Access Control Policies in Windows Server 2012 R2 and Windows Server 2012 AD FS

Applies To: Windows Server 2012 R2 and Windows Server 2012

The policies described in this article make use of two kinds of claims:

  1. Claims AD FS creates based on information the AD FS and Web Application Proxy can inspect and verify, such as the IP address of the client connecting directly to AD FS or the WAP.

  2. Claims AD FS creates based on information forwarded to AD FS by the client as HTTP headers.

Important: The policies as documented below will block Windows 10 domain join and sign-on scenarios that require access to the following additional endpoints.

AD FS endpoints required for Windows 10 domain join and sign-on

  • [federation service name]/adfs/services/trust/2005/windowstransport
  • [federation service name]/adfs/services/trust/13/windowstransport
  • [federation service name]/adfs/services/trust/2005/usernamemixed
  • [federation service name]/adfs/services/trust/13/usernamemixed
  • [federation service name]/adfs/services/trust/2005/certificatemixed
  • [federation service name]/adfs/services/trust/13/certificatemixed

To resolve this, update any policies that deny based on the endpoint claim so that they make an exception for the endpoints above.

For example, the rule below:

c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value != "/adfs/ls/"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

would be updated to the following (the exception list is a regular-expression alternation, so the comparison uses the regular-expression operator !~ rather than the string operator !=):

c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value !~ "(/adfs/ls/)|(/adfs/services/trust/2005/windowstransport)|(/adfs/services/trust/13/windowstransport)|(/adfs/services/trust/2005/usernamemixed)|(/adfs/services/trust/13/usernamemixed)|(/adfs/services/trust/2005/certificatemixed)|(/adfs/services/trust/13/certificatemixed)"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

Note

Claims from this category should only be used to implement business policies and not as security policies to protect access to your network. It is possible for unauthorized clients to send headers with false information as a way to gain access.

The policies described in this article should always be used with another authentication method, such as username and password or multi-factor authentication.

Client Access Policy Scenarios

Scenario 1: Block all external access to Office 365
  Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario 2: Block all external access to Office 365 except Exchange ActiveSync
  Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario 3: Block all external access to Office 365 except browser-based applications
  Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario 4: Block all external access to Office 365 except for designated Active Directory groups
  This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.

Enabling Client Access Policy

To enable client access policy in AD FS in Windows Server 2012 R2, you must update the Microsoft Office 365 Identity Platform relying party trust. Choose the example scenario below that best meets the needs of your organization and use it to configure the claim rules on the Microsoft Office 365 Identity Platform relying party trust.

Scenario 1: Block all external access to Office 365

This client access policy scenario allows access from all internal clients and blocks all external clients based on the IP address of the external client. You can use the following procedures to add the correct Issuance Authorization rules to the Office 365 relying party trust for your chosen scenario.

To create rules to block all external access to Office 365
  1. From Server Manager, click Tools, then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.

  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.

  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  5. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is any IP claim outside the desired range, deny”. Under Custom rule, type or paste the following claim rule language syntax (replace the value for “x-ms-forwarded-client-ip” in the rule with a valid IP expression):

    c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^(?!192\.168\.1\.77|10\.83\.118\.23)"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

  6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list before the default Permit Access to All Users rule (the Deny rule will take precedence even though it appears earlier in the list). If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:

    c:[] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

  7. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.

    [Screenshot: Issuance Authorization Rules list]

Scenario 2: Block all external access to Office 365 except Exchange ActiveSync

The following example allows access to all Office 365 applications, including Exchange Online, from internal clients including Outlook. It blocks access from clients residing outside the corporate network, as indicated by the client IP address, except for Exchange ActiveSync clients such as smart phones.

To create rules to block all external access to Office 365 except Exchange ActiveSync
  1. From Server Manager, click Tools, then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.

  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.

  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  5. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is any IP claim outside the desired range, issue ipoutsiderange claim”. Under Custom rule, type or paste the following claim rule language syntax (replace the value for “x-ms-forwarded-client-ip” in the rule with a valid IP expression):

    c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^(?!192\.168\.1\.77|10\.83\.118\.23)"] => issue(Type = "http://custom/ipoutsiderange", Value = "true");

  6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.

  7. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.

  8. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  9. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is an IP outside the desired range AND there is a non-EAS x-ms-client-application claim, deny”. Under Custom rule, type or paste the following claim rule language syntax:

    c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value != "Microsoft.Exchange.ActiveSync"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

  10. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.

  11. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.

  12. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  13. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “check if application claim exists”. Under Custom rule, type or paste the following claim rule language syntax:

    NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"]) => add(Type = "http://custom/xmsapplication", Value = "fail");

  14. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.

  15. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.

  16. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  17. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “deny users with ipoutsiderange true and application fail”. Under Custom rule, type or paste the following claim rule language syntax:

    c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://custom/xmsapplication", Value == "fail"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

  18. Click Finish. Verify that the new rule appears immediately below the previous rule and before the default Permit Access to All Users rule in the Issuance Authorization Rules list (the Deny rule will take precedence even though it appears earlier in the list). If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:

    c:[] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

  19. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.

    [Screenshot: Issuance Authorization Rules list]
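The five rules above can be exercised offline with a small Python model of how issuance authorization rules behave. This is an added example, not part of the original article or of AD FS itself: the claim types and the placeholder addresses are the page's own, the request claim sets are constructed, and the evaluator is a simplification in which each rule condition is a boolean over the whole claim set rather than a per-claim match.

```python
import re

# Claim types used by the page's Scenario 2 rules.
INSIDE_CORPNET = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
FORWARDED_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
IP_OUTSIDE = "http://custom/ipoutsiderange"
APP_FAIL = "http://custom/xmsapplication"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"

# The page's placeholder IP expression: a negative lookahead anchored at the start of
# the value, so it "matches" whenever the value does NOT begin with one of the two
# listed addresses. Because of the ^ anchor only the first address of a comma-separated
# value is examined. Replace it with your own range expression in production.
IP_OUTSIDE_RANGE = re.compile(r"^(?!192\.168\.1\.77|10\.83\.118\.23)")


def has(claims, ctype, value=None):
    """c:[Type == ctype, Value == value]; value=None checks the type only."""
    return any(t == ctype and (value is None or v == value) for t, v in claims)


def has_matching(claims, ctype, predicate):
    """c:[Type == ctype, Value <op> ...] with the Value test supplied as a predicate."""
    return any(t == ctype and predicate(v) for t, v in claims)


# Scenario 2's rules in list order: (condition, action, claim type, value).
# "add" places the claim in the input set only; "issue" also copies it to the output.
SCENARIO_2_RULES = [
    # Rule 1: insidecorporatenetwork == false AND forwarded ip =~ "^(?!...)"
    #         => issue ipoutsiderange = true
    (lambda c: has(c, INSIDE_CORPNET, "false")
     and has_matching(c, FORWARDED_IP, lambda v: IP_OUTSIDE_RANGE.search(v) is not None),
     "issue", IP_OUTSIDE, "true"),
    # Rule 2: ipoutsiderange == true AND client-application != ActiveSync => deny
    (lambda c: has(c, IP_OUTSIDE, "true")
     and has_matching(c, CLIENT_APP, lambda v: v != "Microsoft.Exchange.ActiveSync"),
     "issue", DENY, "DenyUsersWithClaim"),
    # Rule 3: NOT EXISTS client-application => add xmsapplication = fail
    (lambda c: not has(c, CLIENT_APP), "add", APP_FAIL, "fail"),
    # Rule 4: ipoutsiderange == true AND xmsapplication == fail => deny
    (lambda c: has(c, IP_OUTSIDE, "true") and has(c, APP_FAIL, "fail"),
     "issue", DENY, "DenyUsersWithClaim"),
    # Rule 5: the default c:[] => permit, which fires when any input claim exists
    (lambda c: len(c) > 0, "issue", PERMIT, "true"),
]


def evaluate(rules, input_claims):
    """Run an issuance authorization rule list and return "permit" or "deny".

    Models the semantics the page relies on: rules run top to bottom and each one
    sees claims produced by earlier rules; a deny claim in the output wins over a
    permit claim regardless of list order; no permit claim at all also means deny.
    """
    claims = set(input_claims)
    output = set()
    for condition, action, ctype, value in rules:
        if condition(claims):
            claims.add((ctype, value))
            if action == "issue":
                output.add((ctype, value))
    if any(t == DENY for t, _ in output):
        return "deny"
    return "permit" if any(t == PERMIT for t, _ in output) else "deny"


def scenario2_decision(inside_corpnet, forwarded_ip, client_app=None):
    """Build a constructed request-context claim set and evaluate Scenario 2 over it."""
    claims = {(INSIDE_CORPNET, inside_corpnet), (FORWARDED_IP, forwarded_ip)}
    if client_app is not None:
        claims.add((CLIENT_APP, client_app))
    return evaluate(SCENARIO_2_RULES, claims)


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.0/24 is documentation address space.
    cases = [
        ("internal Outlook", "true", "203.0.113.10", "Microsoft.Exchange.RPC"),
        ("external ActiveSync phone", "false", "203.0.113.10", "Microsoft.Exchange.ActiveSync"),
        ("external Outlook", "false", "203.0.113.10", "Microsoft.Exchange.RPC"),
        ("external, no application claim", "false", "203.0.113.10", None),
        ("external from an excepted address", "false", "10.83.118.23", "Microsoft.Exchange.RPC"),
    ]
    for name, inside, ip, app in cases:
        print(f"{name:35s} -> {scenario2_decision(inside, ip, app)}")
```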

Scenario 3: Block all external access to Office 365 except browser-based applications

To create rules to block all external access to Office 365 except browser-based applications
  1. From Server Manager, click Tools, then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.

  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.

  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  5. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is any IP claim outside the desired range, issue ipoutsiderange claim”. Under Custom rule, type or paste the following claim rule language syntax (replace the value for “x-ms-forwarded-client-ip” in the rule with a valid IP expression):

    c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^(?!192\.168\.1\.77|10\.83\.118\.23)"] => issue(Type = "http://custom/ipoutsiderange", Value = "true");

  6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.

  7. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.

  8. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  9. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is an IP outside the desired range AND the endpoint is not /adfs/ls, deny”. Under Custom rule, type or paste the following claim rule language syntax:

    c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value != "/adfs/ls/"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

  10. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list before the default Permit Access to All Users rule (the Deny rule will take precedence even though it appears earlier in the list). If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:

    c:[] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

  11. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.

    [Screenshot: Issuance Authorization Rules list]

Scenario 4: Block all external access to Office 365 except for designated Active Directory groups

The following example enables access from internal clients based on IP address. It blocks access from clients residing outside the corporate network that have an external client IP address, except for those individuals in a specified Active Directory group. Use the following steps to add the correct Issuance Authorization rules to the Microsoft Office 365 Identity Platform relying party trust using the Claim Rule Wizard:

To create rules to block all external access to Office 365, except for designated Active Directory groups
  1. From Server Manager, click Tools, then click AD FS Management.

  2. In the console tree, under AD FS\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.

  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.

  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  5. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is any IP claim outside the desired range, issue ipoutsiderange claim.” Under Custom rule, type or paste the following claim rule language syntax (replace the value for “x-ms-forwarded-client-ip” in the rule with a valid IP expression):

    c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^(?!192\.168\.1\.77|10\.83\.118\.23)"] && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://custom/ipoutsiderange", Value = "true");

  6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.

  7. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.

  8. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  9. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “check group SID”. Under Custom rule, type or paste the following claim rule language syntax (replace the sample SID value "S-1-5-32-100" with the actual SID of the AD group you are using):

    NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-100"]) => add(Type = "http://custom/groupsid", Value = "fail");

  10. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.

  11. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.

  12. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

  13. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “deny users with ipoutsiderange true and groupsid fail”. Under Custom rule, type or paste the following claim rule language syntax:

    c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://custom/groupsid", Value == "fail"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

  14. Click Finish. Verify that the new rule appears immediately below the previous rule and before the default Permit Access to All Users rule in the Issuance Authorization Rules list (the Deny rule will take precedence even though it appears earlier in the list). If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:

    c:[] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

  15. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.

    [Screenshot: Issuance Authorization Rules list]

Building the IP address range expression

The x-ms-forwarded-client-ip claim is populated from an HTTP header that is currently set only by Exchange Online, which populates the header when passing the authentication request to AD FS. The value of the claim may be one of the following:

Note

Exchange Online currently supports only IPv4 and not IPv6 addresses.

  • A single IP address: The IP address of the client that is directly connected to Exchange Online

Note

    • The IP address of a client on the corporate network will appear as the external interface IP address of the organization’s outbound proxy or gateway.
    • Clients that are connected to the corporate network by a VPN or by Microsoft DirectAccess (DA) may appear as internal corporate clients or as external clients depending upon the configuration of VPN or DA.

  • One or more IP addresses: When Exchange Online cannot determine the IP address of the connecting client, it will set the value based on the value of the x-forwarded-for header, a non-standard header that can be included in HTTP-based requests and is supported by many clients, load balancers, and proxies on the market.

Note

    • Multiple IP addresses, indicating the client IP address and the address of each proxy that passed the request, will be separated by a comma.
    • IP addresses related to Exchange Online infrastructure will not be on the list.

Regular Expressions

When you have to match a range of IP addresses, it becomes necessary to construct a regular expression to perform the comparison. In the next series of steps, we will provide examples for how to construct such an expression to match the following address ranges (note that you will have to change these examples to match your public IP range):

  • 192.168.1.1 – 192.168.1.25

  • 10.0.0.1 – 10.0.0.14

First, the basic pattern that will match a single IP address is as follows: \b###\.###\.###\.###\b

Extending this, we can match two different IP addresses with an OR expression as follows: \b###\.###\.###\.###\b|\b###\.###\.###\.###\b

So, an example to match just two addresses (such as 192.168.1.1 or 10.0.0.1) would be: \b192\.168\.1\.1\b|\b10\.0\.0\.1\b

This gives you the technique by which you can enter any number of addresses. Where a range of addresses needs to be allowed, for example 192.168.1.1 – 192.168.1.25, the matching must be done character by character: \b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b

Please note the following:

  • The IP address is treated as a string and not a number.

  • The rule is broken down as follows: \b192\.168\.1\.

  • This matches any value beginning with 192.168.1.

  • The following matches the ranges required for the portion of the address after the final decimal point:

    • ([1-9] Matches addresses ending in 1-9

    • |1[0-9] Matches addresses ending in 10-19

    • |2[0-5]) Matches addresses ending in 20-25

  • Note that the parentheses must be correctly positioned, so that you don’t start matching other portions of IP addresses.

  • With the 192 block matched, we can write a similar expression for the 10 block: \b10\.0\.0\.([1-9]|1[0-4])\b

  • And putting them together, the following expression should match all the addresses for “192.168.1.1~25” and “10.0.0.1~14”: \b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b|\b10\.0\.0\.([1-9]|1[0-4])\b

Testing the Expression

Regex expressions can become quite tricky, so we highly recommend using a regex verification tool. If you do an internet search for “online regex expression builder”, you will find several good online utilities that will allow you to try out your expressions against sample data.

When testing the expression, it’s important that you understand what you should expect it to match. The Exchange Online system may send many IP addresses, separated by commas. The expressions provided above will work for this. However, it’s important to keep this in mind when testing your regex expressions. For example, one might use the following sample input to verify the examples above:

192.168.1.1, 192.168.1.2, 192.169.1.1. 192.168.12.1, 192.168.1.10, 192.168.1.25, 192.168.1.26, 192.168.1.30, 1192.168.1.20

10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, 10.0.0.14, 10.0.0.15, 10.0.0.10, 10,0.0.1
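As an added example that is not part of the original article, the Python below generalises the character-by-character technique from the Regular Expressions section: it generates the last-octet alternation for any range within 0-255, assembles the same two block expressions the page builds by hand, and runs the combined expression over the page's sample input above. It assumes nothing beyond Python's standard re module; the sample strings are the page's constructed test data.

```python
import re


def _digit_class(lo, hi):
    """A single digit, or a digit class such as [1-9] when lo and hi differ."""
    return lo if lo == hi else f"[{lo}-{hi}]"


def _group(alternatives):
    """Wrap several alternatives in a non-capturing group; leave a single one bare."""
    return alternatives[0] if len(alternatives) == 1 else "(?:" + "|".join(alternatives) + ")"


def _same_length_range(lo, hi):
    """Alternatives matching every integer from lo to hi, given as equal-length digit strings.

    Split on the leading digit: recurse into the partial decade at the low end,
    emit one class for the full decades in the middle, and recurse into the
    partial decade at the high end (e.g. 10..25 -> 1[0-9] and 2[0-5]).
    """
    if len(lo) == 1:
        return [_digit_class(lo, hi)]
    if lo[0] == hi[0]:
        return [lo[0] + _group(_same_length_range(lo[1:], hi[1:]))]
    zeros, nines = "0" * (len(lo) - 1), "9" * (len(lo) - 1)
    alternatives = []
    if lo[1:] == zeros:                      # lo already starts a full decade
        first_full = lo[0]
    else:                                    # partial decade at the low end, e.g. 13..19
        alternatives.append(lo[0] + _group(_same_length_range(lo[1:], nines)))
        first_full = str(int(lo[0]) + 1)
    if hi[1:] == nines:                      # hi already ends a full decade
        last_full, tail = hi[0], None
    else:                                    # partial decade at the high end, e.g. 20..25
        last_full = str(int(hi[0]) - 1)
        tail = hi[0] + _group(_same_length_range(zeros, hi[1:]))
    if int(first_full) <= int(last_full):    # full decades in the middle, e.g. 1[0-9]
        alternatives.append(_digit_class(first_full, last_full) + "[0-9]" * (len(lo) - 1))
    if tail is not None:
        alternatives.append(tail)
    return alternatives


def octet_range(lo, hi):
    """Alternation for a last-octet range lo..hi, e.g. 1..25 -> [1-9]|1[0-9]|2[0-5]."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must satisfy 0 <= lo <= hi <= 255")
    alternatives = []
    for digits in (1, 2, 3):                 # handle 1-, 2- and 3-digit values separately
        a = max(lo, 0 if digits == 1 else 10 ** (digits - 1))
        b = min(hi, 10 ** digits - 1)
        if a <= b:
            alternatives += _same_length_range(str(a), str(b))
    return "|".join(alternatives)


def ip_block_pattern(prefix, lo, hi):
    """Pattern for one block of addresses, in the same shape as the page's rules."""
    return r"\b" + re.escape(prefix) + r"\.(" + octet_range(lo, hi) + r")\b"


def allowed_address_pattern():
    """The page's two example ranges combined with | into one expression."""
    return ip_block_pattern("192.168.1", 1, 25) + "|" + ip_block_pattern("10.0.0", 1, 14)


def matching_addresses(value, pattern=None):
    """Every address in a comma-separated claim value that the pattern accepts."""
    return [m.group(0) for m in re.finditer(pattern or allowed_address_pattern(), value)]


def accepts_whole(pattern, value):
    """True when the pattern matches the entire value; used to sanity-check a range."""
    return re.fullmatch(pattern, value) is not None


# The page's own sample inputs (constructed test data, including deliberately malformed entries).
SAMPLE_192 = ("192.168.1.1, 192.168.1.2, 192.169.1.1. 192.168.12.1, 192.168.1.10, "
              "192.168.1.25, 192.168.1.26, 192.168.1.30, 1192.168.1.20")
SAMPLE_10 = ("10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, "
             "10.0.0.14, 10.0.0.15, 10.0.0.10, 10,0.0.1")

if __name__ == "__main__":
    print(allowed_address_pattern())
    print(matching_addresses(SAMPLE_192))
    print(matching_addresses(SAMPLE_10))
```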

Claim Types

AD FS in Windows Server 2012 R2 provides request context information using the following claim types:

X-MS-Forwarded-Client-IP

Claim type: http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip

This AD FS claim represents a “best attempt” at ascertaining the IP address of the user (for example, the Outlook client) making the request. This claim can contain multiple IP addresses, including the address of every proxy that forwarded the request. This claim is populated from an HTTP header that is currently set only by Exchange Online, which populates the header when passing the authentication request to AD FS. The value of the claim can be one of the following:

  • A single IP address - The IP address of the client that is directly connected to Exchange Online

Note

The IP address of a client on the corporate network will appear as the external interface IP address of the organization’s outbound proxy or gateway.

  • One or more IP addresses

    • If Exchange Online cannot determine the IP address of the connecting client, it will set the value based on the value of the x-forwarded-for header, a non-standard header that can be included in HTTP-based requests and is supported by many clients, load balancers, and proxies on the market.

    • Multiple IP addresses, indicating the client IP address and the address of each proxy that passed the request, will be separated by a comma.

Note

IP addresses related to Exchange Online infrastructure will not be present in the list.

Warning

Exchange Online currently supports only IPv4 addresses; it does not support IPv6 addresses.

X-MS-Client-Application

Claim type: http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application

This AD FS claim represents the protocol used by the end client, which corresponds loosely to the application being used. This claim is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS. Depending on the application, the value of this claim will be one of the following:

  • In the case of devices that use Exchange ActiveSync, the value is Microsoft.Exchange.ActiveSync.

  • Use of the Microsoft Outlook client may result in any of the following values:

    • Microsoft.Exchange.Autodiscover

    • Microsoft.Exchange.OfflineAddressBook

    • Microsoft.Exchange.RPC

    • Microsoft.Exchange.WebServices

  • Other possible values for this header include the following:

    • Microsoft.Exchange.Powershell

    • Microsoft.Exchange.SMTP

    • Microsoft.Exchange.Pop

    • Microsoft.Exchange.Imap

X-MS-Client-User-Agent

Claim type: http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent

This AD FS claim provides a string that represents the device type the client is using to access the service. This can be used when customers would like to prevent access for certain devices (such as particular types of smart phones). Example values for this claim include (but are not limited to) the values below.

Below are examples of what the x-ms-client-user-agent value might contain for a client whose x-ms-client-application is “Microsoft.Exchange.ActiveSync”:

  • Vortex/1.0

  • Apple-iPad1C1/812.1

  • Apple-iPhone3C1/811.2

  • Apple-iPhone/704.11

  • Moto-DROID2/4.5.1

  • SAMSUNGSPHD700/100.202

  • Android/0.3

It is also possible that this value is empty.

X-MS-Proxy

Claim type: http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy

This AD FS claim indicates that the request has passed through the Web Application Proxy. This claim is populated by the Web Application Proxy, which populates the header when passing the authentication request to the back-end Federation Service. AD FS then converts it to a claim.

The value of the claim is the DNS name of the Web Application Proxy that passed the request.

InsideCorporateNetwork

Claim type: http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork

Similar to the x-ms-proxy claim type above, this claim type indicates whether the request has passed through the Web Application Proxy. Unlike x-ms-proxy, insidecorporatenetwork is a boolean value, with True indicating a request made directly to the federation service from inside the corporate network.

X-MS-Endpoint-Absolute-Path (Active vs Passive)

Claim type: http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path

This claim type can be used for determining requests originating from “active” (rich) clients versus “passive” (web-browser-based) clients. This enables external requests from browser-based applications such as Outlook Web Access, SharePoint Online, or the Office 365 portal to be allowed while requests originating from rich clients such as Microsoft Outlook are blocked.

The value of the claim is the name of the AD FS service that received the request.
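The following is an added example (not code from the article or from AD FS) that pulls together the x-ms-client-application, x-ms-client-user-agent, x-ms-proxy, insidecorporatenetwork and x-ms-endpoint-absolute-path claims described in the sections above into one policy decision: browser-based (passive) requests are allowed from outside, rich (active) clients are allowed only from inside the corporate network, and particular device families can be refused by user-agent prefix. The claim type URIs are the ones the article lists; treating “/adfs/ls/” as the passive endpoint path, the endpoint paths in the samples, and the device prefix are assumptions, and all claim sets are constructed.

```python
"""Classify an AD FS request from its request-context claims.

Added example, not part of the original article. The claim type URIs are
those the article documents; PASSIVE_PREFIX and the sample endpoint paths
are assumptions about the deployment being evaluated.
"""

ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
APPLICATION = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
USER_AGENT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"

PASSIVE_PREFIX = "/adfs/ls/"   # assumption: browser (passive) sign-in path


def describe_request(claims):
    """Reduce one request's claims to the facts a policy needs."""
    endpoint = claims.get(ENDPOINT, "")
    return {
        # Anything that is not the passive sign-in path is treated as an
        # active (rich-client) request, which is the conservative reading.
        "passive": endpoint.startswith(PASSIVE_PREFIX),
        # x-ms-proxy exists only when the Web Application Proxy forwarded it.
        "via_proxy": PROXY in claims,
        "inside_corp": claims.get(INSIDE, "").lower() == "true",
        "application": claims.get(APPLICATION, ""),
        # The article notes the user-agent value may legitimately be empty.
        "user_agent": claims.get(USER_AGENT, ""),
    }


def decide(claims, blocked_user_agent_prefixes=()):
    """Return (decision, reason) for the policy described in the lead-in."""
    facts = describe_request(claims)
    # The article describes these two claims as complementary: a request that
    # came through the proxy cannot also be a direct internal request.
    if facts["inside_corp"] and facts["via_proxy"]:
        return "deny", "inconsistent proxy and insidecorporatenetwork claims"
    if facts["inside_corp"]:
        return "allow", "direct request from the corporate network"
    ua = facts["user_agent"]
    if ua and any(ua.startswith(p) for p in blocked_user_agent_prefixes):
        return "deny", "blocked device family"
    if not facts["passive"]:
        return "deny", "active client from outside the corporate network"
    return "allow", "browser-based request from outside the corporate network"


if __name__ == "__main__":
    # Constructed sample claim sets.
    samples = {
        "internal outlook": {INSIDE: "true",
                             ENDPOINT: "/adfs/services/trust/13/usernamemixed",
                             APPLICATION: "Microsoft.Exchange.RPC"},
        "external outlook": {INSIDE: "false", PROXY: "wap01.corp.example",
                             ENDPOINT: "/adfs/services/trust/13/usernamemixed",
                             APPLICATION: "Microsoft.Exchange.RPC"},
        "external browser": {INSIDE: "false", PROXY: "wap01.corp.example",
                             ENDPOINT: "/adfs/ls/"},
        "external activesync phone": {INSIDE: "false", PROXY: "wap01.corp.example",
                                      ENDPOINT: "/adfs/services/trust/13/usernamemixed",
                                      APPLICATION: "Microsoft.Exchange.ActiveSync",
                                      USER_AGENT: "Apple-iPhone3C1/811.2"},
    }
    for name, claims in samples.items():
        print(f"{name:28} -> {decide(claims, ('Apple-iPhone',))}")
```

The predicates here map one-to-one onto the claims an AD FS issuance authorization rule can test (insidecorporatenetwork for location, x-ms-endpoint-absolute-path for active versus passive, x-ms-client-user-agent for device family), so the same ordering of checks can be carried over when writing the actual rules.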

See Also

AD FS Operations