Identify Your AD FS Deployment Goals

Applies To: Windows Server 2016, Windows Server 2012 R2

Correctly identifying your Active Directory Federation Services (AD FS) deployment goals is essential for the success of your AD FS design project. Prioritize and, where possible, combine your deployment goals so that you can design and deploy AD FS using an iterative approach. You can take advantage of the existing, documented, and predefined AD FS deployment goals that are relevant to the AD FS designs and develop a working solution for your situation.

Prior versions of AD FS were most commonly deployed to achieve the following:

  • Providing your employees or customers with a web-based SSO experience when accessing claims-based applications within your enterprise.

  • Providing your employees or customers with a web-based SSO experience when accessing resources in any federation partner organization.

  • Providing your employees or customers with a web-based SSO experience when remotely accessing internally hosted web sites or services.

  • Providing your employees or customers with a web-based SSO experience when accessing resources or services in the cloud.

In addition to these, AD FS in Windows Server® 2012 R2 adds functionality that can help you achieve the following:

  • Device workplace join for SSO and seamless second-factor authentication. This enables organizations to allow access from users' personal devices and to manage the risk of providing that access.

  • Managing risk with multi-factor access control. AD FS provides a rich level of authorization that controls who has access to which applications. This can be based on user attributes (UPN, email, security group membership, authentication strength, etc.), device attributes (whether the device is workplace joined), or request attributes (network location, IP address, or user agent).

  • Managing risk with additional multi-factor authentication for sensitive applications. AD FS allows you to control policies that require multi-factor authentication globally or on a per-application basis. In addition, AD FS provides extensibility points for any multi-factor vendor to integrate deeply for a secure and seamless multi-factor experience for end users.

  • Providing authentication and authorization capabilities for accessing web resources from the extranet that are protected by the Web Application Proxy.

To summarize, AD FS in Windows Server 2012 R2 can be deployed to achieve the following goals in your organization:

Enable your users to access resources on their personal devices from anywhere

  • Workplace join, which enables users to join their personal devices to the corporate Active Directory and, as a result, gain access and a seamless experience when accessing corporate resources from those devices.

  • Pre-authentication of resources inside the corporate network that are protected by the Web Application Proxy and accessed from the internet.

  • Password change, which enables users to change their password from any workplace-joined device when their password has expired so that they can continue to access resources.

Enhance your access control risk management tools

Managing risk is an important aspect of governance and compliance in every IT organization. There are numerous access control risk management enhancements in AD FS in Windows Server® 2012 R2, including the following:

  • Flexible controls based on network location to govern how a user authenticates to access an AD FS-secured application.

  • Flexible policy to determine whether a user needs to perform multi-factor authentication based on the user's data, device data, and network location.

  • Per-application control to ignore SSO and force the user to provide credentials every time they access a sensitive application.

  • Flexible per-application access policy based on user data, device data, or network location.

  • AD FS Extranet Lockout, which enables administrators to protect Active Directory accounts from brute-force attacks from the internet.

  • Access revocation for any workplace-joined device that is disabled or deleted in Active Directory.
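The following script is an added example (not part of the original page or Microsoft's documentation) showing how the risk management controls listed above map onto AD FS configuration in Windows Server 2012 R2: Extranet Lockout, a network-location and device-based MFA policy, and per-application SSO bypass. The relying party name "Claims App", the lockout threshold and the observation window are illustrative values, not recommendations.

```powershell
# Added example: run in an elevated PowerShell session on an AD FS federation server.
Import-Module ADFS

# 1. Extranet Lockout: after 15 failed extranet attempts within 30 minutes,
#    AD FS stops forwarding the account's credentials to AD, so an internet
#    brute-force attempt cannot lock out the AD account. (Values are illustrative.)
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 15 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Device data as a policy input: enable device authentication so the
#    "isregistereduser" device claim is available to the rules below.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Additional authentication rules for a sensitive application.
#    Either rule triggers MFA (the "multipleauthn" authentication method):
#    the request comes from outside the corporate network, or the device
#    is not workplace joined (no registered-user device claim).
$mfaRules = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");

NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# "Claims App" is an assumed relying party trust name; replace with your own.
Set-AdfsRelyingPartyTrust -TargetName "Claims App" -AdditionalAuthenticationRules $mfaRules

# 4. Per-application SSO bypass: ignore the existing SSO session and make the
#    user present credentials on every access to this sensitive application.
Set-AdfsRelyingPartyTrust -TargetName "Claims App" -AlwaysRequireAuthentication $true

# 5. Verify the resulting configuration.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
Get-AdfsRelyingPartyTrust -Name "Claims App" |
    Select-Object Name, AlwaysRequireAuthentication, AdditionalAuthenticationRules
```

Additional authentication rules can also be set globally with Set-AdfsAdditionalAuthenticationRule when MFA should apply to every application rather than one relying party.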

Use AD FS to enhance the sign-in experience

The following are new AD FS capabilities in Windows Server® 2012 R2 that enable administrators to customize and enhance the sign-in experience:

  • Unified customization of the AD FS service, where changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm.

  • Updated sign-in pages that look modern and automatically cater to different form factors.

  • Support for automatic fallback to forms-based authentication for devices that are not joined to the corporate domain but are still used to generate access requests from within the corporate network (intranet).

  • Simple controls to customize the company logo, illustration image, and standard links for IT support, home page, privacy, etc.

  • Customization of description messages in the sign-in pages.

  • Customization of web themes.

  • Home Realm Discovery (HRD) based on the organizational suffix of the user, for enhanced privacy of a company's partners.

  • HRD filtering on a per-application basis to automatically pick a realm based on the application.

  • One-click error reporting for easier IT troubleshooting.

  • Customizable error messages.

  • User authentication choice when more than one authentication provider is available.

See Also

AD FS Design Guide in Windows Server 2012 R2