Claims authentication does not validate user in SharePoint Server

Summary: Because SharePoint Server 2016 and SharePoint 2013 recommend claims-based authentication for user access to web applications, this article describes the tools and techniques that you can use to troubleshoot failed claims-based user authentication attempts.

When users try to connect to a web application, logs record failed authentication events. If you use the tools that Microsoft provides and take a systematic approach to examining failures, you can learn about common issues that relate to claims-based authentication and resolve them.

Successful access to a SharePoint resource requires both authentication and authorization. When you are using claims, authentication verifies that the security token is valid. Authorization verifies that access to the resource is allowed, based on the set of claims in the security token and the configured permissions for the resource.

To determine whether authentication or authorization causes an access issue, look closely at the error message in the browser window.

  • If the error message indicates that the user does not have access to the site, then authentication was successful and authorization failed. To troubleshoot authorization, try the following solutions:

    • The most common reason for failed authorization when you are using Security Assertion Markup Language (SAML) claims-based authentication is that the permissions were assigned to the user's Windows-based account (domain\user) instead of the user's SAML identity claim.

    • Verify that the user, or a group to which the user belongs, has been configured with the appropriate permissions. For more information, see User permissions and permission levels in SharePoint Server.

    • Use the tools and techniques in this article to determine the set of claims in the user's security token so that you can compare it with the configured permissions.

  • If the message indicates that authentication failed, you have an authentication problem. If the resource is contained within a SharePoint web application that uses claims-based authentication, use the information in this article to start troubleshooting.

Troubleshooting tools

The following are the primary troubleshooting tools that Microsoft provides to collect information about claims authentication in SharePoint Server:

  • Use Unified Logging System (ULS) logs to obtain the details of authentication transactions.

  • Use Central Administration to verify the details of the user authentication settings for SharePoint web applications and zones, and to configure the levels of ULS logging.

  • If you are using Active Directory Federation Services 2.0 (AD FS) as your federation provider for Security Assertion Markup Language (SAML)-based claims authentication, you can use AD FS logging to determine the claims that are in the security tokens that AD FS issues to web client computers.

  • Use Network Monitor 3.4 to capture and examine the details of user authentication network traffic.

Setting the level of ULS logging for user authentication

The following procedure configures SharePoint Server to log the maximum amount of information for claims authentication attempts.

To configure SharePoint Server for the maximum amount of user authentication logging

  1. From Central Administration, click **Monitoring** on the Quick Launch, and then click **Configure diagnostic logging**.

  2. In the list of categories, expand **SharePoint Foundation**, and then select **Authentication Authorization** and **Claims Authentication**.

  3. In **Least critical event to report to the event log**, select **Verbose**.

  4. In **Least critical event to report to the trace log**, select **Verbose**.

  5. Click **OK**.

To optimize performance when you are not troubleshooting claims authentication, follow these steps to return user authentication logging to its default values.

To configure SharePoint Server for the default amount of user authentication logging

  1. From Central Administration, click **Monitoring** on the Quick Launch, and then click **Configure diagnostic logging**.

  2. In the list of categories, expand **SharePoint Foundation**, and then select **Authentication Authorization** and **Claims Authentication**.

  3. In **Least critical event to report to the event log**, select **Information**.

  4. In **Least critical event to report to the trace log**, select **Medium**.

  5. Click **OK**.
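The two procedures above are Central Administration click paths. The following is an added example, not part of the article, that makes the same change and reverses it from the SharePoint Management Shell using the Set-SPLogLevel, Get-SPLogLevel and Clear-SPLogLevel cmdlets; the two function names are my own.

```powershell
# Added example (not from the article): set the two ULS categories the procedures
# above refer to, "Authentication Authorization" and "Claims Authentication", to
# Verbose, and return them to their defaults afterwards. Run from the SharePoint
# Management Shell on a farm server; the function names are hypothetical.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# -Identity takes "Area:Category"; both categories belong to the SharePoint Foundation area.
$claimsAuthCategories = @(
    'SharePoint Foundation:Authentication Authorization',
    'SharePoint Foundation:Claims Authentication'
)

function Enable-ClaimsAuthVerboseLogging {
    # Same effect as choosing Verbose for "Least critical event to report to the event log"
    # and "Least critical event to report to the trace log" in Configure diagnostic logging.
    Set-SPLogLevel -Identity $claimsAuthCategories -EventSeverity Verbose -TraceSeverity Verbose
    Get-SPLogLevel -Identity $claimsAuthCategories    # show the levels now in effect
}

function Restore-ClaimsAuthDefaultLogging {
    # Clear-SPLogLevel resets only the named categories to their defaults (the article
    # gives Information / Medium). Called without -Identity it would reset every category.
    Clear-SPLogLevel -Identity $claimsAuthCategories
    Get-SPLogLevel -Identity $claimsAuthCategories
}

# Typical sequence:
#   Enable-ClaimsAuthVerboseLogging
#   ... reproduce the failed sign-in and read the ULS log ...
#   Restore-ClaimsAuthDefaultLogging
Enable-ClaimsAuthVerboseLogging
```

Verbose trace logging for these categories applies farm-wide and grows the ULS files quickly, which is why the article has you restore the defaults once the failed attempt has been captured.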

Configuring AD FS logging

Even after you enable the maximum level of ULS logging, SharePoint Server doesn't record the set of claims in a security token that it receives. If you use AD FS for SAML-based claims authentication, you can enable AD FS logging and use Event Viewer to examine the claims in the security tokens that SharePoint Server issues.

To enable AD FS logging

  1. On the AD FS server, in Event Viewer, click **View**, and then click **Show Analytic and Debug Logs**.

  2. In the Event Viewer console tree, expand **Applications and Services Logs/AD FS 2.0 Tracing**.

  3. Right-click **Debug**, and then click **Enable Log**.

  4. Open the %ProgramFiles%\Active Directory Federation Services 2.0 folder.

  5. Use Notepad to open the Microsoft.IdentityServer.ServiceHost.Exe.Config file.

  6. Click **Edit**, click **Find**, type <source name="Microsoft.IdentityModel" switchValue="Off">, and then click **OK**.

  7. Change switchValue="Off" to switchValue="Verbose".

  8. Click **File**, click **Save**, and then exit Notepad.

  9. In the Services snap-in, right-click the **AD FS 2.0** service, and then click **Restart**.

You can now use Event Viewer on the AD FS server to examine details about claims from the Applications and Services Logs/AD FS 2.0 Tracing/Debug node. Look for events with Event ID 1001.

You can also enumerate claims with an HttpModule or web part, or through OperationContext. For more information, see How to Get All User Claims at Claims Augmentation Time in SharePoint 2010. This information about SharePoint 2010 also applies to SharePoint 2013.

Troubleshooting methodology for claims user authentication

The following steps can help you determine the cause of failed claims authentication attempts.

Step 1: Determine the details of the failed authentication attempt

To obtain detailed and definitive information about a failed authentication attempt, you have to find it in the SharePoint ULS logs. These log files are stored in the %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\LOGS folder.

You can find the failed authentication attempt in the ULS log files either manually or by using the ULS Log Viewer.

To find the failed authentication attempt manually

  1. Obtain from the user the name of the user account that produces the failed authentication attempt.

  2. On the server that is running SharePoint Server or SharePoint Foundation, find the %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\LOGS or %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\LOGS folder.

  3. In the LOGS folder, click **Date modified** to sort the folder by date, with the most recent file at the top.

  4. Try the authentication task again.

  5. In the LOGS folder window, double-click the log file at the top of the list to open it in Notepad.

  6. In Notepad, click **Edit**, click **Find**, type Authentication Authorization or Claims Authentication, and then click **Find Next**.

  7. Click **Cancel**, and then read the contents of the Message column.

To use the ULS Viewer, download it from ULS Viewer and save it to a folder on the server that is running SharePoint Server or SharePoint Foundation. After it is installed, follow these steps to locate the failed authentication attempt.

To find the failed authentication attempt with the ULS Viewer

  1. On the server that is running SharePoint Server or SharePoint Foundation, double-click Ulsviewer in the folder in which it is stored.

  2. In the ULS Viewer, click **File**, point to **Open From**, and then click **ULS**.

  3. In the **Setup the ULS Runtime feed** dialog box, verify that the %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\LOGS or %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\LOGS folder is specified in **Use ULS feed from default log-file directory**. If not, click **Use directory location for real-time feeds** and specify the %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\LOGS or %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\LOGS folder in **Log file location**.

    For %CommonProgramFiles%, substitute the value of the CommonProgramFiles environment variable on the server that is running SharePoint Server or SharePoint Foundation. For example, if the location is the C drive, %CommonProgramFiles% is set to C:\Program Files\Common Files.

  4. Click **OK**.

  5. Click **Edit**, and then click **Modify Filter**.

  6. In the **Filter by** dialog box, in **Field**, click **Category**.

  7. In **Value**, type **Authentication Authorization** or **Claims Authentication**, and then click **OK**.

  8. Repeat the authentication attempt.

  9. In the ULS Viewer window, double-click the displayed lines to view the Message portion.

For non-OAuth requests, from the claims-encoding part of the Message portion you can determine the authentication method and the encoded user identity from the claims-encoded string (example: i:0#.w|contoso\chris). For more information, see SharePoint 2013 and SharePoint 2010 claims encoding.
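As an added example that is not part of the article, the PowerShell below does what this step describes by hand: it reads the recent ULS log files for the two categories and decodes the claims-encoded string found in the Message column into its authentication method and user identity. It assumes the default LOGS folder layout given above; the function names are mine, and the claim-type and issuer tables are partial, covering only the values commonly seen in these logs (the complete table is in the claims encoding reference linked above). The three sample strings near the bottom are constructed, not taken from a real log.

```powershell
# Added example (not from the article): list recent "Authentication Authorization" and
# "Claims Authentication" ULS entries and decode the claims-encoded identity in their
# Message column. Assumes the default LOGS folder of the 16 or 15 hive; the function
# names are hypothetical and the claim-type / issuer tables are partial.

$ulsFolders = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\LOGS",
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\LOGS"
)
$ulsCategories = @('Authentication Authorization', 'Claims Authentication')

function Get-SPClaimsAuthLogEntry {
    # ULS .log files are tab-separated with one header row:
    # Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation
    param([string[]]$Folders = $ulsFolders, [int]$MinutesBack = 15)
    $folder = $Folders | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $folder) { throw "No ULS LOGS folder found under $env:CommonProgramFiles" }
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    Get-ChildItem -LiteralPath $folder -Filter *.log |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            Get-Content -LiteralPath $_.FullName | Select-Object -Skip 1 | ForEach-Object {
                $col = $_ -split "`t"
                if ($col.Count -ge 8 -and $ulsCategories -contains $col[4].Trim()) {
                    $corr = ''
                    if ($col.Count -ge 9) { $corr = $col[8].Trim() }
                    [pscustomobject]@{
                        Timestamp   = $col[0].Trim()
                        Category    = $col[4].Trim()
                        Level       = $col[6].Trim()
                        Message     = $col[7].Trim()
                        Correlation = $corr
                    }
                }
            }
        }
}

function ConvertFrom-SPClaimEncoding {
    # Layout: <i|c> ":" "0" <claim type> <value type> <issuer> "|" [<provider> "|"] <value>
    # i = identity claim, c = any other claim; "." as the value type means a string value.
    param([Parameter(Mandatory = $true)][string]$EncodedClaim)
    $layout = '^(?<kind>[ic]):0(?<type>.)(?<vtype>.)(?<issuer>.)\|(?<rest>.+)$'
    if ($EncodedClaim -notmatch $layout) { return $null }   # not claims-encoded (classic domain\user)
    $kind = $Matches.kind; $type = $Matches.type; $issuer = $Matches.issuer; $value = $Matches.rest
    $claimTypes = @{ '#' = 'user logon name'; '5' = 'email address'; '-' = 'role'
                     '+' = 'group SID'; '!' = 'identity provider' }
    $issuers = @{ 'w' = 'Windows'; 's' = 'SharePoint STS'; 't' = 'trusted identity provider (SAML)'
                  'f' = 'forms authentication'; 'm' = 'membership provider'
                  'r' = 'role provider'; 'c' = 'claim provider' }
    $provider = ''
    # Issuers other than Windows and the local STS name the provider before a second "|".
    if ('tmrfc'.Contains($issuer) -and $value.Contains('|')) {
        $provider, $value = $value.Split('|', 2)
    }
    $kindName = 'other claim'; if ($kind -eq 'i') { $kindName = 'identity claim' }
    $typeName = $claimTypes[$type];  if (-not $typeName) { $typeName = "unknown type '$type'" }
    $issuerName = $issuers[$issuer]; if (-not $issuerName) { $issuerName = "unknown issuer '$issuer'" }
    [pscustomobject]@{ Claim = $EncodedClaim; Kind = $kindName; ClaimType = $typeName
                       Issuer = $issuerName; Provider = $provider; Value = $value }
}

# Constructed sample strings (not from a real log) showing the three common shapes:
# Windows logon name, SAML email identity via a trusted provider, and an FBA role claim.
'i:0#.w|contoso\chris', 'i:05.t|adfs|chris@contoso.com', 'c:0-.f|fbaroles|Approvers' |
    ForEach-Object { ConvertFrom-SPClaimEncoding -EncodedClaim $_ } | Format-Table -AutoSize

# Live run on a farm server: recent entries with the decoded identity attached.
Get-SPClaimsAuthLogEntry -MinutesBack 15 | ForEach-Object {
    $decoded = $null
    if ($_.Message -match '(?<claim>[ic]:0.{3}\|[^\s,;"'']+)') {
        $decoded = ConvertFrom-SPClaimEncoding -EncodedClaim $Matches.claim
    }
    $_ | Add-Member -NotePropertyName DecodedIdentity -NotePropertyValue $decoded -PassThru
} | Format-List Timestamp, Category, Level, Correlation, DecodedIdentity, Message
```

The Correlation column is worth keeping: every ULS entry written while SharePoint handled one request shares the same correlation ID, so once you have found the failed attempt you can filter the whole log on that ID to see the STS and claims provider calls that surrounded it.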

Step 2: Check configuration requirements

To determine how a web application or zone is configured to support one or more claims authentication methods, use the SharePoint Central Administration website.

To verify the authentication configuration for a web application or zone

  1. From Central Administration, click **Application Management** on the Quick Launch, and then click **Manage web applications**.

  2. Click the name of the web application that the user is trying to access, and in the **Security** group of the ribbon, click **Authentication Providers**.

  3. In the list of authentication providers, click the appropriate zone (such as **Default**).

  4. In the **Edit Authentication** dialog box, in the **Claims Authentication Types** section, verify the settings for claims authentication.

    • For Windows claims authentication, verify that **Enable Windows Authentication** and **Integrated Windows authentication** are selected, and that either **NTLM** or **Negotiate (Kerberos)** is selected as needed. Select **Basic authentication** if it is needed.

    • For forms-based authentication, verify that **Enable Forms Based Authentication (FBA)** is selected. Verify the values in **ASP.NET Membership provider name** and **ASP.NET Role manager name**. These values must match the membership provider and role provider values that you configured in the web.config files for the SharePoint Central Administration website, the web application, and SharePoint Web Services\SecurityTokenServiceApplication. For more information, see Configure forms-based authentication for a claims-based web application in SharePoint Server.

    • For SAML-based claims authentication, verify that **Trusted identity provider** and the correct trusted provider name are selected. For more information, see Configure SAML-based claims authentication with AD FS in SharePoint Server.

    • In the **Sign In Page URL** section, verify the option for the sign-in page. For a default sign-in page, **Default Sign In Page** should be selected. For a custom sign-in page, verify the specified URL of the custom sign-in page. To verify it, copy the URL, and then attempt to access it with a web browser.

  5. Click **Save** to save the changes to the authentication settings.

  6. Repeat the authentication attempt. For forms-based or SAML-based authentication, does the expected sign-in page appear with the correct sign-in options?

  7. If authentication still fails, check the ULS logs to determine whether there is any difference between the authentication attempt before the authentication configuration change and the attempt after it.
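The following is an added example, not part of the article, that reads the same settings the Edit Authentication dialog shows for every zone of a web application through the SharePoint object model, cross-checks the FBA membership and role provider names against the zone's web.config and the Security Token Service web.config (the match the text requires), and requests a custom sign-in page instead of pasting its URL into a browser. Run it from the SharePoint Management Shell on a farm server. The function names and the web application URL are placeholders of mine, and the STS web.config path is assumed for the 16 hive (use 15 for SharePoint 2013).

```powershell
# Added example (not from the article): show the claims authentication settings of each
# zone of a web application and cross-check FBA provider names against web.config files.
# Function names are hypothetical; the STS web.config path is an assumption for the 16 hive.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-WebConfigProviderNames {
    # Provider names declared under <system.web><membership> and <roleManager> in one web.config.
    param([string]$WebConfigPath)
    if (-not (Test-Path -LiteralPath $WebConfigPath)) { return $null }
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath
    $web = $cfg.configuration.'system.web'
    [pscustomobject]@{
        Path       = $WebConfigPath
        Membership = @($web.membership.providers.add | ForEach-Object { $_.name })
        Role       = @($web.roleManager.providers.add | ForEach-Object { $_.name })
    }
}

function Test-SPClaimsAuthConfiguration {
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)
    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl
    if (-not $webApp.UseClaimsAuthentication) {
        Write-Warning "$($webApp.DisplayName) uses classic-mode authentication; claims settings do not apply."
    }
    # The Security Token Service has its own web.config that must declare the same FBA providers.
    $stsPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\WebServices\SecurityToken\web.config'
    $sts = Get-WebConfigProviderNames -WebConfigPath $stsPath
    foreach ($zone in $webApp.IisSettings.Keys) {
        $iis     = $webApp.IisSettings[$zone]
        $zoneCfg = Get-WebConfigProviderNames -WebConfigPath (Join-Path $iis.Path.FullName 'web.config')
        $signIn  = $iis.ClaimsAuthenticationRedirectionUrl      # $null means the default sign-in page
        $signInStatus = 'default sign-in page'
        if ($signIn) {
            # Same check the text describes (open the custom URL), done from the shell.
            try { $signInStatus = "HTTP $((Invoke-WebRequest -Uri $signIn -UseBasicParsing -UseDefaultCredentials).StatusCode)" }
            catch { $signInStatus = "unreachable: $($_.Exception.Message)" }
        }
        foreach ($p in $iis.ClaimsAuthenticationProviders) {
            $detail = ''
            if ($p -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider]) {
                # DisableKerberos = $true corresponds to NTLM in the dialog, $false to Negotiate (Kerberos).
                $detail = "DisableKerberos=$($p.DisableKerberos); Basic=$($p.UseBasicAuthentication)"
            }
            elseif ($p -is [Microsoft.SharePoint.Administration.SPFormsAuthenticationProvider]) {
                $m = $p.MembershipProvider; $r = $p.RoleProvider
                $inZone = ($zoneCfg -and $zoneCfg.Membership -contains $m -and $zoneCfg.Role -contains $r)
                $inSts  = ($sts -and $sts.Membership -contains $m -and $sts.Role -contains $r)
                $detail = "membership=$m role=$r; declared in zone web.config=$inZone; in STS web.config=$inSts"
            }
            [pscustomobject]@{
                Zone       = $zone
                Provider   = $p.DisplayName
                Detail     = $detail
                SignInPage = $signInStatus
            }
        }
    }
}

# Placeholder URL: replace with the web application the user is trying to reach.
Test-SPClaimsAuthConfiguration -WebApplicationUrl 'https://portal.example.invalid' | Format-Table -AutoSize
```

A row whose Detail reports declared in zone web.config=False or in STS web.config=False is the mismatch the second bullet of step 4 warns about: the dialog accepts any provider name, and the failure only shows up when the STS tries to load a provider that its own web.config never declared.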

Step 3: Additional items to check

After you check the log files and the web application configuration, verify the following:

  • The web browser on the web client computer supports claims. For more information, see Plan browser support in SharePoint Server 2016.

  • For Windows claims authentication, verify the following:

    • The computer from which the user issues the authentication attempt is a member of the same domain as the server that hosts the SharePoint web application, or a member of a domain that the hosting server trusts.

    • The computer from which the user issues the authentication attempt is logged on to its Active Directory Domain Services (AD DS) domain. Type nltest /dsgetdc: /force at a Command Prompt or in the SharePoint Management Shell on the web client computer to make sure that it can reach a domain controller. If no domain controller is listed, troubleshoot the lack of discoverability and connectivity between the web client computer and an AD DS domain controller.

    • The server that is running SharePoint Server or SharePoint Foundation is logged on to its AD DS domain. Type nltest /dsgetdc: /force at a Command Prompt or in the SharePoint Management Shell on the server that is running SharePoint Server or SharePoint Foundation to make sure that it can reach a domain controller. If no domain controller is listed, troubleshoot the lack of discoverability and connectivity between the server that is running SharePoint Server or SharePoint Foundation and an AD DS domain controller.

  • For forms-based authentication, verify the following:

    • The user credentials for the configured ASP.NET membership and role provider are correct.

    • The systems that host the ASP.NET membership and role provider are available on the network.

    • Custom sign-in pages correctly collect and convey the user's credentials. To test this, temporarily configure the web application to use the default sign-in page and verify that it works.

  • For SAML-based claims authentication, verify the following:

    • The user credentials for the configured identity provider are correct.

    • The systems that act as the federation provider (such as AD FS) and the identity provider (such as AD DS or a third-party identity provider) are available on the network.

    • Custom sign-in pages correctly collect and convey the user's credentials. To test this, temporarily configure the web application to use the default sign-in page and verify that it works.

Step 4: Use a web debug tool to monitor and analyze web traffic

Use a tool such as HttpWatch or Fiddler to analyze the following types of HTTP traffic:

  • Between the web client computer and the server that is running SharePoint Server or SharePoint Foundation

    For example, you can monitor the HTTP redirect messages that the server running SharePoint Server or SharePoint Foundation sends to inform the web client computer of the location of a federation server (such as AD FS).

  • Between the web client computer and the federation server (such as AD FS)

    For example, you can monitor the HTTP messages that the web client computer sends and the responses of the federation server, which can include security tokens and their claims.

Note

If you use Fiddler, the authentication attempt can fail after three authentication prompts. To prevent this behavior, see Using Fiddler With SAML and SharePoint to Get Past the Three Authentication Prompts.

Step 5: Capture and analyze authentication network traffic

Use a network traffic tool, such as Network Monitor 3.4, to capture and analyze the traffic between the web client computer, the server that is running SharePoint Server or SharePoint Foundation, and the systems on which SharePoint Server or SharePoint Foundation relies for claims authentication.

Note

In many cases, claims authentication uses Hypertext Transfer Protocol Secure (HTTPS) connections, which encrypt the messages sent between computers. You cannot see the contents of encrypted messages with a network traffic tool without the aid of an add-in or extension. For example, for Network Monitor, you must install and configure the Network Monitor Decryption Expert. As an easier alternative to decrypting HTTPS messages, use a tool such as Fiddler on the server that hosts SharePoint Server or SharePoint Foundation, which can report on the unencrypted HTTP messages.

An analysis of the network traffic can reveal the following:

  • The exact set of protocols and messages that are sent between the computers involved in the claims authentication process. Reply messages can contain error condition information, which you can use to determine additional troubleshooting steps.

  • Whether request messages have corresponding replies. Request messages that are sent several times without receiving a reply can indicate that the network traffic is not reaching its intended destination. In that case, check for packet routing issues, packet filtering devices in the path (such as a firewall), or packet filtering on the destination (such as a local firewall).

  • Whether multiple claims methods are being tried, and which of them are failing.

For Windows claims authentication, you can capture and analyze the traffic between the following computers:

  • The web client computer and the server that is running SharePoint Server or SharePoint Foundation

  • The server that is running SharePoint Server or SharePoint Foundation and its domain controller

For forms-based authentication, you can capture and analyze the traffic between the following computers:

  • The web client computer and the server that is running SharePoint Server or SharePoint Foundation

  • The server that is running SharePoint Server or SharePoint Foundation and the ASP.NET membership and role provider

For SAML-based claims authentication, you can capture and analyze the traffic between the following computers:

  • The web client computer and the server that is running SharePoint Server or SharePoint Foundation

  • The web client computer and its identity provider (such as an AD DS domain controller)

  • The web client computer and the federation provider (such as AD FS)

See also

Other Resources

Configure forms-based authentication for a claims-based web application in SharePoint Server

Configure SAML-based claims authentication with AD FS in SharePoint Server