Appendix A: Reviewing AD FS Requirements

Applies To: Windows Server 2012

So that the organizational partners in your Active Directory Federation Services (AD FS) deployment can collaborate successfully, you must first make sure that your corporate network infrastructure is configured to support AD FS requirements for accounts, name resolution, and certificates. AD FS has the following types of requirements:

Tip

You can find additional AD FS resource links at the AD FS Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS Community and is monitored on a regular basis by the AD FS Product Team.

Hardware requirements

The following minimum and recommended hardware requirements apply to the federation server and federation server proxy computers.

Hardware requirement | Minimum requirement | Recommended requirement
CPU speed | Single-core, 1 gigahertz (GHz) | Quad-core, 2 GHz
RAM | 1 GB | 4 GB
Disk space | 50 MB | 100 MB

Software requirements

AD FS relies on server functionality that is built into the Windows Server® 2012 operating system.

Note

The Federation Service and Federation Service Proxy role services cannot coexist on the same computer.

Certificate requirements

Certificates play the most critical role in securing communications between federation servers, federation server proxies, claims-aware applications, and Web clients. The requirements for certificates vary, depending on whether you are setting up a federation server or federation server proxy computer, as described in this section.

Federation server certificates

Federation servers require the certificates in the following table.

Certificate type: Secure Sockets Layer (SSL) certificate
Description: This is a standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers and clients.
What you need to know before deploying: This certificate must be bound to the Default Web Site in Internet Information Services (IIS) for a Federation Server or a Federation Server Proxy. For a Federation Server Proxy, the binding must be configured in IIS prior to running the Federation Server Proxy Configuration Wizard successfully.

Recommendation: Because this certificate must be trusted by clients of AD FS, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign. Tip: The Subject name of this certificate is used to represent the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name on any new CA-issued certificates that best represents the name of your company or organization to partners.

Certificate type: Service communications certificate
Description: This certificate enables WCF message security for securing communications between federation servers.
What you need to know before deploying: By default, the SSL certificate is used as the service communications certificate. This can be changed using the AD FS Management console.

Certificate type: Token-signing certificate
Description: This is a standard X.509 certificate that is used for securely signing all tokens that the federation server issues.
What you need to know before deploying: The token-signing certificate must contain a private key, and it should chain to a trusted root in the Federation Service. By default, AD FS creates a self-signed certificate. However, you can change this later to a CA-issued certificate by using the AD FS Management snap-in, depending on the needs of your organization.

Certificate type: Token-decrypting certificate
Description: This is a standard SSL certificate that is used to decrypt any incoming tokens that are encrypted by a partner federation server. It is also published in federation metadata.
What you need to know before deploying: By default, AD FS creates a self-signed certificate. However, you can change this later to a CA-issued certificate by using the AD FS Management snap-in, depending on the needs of your organization.

Warning

Certificates that are used for token-signing and token-decrypting are critical to the stability of the Federation Service. Because a loss or unplanned removal of any certificates that are configured for this purpose can disrupt service, you should back up any certificates that are configured for this purpose.

For more information about the certificates that federation servers use, see Certificate Requirements for Federation Servers.
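As an added example (not part of the original page or the AD FS product), the following PowerShell script checks a federation server's certificates against the requirements in the table and the Warning above: the SSL certificate's Subject must match the Federation Service name and chain to a trusted root, the token-signing and token-decrypting certificates must carry private keys, and those two are exported as a backup. The Federation Service name, the thumbprints, and the backup folder are assumed placeholders, and Test-AdfsCertificate is a helper written here, not an AD FS cmdlet.

```powershell
function Test-AdfsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedSubjectName,   # Federation Service name; omit to skip the name check
        [switch]$RequirePrivateKey
    )
    $problems = @()
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    # The Subject of the SSL certificate is the Federation Service name that partners and clients see.
    if ($ExpectedSubjectName -and $cn -ne $ExpectedSubjectName) {
        $problems += "subject name '$cn' does not match '$ExpectedSubjectName'"
    }
    if ($RequirePrivateKey -and -not $Certificate.HasPrivateKey) {
        $problems += 'private key is not present in the store'
    }
    # Build the chain as a client would: the root must be trusted on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Certificate)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
    $daysLeft = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 30) { $problems += "expires in $daysLeft days" }
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Ok         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Assumed values: your Federation Service name, the thumbprints shown for the token-signing and
# token-decrypting certificates in the AD FS Management snap-in, and a protected backup folder.
$fsName           = 'fs.contoso.com'
$tokenThumbprints = @('<TOKEN-SIGNING-THUMBPRINT>', '<TOKEN-DECRYPTING-THUMBPRINT>')
$backupDir        = 'C:\AdfsCertBackup'

$store = Get-ChildItem Cert:\LocalMachine\My

# 1. SSL / service communications certificate: Subject = FS name, private key, trusted chain.
$store |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $fsName } |
    ForEach-Object { Test-AdfsCertificate -Certificate $_ -ExpectedSubjectName $fsName -RequirePrivateKey }

# 2. Token-signing and token-decrypting certificates: the private key is mandatory. The default
#    self-signed certificates report an untrusted root here; that is expected until you switch
#    them to CA-issued certificates.
$tokenCerts = @($store | Where-Object { $_.Thumbprint -in $tokenThumbprints })
$tokenCerts | ForEach-Object { Test-AdfsCertificate -Certificate $_ -RequirePrivateKey }

# 3. Back them up with their private keys, as the Warning above requires (PKI module cmdlet).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($c in $tokenCerts) {
    Export-PfxCertificate -Cert $c -FilePath (Join-Path $backupDir "$($c.Thumbprint).pfx") -Password $pfxPassword | Out-Null
}
```

Run it on the federation server itself, since the chain is evaluated against that machine's trusted root store and the private keys are only visible there.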

Federation server proxy certificates

Federation server proxies require the certificates in the following table.

Certificate type: Server authentication certificate
Description: This is a standard Secure Sockets Layer (SSL) certificate that is used for securing communications between a federation server proxy and Internet client computers.
What you need to know before deploying: This certificate must be bound to the Default Web Site in Internet Information Services (IIS) before you can run the AD FS Federation Server Proxy Configuration Wizard successfully.

Recommendation: Because this certificate must be trusted by clients of AD FS, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign.

Tip: The Subject name of this certificate is used to represent the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name that best represents the name of your company or organization to partners.

For more information about the certificates that federation server proxies use, see Certificate Requirements for Federation Server Proxies.

Browser requirements

Although any current Web browser with JavaScript capability can be made to work as an AD FS client, the Web pages that are provided by default have been tested only against Internet Explorer versions 7.0, 8.0 and 9.0, Mozilla Firefox 3.0, and Safari 3.1 on Windows. JavaScript must be enabled, and cookies must be enabled for browser-based sign-in and sign-out to work correctly.

The AD FS product team at Microsoft successfully tested the browser and operating system configurations in the following table.

Browser | Windows 7 | Windows Vista
Internet Explorer 7.0 | X | X
Internet Explorer 8.0 | X | X
Internet Explorer 9.0 | X | Not tested
Mozilla Firefox 3.0 | X | X
Safari 3.1 | X | X

Note

AD FS supports both the 32-bit and 64-bit versions of all the browsers shown in the preceding table.

Cookies

AD FS creates session-based and persistent cookies that must be stored on client computers to provide sign-in, sign-out, single sign-on (SSO), and other functionality. Therefore, the client browser must be configured to accept cookies. Cookies that are used for authentication are always Secure Hypertext Transfer Protocol (HTTPS) session cookies that are written for the originating server. If the client browser is not configured to allow these cookies, AD FS cannot function correctly. Persistent cookies are used to preserve the user's selection of the claims provider. You can disable them by using a configuration setting in the configuration file for the AD FS sign-in pages.

Support for TLS/SSL is required for security reasons.

Network requirements

Configuring the following network services appropriately is critical for successful deployment of AD FS in your organization.

TCP/IP network connectivity

For AD FS to function, TCP/IP network connectivity must exist between the client; a domain controller; and the computers that host the Federation Service, the Federation Service Proxy (when it is used), and the AD FS Web Agent.

DNS

The primary network service that is critical to the operation of AD FS, other than Active Directory Domain Services (AD DS), is Domain Name System (DNS). When DNS is deployed, users can use friendly computer names that are easy to remember to connect to computers and other resources on IP networks.

Windows Server 2008 uses DNS for name resolution instead of the Windows Internet Name Service (WINS) NetBIOS name resolution that was used in Windows NT 4.0-based networks. It is still possible to use WINS for applications that require it. However, AD DS and AD FS require DNS name resolution.

The process of configuring DNS to support AD FS varies, depending on whether:

  • Your organization already has an existing DNS infrastructure. In most scenarios, DNS is already configured throughout your network so that Web browser clients in your corporate network have access to the Internet. Because Internet access and name resolution are requirements of AD FS, this infrastructure is assumed to be in place for your AD FS deployment.

  • You intend to add a federation server to your corporate network. For the purpose of authenticating users in the corporate network, internal DNS servers in the corporate network forest must be configured to return the CNAME of the internal server that is running the Federation Service. For more information, see Name Resolution Requirements for Federation Servers.

  • You intend to add a federation server proxy to your perimeter network. When you want to authenticate user accounts that are located in the corporate network of your identity partner organization, the internal DNS servers in the corporate network forest must be configured to return the CNAME of the internal federation server proxy. For information about how to configure DNS to accommodate the addition of federation server proxies, see Name Resolution Requirements for Federation Server Proxies.

  • You are setting up DNS for a test lab environment. If you plan to use AD FS in a test lab environment where no single root DNS server is authoritative, it is probable that you will have to set up DNS forwarders so that queries for names between two or more forests are forwarded appropriately. For general information about how to set up an AD FS test lab environment, see AD FS Step-by-Step and How To Guides.

Attribute store requirements

AD FS requires at least one attribute store to be used for authenticating users and extracting security claims for those users. For a list of attribute stores that AD FS supports, see The Role of Attribute Stores in the AD FS Design Guide.

Note

AD FS automatically creates an Active Directory attribute store, by default.

Attribute store requirements depend on whether your organization is acting as the account partner (hosting the federated users) or the resource partner (hosting the federated application).

AD DS

For AD FS to operate successfully, domain controllers in either the account partner organization or the resource partner organization must be running Windows Server 2003 SP1, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2012.

When AD FS is installed and configured on a domain-joined computer, the Active Directory user account store for that domain is made available as a selectable attribute store.

Important

Because AD FS requires the installation of Internet Information Services (IIS), we recommend that you not install the AD FS software on a domain controller in a production environment for security purposes. However, this configuration is supported by Microsoft Customer Service Support.

Schema requirements

AD FS does not require schema changes or functional-level modifications to AD DS.

Functional-level requirements

Most AD FS features do not require AD DS functional-level modifications to operate successfully. However, Windows Server 2008 domain functional level or higher is required for client certificate authentication to operate successfully if the certificate is explicitly mapped to a user's account in AD DS.

Service account requirements

If you are creating a federation server farm, you must first create a dedicated domain-based service account in AD DS that the Federation Service can use. Later, you configure each federation server in the farm to use this account. For more information about how to do this, see Manually Configure a Service Account for a Federation Server Farm in the AD FS Deployment Guide.

LDAP

When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores, you must connect to an LDAP server that supports Windows Integrated authentication. The LDAP connection string must also be written in the format of an LDAP URL, as described in RFC 2255.
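As an added example (not from the original page or AD FS itself), the PowerShell function below parses and validates a connection string against the RFC 2255 layout ldap://host:port/dn?attributes?scope?filter?extensions, applying the RFC's defaults (port 389, scope base, filter (objectClass=*)) and rejecting anything that does not fit, so a malformed string is caught before it is entered in the attribute store configuration. The host names and DNs in the usage lines are constructed samples.

```powershell
function ConvertFrom-LdapUrl {
    param([Parameter(Mandatory)][string]$Url)
    # RFC 2255 layout: ldap://host:port/dn?attributes?scope?filter?extensions
    # Every component after the scheme is optional; a "?" inside a component must be percent-encoded.
    $pattern = '^ldap://(?<host>[^:/?]*)(?::(?<port>\d{1,5}))?' +
               '(?:/(?<dn>[^?]*)(?:\?(?<attrs>[^?]*)(?:\?(?<scope>[^?]*)' +
               '(?:\?(?<filter>[^?]*)(?:\?(?<ext>.*))?)?)?)?)?$'
    $m = [regex]::Match($Url, $pattern, 'IgnoreCase')
    if (-not $m.Success) { throw "Not an RFC 2255 LDAP URL: '$Url'" }

    $scope = $m.Groups['scope'].Value.ToLowerInvariant()
    if (-not $scope) { $scope = 'base' }                                  # RFC 2255 default
    if ($scope -notin @('base', 'one', 'sub')) {
        throw "Invalid scope '$scope' in '$Url' (expected base, one or sub)"
    }

    $port = if ($m.Groups['port'].Value) { [int]$m.Groups['port'].Value } else { 389 }
    if ($port -lt 1 -or $port -gt 65535) { throw "Invalid port $port in '$Url'" }

    # Components are percent-encoded in the URL; decode them for use as LDAP values.
    $filter = [uri]::UnescapeDataString($m.Groups['filter'].Value)
    if (-not $filter) { $filter = '(objectClass=*)' }                     # RFC 2255 default

    [pscustomobject]@{
        Host       = $m.Groups['host'].Value
        Port       = $port
        BaseDN     = [uri]::UnescapeDataString($m.Groups['dn'].Value)
        Attributes = @($m.Groups['attrs'].Value -split ',' | Where-Object { $_ })
        Scope      = $scope
        Filter     = $filter
        Extensions = @($m.Groups['ext'].Value -split ',' | Where-Object { $_ })
    }
}

# Constructed samples: one well-formed connection string and two that do not follow RFC 2255
# (no scheme; unknown scope "tree").
ConvertFrom-LdapUrl 'ldap://ldap.contoso.com:389/ou=People,dc=contoso,dc=com?mail,department?sub?(objectClass=person)'
foreach ($bad in @('ldap.contoso.com:389', 'ldap://ldap.contoso.com/dc=contoso,dc=com?mail?tree')) {
    try { ConvertFrom-LdapUrl $bad } catch { Write-Warning $_.Exception.Message }
}
```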

SQL Server

For AD FS to operate successfully, computers that host the Structured Query Language (SQL) Server attribute store must be running either Microsoft SQL Server 2005 or SQL Server 2008. When you work with SQL-based attribute stores, you also must configure a connection string.

Custom attribute stores

You can develop custom attribute stores to enable advanced scenarios. The policy language that is built into AD FS can reference custom attribute stores so that any of the following scenarios can be enhanced:

  • Creating claims for a locally authenticated user

  • Supplementing claims for an externally authenticated user

  • Authorizing a user to obtain a token

  • Authorizing a service to obtain a token on behalf of a user

When you work with a custom attribute store, you may also have to configure a connection string. In this situation, you can enter any custom code you like that enables a connection to your custom attribute store. The connection string in this situation is a set of name/value pairs that are interpreted as implemented by the developer of the custom attribute store.

For more information about developing and using custom attribute stores, see Attribute Store Overview.

Application requirements

Federation servers can communicate with and protect federation applications, such as claims-aware applications.

Authentication requirements

AD FS integrates naturally with existing Windows authentication, for example, Kerberos authentication, NTLM, smart cards, and X.509 v3 client-side certificates. Federation servers use standard Kerberos authentication to authenticate a user against a domain. Clients can authenticate by using forms-based authentication, smart card authentication, and Windows Integrated authentication, depending on how you configure authentication.

The AD FS federation server proxy role makes possible a scenario in which the user authenticates externally using SSL client authentication. You can also configure the federation server role to require SSL client authentication, although typically the most seamless user experience is achieved by configuring the account federation server for Windows Integrated authentication. In this situation, AD FS has no control over what credentials the user employs for Windows desktop logon.

Smart card logon

Although AD FS can enforce the type of credentials that it uses for authentication (passwords, SSL client authentication, or Windows Integrated authentication), it does not directly enforce authentication with smart cards. Therefore, AD FS does not provide a client-side user interface (UI) to obtain smart-card personal identification number (PIN) credentials. This is because Windows-based clients intentionally do not provide user credential details to federation servers or Web servers.

Smart card authentication

Smart card authentication uses the Kerberos protocol to authenticate to an account federation server. AD FS cannot be extended to add new authentication methods. The certificate in the smart card is not required to chain up to a trusted root on the client computer. Use of a smart-card-based certificate with AD FS requires the following conditions:

  • The reader and cryptographic service provider (CSP) for the smart card must work on the computer where the browser is located.

  • The smart card certificate must chain up to a trusted root on the account federation server and the account federation server proxy.

  • The certificate must map to the user account in AD DS by either of the following methods:

    • The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.

    • The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS.
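As an added example (not from the original page or AD FS itself), this PowerShell function applies the two mapping rules above to a smart card certificate: it takes the Subject DN and the UPN from the subject altname extension and looks for an AD DS user account that matches either one. It assumes a domain-joined machine, that the Smart Card Logon EKU identifies the card's logon certificate, and that Windows renders the altname extension's Principal Name in the text form shown in the comments; Get-SmartCardCertificateMapping is a helper written here, not an AD FS cmdlet.

```powershell
function Get-SmartCardCertificateMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Method 1: the certificate Subject, compared with the account's distinguishedName.
    $subjectDn = $Certificate.Subject

    # Method 2: the UPN in the Subject Alternative Name extension (OID 2.5.29.17), stored as an
    # otherName of type Principal Name. Assumption: Format($false) renders it on Windows as
    # "Other Name:Principal Name=user@domain", which the regex below picks out.
    $upn = $null
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { $upn = $Matches[1] }

    # Escape LDAP filter metacharacters (RFC 4515) before placing values in the query.
    $escape = { param($s) $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29') }
    $clauses = @()
    if ($subjectDn) { $clauses += "(distinguishedName=$(& $escape $subjectDn))" }
    if ($upn)       { $clauses += "(userPrincipalName=$(& $escape $upn))" }

    # Query AD DS from a domain-joined machine; [adsisearcher] searches the current domain.
    $account = $null
    if ($clauses.Count -gt 0) {
        $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(|$($clauses -join '')))"
        $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'userprincipalname'))
        $account = $searcher.FindOne()
    }

    $matchedBy = $null
    if ($account) {
        $foundUpn = [string]$account.Properties['userprincipalname'][0]
        $matchedBy = if ($upn -and $foundUpn -eq $upn) { 'SAN UPN' } else { 'Subject DN' }
    }
    [pscustomobject]@{
        SubjectDN   = $subjectDn
        SanUpn      = $upn
        Mapped      = [bool]$account
        AccountName = if ($account) { [string]$account.Properties['samaccountname'][0] } else { $null }
        MatchedBy   = $matchedBy
    }
}

# Usage: inspect the smart card logon certificate(s) in the current user's personal store.
# The Smart Card Logon EKU OID is 1.3.6.1.4.1.311.20.2.2.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
    ForEach-Object { Get-SmartCardCertificateMapping -Certificate $_ }
```

A result with Mapped = False for a certificate that chains correctly points at the mapping rules, not the trust chain, as the thing to fix.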

To support certain authentication strength requirements in some scenarios, it is also possible to configure AD FS to create a claim that indicates how the user was authenticated. A relying party can then use this claim to make an authorization decision.

See Also

AD FS Design Guide in Windows Server 2012