Configure client certificate authentication for SharePoint Server

 

**Applies to:** SharePoint Foundation 2013, SharePoint Server 2013 Enterprise, SharePoint Server 2013 Standard, SharePoint Server 2016

**Topic last modified:** 2017-12-19

Summary: Learn how to configure SharePoint 2013 and SharePoint Server 2016 to support user authentication using a client certificate.

Client certificate authentication enables web-based clients to establish their identity to a server by using a digital certificate, which provides additional security for user authentication. SharePoint Server does not provide built-in support for client certificate authentication, but client certificate authentication is available through Security Assertion Markup Language (SAML)-based claims authentication. You can use Active Directory Federation Services (AD FS) 2.0 as your security token service (STS) for SAML claims, or any third-party identity management system that supports standard security protocols such as WS-Trust, WS-Federation, SAML 1.1, and SAML 2.0.

Note

For more information about SharePoint Server protocol requirements, see SharePoint Front-End Protocols.

Claims-based authentication in SharePoint Server allows you to use different STSs. If you configure AD FS as your STS, SharePoint Server can support any identity provider or authentication method that AD FS supports, which includes client certificate authentication.

Note

For more information about AD FS, see Active Directory Federation Services Overview and AD FS 2016.

For an overview of authentication in SharePoint, see Plan for user authentication methods in SharePoint Server.

The following figure applies to SharePoint Server 2013 and SharePoint Server 2016: SharePoint Server is configured as a relying party for an AD FS-based STS.

Figure: SharePoint Server 2010 with AD FS 2.0

AD FS can authenticate user accounts for several different types of authentication methods, such as forms-based authentication, Active Directory Domain Services, client certificates, and smart cards. When you configure SharePoint Server as a relying party of AD FS, SharePoint Server trusts the accounts that AD FS validates and the authentication methods that AD FS uses to validate those accounts. This is how SharePoint Server supports client certificate authentication.

Configure client certificate authentication

The following topics explain how to configure SharePoint Server with client certificate authentication or smart card authentication when you use AD FS as your STS:

  1. Configure AD FS to support claims-based authentication.

    For more information, see AD FS 2.0 - How to change the local authentication type.

  2. Configure SharePoint Server to support SAML-based claims authentication using AD FS.

    For more information, see Configure SAML-based claims authentication with AD FS in SharePoint 2013 and Improved interoperability with SAML 2.0.

  3. Create a web application that uses SAML-based claims authentication.

    For more information, see Create claims-based web applications in SharePoint 2013.

Note

These steps will be similar for a third-party STS.
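The three steps above, carried out from PowerShell, as an added example that is not part of the original article. The AD FS commands run on the AD FS server (AD FS 2012 R2 or later; AD FS 2.0 changed the local authentication type through the web.config of the /adfs/ls application instead), and the SharePoint commands run in the SharePoint Management Shell on a farm server. The host names adfs.contoso.com and portal.contoso.com, the relying party identifier urn:sharepoint:portal, the certificate path C:\certs\adfs-signing.cer, the application pool name and the managed account contoso\spapppool are all assumed placeholders; the e-mail address is used as the identifier claim, which assumes every certificate-authenticated account has a populated mail attribute in AD DS.

```powershell
# Added example; not the article's own script. All names below are placeholders.

# ---------------------------------------------------------------------------
# Step 1 (AD FS server): make client certificate authentication the primary
# method and register SharePoint as a relying party.
# ---------------------------------------------------------------------------
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider 'CertificateAuthentication' `
    -PrimaryExtranetAuthenticationProvider 'CertificateAuthentication'

# Issuance rule: look up the authenticated account's mail attribute in AD DS
# and issue it as the e-mail claim that SharePoint will map to the identity.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Authorization rule: permit every authenticated user to obtain a token.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'SharePoint portal' `
    -Identifier 'urn:sharepoint:portal' `
    -WSFedEndpoint 'https://portal.contoso.com/_trust/' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# ---------------------------------------------------------------------------
# Step 2 (SharePoint Management Shell): trust the AD FS token-signing
# certificate and create the trusted identity token issuer.
# ---------------------------------------------------------------------------
# The exported AD FS token-signing certificate (public key only).
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-signing.cer')
New-SPTrustedRootAuthority -Name 'AD FS token signing' -Certificate $signingCert

# Map the incoming e-mail claim unchanged; it becomes the identifier claim.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' `
    -SameAsIncoming

# -Realm must equal the relying party identifier registered in AD FS above.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'AD FS' `
    -Description 'AD FS with client certificate authentication' `
    -Realm 'urn:sharepoint:portal' `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailMap `
    -SignInUrl 'https://adfs.contoso.com/adfs/ls' `
    -IdentifierClaim $emailMap.InputClaimType

# ---------------------------------------------------------------------------
# Step 3 (SharePoint Management Shell): create a web application that uses
# SAML-based claims authentication through the new issuer. HTTPS is required
# because the token is posted back to /_trust/ in the browser.
# ---------------------------------------------------------------------------
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

New-SPWebApplication -Name 'Portal' `
    -Url 'https://portal.contoso.com' `
    -Port 443 `
    -SecureSocketsLayer `
    -HostHeader 'portal.contoso.com' `
    -ApplicationPool 'PortalAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount 'contoso\spapppool') `
    -AuthenticationProvider $provider

# Verification: the issuer should report the realm and the identifier claim
# exactly as configured; a mismatch with the AD FS identifier is the most
# common cause of a token being rejected by SharePoint.
Get-SPTrustedIdentityTokenIssuer -Identity 'AD FS' |
    Select-Object Name, DefaultProviderRealm, IdentityClaimTypeInformation
```

After running this, bind the web application's SSL certificate in IIS and, if a user must also be resolved by the People Picker, note that with a trusted identity provider the picker does not validate the typed e-mail address against AD FS; that behaviour is unchanged by the commands above.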

See also

Configure SAML-based claims authentication with AD FS in SharePoint 2013
Planning and Architecture: AD FS 2.0
AD FS 2.0 Deployment Guide
Using Active Directory Federation Services 2.0 in Identity Solutions