Configure browsers to use Windows Integrated Authentication (WIA) with AD FS

By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication.

AD FS 2016 now has an improved default setting that enables the Edge browser to do WIA without also (incorrectly) catching Windows Phone:

    =~Windows\s*NT.*Edge

This means you no longer have to configure individual user agent strings to support common Edge scenarios, even though they are updated quite often.

For other browsers, configure the AD FS property WiaSupportedUserAgents to add the required values based on the browsers you are using. You can use the procedures below.

View WIASupportedUserAgent settings

The WIASupportedUserAgents property defines the user agents that support WIA. AD FS analyzes the user agent string when performing logins in a browser or browser control.

You can view the current settings using the following PowerShell example:

    $strings = Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents

Change WIASupportedUserAgent settings

By default, a new AD FS installation has a set of user agent string matches created. However, these may be out of date based on changes to browsers and devices. In particular, Windows devices have similar user agent strings with minor variations in the tokens. The following Windows PowerShell example provides the best guidance for the current set of devices on the market today that support seamless WIA:

    Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client")

The command above will ensure that AD FS only covers the following use cases for WIA:

| User Agents | Use cases |
|---|---|
| MSIE 6.0 | IE 6.0 |
| MSIE 7.0; Windows NT | IE 7, IE in intranet zone. The "Windows NT" fragment is sent by desktop operating system. |
| MSIE 8.0 | IE 8.0 (no devices send this, so need to make more specific) |
| MSIE 9.0 | IE 9.0 (no devices send this, so no need to make this more specific) |
| MSIE 10.0; Windows NT 6 | IE 10.0 for Windows XP and newer versions of desktop operating system. Windows Phone 8.0 devices (with preference set to mobile) are excluded because they send User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) |
| Windows NT 6.3; Trident/7.0 | Windows 8.1 desktop operating system, different platforms |
| Windows NT 6.3; Win64; x64; Trident/7.0 | Windows 8.1 desktop operating system, different platforms |
| Windows NT 6.3; WOW64; Trident/7.0 | Windows 8.1 desktop operating system, different platforms |
| Windows NT 6.2; Trident/7.0 | Windows 8 desktop operating system, different platforms |
| Windows NT 6.2; Win64; x64; Trident/7.0 | Windows 8 desktop operating system, different platforms |
| Windows NT 6.2; WOW64; Trident/7.0 | Windows 8 desktop operating system, different platforms |
| Windows NT 6.1; Trident/7.0 | Windows 7 desktop operating system, different platforms |
| Windows NT 6.1; Win64; x64; Trident/7.0 | Windows 7 desktop operating system, different platforms |
| Windows NT 6.1; WOW64; Trident/7.0 | Windows 7 desktop operating system, different platforms |
| MSIPC | Microsoft Information Protection and Control Client |
| Windows Rights Management Client | Windows Rights Management Client |
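
To see which clients a given WIASupportedUserAgents list would cover before applying it, the matching can be modeled offline. The following is an added example, not code from this page or from AD FS: it assumes plain entries are case-sensitive substring matches and entries beginning with `=~` are regular expressions, and the `Test-WiaUserAgent` helper and the sample User-Agent strings (other than the Windows Phone 8.0 string from the table) are constructed for illustration.

```powershell
# Added example: offline model of WIASupportedUserAgents matching.
# Assumption: plain entries are case-sensitive substrings; "=~" entries are regexes.
function Test-WiaUserAgent {            # hypothetical helper, not an AD FS cmdlet
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $SupportedAgents
    )
    foreach ($entry in $SupportedAgents) {
        if ($entry.StartsWith('=~')) {
            # Regex entry such as the AD FS 2016 default for Edge
            if ($UserAgent -cmatch $entry.Substring(2)) { return $entry }
        }
        elseif ($UserAgent.Contains($entry)) {
            return $entry
        }
    }
    return $null    # nothing matched: this client would not be offered WIA
}

# List from the Set-AdfsProperties example above, plus the AD FS 2016 Edge default.
# On a federation server, read the live list with Get-AdfsProperties instead.
$supported = @(
    'MSIE 6.0', 'MSIE 7.0; Windows NT', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0; Windows NT 6',
    'Windows NT 6.3; Trident/7.0', 'Windows NT 6.3; Win64; x64; Trident/7.0',
    'Windows NT 6.3; WOW64; Trident/7.0', 'Windows NT 6.2; Trident/7.0',
    'Windows NT 6.2; Win64; x64; Trident/7.0', 'Windows NT 6.2; WOW64; Trident/7.0',
    'Windows NT 6.1; Trident/7.0', 'Windows NT 6.1; Win64; x64; Trident/7.0',
    'Windows NT 6.1; WOW64; Trident/7.0', 'MSIPC', 'Windows Rights Management Client',
    '=~Windows\s*NT.*Edge'
)

# Sample User-Agent values (constructed, except the Windows Phone 8.0 string from the table).
$samples = @(
    'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
    'Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36 Edge/14.0',
    'Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Mobile Safari/537.36 Edge/14.0'
)

$samples | ForEach-Object {
    $hit = Test-WiaUserAgent -UserAgent $_ -SupportedAgents $supported
    [pscustomobject]@{ WiaOffered = [bool]$hit; MatchedEntry = $hit; UserAgent = $_ }
} | Format-List
```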