Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

Applies To: Windows Server 2012 R2

About This Guide

This walkthrough provides instructions for configuring multifactor authentication (MFA) in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 based on the user's group membership data.

For more information about MFA and authentication mechanisms in AD FS, see Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

This walkthrough consists of the following sections:

Step 1: Setting up the lab environment

In order to complete this walkthrough, you need an environment that consists of the following components:

  • An Active Directory domain with a test user and group accounts, running on Windows Server 2012 R2 or an Active Directory domain running on Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 with its schema upgraded to Windows Server 2012 R2

  • A federation server running on Windows Server 2012 R2

  • A web server that hosts your sample application

  • A client computer from which you can access the sample application

Warning

It is highly recommended (in both production and test environments) that you do not use the same computer as your federation server and your web server.

In this environment, the federation server issues the claims that are required so that users can access the sample application. The web server hosts a sample application that will trust the users who present the claims that the federation server issues.

For instructions on how to set up this environment, see Set up the lab environment for AD FS in Windows Server 2012 R2.

Step 2: Verify the default AD FS authentication mechanism

In this step you will verify the default AD FS access control mechanism (Forms Authentication for extranet and Windows Authentication for intranet), where the user is redirected to the AD FS sign-in page, provides valid credentials, and is granted access to the application. You can use the Robert Hatley AD account and the claimapp sample application that you configured in Set up the lab environment for AD FS in Windows Server 2012 R2.

  1. On your client computer, open a browser window, and navigate to your sample application: https://webserv1.contoso.com/claimapp.

    This action automatically redirects the request to the federation server and you are prompted to sign in with a username and password.

  2. Type in the credentials of the Robert Hatley AD account that you created in Set up the lab environment for AD FS in Windows Server 2012 R2.

    You will be granted access to the application.

Step 3: Configure MFA on your federation server

There are two parts to configuring MFA in AD FS in Windows Server 2012 R2:

Select an additional authentication method

In order to set up MFA, you must select an additional authentication method. In this walkthrough, for the additional authentication method, you can choose between the following options:

Certificate authentication

Complete either of the following procedures to select Certificate authentication as the additional authentication method:

To configure Certificate authentication as an additional authentication method via the AD FS Management Console
  1. On your federation server, in the AD FS Management Console, navigate to the Authentication Policies node, and under the Multi-factor Authentication section, click the Edit link next to the Global Settings sub-section.

  2. In the Edit Global Authentication Policy window, select Certificate Authentication as an additional authentication method, and then click OK.

To configure Certificate authentication as an additional authentication method via Windows PowerShell
  1. On your federation server, open the Windows PowerShell command window and run the following command:

    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication

    Warning

    To verify that this command ran successfully, you can run the Get-AdfsGlobalAuthenticationPolicy command.

Windows Azure Multi-Factor Authentication

Complete the following procedures in order to download, configure, and select Windows Azure Multi-Factor Authentication as additional authentication on your federation server:

  1. Create a Multi-Factor Authentication Provider via the Windows Azure Portal

  2. Download the Windows Azure Multi-Factor Authentication Server

  3. Install the Windows Azure Multi-Factor Authentication Server on your Federation Server

  4. Configure Windows Azure Multi-Factor Authentication as an additional authentication method

Create a Multi-Factor Authentication Provider via the Windows Azure Portal
  1. Log on to the Windows Azure Portal as an Administrator.

  2. On the left, select Active Directory.

  3. On the Active Directory page, at the top, select Multi-Factor Auth Providers. Then at the bottom, click New.

  4. Under App Services->Active Directory, select Multi-Factor Auth Provider, and select Quick Create.

  5. Under App Services, select Active Auth Providers, and select Quick Create.

  6. Fill in the following fields and select Create.

    1. Name - The name of the Multi-Factor Auth Provider.

    2. Usage Model - The usage model of the Multi-Factor Authentication Provider.

      • Per Authentication - purchasing model that charges per authentication. Typically used for scenarios that use Windows Azure Multi-Factor Authentication in a consumer-facing application.

      • Per Enabled User - purchasing model that charges per enabled user. Typically used for employee-facing scenarios such as Office 365.

      For additional information on usage models, see Windows Azure pricing details.

    3. Directory - The Windows Azure Active Directory tenant that the Multi-Factor Authentication Provider is associated with. This is optional as the provider does not have to be linked to Windows Azure Active Directory when securing on-premises applications.

  7. Once you click Create, the Multi-Factor Authentication Provider will be created and you should see a message stating: Successfully created Multi-Factor Authentication Provider. Click OK.

Next, you must download the Windows Azure Multi-Factor Authentication Server. You can do this by launching the Windows Azure Multi-Factor Authentication Portal through the Windows Azure portal.

Download the Windows Azure Multi-Factor Authentication Server
  1. Log on to the Windows Azure Portal as an Administrator, and click on the Multi-Factor Authentication Provider you created in the procedure above. Then click the Manage button.

    This launches the Windows Azure Multi-Factor Authentication portal.

  2. In the Windows Azure Multi-Factor Authentication portal, click Downloads, and then click Download to download a copy of the Windows Azure Multi-Factor Authentication Server.

Once you have downloaded the executable for the Windows Azure Multi-Factor Authentication Server, you must install it on your federation server.

Install the Windows Azure Multi-Factor Authentication Server on your Federation Server
  1. Download and double-click on the executable for the Windows Azure Multi-Factor Authentication Server. This will begin the installation.

  2. On the License Agreement screen, read the agreement, select I Agree and click Next.

  3. Ensure that the destination folder is correct and click Next.

  4. Once the installation is complete, click Finish.

You are now ready to launch the Windows Azure Multi-Factor Authentication server that you installed on your federation server and configure it as an additional authentication method.

Configure Windows Azure Multi-Factor Authentication as an additional authentication method
  1. Launch Windows Azure Multi-Factor Authentication from where you installed it on your federation server, and on the Welcome page, check the Skip using the Authentication Configuration Wizard checkbox and click Next.

  2. To activate the Multi-Factor Authentication Server, go back to the page in the Multi-Factor Authentication management portal where you downloaded the Multi-Factor Authentication Server and click the Generate Activation Credentials button. In the Multi-Factor Authentication Server user interface, enter the credentials that were generated and click Activate.

  3. Next, the Multi-Factor Authentication Server user interface prompts you to run the Multi-Server Configuration Wizard. Select No.

    Important

    You can skip completing the Multi-Server Configuration Wizard because the lab environment used to complete this walkthrough has only one federation server. However, if your environment contains several federation servers, you must install the Multi-Factor Authentication Server and complete the Multi-Server Configuration Wizard on each federation server in order to enable replication between the Multi-Factor servers running on your federation servers.

  4. In the Multi-Factor Authentication Server user interface, select the Users icon, click Import from Active Directory, select the Robert Hatley account to provision it in Windows Azure Multi-Factor Authentication, and then click Import.

  5. In the Users list, select the Robert Hatley account, click Edit, and in the Edit User window, provide a cell phone number for this account, make sure the Enabled checkbox is checked, and then click Apply.

  6. In the Users list, select the Robert Hatley account, and click Test. In the Test User window, provide the credentials for the Robert Hatley account. When the cell phone rings, press '#' to complete the account verification.

  7. In the Multi-Factor Authentication Server user interface, select the AD FS icon, make sure that the Allow user enrollment, Allow users to select method (including Phone call and Text message), Use security questions for fallback and Enable logging checkboxes are checked, click Install AD FS Adapter, and complete the Multi-Factor Authentication AD FS Adapter installation wizard.

    Note

    The Multi-Factor Authentication AD FS Adapter installation wizard creates a security group called PhoneFactor Admins in your Active Directory and then adds the AD FS service account of your federation service to this group.

    It is recommended that you verify on your domain controller that the PhoneFactor Admins group is indeed created and that the AD FS service account is a member of this group.

    If necessary, add the AD FS service account to the PhoneFactor Admins group on your domain controller manually.

    For additional details on installing the AD FS Adapter, click the Help link in the top right corner of the Multi-Factor Authentication Server.

  8. To register the adapter in your federation service, on your federation server, launch the Windows PowerShell command window, and run the following command: \Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1. The adapter is now registered as WindowsAzureMultiFactorAuthentication. You must restart your AD FS service for the registration to take effect.

  9. To configure Windows Azure Multi-Factor Authentication as the additional authentication method, in the AD FS Management Console, navigate to the Authentication Policies node, and under the Multi-factor Authentication section, click the Edit link next to the Global Settings sub-section. In the Edit Global Authentication Policy window, select Multi-Factor Authentication as an additional authentication method, and then click OK.

    Note

    You can customize the name and description of the Windows Azure Multi-Factor Authentication method, as well as any configured third-party authentication method, as it appears in your AD FS UI, by running the Set-AdfsAuthenticationProviderWebContent cmdlet. For more information, see https://technet.microsoft.com/library/dn479401.aspx
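
Steps 8 and 9 can also be completed and checked from Windows PowerShell. The following is an added example, not part of the original walkthrough; it assumes the adapter was registered under the name given in step 8 and that the AD FS Windows service is named adfssrv.

```powershell
# Added example; run on the federation server in an elevated Windows PowerShell session.
$providerName = 'WindowsAzureMultiFactorAuthentication'   # name stated in step 8

# Restart AD FS so the adapter registration takes effect (assumed service name: adfssrv).
Restart-Service -Name adfssrv

# Confirm the adapter is registered before referencing it in policy.
$registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $registered) {
    throw "Provider '$providerName' is not registered; rerun the registration script from step 8."
}

# -AdditionalAuthenticationProvider replaces the whole list, so merge with what is
# already enabled (for example CertificateAuthentication) instead of overwriting it.
$current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
$wanted  = @($current + $providerName | Where-Object { $_ } | Select-Object -Unique)
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $wanted

# Read the policy back and fail loudly if the provider is missing.
$after = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($after -notcontains $providerName) {
    throw "Global authentication policy does not list '$providerName'."
}
$after
```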

Set up MFA policy

In order to enable MFA, you must set up the MFA policy on your federation server. For this walkthrough, per our MFA policy, the Robert Hatley account is required to undergo MFA because he belongs to the Finance group that you set up in Set up the lab environment for AD FS in Windows Server 2012 R2.

You can set up the MFA policy either via the AD FS Management Console or using Windows PowerShell.

To configure the MFA policy based on user's group membership data for 'claimapp' via the AD FS Management Console
  1. On your federation server, in the AD FS Management Console, navigate to the Authentication Policies\Per Relying Party Trust node, and select the relying party trust that represents your sample application (claimapp).

  2. Either in the Actions page or by right-clicking claimapp, select Edit Custom Multi-factor Authentication.

  3. In the Edit Relying Party Trust for claimapp window, click the Add button next to the Users/Groups list. Type in Finance for the name of your AD group that you created in Set up the lab environment for AD FS in Windows Server 2012 R2, and click Check Names, and when the name is resolved, click OK.

  4. Click OK in the Edit Relying Party Trust for claimapp window.

To configure the MFA policy based on user's group membership data for 'claimapp' via Windows PowerShell
  1. On your federation server, open the Windows PowerShell command window and run the following command:

    $rp = Get-AdfsRelyingPartyTrust -Name claimapp

  2. In the same Windows PowerShell command window, run the following command:

    # Claim type URIs are matched as exact strings and use the http:// scheme.
    $GroupMfaClaimTriggerRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<group_SID>$"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $GroupMfaClaimTriggerRule
    

    Note

    Make sure to replace <group_SID> with the value of the SID of your AD group Finance.
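
One way to avoid pasting the SID by hand and to confirm the rule was stored, as an added example that is not part of the original walkthrough. It assumes the ActiveDirectory PowerShell module is available on the federation server and that the group is named Finance as in this lab.

```powershell
# Added example; run on the federation server in an elevated Windows PowerShell session.
# Assumption: the ActiveDirectory module (RSAT) is installed on this server.
Import-Module ActiveDirectory

# Resolve the SID of the Finance group instead of typing it manually.
$groupSid = (Get-ADGroup -Identity 'Finance').SID.Value

# Escape the SID for use inside the rule's regular expression and anchor it with
# ^ and $, so only this exact group SID triggers MFA.
$pattern = '^(?i)' + [regex]::Escape($groupSid) + '$'

# Claim type URIs are identifiers compared as exact strings; they use http://.
$rule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", ' +
        'Value =~ "' + $pattern + '"] => issue(' +
        'Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", ' +
        'Value = "http://schemas.microsoft.com/claims/multipleauthn");'

$rp = Get-AdfsRelyingPartyTrust -Name claimapp
if (-not $rp) { throw "Relying party trust 'claimapp' not found." }
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

# Read the trust back: the stored rule must reference the resolved SID.
$stored = (Get-AdfsRelyingPartyTrust -Name claimapp).AdditionalAuthenticationRules
if ($stored -notmatch [regex]::Escape($groupSid)) {
    throw "MFA trigger rule for 'claimapp' does not contain SID $groupSid."
}
$stored
```

If the read-back shows an empty rule set or a different SID, members of Finance will reach claimapp with primary authentication only, which Step 4 would also reveal.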

Step 4: Verify MFA mechanism

In this step you will verify the MFA functionality that you set up in the previous step. You can use the following procedure to verify that the Robert Hatley AD user can access your sample application and this time is required to undergo MFA because he belongs to the Finance group.

  1. On your client computer, open a browser window, and navigate to your sample application: https://webserv1.contoso.com/claimapp.

    This action automatically redirects the request to the federation server and you are prompted to sign in with a username and password.

  2. Type in the credentials of the Robert Hatley AD account.

    At this point, because of the MFA policy that you configured, the user will be prompted to undergo additional authentication. The default message text is "For security reasons, we require additional information to verify your account." However, this text is fully customizable. For more information about how to customize the sign-in experience, see Customizing the AD FS Sign-in Pages.

    If you configured Certificate authentication as the additional authentication method, the default message text is "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again."

    If you configured Windows Azure Multi-Factor Authentication as the additional authentication method, the default message text is "A call will be placed to your phone to complete your authentication." For more information about signing in with Windows Azure Multi-Factor Authentication and using various options for the preferred method of verification, see Windows Azure Multi-Factor Authentication Overview.

See Also

Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
Set up the lab environment for AD FS in Windows Server 2012 R2