Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

Applies To: Windows Server 2012 R2

About This Guide

This walkthrough provides instructions for configuring multifactor authentication (MFA) in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 based on the user's group membership data.

For more information about MFA and authentication mechanisms in AD FS, see Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

This walkthrough consists of the following sections:

Step 1: Setting up the lab environment

In order to complete this walkthrough, you need an environment that consists of the following components:

  • An Active Directory domain with a test user and group accounts, running on Windows Server 2012 R2, or an Active Directory domain running on Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 with its schema upgraded to Windows Server 2012 R2

  • A federation server running on Windows Server 2012 R2

  • A web server that hosts your sample application

  • A client computer from which you can access the sample application

Warning

It is highly recommended (both in production and test environments) that you do not use the same computer as your federation server and your web server.

In this environment, the federation server issues the claims that are required so that users can access the sample application. The web server hosts a sample application that trusts the users who present the claims that the federation server issues.

For instructions on how to set up this environment, see Set up the lab environment for AD FS in Windows Server 2012 R2.

Step 2: Verify the default AD FS authentication mechanism

In this step you will verify the default AD FS access control mechanism (Forms Authentication for extranet and Windows Authentication for intranet), where the user is redirected to the AD FS sign-in page, provides valid credentials, and is granted access to the application. You can use the Robert Hatley AD account and the claimapp sample application that you configured in Set up the lab environment for AD FS in Windows Server 2012 R2.

  1. On your client computer, open a browser window, and navigate to your sample application: https://webserv1.contoso.com/claimapp.

    This action automatically redirects the request to the federation server, and you are prompted to sign in with a username and password.

  2. Type in the credentials of the Robert Hatley AD account that you created in Set up the lab environment for AD FS in Windows Server 2012 R2.

    You will be granted access to the application.

Step 3: Configure MFA on your federation server

There are two parts to configuring MFA in AD FS in Windows Server 2012 R2:

Select an additional authentication method

In order to set up MFA, you must select an additional authentication method. In this walkthrough, you can choose between the following options for the additional authentication method:

Certificate authentication

Complete either of the following procedures to select Certificate authentication as the additional authentication method:

To configure Certificate authentication as an additional authentication method via the AD FS Management Console
  1. On your federation server, in the AD FS Management Console, navigate to the Authentication Policies node, and under the Multi-factor Authentication section, click the Edit link next to the Global Settings sub-section.

  2. In the Edit Global Authentication Policy window, select Certificate Authentication as an additional authentication method, and then click OK.

To configure Certificate authentication as an additional authentication method via Windows PowerShell
  1. On your federation server, open the Windows PowerShell command window and run the following command:

    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication
    

    Warning

    To verify that this command ran successfully, you can run the Get-AdfsGlobalAuthenticationPolicy command.

Windows Azure Multi-Factor Authentication

Complete the following procedures to download, configure, and select Windows Azure Multi-Factor Authentication as the additional authentication method on your federation server:

  1. Create a Multi-Factor Authentication Provider via the Windows Azure Portal

  2. Download the Windows Azure Multi-Factor Authentication Server

  3. Install the Windows Azure Multi-Factor Authentication Server on your Federation Server

  4. Configure Windows Azure Multi-Factor Authentication as an additional authentication method

Create a Multi-Factor Authentication Provider via the Windows Azure Portal
  1. Log on to the Windows Azure Portal as an Administrator.

  2. On the left, select Active Directory.

  3. On the Active Directory page, at the top, select Multi-Factor Auth Providers. Then at the bottom, click New.

  4. Under App Services->Active Directory, select Multi-Factor Auth Provider, and select Quick Create.

  5. Under App Services, select Active Auth Providers, and select Quick Create.

  6. Fill in the following fields and select Create.

    1. Name - The name of the Multi-Factor Auth Provider.

    2. Usage Model - The usage model of the Multi-Factor Authentication Provider.

      • Per Authentication - purchasing model that charges per authentication. Typically used for scenarios that use Windows Azure Multi-Factor Authentication in a consumer-facing application.

      • Per Enabled User - purchasing model that charges per enabled user. Typically used for employee-facing scenarios such as Office 365.

      For additional information on usage models, see Windows Azure pricing details.

    3. Directory - The Windows Azure Active Directory tenant that the Multi-Factor Authentication Provider is associated with. This is optional, as the provider does not have to be linked to Windows Azure Active Directory when securing on-premises applications.

  7. Once you click Create, the Multi-Factor Authentication Provider will be created and you should see a message stating: Successfully created Multi-Factor Authentication Provider. Click OK.

Next, you must download the Windows Azure Multi-Factor Authentication Server. You can do this by launching the Windows Azure Multi-Factor Authentication Portal through the Windows Azure portal.

Download the Windows Azure Multi-Factor Authentication Server
  1. Log on to the Windows Azure Portal as an Administrator, and click the Multi-Factor Authentication Provider you created in the procedure above. Then click the Manage button.

    This launches the Windows Azure Multi-Factor Authentication portal.

  2. In the Windows Azure Multi-Factor Authentication portal, click Downloads, and then click Download to download a copy of the Windows Azure Multi-Factor Authentication Server.

Once you have downloaded the executable for the Windows Azure Multi-Factor Authentication Server, you must install it on your federation server.

Install the Windows Azure Multi-Factor Authentication Server on your Federation Server
  1. Download and double-click the executable for the Windows Azure Multi-Factor Authentication Server. This will begin the installation.

  2. On the License Agreement screen, read the agreement, select I Agree and click Next.

  3. Ensure that the destination folder is correct and click Next.

  4. Once the installation is complete, click Finish.

You are now ready to launch the Windows Azure Multi-Factor Authentication Server that you installed on your federation server and configure it as an additional authentication method.

Configure Windows Azure Multi-Factor Authentication as an additional authentication method
  1. Launch Windows Azure Multi-Factor Authentication from where you installed it on your federation server, and on the Welcome page, check the Skip using the Authentication Configuration Wizard checkbox and click Next.

  2. To activate the Multi-Factor Authentication Server, go back to the page in the Multi-Factor Authentication management portal where you downloaded the Multi-Factor Authentication Server and click the Generate Activation Credentials button. In the Multi-Factor Authentication Server user interface, enter the credentials that were generated and click Activate.

  3. Next, the Multi-Factor Authentication Server user interface prompts you to run the Multi-Server Configuration Wizard. Select No.

    Important

    You can skip completing the Multi-Server Configuration Wizard, given that the lab environment used to complete this walkthrough has only one federation server. However, if your environment contains several federation servers, you must install the Multi-Factor Authentication Server and complete the Multi-Server Configuration Wizard on each federation server in order to enable replication between the Multi-Factor Authentication servers running on your federation servers.

  4. In the Multi-Factor Authentication Server user interface, select the Users icon, click Import from Active Directory, select the Robert Hatley account to provision it in Windows Azure Multi-Factor Authentication, and then click Import.

  5. In the Users list, select the Robert Hatley account, click Edit, and in the Edit User window, provide a cell phone number for this account, make sure the Enabled checkbox is checked, and then click Apply.

  6. In the Users list, select the Robert Hatley account, and click Test. In the Test User window, provide the credentials for the Robert Hatley account. When the cell phone rings, press '#' to complete the account verification.

  7. In the Multi-Factor Authentication Server user interface, select the AD FS icon, make sure that the Allow user enrollment, Allow users to select method (including Phone call and Text message), Use security questions for fallback, and Enable logging checkboxes are checked, click Install AD FS Adapter, and complete the Multi-Factor Authentication AD FS Adapter installation wizard.

    Note

    The Multi-Factor Authentication AD FS Adapter installation wizard creates a security group called PhoneFactor Admins in your Active Directory and then adds the AD FS service account of your federation service to this group.

    It is recommended that you verify on your domain controller that the PhoneFactor Admins group was indeed created and that the AD FS service account is a member of this group.

    If necessary, add the AD FS service account to the PhoneFactor Admins group on your domain controller manually.

    For additional details on installing the AD FS Adapter, click the Help link in the top right corner of the Multi-Factor Authentication Server.

  8. To register the adapter in your federation service, on your federation server, launch the Windows PowerShell command window, and run the following command: \Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1. The adapter is now registered as WindowsAzureMultiFactorAuthentication. You must restart your AD FS service for the registration to take effect.

  9. To configure Windows Azure Multi-Factor Authentication as the additional authentication method, in the AD FS Management Console, navigate to the Authentication Policies node, and under the Multi-factor Authentication section, click the Edit link next to the Global Settings sub-section. In the Edit Global Authentication Policy window, select Multi-Factor Authentication as an additional authentication method, and then click OK.

    Note

    You can customize the name and description of the Windows Azure Multi-Factor Authentication method, as well as any configured third-party authentication method, as it appears in your AD FS UI, by running the Set-AdfsAuthenticationProviderWebContent cmdlet. For more information, see http://technet.microsoft.com/library/dn479401.aspx.

Set up MFA policy

In order to enable MFA, you must set up the MFA policy on your federation server. For this walkthrough, per our MFA policy, the Robert Hatley account is required to undergo MFA because he belongs to the Finance group that you set up in Set up the lab environment for AD FS in Windows Server 2012 R2.

You can set up the MFA policy either via the AD FS Management Console or using Windows PowerShell.

To configure the MFA policy based on the user's group membership data for 'claimapp' via the AD FS Management Console
  1. On your federation server, in the AD FS Management Console, navigate to the Authentication Policies\Per Relying Party Trust node, and select the relying party trust that represents your sample application (claimapp).

  2. Either in the Actions page or by right-clicking claimapp, select Edit Custom Multi-factor Authentication.

  3. In the Edit Relying Party Trust for claimapp window, click the Add button next to the Users/Groups list. Type in Finance for the name of the AD group that you created in Set up the lab environment for AD FS in Windows Server 2012 R2, click Check Names, and when the name is resolved, click OK.

  4. Click OK in the Edit Relying Party Trust for claimapp window.

To configure the MFA policy based on the user's group membership data for 'claimapp' via Windows PowerShell
  1. On your federation server, open the Windows PowerShell command window and run the following command:

    $rp = Get-AdfsRelyingPartyTrust -Name claimapp
    
  2. In the same Windows PowerShell command window, run the following command:

    # The regex must match the group SID exactly (no whitespace after (?i));
    # otherwise the rule never fires and MFA is not enforced for the group.
    $GroupMfaClaimTriggerRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<group_SID>$"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $GroupMfaClaimTriggerRule
    

    Note

    Make sure to replace <group_SID> with the value of the SID of your AD group Finance.
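The PowerShell procedure above carried end to end, as an added example that is not part of the original walkthrough: it resolves the Finance group SID with the ActiveDirectory module instead of pasting it by hand, applies the rule to claimapp, and reads the policy back to confirm that MFA will actually be enforced. It assumes the ActiveDirectory (RSAT) and ADFS modules are both available on the federation server.

```powershell
# Added example (not from the original walkthrough): apply the group-based MFA
# trigger rule for claimapp and read it back to confirm it took effect.
# Assumes the ActiveDirectory RSAT module and the ADFS module are installed on
# the federation server (both are assumptions for this example).
Import-Module ActiveDirectory
Import-Module ADFS

$groupName = 'Finance'    # AD group from the lab setup
$rpName    = 'claimapp'   # relying party trust for the sample application

# Resolve the SID rather than typing it: a mistyped SID means the rule
# silently never matches and the group is never prompted for MFA.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
if ($groupSid -notmatch '^S-1-5-21-') {
    throw "Unexpected SID for group '$groupName': $groupSid"
}

# Escape the SID before embedding it in the claim-rule regex.
$sidPattern = [regex]::Escape($groupSid)

# Same rule as the walkthrough, with the SID filled in and anchored on both
# ends so only an exact match triggers the multipleauthn requirement.
$rule = @"
@RuleName = "Require MFA for members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$sidPattern`$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Verification: the rule only produces a prompt if a global additional
# authentication provider is also configured (Step 3, first part).
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.AdditionalAuthenticationProvider) {
    Write-Warning 'No additional authentication provider is configured; the rule will not prompt anyone.'
}

# Confirm the relying party now carries a rule that references this SID.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
if ($applied -notmatch [regex]::Escape($groupSid)) {
    throw "MFA rule on '$rpName' does not reference the $groupName group SID"
}
Write-Output "MFA rule applied to '$rpName' for group '$groupName' ($groupSid)"
```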

Step 4: Verify MFA mechanism

In this step you will verify the MFA functionality that you set up in the previous step. You can use the following procedure to verify that the Robert Hatley AD user can access your sample application and this time is required to undergo MFA because he belongs to the Finance group.

  1. On your client computer, open a browser window, and navigate to your sample application: https://webserv1.contoso.com/claimapp.

    This action automatically redirects the request to the federation server, and you are prompted to sign in with a username and password.

  2. Type in the credentials of the Robert Hatley AD account.

    At this point, because of the MFA policy that you configured, the user will be prompted to undergo additional authentication. The default message text is For security reasons, we require additional information to verify your account. However, this text is fully customizable. For more information about how to customize the sign-in experience, see Customizing the AD FS Sign-in Pages.

    If you configured Certificate authentication as the additional authentication method, the default message text is Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again.

    If you configured Windows Azure Multi-Factor Authentication as the additional authentication method, the default message text is A call will be placed to your phone to complete your authentication. For more information about signing in with Windows Azure Multi-Factor Authentication and using various options for the preferred method of verification, see Windows Azure Multi-Factor Authentication Overview.

See Also

Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
Set up the lab environment for AD FS in Windows Server 2012 R2