AD FS Frequently Asked Questions (FAQ)

Applies To: Windows Server 2016

The following documentation is a home to frequently asked questions with regard to Active Directory Federation Services. The document has been split into groups based on the type of question.

Deployment

How can I upgrade/migrate from previous versions of AD FS?

You can upgrade AD FS using one of the following:

If you need to upgrade from AD FS 2.0 or 2.1 (Windows Server 2008 R2 or Windows Server 2012), you must use the in-box scripts (located in C:\Windows\ADFS).

Why does AD FS installation require a reboot of the server?

HTTP/2 support was added in Windows Server 2016, but HTTP/2 can't be used for client certificate authentication. Because many AD FS scenarios make use of client certificate authentication, and a significant number of clients do not support retrying requests using HTTP/1.1, AD FS farm configuration re-configures the local server's HTTP settings to HTTP/1.1. This requires a reboot of the server.

Is using Windows 2016 WAP servers to publish the AD FS farm to the internet without upgrading the back-end AD FS farm supported?

Yes, this configuration is supported; however, no new AD FS 2016 features would be supported in this configuration. This configuration is meant to be temporary during the migration phase from AD FS 2012 R2 to AD FS 2016 and should not be deployed for long periods of time.

Are third party proxies supported with AD FS?

Yes, third party proxies can be placed in front of the Web Application Proxy, but any third party proxy must support the MS-ADFSPIP protocol to be used in place of the Web Application Proxy.

Design

What third party multi-factor authentication providers are available for AD FS?

Below is a list of third party providers we are aware of. There may always be providers available that we do not know about, and we will update the list as we learn about them.

Where is the capacity planning sizing spreadsheet for AD FS 2016?

The AD FS 2016 version of the spreadsheet can be downloaded here. This can also be used for AD FS in Windows Server 2012 R2.

How can I ensure my AD FS and WAP servers support Apple's ATS requirements?

Apple has released a set of requirements called App Transport Security (ATS) that may impact calls from iOS apps that authenticate to AD FS. You can ensure your AD FS and WAP servers comply by making sure they support the requirements for connecting using ATS. In particular, you should verify that your AD FS and WAP servers support TLS 1.2 and that the TLS connection's negotiated cipher suite will support perfect forward secrecy.

You can enable and disable SSL 2.0 and 3.0 and TLS versions 1.0, 1.1, and 1.2 using Manage SSL Protocols in AD FS.

To ensure your AD FS and WAP servers negotiate only TLS cipher suites that support ATS, you can disable all cipher suites that are not in the list of ATS-compliant cipher suites. To do this, use the Windows TLS PowerShell cmdlets.
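
The following script is an added example, not part of the Microsoft page or the AD FS product, of what the two steps above look like in practice on a Windows Server 2016 AD FS or WAP server: it reports (and with -Apply enforces) the SCHANNEL protocol state so that only TLS 1.2 is offered on the server side, then uses the Windows TLS cmdlets (Get-TlsCipherSuite, Disable-TlsCipherSuite) to disable every cipher suite whose key exchange is not ephemeral (ECDHE/DHE), which is the forward-secrecy property ATS requires. It is broader than Apple's exact suite list: it enforces forward secrecy generally, and you should still compare the remaining suites against Apple's published ATS list. The registry paths are the standard SCHANNEL protocol keys; the -Apply switch and the PFS name pattern are this example's own conventions.

```powershell
# Added example (not from the Microsoft page): audit and harden SCHANNEL on an
# AD FS or WAP server so that iOS ATS clients can negotiate TLS 1.2 with a
# forward-secrecy cipher suite. Run in an elevated PowerShell session on
# Windows Server 2016; protocol changes take effect after a reboot.
# Without -Apply the script only reports what it would change.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Protocol state. ATS requires TLS 1.2, so that is the only protocol we
#    want enabled on the Server side; the rest are disabled explicitly.
$protocolTargets = @{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true
}
foreach ($proto in $protocolTargets.Keys) {
    $key  = Join-Path $schannel "$proto\Server"
    $want = $protocolTargets[$proto]
    $current = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $current) { 'default' } else { $current }
    Write-Host ("{0,-8} Server Enabled={1} (want {2})" -f $proto, $state, [int]$want)
    if ($Apply) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -Value ([int]$want) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $want)) -PropertyType DWord -Force | Out-Null
    }
}

# 2. Cipher suites. Perfect forward secrecy needs an ephemeral key exchange
#    (ECDHE or DHE); any suite without one is removed from the priority list
#    so it can never be negotiated, whatever the client offers.
$pfsPattern = '^TLS_(ECDHE|DHE)_'
$nonPfs = Get-TlsCipherSuite | Where-Object { $_.Name -notmatch $pfsPattern }
foreach ($suite in $nonPfs) {
    Write-Host "Non-PFS suite currently enabled: $($suite.Name)"
    if ($Apply) { Disable-TlsCipherSuite -Name $suite.Name }
}

if ($Apply) {
    Write-Host 'Changes applied; reboot the server for the protocol changes to take effect.'
}
```

Run it once without -Apply on each AD FS and WAP node to see the gap, then with -Apply. Because the same SCHANNEL settings govern outbound connections from the server (for example to a SQL configuration database or to federated partners), check that those peers also support TLS 1.2 with an ECDHE suite before disabling TLS 1.0/1.1 farm-wide.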

Operations

How do I replace the SSL certificate for AD FS?

The AD FS SSL certificate is not the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS SSL certificate, you'll need to use PowerShell. Follow the guidance in the article below:

Managing SSL Certificates in AD FS and WAP 2016

How can I enable or disable TLS/SSL settings for AD FS?

To disable or enable SSL protocols and cipher suites, use the following:

Manage SSL Protocols in AD FS

Does the proxy SSL certificate have to be the same as the AD FS SSL certificate?

Use the following guidance with regard to the proxy SSL certificate and the AD FS SSL certificate:

  • If the proxy is used to proxy AD FS requests that use Windows Integrated Authentication, the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate.
  • If the AD FS property "ExtendedProtectionTokenCheck" is enabled (the default setting in AD FS), the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate.
  • Otherwise, the proxy SSL certificate can have a different key from the AD FS SSL certificate, but must meet the same requirements.
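
As an added example (not from the Microsoft page), the following script checks the rule above from the WAP server: it reads the federation server's SSL certificate hash and its ExtendedProtectionTokenCheck setting over PowerShell remoting, reads the certificate WAP itself presents, and warns when the two differ while the setting is anything other than None. The cmdlets (Get-AdfsSslCertificate, Get-AdfsProperties, Get-WebApplicationProxySslCertificate) are the AD FS and WAP administration cmdlets; the $AdfsServer parameter, WinRM reachability and the idea of comparing thumbprints (an identical certificate is a sufficient, though not the only, way to satisfy the same-key requirement) are this example's assumptions.

```powershell
# Added example (not from the Microsoft page): confirm that the WAP SSL
# certificate and the federation server SSL certificate match whenever
# Extended Protection (channel binding) or Windows Integrated Authentication
# through the proxy requires them to share a key.
# Run on the WAP server; needs WinRM access to one federation server.
param([Parameter(Mandatory)][string]$AdfsServer)   # placeholder, e.g. 'adfs1.corp.example'

# Federation server side, collected in one remote call.
$adfs = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    [pscustomobject]@{
        Hash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
        Epa  = (Get-AdfsProperties).ExtendedProtectionTokenCheck   # None, Allow (default) or Require
    }
}

# Local WAP side.
$wapHash = (Get-WebApplicationProxySslCertificate | Select-Object -First 1).CertificateHash

$sameCert  = ($adfs.Hash -eq $wapHash)
$mustMatch = ($adfs.Epa -ne 'None')   # Allow and Require both bind the token to the channel

Write-Host "AD FS SSL certificate hash : $($adfs.Hash)"
Write-Host "WAP SSL certificate hash   : $wapHash"
Write-Host "ExtendedProtectionTokenCheck: $($adfs.Epa)"

if ($mustMatch -and -not $sameCert) {
    Write-Warning ('ExtendedProtectionTokenCheck is {0} but WAP and AD FS present different certificates. ' +
                   'Windows Integrated Authentication through the proxy will fail; install the AD FS ' +
                   'certificate (same key) on WAP or set the check to None.') -f $adfs.Epa
} elseif (-not $sameCert) {
    Write-Host 'Certificates differ. This is allowed with ExtendedProtectionTokenCheck=None, provided the WAP certificate meets the same requirements (subject/SAN names, server authentication EKU, trusted chain) and no WIA traffic is proxied.'
} else {
    Write-Host 'Certificates match; both the WIA and Extended Protection conditions are satisfied.'
}
```

The script cannot tell whether a given relying party actually uses WIA through the proxy, so treat the "certificates differ" branch as a prompt to review that, not as a pass.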

How can I configure prompt=login behavior for AD FS?

For information on how to configure prompt=login, see Active Directory Federation Services prompt=login parameter support.

How can I configure browsers to use Windows Integrated Authentication (WIA) with AD FS?

For information on how to configure browsers, see Configure browsers to use Windows Integrated Authentication (WIA) with AD FS.

How long are AD FS tokens valid?

Often this question means 'how long do users get single sign-on (SSO) without having to enter new credentials, and how can I as an admin control that?' This behavior, and the configuration settings that control it, are described in the article here.

The default lifetimes of the various cookies and tokens are listed below (as well as the parameters that govern the lifetimes):

Registered Devices

  • PRT and SSO cookies: 90 days maximum, governed by PSSOLifeTimeMins (provided the device is used at least every 14 days, which is controlled by DeviceUsageWindow).

  • Refresh token: calculated based on the above to provide consistent behavior.

  • access_token: 1 hour by default, based on the relying party.

  • id_token: same as access token.

Unregistered Devices

  • SSO cookies: 8 hours by default, governed by SSOLifetimeMins. When Keep Me Signed In (KMSI) is enabled, the default is 24 hours and configurable via KMSILifetimeMins.

  • Refresh token: 8 hours by default; 24 hours with KMSI enabled.

  • access_token: 1 hour by default, based on the relying party.

  • id_token: same as access token.
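
To make the lifetimes above concrete, here is an added example (not from the Microsoft page) that reads the farm-wide SSO, KMSI, persistent-SSO and device-usage-window settings with Get-AdfsProperties, optionally sets them with Set-AdfsProperties, and shows where the per-relying-party token lifetime (the "based on the relying party" entry for access_token) lives. The cmdlet parameter names used here, PersistentSsoLifetimeMins, SsoLifetimeMins, KmsiLifetimeMins and DeviceUsageWindowInDays, are the AD FS property names that correspond to the PSSOLifeTimeMins, SSOLifetimeMins, KMSILifetimeMins and DeviceUsageWindow shorthand in the list above; the script's parameter defaults simply mirror the documented defaults, and the -Apply switch and the optional -RelyingParty name are this example's own.

```powershell
# Added example (not from the Microsoft page): inspect and adjust the AD FS
# 2016 lifetimes that govern single sign-on and token validity.
# Run on a federation server as an AD FS administrator. Defaults below mirror
# the documented defaults; nothing is changed unless -Apply is given.
param(
    [int]$SsoHours        = 8,    # unregistered devices: SSO cookie lifetime
    [int]$KmsiHours       = 24,   # lifetime when "Keep me signed in" is ticked
    [int]$PssoDays        = 90,   # registered devices: persistent SSO cookie / PRT
    [int]$DeviceUsageDays = 14,   # device must be used within this window to keep PSSO
    [string]$RelyingParty,        # optional: relying party trust whose token lifetime to set
    [int]$TokenMinutes    = 60,   # access_token / id_token lifetime for that relying party
    [switch]$Apply
)

# Report the current farm-wide values before touching anything.
$p = Get-AdfsProperties
[pscustomobject]@{
    SsoLifetimeMins           = $p.SsoLifetimeMins
    KmsiLifetimeMins          = $p.KmsiLifetimeMins
    PersistentSsoLifetimeMins = $p.PersistentSsoLifetimeMins
    DeviceUsageWindowInDays   = $p.DeviceUsageWindowInDays
} | Format-List

if ($Apply) {
    # All four values are minutes or days as their names say; convert once here
    # so the script's parameters can stay in the units an admin thinks in.
    Set-AdfsProperties `
        -SsoLifetimeMins           ($SsoHours  * 60) `
        -KmsiLifetimeMins          ($KmsiHours * 60) `
        -PersistentSsoLifetimeMins ($PssoDays  * 24 * 60) `
        -DeviceUsageWindowInDays   $DeviceUsageDays
}

if ($RelyingParty) {
    # The access_token/id_token lifetime is per relying party, not farm-wide.
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
    Write-Host "Relying party '$RelyingParty' TokenLifetime = $($rp.TokenLifetime) min (0 = farm default)"
    if ($Apply) {
        Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -TokenLifetime $TokenMinutes
    }
}
```

Shortening SsoLifetimeMins or TokenLifetime reduces how long a stolen cookie or token stays usable, at the cost of more interactive sign-ins; lengthening PersistentSsoLifetimeMins only matters for registered devices, and the device-usage window is what actually bounds an idle device, so change the two together.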

Does AD FS support HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps mitigate protocol downgrade attacks and cookie hijacking for services that have both HTTP and HTTPS endpoints. It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using HTTPS and never via the HTTP protocol.

All AD FS endpoints for web authentication traffic are opened exclusively over HTTPS. As a result, AD FS effectively mitigates the threats that the HTTP Strict Transport Security policy mechanism addresses (by design there is no downgrade to HTTP since there are no listeners on HTTP). In addition, AD FS prevents its cookies from being sent to another server with HTTP protocol endpoints by marking all cookies with the secure flag.

Therefore, implementing HSTS on an AD FS server is not required because it can never be downgraded. For compliance purposes, AD FS servers meet these requirements because they can never use HTTP and all cookies are marked secure.

X-ms-forwarded-client-ip does not contain the IP of the client but contains the IP of the firewall in front of the proxy. Where can I get the right IP of the client?

It is not recommended to do SSL termination before WAP. In case SSL termination is done in front of the WAP, x-ms-forwarded-client-ip will contain the IP of the network device in front of WAP. Below is a brief description of the various IP-related claims that are supported by AD FS:

  • x-ms-client-ip: Network IP of the device which connected to the STS. In the case of an extranet request this always contains the IP of the WAP.
  • x-ms-forwarded-client-ip: Multi-valued claim which will contain any values forwarded to AD FS by Exchange Online plus the IP address of the device which connected to the WAP.
  • userip: For extranet requests this claim will contain the value of x-ms-forwarded-client-ip. For intranet requests, this claim will contain the same value as x-ms-client-ip.
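
The three claims above exist in the AD FS request context but are not sent to a relying party unless a rule issues them. As an added example (not from the Microsoft page), the script below appends pass-through issuance transform rules for them to an existing relying party trust so that the application's own audit log records both the address that reached the STS and the forwarded address, which is what you need to spot the "firewall IP instead of client IP" condition described in the question. The claim type URIs for x-ms-client-ip and x-ms-forwarded-client-ip are AD FS's request-context claim types; the userip URI is given from memory and should be confirmed against your farm's claim descriptions; the relying party name and rule names are placeholders.

```powershell
# Added example (not from the Microsoft page): issue the request-context IP
# claims to a relying party so its audit trail records the caller's network
# addresses. Run on a federation server as an AD FS administrator.
param([Parameter(Mandatory)][string]$RelyingParty)   # placeholder, e.g. 'Contoso Portal'

# Claim rule language: each rule copies one incoming request-context claim
# unchanged into the issued token. x-ms-forwarded-client-ip is multi-valued,
# so every value (Exchange Online forwarded addresses plus the device that hit
# WAP) is issued.
$ipRules = @'
@RuleName = "Pass through x-ms-client-ip (address that connected to the STS)"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip"]
 => issue(claim = c);

@RuleName = "Pass through x-ms-forwarded-client-ip (multi-valued)"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"]
 => issue(claim = c);

@RuleName = "Pass through userip (assumed claim type URI; verify in Get-AdfsClaimDescription)"
c:[Type == "http://schemas.microsoft.com/2014/09/requestcontext/claims/userip"]
 => issue(claim = c);
'@

# Append to the trust's existing issuance transform rules rather than replacing
# them, so the rules that already issue identity claims are preserved.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
if (-not $rp) { throw "Relying party trust '$RelyingParty' not found." }

$merged = if ($rp.IssuanceTransformRules) { $rp.IssuanceTransformRules + "`n" + $ipRules } else { $ipRules }
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $merged

# Show the result so the operator can confirm the three rules were appended.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceTransformRules
```

If x-ms-forwarded-client-ip keeps showing the address of a load balancer or firewall, the fix is in the network path (terminate TLS on WAP, as recommended above), not in the rules: AD FS can only report the peer address it or WAP actually saw.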

I am trying to get additional claims on the userinfo endpoint, but it is only returning the subject. How can I get additional claims?

The AD FS userinfo endpoint always returns the subject claim as specified in the OpenID standards. AD FS does not provide additional claims requested via the UserInfo endpoint. If you need additional claims in the ID token, refer to Custom ID Tokens in AD FS.