Active Directory 同盟服務提示 = 登入參數支援Active Directory Federation Services prompt=login parameter support

下列文件告訴您的原生支援提示 = 登入參數,可在 AD FS。The following document describes the native support for the prompt=login parameter that is available in AD FS.

提示 = 登入?What is prompt=login?

某些(使用現代化驗證支援)的 Office 365 應用程式傳送提示 = 登入參數 Azure ad 為每個驗證要求的一部分。Some Office 365 applications (with modern authentication enabled) send the prompt=login parameter to Azure AD as part of each authentication request. 根據預設,Azure AD 轉譯這兩個參數:By default, Azure AD translates this into two parameters:

   <b>wauth</b>=urn:oasis:names:tc:SAML:1.0:am:password, and <b>wfresh</b>=0

這可能會造成內部網路與多因素驗證案例需要驗證類型以外的使用者名稱和密碼的問題。This can cause problems with corporate intranet and multi-factor authentication scenarios in which an authentication type other than username and password is desired.

AD FS 在 2016 年 7 月更新彙總套件與 Windows Server 2012 R2 推出提示 = 登入參數原生的支援。AD FS in Windows Server 2012 R2 with the July 2016 update rollup introduced native support for the prompt=login parameter. 這表示您現在可以設定 Azure AD 的選擇傳送此參數-Azure AD 的一部分就是您 AD FS 服務和 Office 365 驗證要求。This means, you now have the option of configuring Azure AD to send this parameter as-is to your AD FS service as part of Azure AD and Office 365 authentication requests.

AD FS 版本支援提示 = 登入AD FS versions that support prompt=login

以下是 AD FS 版本支援提示 = 參數登入的清單。The following is a list of AD FS versions that support the prompt=login parameter.

  • AD FS 年 7 月 2016 年與 Windows Server 2012 R2 的更新彙總套件AD FS in Windows Server 2012 R2 with the July 2016 update rollup

  • 在 Windows Server 2016 AD FSAD FS in Windows Server 2016

如何設定傳送提示您 Azure AD 承租人 = AD FS 登入How do to configure your Azure AD tenant to send prompt=login to AD FS

使用 Azure AD PowerShell 模組設定。Use the Azure AD PowerShell module to configure the setting.

注意

(PromptLoginBehavior 屬性支援)的提示 = 登入功能是目前只適用於' 版本 1.0' Azure AD Powershell 模組,cmdlet 中已包含」Msol」,例如 Set-MsolDomainFederationSettings 名稱。The prompt=login capability (enabled by the PromptLoginBehavior property) is currently available only in the ‘version 1.0’ Azure AD Powershell module, in which the cmdlets have names that include “Msol”, such as Set-MsolDomainFederationSettings. 不透過目前可用 ' 版本 2.0' Azure AD PowerShell 模組,其 cmdlet 有名稱等」設定-AzureAD\ *」。It is not currently available via ‘version 2.0’ Azure AD PowerShell module, whose cmdlets have names like “Set-AzureAD*”.

若要設定 [命令提示字元中 = 登入的行為,下列 cmdlet 語法:To configure prompt=login behavior, the cmdlet syntax below:

範例 1:Example 1:

    Set-MsolDomainFederationSettings –DomainName <your domain name> -PreferredAuthenticationProtocol <your current protocol setting> 

範例 2:Example 2:

    Set-MsolDomainFederationSettings –DomainName <your domain name> -SupportsMfa <$True|$False>

範例 3:Example 3:

    Set-MsolDomainFederationSettings –DomainName <your domain name> -PromptLoginBehavior <TranslateToFreshPasswordAuth|NativeSupport|Disabled>

檢視 cmdlet 的輸出找到 PreferredAuthenticationProtocol、SupportsMfa,以及 PromptLoginBehavior 屬性的值:![取得-MsolDomainFederationSettingsThe PreferredAuthenticationProtocol, SupportsMfa, and PromptLoginBehavior property values can be found by viewing the output from the cmdlet: Get-MsolDomainFederationSettings</span></span>

    Get-MsolDomainFederationSettings -DomainName <your_domain_name> | fl *

注意

根據預設,執行 Get-MsolDomainFederationSettings 時,某些屬性,不會顯示在主機中。By default, when running Get-MsolDomainFederationSettings, certain properties are not displayed in the console. 若要檢視建議您使用這些參數 |fl * 強制的所有物件的屬性輸出。To view these parameters it is recommended that you use the | fl * to force the output of all of the properties of the object.

以下是 PromptLoginBehavior 參數,其設定的相關詳細資訊。The following is more information about the PromptLoginBehavior paramter and its settings.

  • TranslateToFreshPasswordAuth表示預設 Azure AD 行為傳送的wauthwfresh以而非提示 AD FS = 登入TranslateToFreshPasswordAuth means the default Azure AD behavior of sending wauth and wfresh to AD FS instead of prompt=login
  • NativeSupport = 提示登入參數會傳送到 AD FS 表示NativeSupport means that the prompt=login parameter will be sent as is to AD FS
  • 停用表示不會傳送給 AD FSDisabled means nothing will be sent to AD FS