ADFS用于与多个AD森林联合 [英] ADFS for Federating with multiple AD Forests
问题描述
您好,
Hi,
我有一个要求,我们有一个管理AD林,其中包含所有管理员帐户,并且我们有多个客户AD林,需要使用管理林上的管理员帐户进行管理。客户
AD Forest中的管理任务包括创建用户,组,分配,修改客户AD等。我知道我们可以通过在Customer AD Forest和Administrative Ad Forest之间建立外部林信任来轻松实现这一目标,但我们有安全限制
来建立信托。
I have a requirement where we have one administrative AD Forest where all the Admin Accounts reside and we have multiple customer AD Forests which need to be managed using the Admin Accounts on the Administrative Forest. The administrative tasks in the customer AD Forest would include Creation of users, groups, assigning, modifying customer AD etc. I know we can easily achieve this by establishing an external forest trust between Customer AD Forest and Administrative Ad Forest, however we have security restrictions to establish a trust.
想知道我们是否可以在这种情况下使用ADFS来实现安全的单点登录进入所有客户AD森林并执行AD管理任务?如果是,MMC,RDP,AD管理工具SAML知道吗?如果不是,我们如何处理这种情况。
Would like to know if we can use ADFS in this scenario to achieve secure, single sign on into all the customer AD Forests and perform AD Administrative tasks? If yes are MMC, RDP, AD Management Tools SAML aware? If not how can we address this situation.
谢谢
推荐答案
如果在每个林中安装ADFS,则可以在每个ADFS服务器之间创建ADFS级别的信任。这允许与ADFS联合的应用程序存在各种类型的信任关系。这在堆栈中远高于常规的AD
林信托。
If you install ADFS in each forest then you can create an ADFS-level trust between each ADFS server. This allows various types of trust relationships to exist for applications that federate with ADFS. This is much higher up in the stack than a regular AD forest trust.
您提到的工具,MMC / RDP / AD工具/等,将不适用于ADFS。他们不会谈SAML。 ADFS实际上是为Web应用程序设计的。
The tools you mention, MMC/RDP/AD tools/etc, will NOT work with ADFS. They don't talk SAML. ADFS is really designed for web apps.
如果您有AD林,并且您只能在一个没有信任的林中拥有管理员,并且应用程序不会使用SAML,那么简短的回答是你是SOL。
If you have AD forests, and you can only have admins in one forest without a trust, and the apps don't talk SAML, the short answer is that you are SOL.
您要么必须在管理员和客户林之间建立信任,要么在每个具有管理员权限的林中创建用户。
You would either have to create trusts between your admin and customer forests, or create users in each forest with admin privileges.
这篇关于ADFS用于与多个AD森林联合的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
