title: Compound Authentication and Active Directory Domain Services claims in Active Directory Federation Services
description: The following document discusses compound authentication and AD DS claims in AD FS.

author: billmath ms.author: billmath manager: femila ms.date: 09/07/2017 ms.topic: article ms.prod: windows-server-threshold ms.technology: identity-adfs

Compound authentication and AD DS claims in AD FS

Windows Server 2012 enhances Kerberos authentication by introducing compound authentication. Compound authentication enables a Kerberos Ticket-Granting Service (TGS) request to include two identities:

  • the identity of the user
  • the identity of the user's device.

Windows accomplishes compound authentication by extending [Kerberos Flexible Authentication Secure Tunneling (FAST), or Kerberos armoring](https://technet.microsoft.com/library/hh831747.aspx).

AD FS 2012 and later versions allow consumption of AD DS-issued user or device claims that reside in a Kerberos authentication ticket. In previous versions of AD FS, the claims engine could only read user and group security IDs (SIDs) from Kerberos, but was not able to read any claims information contained within a Kerberos ticket.

You can enable richer access control for federated applications by using Active Directory Domain Services (AD DS)-issued user and device claims together with Active Directory Federation Services (AD FS).

Requirements

  1. The computers accessing federated applications must authenticate to AD FS using Windows Integrated Authentication.

    • Windows Integrated Authentication is only available when connecting to the backend AD FS servers.
    • Computers must be able to reach the backend AD FS servers for the Federation Service name.
    • AD FS servers must offer Windows Integrated Authentication as a primary authentication method in their Intranet settings.
  2. The policy Kerberos client support for claims, compound authentication and Kerberos armoring must be applied to all computers accessing federated applications that are protected by compound authentication. This applies to both single-forest and cross-forest scenarios.

  3. The domain housing the AD FS servers must have the KDC support for claims, compound authentication and Kerberos armoring policy setting applied to its domain controllers.

Steps for configuring AD FS in Windows Server 2012 R2

Use the following steps to configure compound authentication and claims.

Step 1: Enable KDC support for claims, compound authentication, and Kerberos armoring on the Default Domain Controller Policy

  1. In Server Manager, select Tools, Group Policy Management.
  2. Navigate down to the Default Domain Controller Policy, right-click and select Edit.
  3. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and select KDC.
  4. In the right pane, double-click KDC support for claims, compound authentication, and Kerberos armoring.
  5. In the new dialog window, set KDC support for claims to Enabled.
  6. Under Options, select Supported from the drop-down menu and then click Apply and OK.

Step 2: Enable Kerberos client support for claims, compound authentication, and Kerberos armoring on computers accessing federated applications

  1. On a Group Policy applied to the computers accessing federated applications, in the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and select Kerberos.
  2. In the right pane of the Group Policy Management Editor window, double-click Kerberos client support for claims, compound authentication, and Kerberos armoring.
  3. In the new dialog window, set Kerberos client support to Enabled and click Apply and OK.
  4. Close the Group Policy Management Editor.

Step 3: Ensure the AD FS servers have been updated.

You need to ensure that the following updates are installed on your AD FS servers.

| Update | Description |
| --- | --- |
| KB2919355 | Cumulative security update (includes KB2919355, KB2932046, KB2934018, KB2937592, KB2938439) |
| KB2959977 | Update for Server 2012 R2 |
| Hotfix 3052122 | This update adds support for compound ID claims in Active Directory Federation Services. |

Step 4: Configure the Primary Authentication Provider

  1. Set the Primary Authentication Provider to Windows Authentication for the AD FS Intranet settings.
  2. In AD FS Management, under Authentication Policies, select Primary Authentication and under Global Settings click Edit.
  3. On Edit Global Authentication Policy, under Intranet, select Windows Authentication.
  4. Click Apply and OK.
  5. Using PowerShell, you can use the Set-AdfsGlobalAuthenticationPolicy cmdlet:

```powershell
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication'
```

Note

In a WID-based farm, the PowerShell command must be executed on the primary AD FS server. In a SQL-based farm, the PowerShell command may be executed on any AD FS server that is a member of the farm.

Step 5: Add the claim description to AD FS

  1. Add the following claim description to the farm. This claim description is not present by default in AD FS 2012 R2 and needs to be added manually.
  2. In AD FS Management, under Service, right-click Claim Descriptions and select Add Claim Description.
  3. Enter the following information in the claim description.
  4. Place a check in both boxes.
  5. Click OK.
  6. Using PowerShell, you can use the Add-AdfsClaimDescription cmdlet:

```powershell
Add-AdfsClaimDescription -Name 'Windows device group' -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup' `
    -ShortName 'windowsdevicegroup' -IsAccepted $true -IsOffered $true -IsRequired $false -Notes 'The windows group SID of the device'
```

Note

In a WID-based farm, the PowerShell command must be executed on the primary AD FS server. In a SQL-based farm, the PowerShell command may be executed on any AD FS server that is a member of the farm.

Step 6: Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute

  1. Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute of the account you designated to run the AD FS service, using the Set-ADServiceAccount PowerShell cmdlet.

Note

If you change the service account, then you must manually enable compound authentication by running the Set-ADUser -CompoundIdentitySupported:$true Windows PowerShell cmdlet.

```powershell
Set-ADServiceAccount -Identity "ADFS Service Account" -CompoundIdentitySupported:$true
```

  2. Restart the AD FS service.

Note

Once CompoundIdentitySupported is set to true, installation of the same gMSA on new servers (2012 R2/2016) fails with the following error: Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the target.'

Solution: Temporarily set CompoundIdentitySupported to $false. This step causes AD FS to stop issuing WindowsDeviceGroup claims.

```powershell
Set-ADServiceAccount -Identity 'ADFS Service Account' -CompoundIdentitySupported:$false
```

Install the gMSA on the new server and then set CompoundIdentitySupported back to $true. Disabling CompoundIdentitySupported and then re-enabling it does not require the AD FS service to be restarted.

Step 7: Update the AD FS Claims Provider Trust for Active Directory

  1. Update the AD FS Claims Provider Trust for Active Directory to include the following 'Pass-through' claim rule for the 'WindowsDeviceGroup' claim.
  2. In AD FS Management, click Claims Provider Trusts and in the right pane, right-click Active Directory and select Edit Claim Rules.
  3. On Edit Claim Rules for Active Directory, click Add Rule.
  4. On the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim and click Next.
  5. Add a display name and select Windows device group from the Incoming claim type drop-down.
  6. Click Finish. Click Apply and OK.

Step 8: On the Relying Party where the 'WindowsDeviceGroup' claims are expected, add a similar 'Pass-through' or 'Transform' claim rule.

  1. In AD FS Management, click Relying Party Trusts and in the right pane, right-click your RP and select Edit Claim Rules.
  2. On the Issuance Transform Rules tab, click Add Rule.
  3. On the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim and click Next.
  4. Add a display name and select Windows device group from the Incoming claim type drop-down.
  5. Click Finish. Click Apply and OK.

Steps for configuring AD FS in Windows Server 2016

The following details the steps for configuring compound authentication on AD FS for Windows Server 2016.

Step 1: Enable KDC support for claims, compound authentication, and Kerberos armoring on the Default Domain Controller Policy

  1. In Server Manager, select Tools, Group Policy Management.
  2. Navigate down to the Default Domain Controller Policy, right-click and select Edit.
  3. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and select KDC.
  4. In the right pane, double-click KDC support for claims, compound authentication, and Kerberos armoring.
  5. In the new dialog window, set KDC support for claims to Enabled.
  6. Under Options, select Supported from the drop-down menu and then click Apply and OK.

Step 2: Enable Kerberos client support for claims, compound authentication, and Kerberos armoring on computers accessing federated applications

  1. On a Group Policy applied to the computers accessing federated applications, in the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and select Kerberos.
  2. In the right pane of the Group Policy Management Editor window, double-click Kerberos client support for claims, compound authentication, and Kerberos armoring.
  3. In the new dialog window, set Kerberos client support to Enabled and click Apply and OK.
  4. Close the Group Policy Management Editor.

Step 3: Configure the Primary Authentication Provider

  1. Set the Primary Authentication Provider to Windows Authentication for the AD FS Intranet settings.
  2. In AD FS Management, under Authentication Policies, select Primary Authentication and under Global Settings click Edit.
  3. On Edit Global Authentication Policy, under Intranet, select Windows Authentication.
  4. Click Apply and OK.
  5. Using PowerShell, you can use the Set-AdfsGlobalAuthenticationPolicy cmdlet:

```powershell
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication'
```

Note

In a WID-based farm, the PowerShell command must be executed on the primary AD FS server. In a SQL-based farm, the PowerShell command may be executed on any AD FS server that is a member of the farm.

Step 4: Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute

  1. Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute of the account you designated to run the AD FS service, using the Set-ADServiceAccount PowerShell cmdlet.

Note

If you change the service account, then you must manually enable compound authentication by running the Set-ADUser -CompoundIdentitySupported:$true Windows PowerShell cmdlet.

```powershell
Set-ADServiceAccount -Identity "ADFS Service Account" -CompoundIdentitySupported:$true
```

  2. Restart the AD FS service.

Note

Once CompoundIdentitySupported is set to true, installation of the same gMSA on new servers (2012 R2/2016) fails with the following error: Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the target.'

Solution: Temporarily set CompoundIdentitySupported to $false. This step causes AD FS to stop issuing WindowsDeviceGroup claims.

```powershell
Set-ADServiceAccount -Identity 'ADFS Service Account' -CompoundIdentitySupported:$false
```

Install the gMSA on the new server and then set CompoundIdentitySupported back to $true. Disabling CompoundIdentitySupported and then re-enabling it does not require the AD FS service to be restarted.

Step 5: Update the AD FS Claims Provider Trust for Active Directory

  1. Update the AD FS Claims Provider Trust for Active Directory to include the following 'Pass-through' claim rule for the 'WindowsDeviceGroup' claim.
  2. In AD FS Management, click Claims Provider Trusts and in the right pane, right-click Active Directory and select Edit Claim Rules.
  3. On Edit Claim Rules for Active Directory, click Add Rule.
  4. On the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim and click Next.
  5. Add a display name and select Windows device group from the Incoming claim type drop-down.
  6. Click Finish. Click Apply and OK.

Step 6: On the Relying Party where the 'WindowsDeviceGroup' claims are expected, add a similar 'Pass-through' or 'Transform' claim rule.

  1. In AD FS Management, click Relying Party Trusts and in the right pane, right-click your RP and select Edit Claim Rules.
  2. On the Issuance Transform Rules tab, click Add Rule.
  3. On the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim and click Next.
  4. Add a display name and select Windows device group from the Incoming claim type drop-down.
  5. Click Finish. Click Apply and OK.
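The PowerShell equivalent of Steps 4 to 8 of the Windows Server 2012 R2 procedure and Steps 3 to 6 of the Windows Server 2016 procedure, as an added example rather than a script from the original article. It assumes the gMSA name, relying party display name and the `$IsServer2012R2` switch are placeholders for your environment, and that it runs on the primary AD FS server with the ADFS and ActiveDirectory modules available.

```powershell
# Added example, not part of the original article. Placeholders below must be
# replaced with the values for your farm before running.
Import-Module ADFS
Import-Module ActiveDirectory

$ServiceAccount  = 'ADFS Service Account'   # placeholder gMSA name
$RelyingParty    = 'Claims Aware Test App'  # placeholder relying party display name
$IsServer2012R2  = $true                    # 2016 ships the claim description by default
$DeviceGroupType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup'

# Windows Integrated Authentication must be the primary intranet provider: the device
# identity only reaches AD FS inside the armored Kerberos ticket.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication'

# 2012 R2 only: register the claim description unless it is already present.
if ($IsServer2012R2 -and -not (Get-AdfsClaimDescription -ClaimType $DeviceGroupType)) {
    Add-AdfsClaimDescription -Name 'Windows device group' -ClaimType $DeviceGroupType `
        -ShortName 'windowsdevicegroup' -IsAccepted $true -IsOffered $true `
        -IsRequired $false -Notes 'The windows group SID of the device'
}

# Set the compound-identity bit on the service account and verify it landed on
# msDS-SupportedEncryptionTypes (0x40 = Compound-identity-supported per MS-KILE).
Set-ADServiceAccount -Identity $ServiceAccount -CompoundIdentitySupported:$true
$acct = Get-ADServiceAccount -Identity $ServiceAccount -Properties msDS-SupportedEncryptionTypes
if (-not ($acct.'msDS-SupportedEncryptionTypes' -band 0x40)) {
    throw "Compound identity bit is not set on $ServiceAccount"
}
Restart-Service adfssrv

# Pass-through rule for the device-group claim. Set-AdfsClaimsProviderTrust and
# Set-AdfsRelyingPartyTrust replace the whole rule set, so the existing rules are
# read first and the new rule is appended instead of overwriting them.
$passThrough = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows device group"
c:[Type == "$DeviceGroupType"] => issue(claim = c);
"@
$cpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
if ($cpt.AcceptanceTransformRules -notmatch [regex]::Escape($DeviceGroupType)) {
    Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + $passThrough)
}

# The same pass-through rule on the relying party's issuance transform rules.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($DeviceGroupType)) {
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $passThrough)
}
```

The KDC and Kerberos client Group Policy settings from Steps 1 and 2 still have to be in place, or the ticket carries no device claims and the rules above never see a WindowsDeviceGroup claim.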

Validation

To validate the issuance of 'WindowsDeviceGroup' claims, create a test claims-aware application using .NET 4.6 with WIF SDK 4.0. Configure the application as a Relying Party in AD FS and update it with the claim rules as specified in the steps above. When authenticating to the application using the Windows Integrated Authentication provider of AD FS, the following claims are issued.

The claims for the computer/device may now be consumed for richer access controls.

For example, the following AdditionalAuthenticationRules tell AD FS to invoke MFA if the authenticating user is not a member of the security group "S-1-5-21-2134745077-1211275016-3050530490-1117" AND the computer (where the user is authenticating from) is not a member of the security group "S-1-5-21-2134745077-1211275016-3050530490-1115" (WindowsDeviceGroup).

However, if either of the above memberships holds, MFA is not invoked.

```
'NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup", Value =~ "S-1-5-21-2134745077-1211275016-3050530490-1115"])
&& NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2134745077-1211275016-3050530490-1117"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
```
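An added example, not from the original article, that builds the same MFA rule from group names rather than hand-typed SIDs and applies it to the relying party. The relying party and group names are placeholders; it assumes the ADFS and ActiveDirectory modules on the primary AD FS server.

```powershell
# Added example, not part of the original article. Placeholder names below.
Import-Module ActiveDirectory
Import-Module ADFS

$RelyingParty    = 'Claims Aware Test App'  # placeholder relying party display name
$UserGroupName   = 'MFA-Exempt-Users'       # placeholder: users exempt from MFA
$DeviceGroupName = 'Managed-Workstations'   # placeholder: devices exempt from MFA

$DeviceGroupType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup'
$GroupSidType    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$AuthMethodType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaValue        = 'http://schemas.microsoft.com/claims/multipleauthn'

# Resolve the SIDs at configuration time so a mistyped SID cannot silently widen
# the exemption.
$userSid   = (Get-ADGroup -Identity $UserGroupName).SID.Value
$deviceSid = (Get-ADGroup -Identity $DeviceGroupName).SID.Value

# Same decision as the rule above: MFA is required only when neither the user nor the
# device is in its exempt group. This example uses "==" instead of the "=~" shown
# above: "=~" is an unanchored regex match, so a pattern ending in "-1115" would also
# match a SID ending in "-11150". If the client did not perform compound authentication
# the device claim is simply absent, so the rule fails closed and MFA is still required.
$rule = @"
@RuleName = "Require MFA unless user or device is in an exempt group"
NOT EXISTS([Type == "$DeviceGroupType", Value == "$deviceSid"])
 && NOT EXISTS([Type == "$GroupSidType", Value == "$userSid"])
 => issue(Type = "$AuthMethodType", Value = "$MfaValue");
"@

Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AdditionalAuthenticationRules $rule

# Read the rule back so the change can be reviewed and recorded.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).AdditionalAuthenticationRules
```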