Configuring Alternate Login ID

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Users can sign in to Active Directory Federation Services (AD FS) enabled applications using any form of user identifier that is accepted by Active Directory Domain Services (AD DS). These include User Principal Names (UPNs) (johndoe@contoso.com) or domain-qualified sam-account names (contoso\johndoe or contoso.com\johndoe).

In some environments, due to corporate policy or on-premises line-of-business application dependencies, end users may only be aware of their email address and not their UPN or sam-account name. In some cases, the UPN is also non-routable (jdoe@contoso.local) and is only used for authenticating into applications on the corporate network.

Since the ownership of non-routable domains (e.g. Contoso.local) cannot be verified, Office 365 requires all user login IDs to be fully internet routable. If the on-premises UPN uses a non-routable domain (e.g. Contoso.local), or the existing UPN cannot be changed due to local application dependencies, we recommend setting up alternate login ID. Alternate login ID allows you to configure a sign-in experience where users can sign in with an attribute other than their UPN, such as mail.

One of the benefits of this feature is that it enables you to adopt SaaS providers, such as Office 365, without modifying your on-premises UPNs. It also enables you to support line-of-business service applications with consumer-provisioned identities.

Important

Using Alternate ID in hybrid environments with Exchange and/or Skype for Business is supported but not recommended. Using the same set of credentials (e.g. the UPN) for on-premises and online provides the best user experience in a hybrid environment. Microsoft recommends that customers change their UPNs if possible to avoid the need for Alternate ID. Using alternate ID with Lync or Skype for Business requires Lync Server 2013 or later. Customers who use Alternate ID should consider enabling Modern Authentication for Exchange in Office 365 for an improved user experience. In addition, customers using Skype for Business with mobile clients must ensure that the SIP address is identical to the user's mail address (and alternate ID).

Please refer to the table below for the user experience with Alternate ID using various Office 365 clients with Regular Authentication, Modern Authentication and Certificate Based Authentication (requires enabling Modern Authentication).

Client Types / Additional Information / Support Statement - Regular and Modern Authentication / Description

Outlook
    Support statement: Regular Authentication: You must be on a domain-joined machine and connected to the corporate network. Modern Authentication: Supported.
    Description: You can only use Alternate ID in environments that do not allow external access for mailbox users. This means that users can only authenticate to their mailbox in a supported way when they are connected and joined to the corporate network, on a VPN, or connected via DirectAccess. If you opt to configure Modern Authentication (known as ADAL) you can use Outlook from non-domain-joined/connected machines, but you will get a couple of extra prompts when configuring your Outlook profile. See the first image below the table for a user experience demo.
    Additional information: Modern Authentication in Office 2013

Hybrid Public Folders
    Support statement: Regular Authentication: Not supported. Modern Authentication: Supported.
    Description: Hybrid Public Folders will not be able to expand if Alternate IDs are used and therefore should not be used today with regular authentication methods. If you want to be able to use Public Folders in Hybrid you will have to configure Modern Authentication (known as ADAL). See the first image below the table for a user experience demo.
    Additional information: Modern Authentication in Office 2013

Cross-premises Delegation
    Support statement: Not supported.
    Description: Currently cross-premises permissions are not supported in a hybrid configuration, but they also will not work if you use AltID.

Archive mailbox access (mailbox on-premises, archive in the cloud)
    Support statement: Supported.
    Description: Users will get an extra prompt for credentials when accessing the archive; they will have to provide their alternate ID when prompted. See the first image below the table for a user experience demo.

Office 365 Pro Plus activation page
    Support statement: Supported - client-side registry key recommended.
    Description: With Alternate ID configured you will see that the on-premises UPN is pre-populated in the verification field. This needs to be changed to the alternate identity that is being used. We recommend using the client-side registry key noted in the link column. See the second image below the table for a user experience demo.
    Additional information: Office 2013 and Lync 2013 periodically prompt for credentials to SharePoint Online, OneDrive, and Lync Online

Skype for Business / Lync
    Support statement: Supported (except as noted) but there is a potential for user confusion. On mobile clients, Alternate ID is supported only if SIP address = email address = Alternate ID.
    Description: Users may need to sign in twice to the Skype for Business desktop client, first using the on-premises UPN and then using the Alternate ID. (Note that the "Sign-in address" is actually the SIP address, which may not be the same as the "User name", though it often is.) When first prompted for a User name, the user should enter the UPN, even if it is incorrectly pre-populated with the Alternate ID or SIP address. After the user clicks Sign in with the UPN, the User name prompt will reappear, this time pre-populated with the UPN. This time the user must replace this with the Alternate ID and click Sign in to complete the sign-in process. On mobile clients, users should enter the on-premises user ID in the advanced page, using SAM-style format (domain\username), not UPN format.
    After successful sign-in, if Skype for Business or Lync says "Exchange needs your credentials", you need to provide the credentials that are valid for where the mailbox is located. If the mailbox is in the cloud you need to provide the Alternate ID. If the mailbox is on-premises you need to provide the on-premises UPN.
    Additional information: Modern Authentication in Office 2013

Outlook Web Access
    Support statement: Supported.

Outlook Mobile Apps for Android, iOS, and Windows Phone
    Support statement: Supported.

OneDrive for Business
    Support statement: Supported - client-side registry key recommended.
    Description: With Alternate ID configured you will see that the on-premises UPN is pre-populated in the verification field. This needs to be changed to the alternate identity that is being used. We recommend using the client-side registry key noted in the link column. See the second image below the table for a user experience demo.
    Additional information: Office 2013 and Lync 2013 periodically prompt for credentials to SharePoint Online, OneDrive, and Lync Online

OneDrive for Business Mobile Client
    Support statement: Supported.

[Screenshots: Alternate login]

The following screenshots are an additional example using Skype for Business. In the example the following information is used:

  • SIP: userA@contoso.com
  • UPN: userA@contoso.local
  • Email: userA@contoso.com
  • AltId: userA@contoso.com

Enter the SIP address in the Sign-in field.

[Screenshots: Skype sign-in]

To configure alternate login ID

In order to configure alternate login ID, you must perform the following tasks:

Configure your AD FS claims provider trusts to enable alternate login ID

  1. Install KB2919355. You can get it via Windows Update Services or download it directly.

  2. Update the AD FS configuration by running the following PowerShell cmdlet on any of the federation servers in your farm (if you have a WID farm, you must run this command on the primary AD FS server in your farm):

    Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID <attribute> -LookupForests <forest domain>
    

    AlternateLoginID is the LDAP name of the attribute that you want to use for login.

    LookupForests is the list of forest DNS names that your users belong to.

    To enable the alternate login ID feature, you must configure both the -AlternateLoginID and -LookupForests parameters with non-null, valid values.

    In the following example, you are enabling alternate login ID functionality such that your users with accounts in the contoso.com and fabrikam.com forests can log in to AD FS-enabled applications with their "mail" attribute.

    Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests contoso.com,fabrikam.com
    
  3. To disable this feature, set the value for both parameters to null.

    Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $NULL -LookupForests $NULL
    
  4. To enable alternate login ID with Azure AD, no additional configuration steps are needed when using Azure AD Connect. Alternate ID can be configured directly from the wizard. See Uniquely identifying your users under the section Connect to Azure AD.

Additional Details & Considerations

  • The alternate login ID feature is only available for federated environments with AD FS deployed. It is not supported in the following scenarios:

    • Non-routable domains (e.g. Contoso.local) that cannot be verified by Azure AD.
    • Managed environments that do not have AD FS deployed.
  • When enabled, the alternate login ID feature is only available for username/password authentication across all the username/password authentication protocols supported by AD FS (SAML-P, WS-Fed, WS-Trust, and OAuth).

  • When Windows Integrated Authentication (WIA) is performed (for example, when users try to access a corporate application on a domain-joined machine from the intranet and the AD FS administrator has configured the authentication policy to use WIA for the intranet), the UPN will be used for authentication. If you have configured any claim rules for the relying parties for the alternate login ID feature, you should make sure those rules are still valid in the WIA case.

  • When enabled, the alternate login ID feature requires at least one global catalog server to be reachable from the AD FS server for each user account forest that AD FS supports. Failure to reach a global catalog server in the user account forest will result in AD FS falling back to using the UPN. By default all domain controllers are global catalog servers.

  • When enabled, if the AD FS server finds more than one user object with the same alternate login ID value across all the configured user account forests, it will fail the login.

  • When the alternate login ID feature is enabled, AD FS will first try to authenticate the end user with the alternate login ID and then fall back to the UPN if it cannot find an account that can be identified by the alternate login ID. You should make sure there are no clashes between the alternate login ID and the UPN if you still want to support UPN login. For example, setting one user's mail attribute to another user's UPN will block the other user from signing in with their UPN.

  • If one of the forests configured by the administrator is down, AD FS will continue to look up the user account with the alternate login ID in the other configured forests. If the AD FS server finds a unique user object across the forests that it has searched, the user will log in successfully.

  • You may additionally want to customize the AD FS sign-in page to give end users some hint about the alternate login ID. You can do this either by adding a customized sign-in page description (for more information, see Customizing the AD FS Sign-in Pages) or by customizing the "Sign in with organizational account" string above the username field (for more information, see Advanced Customization of AD FS Sign-in Pages).

  • The new claim type that contains the alternate login ID value is http://schemas.microsoft.com/ws/2013/11/alternateloginid
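The uniqueness and clash rules in the bullets above are worth checking before the Set-AdfsClaimsProviderTrust step in the procedure is run. The PowerShell script below is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module, a reachable global catalog in every planned lookup forest, and reuses the page's own values (mail, contoso.com, fabrikam.com) as constructed inputs.

```powershell
# Added example (not part of the original article): pre-flight uniqueness check
# before running Set-AdfsClaimsProviderTrust. Assumes the ActiveDirectory RSAT
# module and read access to a global catalog in every planned lookup forest.
Import-Module ActiveDirectory

$AlternateLoginId = 'mail'                             # planned -AlternateLoginID
$LookupForests    = @('contoso.com', 'fabrikam.com')   # planned -LookupForests

# Read UPN and the alternate-ID attribute for every user in each forest. Port 3268
# is the global catalog, which returns objects from all domains of that forest.
$users = foreach ($forest in $LookupForests) {
    Get-ADUser -Server "${forest}:3268" -Filter * -Properties $AlternateLoginId |
        ForEach-Object {
            [pscustomobject]@{
                Forest = $forest
                Sam    = $_.SamAccountName
                Upn    = $_.UserPrincipalName
                AltId  = $_.$AlternateLoginId
            }
        }
}

# Check 1: the same alternate-ID value on more than one object. AD FS fails the
# sign-in in that case (event 364, MSIS8014 across forests / MSIS8015 within one).
$duplicates = $users | Where-Object { $_.AltId } |
    Group-Object { $_.AltId.ToLowerInvariant() } | Where-Object Count -gt 1

# Check 2: one user's alternate ID equals another user's UPN. AD FS tries the
# alternate ID first, so the UPN owner could no longer sign in with the UPN.
$byUpn = @{}
foreach ($u in $users) { if ($u.Upn) { $byUpn[$u.Upn.ToLowerInvariant()] = $u } }
$clashes = foreach ($u in $users) {
    if (-not $u.AltId) { continue }
    $owner = $byUpn[$u.AltId.ToLowerInvariant()]
    if ($owner -and $owner.Upn -ne $u.Upn) {
        [pscustomobject]@{
            Value      = $u.AltId
            AltIdOwner = "$($u.Forest)\$($u.Sam)"
            UpnOwner   = "$($owner.Forest)\$($owner.Sam)"
        }
    }
}

foreach ($d in $duplicates) {
    "DUPLICATE $AlternateLoginId '$($d.Name)': $(($d.Group | ForEach-Object { "$($_.Forest)\$($_.Sam)" }) -join ', ')"
}
foreach ($c in $clashes) {
    "CLASH '$($c.Value)' is the $AlternateLoginId of $($c.AltIdOwner) and the UPN of $($c.UpnOwner)"
}
if (-not $duplicates -and -not $clashes) {
    "No conflicts found; safe to set -AlternateLoginID $AlternateLoginId -LookupForests $($LookupForests -join ',')"
}
```

Narrow the -Filter (for example to an OU) in large forests; the two checks are the same either way.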

Events and Performance Counters

The following performance counters have been added to measure the performance of AD FS servers when alternate login ID is enabled:

  • Alternate Login Id Authentications: number of authentications performed by using alternate login ID

  • Alternate Login Id Authentications/Sec: number of authentications performed by using alternate login ID per second

  • Average Search Latency for Alternate Login ID: average search latency across the forests that an administrator has configured for alternate login ID

The following are various error cases and the corresponding impact on a user's sign-in experience, with the events logged by AD FS:

Error Cases / Impact on Sign-in Experience / Event

Unable to get a value for SAMAccountName for the user object
    Impact: Login failure
    Event: Event ID 364 with exception message MSIS8012: Unable to find samAccountName for the user: '{0}'.

The CanonicalName attribute is not accessible
    Impact: Login failure
    Event: Event ID 364 with exception message MSIS8013: CanonicalName: '{0}' of the user:'{1}' is in bad format.

Multiple user objects are found in one forest
    Impact: Login failure
    Event: Event ID 364 with exception message MSIS8015: Found multiple user accounts with identity '{0}' in forest '{1}' with identities: {2}

Multiple user objects are found across multiple forests
    Impact: Login failure
    Event: Event ID 364 with exception message MSIS8014: Found multiple user accounts with identity '{0}' in forests: {1}
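As an added example that is not part of the original article, the script below reads AD FS event ID 364 entries from the AD FS Admin log and maps the MSIS801x codes in the table above to their cause, so an operator can see which failure mode is hitting users. It assumes it runs on an AD FS server with rights to read the 'AD FS/Admin' log; the 24-hour lookback window is an assumption.

```powershell
# Added example (not part of the original article): summarise alternate login ID
# sign-in failures from the AD FS Admin log. Assumes an AD FS server and read
# access to 'AD FS/Admin'; the lookback window below is an assumption.
$Since = (Get-Date).AddHours(-24)

# Exception codes from the error table and what each one means to the operator.
$codes = @{
    'MSIS8012' = 'Matched user object has no samAccountName'
    'MSIS8013' = 'CanonicalName attribute missing or malformed'
    'MSIS8014' = 'Same alternate login ID found in multiple forests'
    'MSIS8015' = 'Same alternate login ID found more than once in one forest'
}

# Event 364 is the generic AD FS authentication failure; filter it down to the
# four alternate-login-ID codes by matching the exception message.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'AD FS/Admin'; Id = 364; StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    if ($e.Message -match 'MSIS801[2-5]') {
        $code = $Matches[0]
        # The quoted identity is the value the user typed (alternate ID or UPN).
        $identity = if ($e.Message -match "identity '([^']+)'") { $Matches[1] }
                    elseif ($e.Message -match "user:\s*'([^']+)'") { $Matches[1] }
                    else { '(not in message)' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Code     = $code
            Meaning  = $codes[$code]
            Identity = $identity
        }
    }
}

# Per-code totals first (which failure mode dominates), then the detail rows.
$hits | Group-Object Code | Sort-Object Count -Descending | ForEach-Object {
    '{0,-8} {1,5}  {2}' -f $_.Name, $_.Count, $codes[$_.Name]
}
$hits | Sort-Object Time | Format-Table Time, Code, Identity -AutoSize
```

A burst of MSIS8014/MSIS8015 for one identity usually points at the duplicate-value condition described in the considerations above rather than at a user error.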

See Also

AD FS Operations