Configure AD FS 2016 and Azure MFA

Applies To: Windows Server 2016

If your organization is federated with Azure AD, you can use Azure Multi-Factor Authentication to secure AD FS resources, both on-premises and in the cloud. Azure MFA enables you to eliminate passwords and provide a more secure way to authenticate. Starting with Windows Server 2016, you can configure Azure MFA for primary authentication.

Unlike AD FS in Windows Server 2012 R2, the AD FS 2016 Azure MFA adapter integrates directly with Azure AD and does not require an on-premises Azure MFA server. The Azure MFA adapter is built in to Windows Server 2016, and there is no need for additional installation.

Registering users for Azure MFA with AD FS 2016

AD FS does not support inline "proof up", that is, registration of Azure MFA security verification information such as a phone number or mobile app. This means users must get proofed up by visiting https://account.activedirectory.windowsazure.com/Proofup.aspx before using Azure MFA to authenticate to AD FS applications. When a user who has not yet proofed up in Azure AD tries to authenticate with Azure MFA at AD FS, they will get an AD FS error. As an AD FS administrator, you can customize this error experience to guide the user to the proofup page instead. You can do this with an onload.js customization that detects the error message string within the AD FS page and shows a new message guiding the user to visit https://aka.ms/mfasetup and then re-attempt authentication. For detailed guidance, see "Customize the AD FS web page to guide users to register MFA verification methods" below in this article.

Note

Previously, users were required to authenticate with MFA for registration (visiting https://account.activedirectory.windowsazure.com/Proofup.aspx, for example via the shortcut aka.ms/mfasetup). Now, an AD FS user who has not yet registered MFA verification information can access Azure AD's proofup page via the shortcut aka.ms/mfasetup using only primary authentication (such as Windows Integrated Authentication or username and password via the AD FS web pages). If the user has no verification methods configured, Azure AD performs inline registration: the user sees the message "Your admin has required that you set up this account for additional security verification" and can then select "Set it up now". Users who already have at least one MFA verification method configured will still be prompted for MFA when visiting the proofup page.

Azure MFA as Primary Authentication

There are two main reasons to use Azure MFA as primary authentication with AD FS:

  • To avoid passwords for sign-in to Azure AD, Office 365 and other AD FS apps
  • To protect password-based sign-in by requiring an additional factor, such as a verification code, before the password

If you wish to use Azure MFA as a primary authentication method in AD FS to achieve these benefits, you probably also want to keep the ability to use Azure AD conditional access, including "true MFA" by prompting for additional factors in AD FS.

You can do this by configuring the Azure AD domain setting to do MFA on-premises (setting "SupportsMfa" to $True). In this configuration, AD FS can be prompted by Azure AD to perform additional authentication, or "true MFA", for conditional access scenarios that require it.

As described above, any AD FS user who has not yet registered (configured MFA verification information) should be prompted via a customized AD FS error page to visit aka.ms/mfasetup to configure verification information, then re-attempt AD FS login.
Because Azure MFA as primary authentication is considered a single factor, after initial configuration users will need to provide an additional factor to manage or update their verification information in Azure AD, or to access other resources that require MFA.

Azure MFA as Additional Authentication to Office 365

Previously, if you wished to have Azure MFA as an additional authentication method in AD FS for Office 365 or other relying parties, the best option was to configure Azure AD to do compound MFA, in which primary authentication is performed on-premises in AD FS and MFA is triggered by Azure AD. Now, you can use Azure MFA as additional authentication in AD FS when the domain SupportsMfa setting is set to $True.

As described above, any AD FS user who has not yet registered (configured MFA verification information) should be prompted via a customized AD FS error page to visit aka.ms/mfasetup to configure verification information, then re-attempt AD FS login.

Prerequisites

The following prerequisites are required when using Azure MFA for authentication with AD FS:

Note

Azure AD and Azure MFA are included in Azure AD Premium and the Enterprise Mobility Suite (EMS). If you have either of these, you do not need individual subscriptions.

Configure the AD FS Servers

To complete the configuration of Azure MFA for AD FS, you need to configure each AD FS server using the steps described below.

Note

Ensure that these steps are performed on all AD FS servers in the farm. If you have multiple AD FS servers in your farm, you can perform the necessary configuration remotely using Azure AD PowerShell.

Step 1: Generate a certificate for Azure MFA on each AD FS server using the New-AdfsAzureMfaTenantCertificate cmdlet.

The first thing you need to do is generate a certificate for Azure MFA to use. This can be done using PowerShell. The generated certificate can be found in the local machine's certificate store, and it is marked with a subject name containing the TenantID of your Azure AD directory.

(Screenshot: AD FS and MFA)

Note that TenantID is the name of your directory in Azure AD. Use the following PowerShell cmdlet to generate the new certificate.
$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <tenantID>

(Screenshot: AD FS and MFA)

Step 2: Add the new credentials to the Azure Multi-Factor Auth Client SPN

To enable the AD FS servers to communicate with the Azure Multi-Factor Auth Client, you need to add the credentials to the SPN for the Azure Multi-Factor Auth Client. The certificates generated using the New-AdfsAzureMfaTenantCertificate cmdlet serve as these credentials. Use PowerShell as follows to add the new credentials to the Azure Multi-Factor Auth Client SPN.

Note

To complete this step you need to connect to your instance of Azure AD with PowerShell using Connect-MsolService. These steps assume you have already connected via PowerShell. For information, see Connect-MsolService.

  1. Set the certificate as the new credential against the Azure Multi-Factor Auth Client

    New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64

Important

This command needs to be run for all of the AD FS servers in your farm. Azure AD MFA will fail on servers whose certificate has not been set as a new credential against the Azure Multi-Factor Auth Client.

Note

981f26a1-7f43-403b-a875-f8b09b8cd720 is the GUID of the Azure Multi-Factor Auth Client.

Configure the AD FS Farm

Once you have completed the previous section on each AD FS server, you need to run the Set-AdfsAzureMfaTenant cmdlet.

This cmdlet needs to be executed only once for an AD FS farm. Use PowerShell to complete this step.

Note

You will need to restart the AD FS service on each server in the farm before these changes take effect.

Set-AdfsAzureMfaTenant -TenantId <tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

(Screenshot: AD FS and MFA)

After this, you will see that Azure MFA is available as a primary authentication method for intranet and extranet use.

(Screenshot: AD FS and MFA)

Renew and Manage AD FS Azure MFA Certificates

The following guidance takes you through managing the Azure MFA certificates on your AD FS servers. By default, when you configure AD FS with Azure MFA, the certificates generated via the New-AdfsAzureMfaTenantCertificate PowerShell cmdlet are valid for 2 years. To determine how close to expiration your certificates are, and then to renew and install new certificates, use the following procedure.

Assess the AD FS Azure MFA certificate expiration date

On each AD FS server, in the local computer My store, there is a self-signed certificate with "OU=Microsoft AD FS Azure MFA" in the Issuer and Subject. This is the Azure MFA certificate. Check the validity period of this certificate on each AD FS server to determine the expiration date.

Create a new AD FS Azure MFA certificate on each AD FS server

If the validity period of your certificates is nearing its end, start the renewal process by generating a new Azure MFA certificate on each AD FS server. In a PowerShell command window, generate a new certificate on each AD FS server using the following cmdlet:

PS C:\> $newcert = New-AdfsAzureMfaTenantCertificate -TenantId <tenant id such as contoso.onmicrosoft.com> -Renew $true

As a result of this cmdlet, a new certificate is generated that is valid from 2 days in the future until 2 days + 2 years. AD FS and Azure MFA operations are not affected by this cmdlet or by the new certificate. (Note: the 2-day delay is intentional and provides time to execute the steps below to configure the new certificate in the tenant before AD FS starts using it for Azure MFA.)

Configure each new AD FS Azure MFA certificate in the Azure AD tenant

Using the Azure AD PowerShell module, for each new certificate (on each AD FS server), update your Azure AD tenant settings as follows. (Note: you must first connect to the tenant using Connect-MsolService to run the following commands.)

PS C:\> New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type Asymmetric -Usage Verify -Value $certbase64

where $certbase64 is the new certificate. The base64-encoded certificate can be obtained by exporting the certificate (without the private key) as a DER-encoded file, opening it in Notepad.exe, then copying and pasting it into the PowerShell session and assigning it to the variable $certbase64.
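The expiry check described above and the base64 export for the tenant step can be done in one PowerShell pass instead of by hand. This is an added example, not part of the original article or of the AD FS tooling; it assumes the certificate lives in Cert:\LocalMachine\My with "OU=Microsoft AD FS Azure MFA" in Subject and Issuer (as stated above), and the 60-day warning threshold is an assumed value.

```powershell
# Added example, not from the original article: inventory the AD FS Azure MFA
# tenant certificate(s) on this server, report how close each is to expiry, and
# produce the base64 public certificate that New-MsolServicePrincipalCredential
# expects. Assumes "OU=Microsoft AD FS Azure MFA" in Subject and Issuer.

function Get-AdfsAzureMfaCertificate {
    param(
        # Assumed threshold: flag certificates with fewer days left than this.
        [int]$WarnDays = 60
    )
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -like '*OU=Microsoft AD FS Azure MFA*' -and
            $_.Issuer  -like '*OU=Microsoft AD FS Azure MFA*'
        } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            # A renewed certificate is valid only from 2 days in the future: Pending until AD FS uses it.
            if ($_.NotBefore -gt $now)       { $status = 'Pending' }
            elseif ($daysLeft -lt 0)         { $status = 'Expired' }
            elseif ($daysLeft -lt $WarnDays) { $status = 'RenewSoon' }
            else                             { $status = 'OK' }
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject      # carries the TenantID
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                DaysRemaining = $daysLeft
                Status        = $status
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

function Export-AdfsAzureMfaCertificateBase64 {
    # X509ContentType::Cert exports the DER public certificate only (never the private key).
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [Convert]::ToBase64String($der)
}

# Usage: list the certificates, then export the newest one (the renewed, Pending
# certificate after New-AdfsAzureMfaTenantCertificate -Renew $true).
$mfaCerts = @(Get-AdfsAzureMfaCertificate | Sort-Object NotAfter -Descending)
$mfaCerts | Format-Table Thumbprint, Status, DaysRemaining, NotBefore, NotAfter -AutoSize
if ($mfaCerts.Count -gt 0) {
    $certbase64 = Export-AdfsAzureMfaCertificateBase64 -Thumbprint $mfaCerts[0].Thumbprint
    # Then, in a session connected with Connect-MsolService:
    # New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 `
    #     -Type Asymmetric -Usage Verify -Value $certbase64
}
```

Run it on each AD FS server in the farm, since every server has its own certificate and each one must be registered against the Azure Multi-Factor Auth Client SPN.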

Verify that the new certificate(s) will be used for Azure MFA

Once the new certificate(s) become valid, AD FS picks them up and starts using each respective certificate for Azure MFA within a few hours to a day. When this occurs, on each server you will see an event logged in the AD FS Admin event log with the following information:

Log Name: AD FS/Admin
Source: AD FS
Date: 2/27/2018 7:33:31 PM
Event ID: 547
Task Category: None
Level: Information
Keywords: AD FS
User: DOMAIN\adfssvc
Computer: ADFS.domain.contoso.com
Description: The tenant certificate for Azure MFA has been renewed.

TenantId: contoso.onmicrosoft.com. Old thumbprint: 7CC103D60967318A11D8C51C289EF85214D9FC63. Old expiration date: 9/15/2019 9:43:17 PM. New thumbprint: 8110D7415744C9D4D5A4A6309499F7B48B5F3CCF. New expiration date: 2/27/2020 2:16:07 AM.
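Rather than reading the Admin log by eye, the renewal can be verified by querying event 547 and checking that the new thumbprint it names is present in the local store. This is an added example, not part of the original article; the field names follow the event text quoted above, while the regular expressions, the 30-day default window and the function names are assumptions.

```powershell
# Added example, not from the original article: read event 547 from the
# AD FS/Admin log to confirm that AD FS has switched to the renewed Azure MFA
# certificate, and check that the new thumbprint it reports is in the local
# computer My store. Regexes and the 30-day window are assumptions; the field
# names match the event text quoted in the article.

function Get-AdfsAzureMfaCertRenewal {
    param(
        [datetime]$Since = (Get-Date).AddDays(-30),
        # Query each server in the farm; every server logs its own event.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $filter = @{ LogName = 'AD FS/Admin'; Id = 547; StartTime = $Since }
    foreach ($server in $ComputerName) {
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $msg = $e.Message -replace '\s+', ' '
            $tenant = if ($msg -match 'TenantId:\s*(\S+?)\.?(\s|$)') { $Matches[1] } else { $null }
            $old    = if ($msg -match 'Old thumbprint:\s*([0-9A-Fa-f]{40})') { $Matches[1] } else { $null }
            $new    = if ($msg -match 'New thumbprint:\s*([0-9A-Fa-f]{40})') { $Matches[1] } else { $null }
            $newExp = if ($msg -match 'New expiration date:\s*([^.]+)') { $Matches[1].Trim() } else { $null }
            # The certificate store check is local only, so it is skipped for
            # remote server names.
            $inStore = $null
            if ($new -and $server -eq $env:COMPUTERNAME) {
                $inStore = Test-Path -Path "Cert:\LocalMachine\My\$new"
            }
            [pscustomobject]@{
                Computer       = $server
                TimeCreated    = $e.TimeCreated
                TenantId       = $tenant
                OldThumbprint  = $old
                NewThumbprint  = $new
                NewExpiration  = $newExp
                NewCertInStore = $inStore
            }
        }
    }
}

# Usage: no rows means AD FS has not yet picked up the new certificate
# (allow a few hours to a day after it becomes valid).
Get-AdfsAzureMfaCertRenewal | Format-Table -AutoSize
```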

Customize the AD FS web page to guide users to register MFA verification methods

Use the following examples to customize your AD FS web pages for users who have not yet proofed up (configured MFA verification information).

Find the error

First, there are two different error messages AD FS returns when the user lacks verification information. If you are using Azure MFA as primary authentication, the un-proofed user will see an AD FS error page containing the following messages:

    <div id="errorArea"> 
        <div id="openingMessage" class="groupMargin bigText">
            An error occurred 
        </div> 
        <div id="errorMessage" class="groupMargin">
            Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information. 
        </div>

When Azure MFA as additional authentication is being attempted, the un-proofed user will see an AD FS error page containing the following messages:

<div id='mfaGreetingDescription' class='groupMargin'>For security reasons, we require additional information to verify your account (mahesh@jenfield.net)</div>
    <div id="errorArea"> 
        <div id="openingMessage" class="groupMargin bigText">
            An error occurred 
        </div> 
        <div id="errorMessage" class="groupMargin">
            The selected authentication method is not available for &#39;username@contoso.com&#39;. Choose another authentication method or contact your system administrator for details. 
        </div>

Catch the error and update the page text

Catching the error and showing the user custom guidance is a matter of appending JavaScript to the end of the onload.js file that is part of the AD FS web theme, to (1) search for the identifying error string(s) and (2) provide custom web content. (For general guidance on how to customize the onload.js file, see the article here.)