Configuring intranet forms-based authentication for devices that do not support WIA

Applies To: Windows Server 2016, Windows Server 2012 R2

By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication. For example, these can be browser-based applications that use the WS-Federation or SAML protocols, and rich applications that use the OAuth protocol. WIA provides end users with seamless logon to the applications without having to manually enter their credentials. However, some devices and browsers are not capable of supporting WIA, and as a result authentication requests from these devices fail. Also, the experience on certain browsers that negotiate down to NTLM is not desirable. The recommended approach is to fall back to forms-based authentication for such devices and browsers.

AD FS in Windows Server 2016 and Windows Server 2012 R2 provides administrators with the ability to configure the list of user agents that support WIA, with a fallback to forms-based authentication for all others. The fallback is made possible by two configurations:

  • The WIASupportedUserAgentStrings property of the Set-ADFSProperties cmdlet
  • The WindowsIntegratedFallbackEnabled property of the Set-AdfsGlobalAuthenticationPolicy cmdlet

The WIASupportedUserAgentStrings property defines the user agents that support WIA. AD FS analyzes the user agent string when performing logins in a browser or browser control. If no component of the user agent string matches any of the components of the user agent strings configured in the WIASupportedUserAgentStrings property, AD FS falls back to forms-based authentication, provided that the WindowsIntegratedFallbackEnabled flag is set to True.

By default, a new AD FS installation has a set of user agent string matches created. However, these may be out of date because of changes to browsers and devices. In particular, Windows devices have similar user agent strings with minor variations in the tokens. The following Windows PowerShell example provides the best guidance for the current set of devices on the market today that support seamless WIA:

Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client")

The command above ensures that AD FS covers only the following use cases for WIA:

User Agents | Use cases
--- | ---
MSIE 6.0 | IE 6.0
MSIE 7.0; Windows NT | IE 7, IE in the intranet zone. The "Windows NT" fragment is sent by desktop operating systems.
MSIE 8.0 | IE 8.0 (no devices send this, so this needs to be made more specific)
MSIE 9.0 | IE 9.0 (no devices send this, so no need to make this more specific)
MSIE 10.0; Windows NT 6 | IE 10.0 for Windows XP and newer versions of desktop operating systems. Windows Phone 8.0 devices (with preference set to mobile) are excluded because they send User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
Windows NT 6.3; Trident/7.0 | Windows 8.1 desktop operating system, different platforms
Windows NT 6.3; Win64; x64; Trident/7.0 | Windows 8.1 desktop operating system, different platforms
Windows NT 6.3; WOW64; Trident/7.0 | Windows 8.1 desktop operating system, different platforms
Windows NT 6.2; Trident/7.0 | Windows 8 desktop operating system, different platforms
Windows NT 6.2; Win64; x64; Trident/7.0 | Windows 8 desktop operating system, different platforms
Windows NT 6.2; WOW64; Trident/7.0 | Windows 8 desktop operating system, different platforms
Windows NT 6.1; Trident/7.0 | Windows 7 desktop operating system, different platforms
Windows NT 6.1; Win64; x64; Trident/7.0 | Windows 7 desktop operating system, different platforms
Windows NT 6.1; WOW64; Trident/7.0 | Windows 7 desktop operating system, different platforms
MSIPC | Microsoft Information Protection and Control Client
Windows Rights Management Client | Windows Rights Management Client
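The matching rule described above, as an added example (not code from the page or from AD FS itself): it simulates the decision AD FS makes for a given User-Agent header against the recommended list, assuming each configured entry is treated as a substring that must appear in the header, and it uses constructed sample headers, including the Windows Phone 8.0 header from the table.

```powershell
# Added example: offline simulation of the WIA-or-forms decision.
# Assumption: each configured entry is matched as a case-sensitive substring of the User-Agent.
function Test-WiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$SupportedUserAgents,
        [bool]$FallbackEnabled = $true
    )
    foreach ($token in $SupportedUserAgents) {
        if ($UserAgent.Contains($token)) {
            return [pscustomobject]@{ Outcome = 'WIA'; MatchedToken = $token }
        }
    }
    if ($FallbackEnabled) {
        return [pscustomobject]@{ Outcome = 'Forms'; MatchedToken = $null }
    }
    # No match and fallback disabled: the device is offered WIA it cannot complete, so the request fails.
    return [pscustomobject]@{ Outcome = 'Fail'; MatchedToken = $null }
}

# The recommended WIASupportedUserAgents list from this page.
$wiaAgents = @("MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6",
    "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0",
    "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0",
    "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0",
    "MSIPC", "Windows Rights Management Client")

# Constructed sample User-Agent headers (the Windows Phone one is quoted in the table above).
$samples = [ordered]@{
    'IE 11 on Windows 8.1 (WOW64)'      = 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko'
    'Windows Phone 8.0 (mobile pref.)'  = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)'
    'Chrome on Windows 10 (constructed)' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.0.0 Safari/537.36'
}

foreach ($name in $samples.Keys) {
    $withFallback    = Test-WiaUserAgent -UserAgent $samples[$name] -SupportedUserAgents $wiaAgents -FallbackEnabled $true
    $withoutFallback = Test-WiaUserAgent -UserAgent $samples[$name] -SupportedUserAgents $wiaAgents -FallbackEnabled $false
    '{0,-36} fallback on: {1,-5}  fallback off: {2,-5}  matched: {3}' -f $name, $withFallback.Outcome, $withoutFallback.Outcome, $withFallback.MatchedToken
}
```

With the list above, only the IE 11 desktop header matches (via "Windows NT 6.3; WOW64; Trident/7.0"); the Windows Phone and Chrome headers reach forms-based authentication only when WindowsIntegratedFallbackEnabled is true.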

In order to enable fallback to forms-based authentication for user agents other than those listed in the WIASupportedUserAgents string, set the WindowsIntegratedFallbackEnabled flag to true:

Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true

Also ensure that forms-based authentication is enabled for the intranet.

Configuring WIA for Chrome

You can add Chrome or other user agents to the AD FS configuration that supports WIA. This enables seamless logon to applications without having to manually enter credentials when you access resources protected by AD FS. Follow the steps below to enable WIA on Chrome:

Add a user agent string for Chrome in the AD FS configuration:

Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome")

Confirm that the user agent string for Chrome is now set in the AD FS properties:

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents
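The two steps above and the earlier fallback requirements, as an added example (not code from the page): it adds the token only when it is not already present, so repeated runs do not duplicate it, and then reports the three settings this procedure depends on. It assumes an elevated session on the AD FS server with the ADFS module available; the function names are hypothetical.

```powershell
# Added example: idempotent token add plus a configuration check. Function names are hypothetical.
function Add-WiaUserAgentToken {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Token)
    $current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
    if ($current -contains $Token) {
        Write-Verbose "'$Token' is already in WIASupportedUserAgents; nothing to do."
        return
    }
    # Append rather than replace, so the existing recommended entries are kept.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $Token)
}

function Test-WiaFallbackConfiguration {
    $agents = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
    $policy = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        # Chrome is listed, so it is offered WIA instead of the forms fallback.
        ChromeListed        = $agents -contains 'Chrome'
        # Unlisted agents only get forms-based authentication when this is true.
        FallbackEnabled     = [bool]$policy.WindowsIntegratedFallbackEnabled
        # The fallback needs forms authentication enabled for the intranet (see above).
        IntranetFormsEnabled = @($policy.PrimaryIntranetAuthenticationProvider) -contains 'FormsAuthentication'
    }
}

Add-WiaUserAgentToken -Token 'Chrome' -Verbose
Test-WiaFallbackConfiguration
```

A bare "Chrome" token also matches Chromium-based browsers whose User-Agent contains "Chrome/", so confirm those browsers can actually complete WIA before relying on it.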

Configure authentication

Note

As new browsers and devices are released, it is recommended that you reconcile the capabilities of those user agents and update the AD FS configuration accordingly to optimize the user's authentication experience when using those browsers and devices. More specifically, it is recommended that you re-evaluate the WIASupportedUserAgents setting in AD FS when adding a new device or browser type to your support matrix for WIA.