ($product.ProductName.contains("Debug")) {$flavor="DEBUG"} else {$flavor="SHIP"}
            write-host -Fore Green "Detected $flavor flavor of MOSS installed on this farm!"
    
            if ($type -contains "APP") {
                Write-WEBConfigs 0 "APP"
            }
            elseif ($type -contains "FIX") {
                Fix-Environment
            }
            else {
                Create-WebApp $type $port
            }
    
            # We're done with the snap-ins, so let's unload them
            Manage-SnapIns (0)
        }
    }
    
    function Fix-Environment {
        # This is just a series of steps to clean up
        # Not recommended to use unless you know why!
        Remove-SPTrustedRootAuthority NewRootAuthority
        Remove-SPTrustedIdentityTokenIssuer ServerName
    
        # I need to add the other clean up stuff here...
    }
    
    # This is the core script block that creates the different web apps
    function Create-WebApp ([string]$type, [int]$port) {
        $waurl = http://" + $env:ComputerName
    
        if ($type.contains("SAML")) { $waurl = $waurl.replace("http", "https") }
        $siteurl = $waurl + ":" + $port
        $title = "ClaimsWA-$port-" + $type.replace(" ","-")
    
        # Let's construct the WA/SC CMDlet call that we'll invoke later
        $waexe = "New-SPWebApplication -Name $title -ApplicationPool $title -ApplicationPoolAccount $owner -Url $waurl -AuthenticationProvider"
        $scexe = "New-SPSite $siteurl -Name $title -Description $title -Template 'STS#1' -OwnerAlias"
    
        write-host -Fore Cyan "`nSetting up $title on port $port now:"
    
        if ($type.contains("WIN")) {
            $apWIN = New-SPAuthenticationProvider -DisableKerberos:$true
            $cpWIN = New-SPClaimsPrincipal -Identity $owner -IdentityType 1
        }
    
        if ($type.contains("FBA")) {
            if ($type.contains("SQL")) {
                $membership="SQLms"; $rolemanager="SQLrm"; $identity = "sqlms:user1"
            }
            elseif ($type.contains("PPL")) {
                $membership="PPLms"; $rolemanager="PPLrm"; $identity = "pplms:fbauser1"
            }
            elseif ($type.contains("SUN")) {
                $membership="SUNms"; $rolemanager="SUNrm"; $identity = "sunms:fbauser1"
            }
            elseif ($type.contains("IBM")) {
                $membership="IBMms"; $rolemanager="IBMrm"; $identity = "ibmms:fbauser1"
            }
            elseif ($type.contains("NVL")) {
                $membership="NVLms"; $rolemanager="NVLrm"; $identity = "nvlms:fbauser1"
            }
            else {
                $membership="REDms"; $rolemanager="REDrm"; $identity = ("redms:$env:UserName").tolower()
            }
    
            $apFBA = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership -ASPNETRoleProviderName $rolemanager;
            $cpFBA = New-SPClaimsPrincipal -Identity $identity -IdentityType 4
        }
    
        if ($type.contains("SAML")) {                
            $realm = "urn:" + $env:ComputerName + ":ServerName"
            $user  = "000300008448E34D@live.com" 
            $certloc = "C:\LiveIDWithSAML\LiveID-INT.cer"
    
            $rootcert = Get-PfxCertificate $certloc
            New-SPTrustedRootAuthority "NewRootAuthority" -Certificate $rootcert | Out-Null
    
           $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
           $map1 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "https://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
           $map2 = New-SPClaimTypeMapping -IncomingClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    
           $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveID" -Description "LiveID" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
           $cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()
        }
    
        if ($type.contains("WIN")) {
            $waexe += " `$apWIN"; $scexe += " `$cpWIN.ToEncodedString()"
        }
        elseif ($type.contains("FBA")) {
            $waexe += " `$apFBA"; $scexe += " `$cpFBA.ToEncodedString()"
        }
        else {
            $waexe += " `$apSAML -SecureSocketsLayer"; $scexe += " `$cpSAML.ToEncodedString()"
        }
    
        if ($type.contains("MULTI")) {
            if ($type.contains("WIN")) {
                if ($type.contains("FBA")) {
                    $waexe += ",`$apFBA"; $scexe += " -SecondaryOwnerAlias `$cpFBA.ToEncodedString()"
                }
                if ($type.contains("SAML")) {
                    $waexe += ",`$apSAML -SecureSocketsLayer"; if (!$scexe.contains("Secondary")) { $scexe += " -SecondaryOwnerAlias `$cpSAML.ToEncodedString()" }
                }
            }
            else {
                $waexe += ",`$apSAML -SecureSocketsLayer"; $scexe += " -SecondaryOwnerAlias `$cpSAML.ToEncodedString()"
            }
        }
    
        # Check if we're creating the ANON web apps
        if ($type.contains("ANON")) { $waexe += " -AllowAnonymousAccess" }
    
        $waexe += " -Port $port | Out-Null"; $scexe += " | Out-Null"
    
        write-host -Fore Cyan "Deploying app..." -noNewLine
        Invoke-Expression $waexe
    
        # We could do this with a simple if/else but there may be other auth types too
        if ($type.contains("WIN"))  { Create-UserPolicy $siteurl $cpWIN.ToEncodedString()  }
        if ($type.contains("FBA"))  { Create-UserPolicy $siteurl $cpFBA.ToEncodedString()  }
        if ($type.contains("SAML")) { Create-UserPolicy $siteurl $cpSAML.ToEncodedString() }
    
        write-host -Fore Cyan "Creating site..." -noNewLine
        Invoke-Expression $scexe
    
        # If this is the ANON web app, then set the root site access to entire web
        if ($type.contains("ANON")) { $web = Get-SPWeb $siteurl; $web.AnonymousState="On"; $web.Update() }
    
        # At this time, let's also check if it's going to be a MixedMode web app
        if ($type.contains("MIXED")) {
            # If it's a Mixed-Mode web app we need to extend the base app to another auth type too
            $port++; write-host -Fore Cyan "Extending port $port..." -noNewLine
            $waurl = $waurl.replace("https", "http")
            $waexe = "Get-SPWebApplication $siteurl | New-SPWebApplicationExtension -Name $title-Ext -Zone `"Intranet`" -URL $waurl -Port $port -AuthenticationProvider"
            if ($type.contains("WIN")) {
                if ($type.contains("FBA")) { $waexe += " `$apFBA" } else { $waexe += " `$apSAML" }
            }
            else {
                $waexe += " `$apSAML"
            }
            Invoke-Expression $waexe
        }
    
        # If we've created a FBA web app, then it's time to update the CA/STS/FBA web.config files
        if ($type.contains("FBA")) { Write-WEBConfigs 0 $port.tostring() }; write-host -Fore Cyan "done!"
    }
    
    function Create-UserPolicy ([string]$weburl, [string]$encodeduser) {
        $webapp = Get-SPWebApplication $weburl
        $policy = $webapp.Policies.Add($encodeduser, "ClaimsWA.ps1 User")
        $role = $webapp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
        $policy.PolicyRoleBindings.Add($role)
        $webapp.Update()
    }
    
    function Write-WEBConfigs ([int]$begin, [string]$vroot) {
        # For now I'm using the XML object to load/save the config files
        # Eventually we should use the IIS:CMDlets from WebAdministration
    
        write-host -Fore Cyan "Writing WEBConfig..." -noNewLine
        #$filei = "\\back\scratch\suntoshs\backup\webconfigs.xml"
        $filei = "\\back\scratch\suntoshs\scripts\oobinstall\webconfigs.xml"
    
        $xmli = [xml](get-content $filei)
        $root = $xmli.get_DocumentElement()
    
        for ($j=$begin; $j -le 2; $j++) {
            if ($j -eq 0) {
                [void][reflection.assembly]::LoadWithPartialName("Microsoft.SharePoint")
                $fileo = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local.IisSettings.get_Item(0).Path.FullName + "\web.config"
            }
            elseif ($j -eq 1) {
                $fileo = $env:CommonProgramFiles + "\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
                if ($flavor -eq "DEBUG") { $fileo = $fileo.replace("Shared", "Shared Debug") }
            }
            else {
                if ($vroot -ne "APP") { $fileo = $env:HomeDrive + "\inetpub\wwwroot\wss\VirtualDirectories\$vroot\web.config" }
            }
    
            $xmlo = [xml](get-content $fileo)
            $perf = $xmlo.CreateElement("clear")
    
            if ($flavor -eq "DEBUG") {
                $ship = $root.config[1].tokens.token[0].value
                $debug = $root.config[1].tokens.token[1].value
                $token = $root.config[0]["system.web"].membership.providers.add[0].type
                $root.config[0]["system.web"].membership.providers.add[0].SetAttribute("type", $token.replace($ship,$debug)) | Out-Null
                $token = $root.config[0]["system.web"].rolemanager.providers.add[0].type
                $root.config[0]["system.web"].rolemanager.providers.add[0].SetAttribute("type", $token.replace($ship,$debug)) | Out-Null
            }
    
            if ($j -eq 0) {
                # Update the CA web config
                if (-not $xmlo.SelectSingleNode("/configuration/connectionStrings")) {
                    $xmlo.configuration["system.web"].membership.ParentNode.RemoveChild($xmlo.configuration["system.web"].membership) | Out-Null
                    $xmlo.configuration["system.web"].roleManager.ParentNode.RemoveChild($xmlo.configuration["system.web"].roleManager) | Out-Null
                    $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["connectionStrings"], $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web").AppendChild($xmlo.ImportNode($root.config[0]["system.web"].membership, $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web/membership/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web").AppendChild($xmlo.ImportNode($root.config[0]["system.web"].rolemanager, $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web/roleManager/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null
                }
            }
            elseif ($j -eq 1) {
                # Update the STS web config
                if (-not $xmlo.SelectSingleNode("/configuration/system.web")) {
                    $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["connectionStrings"], $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["system.web"], $true)) | Out-Null
                }
            }
            else {
                # Update the FBA web config
                if ($vroot -ne "APP") {
                    if ($type.contains("PPL")) {$provider=1} elseif ($type.contains("SUN")) {$provider=2} elseif ($type.contains("IBM")) {$provider=3} elseif ($type.contains("NVL")) {$provider=4} elseif ($type.contains("SQL")) {$provider=5} else {$provider=0}
                    $xmlo.SelectSingleNode("/configuration").AppendChild($xmlo.ImportNode($root.config[0]["connectionStrings"], $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web/membership/providers").PrependChild($xmlo.ImportNode($root.config[0]["system.web"].membership.providers.add[$provider], $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web/membership/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web/roleManager/providers").PrependChild($xmlo.ImportNode($root.config[0]["system.web"].rolemanager.providers.add[$provider], $true)) | Out-Null
                    $xmlo.SelectSingleNode("/configuration/system.web/roleManager/providers").PrependChild($xmlo.ImportNode($perf, $true)) | Out-Null
                }
            }
            $xmlo.Save($fileo)
        }
    }
    
    function Manage-SnapIns ([int]$action) {
        #The OWSTimer process always causes an update conflict (known bug) while
        #creating multiple web apps; let's temporarily shut it down until we're done
    
        if ($action -eq 1) { Stop-Service "SPTimerV4" }
    
        # We need to do this only if we're running on ISE so check it
        if ($host.name.contains("ISE")) {
            if ($action -eq 1) {
                write-host -Fore Yellow "Detecting host and loading dependent snap-ins..."
                # Add-PSSnapIn WebAdministration (later!)
                Add-PSSnapIn Microsoft.Sharepoint.PowerShell
            }
            else {
                write-host -Fore Yellow "Unloading dependent snap-ins loaded earlier on..."
                # Remove-PSSnapIn WebAdministration (later!)
                Remove-PSSnapIn Microsoft.Sharepoint.PowerShell
            }
        }
        if ($action -eq 0) {Start-Service "SPTimerV4"; write-host -Fore Yellow "`nAll done; if there were errors please research PS database for known issues!`n"}
    }
    
    main
    
  6. 在命令提示字元中輸入 INETMGR,啟動 IIS 管理員。

  7. 前往 IIS 的 [宣告 Web 應用程式] 網站。

  8. 在左窗格中,以滑鼠右鍵按一下 [宣告 Web 應用程式],然後選取 [編輯繫結]。

  9. 選取 [https],然後按一下 [編輯]。

  10. 在 [SSL 憑證] 下,選取所列的憑證。請考慮使用自我簽署憑證。

  11. 將 Windows Live ID 公開憑證匯入 [本機電腦]、SharePoint Server 2010 及 [受信任的人] 資料夾。

  12. 執行 IIS 重設並瀏覽網站 URL。

將權限授與所有 Windows Live ID 驗證使用者

使用本節中的程序將權限授與所有 Windows Live ID 驗證使用者。

將權限授與所有 Windows Live ID 驗證使用者

  1. 瀏覽至您建立的 SharePoint Server 2010 網站,然後使用管理員帳戶登入。

  2. 在 [網站動作] 功能表上,按一下 [網站設定]。

  3. 在 [使用者與權限] 區段中,按一下 [網站權限]。

  4. 按一下 [網站名稱訪客] 群組,其中「網站名稱」是網站的名稱。

  5. 按一下 [新增],然後按一下 [新增使用者]。

  6. 在 [授與權限] 視窗中,按一下瀏覽圖示。

  7. 在 [選取人員與群組] 視窗中,按一下 [所有使用者],然後按一下右窗格中的 [所有使用者 (LiveIDSTS)]。

  8. 按一下 [新增]。

  9. 按一下 [確定]。

  10. 確認 [所有使用者 (LiveIDSTS)] 目前屬於訪客群組。您現在應該可以使用其他任何 Live ID 使用者認證登入 SharePoint Server 2010 網站。

關於作者

Birendra Acharya 是 Microsoft MSIT 的資深軟體設計工程師。

See Also

Other Resources

了解 WS-同盟 (https://go.microsoft.com/fwlink/?linkid=192377&clcid=0x404)(可能為英文網頁)