Review the Role of the Federation Server Proxy in the Account Partner

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The primary role of the federation server proxy in the perimeter network of the account partner organization in Active Directory Federation Services (AD FS) is to collect authentication credentials from a client computer that logs on over the Internet and to pass those credentials to the federation server, which is located inside the corporate network of the account partner organization. The account for the client computer is stored in the account partner's attribute store.

A federation server proxy can also function in one or more of the following roles, depending on how you configure it to meet the needs of the account partner organization:

  • Relay Security Tokens—The federation server issues a security token to the federation server proxy, which then relays the token to the client computer. The security token is used to provide access for that client computer to a specific relying party.

  • Collect Credentials—The federation server proxy uses a default client logon Web form (clientlogon.aspx) to collect password-based credentials through forms-based authentication. However, you can customize this form to accept other supported types of authentication, such as Secure Sockets Layer (SSL) client authentication. For more information about how to customize this page, see Customizing Client Logon and Home Realm Discovery Pages (http://go.microsoft.com/fwlink/?LinkId=104275). A federation server proxy does not accept credentials through Windows Integrated Authentication.

To summarize, a federation server proxy in the account partner acts as a proxy for client logons to a federation server that is located in the corporate network. The federation server proxy also facilitates the distribution of security tokens to Internet clients that are destined for relying parties.

Warning

Exposing a federation server proxy on the account partner extranet will make the client logon Web form accessible to anyone with Internet access. This can potentially leave your organization vulnerable to some password-based attacks, such as dictionary attacks or brute force attacks that can trigger account lockouts for user accounts that are stored in the corporate Active Directory Domain Services (AD DS).
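One mitigation for the lockout risk described in this warning is the AD FS extranet soft lockout, which makes the proxy stop forwarding bad passwords before AD DS hard-locks the account. The script below is an added example, not part of this page or of the AD FS product documentation; it assumes an AD FS farm on Windows Server 2012 R2 or later (where extranet lockout exists), run on the primary federation server with the ActiveDirectory and ADFS PowerShell modules available, and it checks that the extranet threshold sits below the AD DS lockout threshold before configuring it.

```powershell
# Added example (not from the original page): align the AD FS extranet soft lockout
# with the AD DS account lockout policy so the proxy trips first on brute-force attempts.
# Assumptions: Windows Server 2012 R2 or later AD FS, run on the primary federation
# server, ActiveDirectory and ADFS modules installed.
Import-Module ActiveDirectory
Import-Module ADFS

function Test-LockoutGap {
    # $true when the extranet threshold is safely below the AD DS threshold.
    param([int]$AdfsThreshold, [int]$AdThreshold)
    # An AD DS threshold of 0 means AD DS never locks accounts, so there is no gap to protect.
    if ($AdThreshold -eq 0) { return $true }
    return ($AdfsThreshold -gt 0 -and $AdfsThreshold -lt $AdThreshold)
}

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$adfs         = Get-AdfsProperties

Write-Host ("AD DS lockout threshold: {0}, observation window: {1}" -f `
    $domainPolicy.LockoutThreshold, $domainPolicy.LockoutObservationWindow)
Write-Host ("AD FS extranet lockout enabled: {0}, threshold: {1}, window: {2}" -f `
    $adfs.EnableExtranetLockout, $adfs.ExtranetLockoutThreshold, $adfs.ExtranetObservationWindow)

$gapOk = Test-LockoutGap -AdfsThreshold $adfs.ExtranetLockoutThreshold `
                         -AdThreshold   $domainPolicy.LockoutThreshold

if (-not $adfs.EnableExtranetLockout -or -not $gapOk) {
    # Choose a threshold one below the AD DS one and an observation window at least
    # as long as the AD DS window, so the proxy's soft lockout always triggers before
    # AD DS increments badPwdCount past its own threshold.
    if ($domainPolicy.LockoutThreshold -eq 0) {
        $target = 10   # constructed default for domains that never hard-lock accounts
    } else {
        $target = [math]::Max(1, $domainPolicy.LockoutThreshold - 1)
    }
    $window = $domainPolicy.LockoutObservationWindow
    if ($window -lt (New-TimeSpan -Minutes 30)) { $window = New-TimeSpan -Minutes 30 }

    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $target `
                       -ExtranetObservationWindow $window
    Write-Host "Extranet lockout enabled: $target failed attempts per $window"
} else {
    Write-Host "Extranet lockout already sits below the AD DS threshold; no change made."
}
```

Because extranet lockout checks the bad-password count on the PDC emulator before forwarding credentials, the federation servers must be able to reach it; verify that connectivity in the proxy-facing firewall rules before relying on this setting.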

See Also

AD FS Design Guide in Windows Server 2012