AD FS Frequently Asked Questions (FAQ)

Applies To: Windows Server 2016

The following documentation is a home to frequently asked questions with regard to Active Directory Federation Services. The document has been split into groups based on the type of question.


How can I upgrade/migrate from previous versions of AD FS?

You can upgrade AD FS using one of the following:

If you need to upgrade from AD FS 2.0 or 2.1 (Windows Server 2008 R2 or Windows Server 2012), you must use the in-box scripts (located in C:\Windows\ADFS).

Why does AD FS installation require a reboot of the server?

HTTP/2 support was added in Windows Server 2016, but HTTP/2 can't be used for client certificate authentication. Because many AD FS scenarios make use of client certificate authentication, and a significant number of clients do not support retrying requests using HTTP/1.1, AD FS farm configuration re-configures the local server's HTTP settings to HTTP/1.1. This requires a reboot of the server.

Is using Windows 2016 WAP Servers to publish the AD FS farm to the internet without upgrading the back-end AD FS farm supported?

Yes, this configuration is supported; however, no new AD FS 2016 features would be supported in this configuration. This configuration is meant to be temporary during the migration phase from AD FS 2012 R2 to AD FS 2016 and should not be deployed for long periods of time.


What third party multi-factor authentication providers are available for AD FS?

Below is a list of third party providers we are aware of. There may always be providers available that we do not know about, and we will update the list as we learn about them.

Are third party proxies supported with AD FS?

Yes, third party proxies can be placed in front of the Web Application Proxy, but any third party proxy must support the MS-ADFSPIP protocol to be used in place of the Web Application Proxy.

What third party proxies are available for AD FS that support MS-ADFSPIP?

Below is a list of third party providers we are aware of. There may always be providers available that we do not know about, and we will update the list as we learn about them.

Where is the capacity planning sizing spreadsheet for AD FS 2016?

The AD FS 2016 version of the spreadsheet can be downloaded here. This can also be used for AD FS in Windows Server 2012 R2.

How can I ensure my AD FS and WAP servers support Apple's ATS requirements?

Apple has released a set of requirements called App Transport Security (ATS) that may impact calls from iOS apps that authenticate to AD FS. You can ensure your AD FS and WAP servers comply by making sure they support the requirements for connecting using ATS.
In particular, you should verify that your AD FS and WAP servers support TLS 1.2 and that the TLS connection's negotiated cipher suite will support perfect forward secrecy.

You can enable and disable SSL 2.0 and 3.0 and TLS versions 1.0, 1.1, and 1.2 using Manage SSL Protocols in AD FS.

To ensure your AD FS and WAP servers negotiate only TLS cipher suites that support ATS, you can disable all cipher suites that are not in the list of ATS compliant cipher suites. To do this, use the Windows TLS PowerShell cmdlets.
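The following script is an added example, not part of this FAQ or of any Microsoft tooling, showing how the protocol and cipher-suite restriction described above can be applied on an AD FS or WAP server with the Schannel registry keys and the Windows TLS cmdlets. It assumes that "ATS compliant" means ECDHE (forward-secret) AES suites over TLS 1.2; the exact allowed list is an assumption you should adjust, and it starts in dry-run mode so nothing changes until you set $DryRun to $false.

```powershell
# Added example, not from the AD FS documentation: restrict Schannel on an AD FS or WAP
# server to TLS 1.2 and forward-secret cipher suites. Run elevated; protocol changes need a reboot.
# Assumption: "compliant" here means ECDHE key exchange with AES, which is what ATS requires
# for forward secrecy; replace $PfsPattern with the exact list your client platforms need.
$DryRun = $true   # $true only reports what would change; set to $false to apply

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enabled)
    # Each protocol has Server and Client subkeys; WAP also acts as a TLS client towards AD FS
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelRoot $Protocol) $role
        if ($DryRun) { Write-Host "[dry-run] $Protocol/$role Enabled=$([int]$Enabled)"; continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 stops it being offered
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Protocol policy: keep TLS 1.2, turn off SSL 2.0/3.0 and TLS 1.0/1.1. Before applying, confirm
# every client of this server (browsers, ADAL apps, WAP, .NET components) can negotiate TLS 1.2.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $old -Enabled $false
}

# Cipher-suite policy: disable every enabled suite that does not use ECDHE with AES
$PfsPattern = '^TLS_ECDHE_(RSA|ECDSA)_WITH_AES_'
$nonPfs = Get-TlsCipherSuite | Where-Object { $_.Name -notmatch $PfsPattern }
foreach ($suite in $nonPfs) {
    if ($DryRun) { Write-Host "[dry-run] would disable $($suite.Name)" }
    else { Disable-TlsCipherSuite -Name $suite.Name }
}
Write-Host "Forward-secret suites still enabled:"
Get-TlsCipherSuite | Where-Object { $_.Name -match $PfsPattern } | Select-Object -ExpandProperty Name
```

Apply it to every AD FS and WAP server in the farm and reboot each one, since the Schannel protocol keys are only read at startup.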


How do I replace the SSL certificate for AD FS?

The AD FS SSL certificate is not the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS SSL certificate, you'll need to use PowerShell. Follow the guidance in the article below:

Managing SSL Certificates in AD FS and WAP 2016

How can I enable or disable TLS/SSL settings for AD FS?

To disable or enable SSL protocols and cipher suites, use the following:

Manage SSL Protocols in AD FS

Does the proxy SSL certificate have to be the same as the AD FS SSL certificate?

Use the following guidance with regard to the proxy SSL certificate and the AD FS SSL certificate:

  • If the proxy is used to proxy AD FS requests that use Windows Integrated Authentication, the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate
  • If the AD FS property "ExtendedProtectionTokenCheck" is enabled (the default setting in AD FS), the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate
  • Otherwise, the proxy SSL certificate can have a different key from the AD FS SSL certificate, but must meet the same requirements

How can I configure prompt=login behavior for AD FS?

For information on how to configure prompt=login, see Active Directory Federation Services prompt=login parameter support.

How can I configure browsers to use Windows Integrated Authentication (WIA) with AD FS?

For information on how to configure browsers, see Configure browsers to use Windows Integrated Authentication (WIA) with AD FS.

How long are AD FS tokens valid?

Often this question means 'how long do users get single sign on (SSO) without having to enter new credentials, and how can I as an admin control that?' This behavior, and the configuration settings that control it, are described in the article here.

The default lifetimes of the various cookies and tokens are listed below (as well as the parameters that govern the lifetimes):

Registered Devices

  • PRT and SSO cookies: 90 days maximum, governed by PSSOLifeTimeMins. (Provided the device is used at least every 14 days, which is controlled by DeviceUsageWindow)

  • Refresh token: calculated based on the above to provide consistent behavior

  • access_token: 1 hour by default, based on the relying party

  • id_token: same as access token

Un-registered Devices

  • SSO cookies: 8 hours by default, governed by SSOLifetimeMins. When Keep Me Signed In (KMSI) is enabled, the default is 24 hours and configurable via KMSILifetimeMins.

  • Refresh token: 8 hours by default; 24 hours with KMSI enabled

  • access_token: 1 hour by default, based on the relying party

  • id_token: same as access token
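As an added example (not from this FAQ), the script below reads the farm settings that back the lifetimes listed above from a federation server and flags relying parties whose access-token lifetime is not the 1-hour default. It assumes the ADFS PowerShell module is available, that the page's PSSOLifeTimeMins, SSOLifetimeMins, KMSILifetimeMins and DeviceUsageWindow correspond to the PersistentSsoLifetimeMins, SsoLifetime, KmsiLifetimeMins and DeviceUsageWindowInDays properties of Get-AdfsProperties, and that a TokenLifetime of 0 on a relying party trust means the default applies.

```powershell
# Added example, not from the AD FS documentation: report the SSO/KMSI/device lifetimes the FAQ
# lists, as configured on this farm, and find relying parties with non-default token lifetimes.
# Assumption: Get-AdfsProperties exposes PersistentSsoLifetimeMins, SsoLifetime, KmsiLifetimeMins
# and DeviceUsageWindowInDays; a relying party TokenLifetime of 0 means "default" (60 minutes).
function Get-AdfsLifetimeReport {
    $p = Get-AdfsProperties
    [pscustomobject][ordered]@{
        # Registered devices: PRT/SSO cookie lifetime and the usage window that keeps it alive
        PersistentSsoEnabled  = $p.EnablePersistentSso
        PersistentSsoDays     = [math]::Round($p.PersistentSsoLifetimeMins / 1440, 1)
        DeviceUsageWindowDays = $p.DeviceUsageWindowInDays
        # Unregistered devices: plain SSO cookie, and the longer KMSI cookie when KMSI is on
        SsoCookieHours        = [math]::Round($p.SsoLifetime / 60, 1)
        KmsiEnabled           = $p.EnableKmsi
        KmsiCookieHours       = [math]::Round($p.KmsiLifetimeMins / 60, 1)
    }
}

function Get-AdfsNonDefaultTokenLifetimes {
    # The access_token lifetime is per relying party; 0 and 60 both mean the 1-hour default
    Get-AdfsRelyingPartyTrust |
        Where-Object { $_.TokenLifetime -ne 0 -and $_.TokenLifetime -ne 60 } |
        Select-Object Name, TokenLifetime
}

Get-AdfsLifetimeReport | Format-List
$odd = @(Get-AdfsNonDefaultTokenLifetimes)
if ($odd.Count -gt 0) {
    Write-Warning "Relying parties with non-default access token lifetimes (minutes):"
    $odd | Format-Table -AutoSize
}

# Tightening examples (values are illustrative): cap KMSI at the documented 24 hours and
# shorten one relying party's access token to 30 minutes.
# Set-AdfsProperties -KmsiLifetimeMins 1440
# Set-AdfsRelyingPartyTrust -TargetName 'Contoso App' -TokenLifetime 30
```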

Does AD FS support HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps mitigate protocol downgrade attacks and cookie hijacking for services that have both HTTP and HTTPS endpoints. It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using HTTPS and never via the HTTP protocol.

All AD FS endpoints for web authentication traffic are opened exclusively over HTTPS. As a result, AD FS effectively mitigates the threats that the HTTP Strict Transport Security policy mechanism addresses (by design there is no downgrade to HTTP since there are no listeners on HTTP). In addition, AD FS prevents the cookies from being sent to another server with HTTP protocol endpoints by marking all cookies with the secure flag.

Therefore, implementing HSTS on an AD FS server is not required because it can never be downgraded. For compliance purposes, AD FS servers meet these requirements because they can never use HTTP and all cookies are marked secure.

X-ms-forwarded-client-ip does not contain the IP of the client but contains the IP of the firewall in front of the proxy. Where can I get the right IP of the client?

It is not recommended to do SSL termination before WAP. In case SSL termination is done in front of the WAP, the X-ms-forwarded-client-ip will contain the IP of the network device in front of WAP. Below is a brief description of the various IP related claims that are supported by AD FS:

  • x-ms-client-ip: Network IP of the device which connected to the STS. In the case of an extranet request this always contains the IP of the WAP.
  • x-ms-forwarded-client-ip: Multi-valued claim which will contain any values forwarded to AD FS by Exchange Online plus the IP address of the device which connected to the WAP.
  • Userip: For extranet requests this claim will contain the value of x-ms-forwarded-client-ip. For intranet requests, this claim will contain the same value as x-ms-client-ip.

I am trying to get additional claims on the userinfo endpoint, but it's only returning subject. How can I get additional claims?

The AD FS userinfo endpoint always returns the subject claim as specified in the OpenID standards. AD FS does not provide additional claims requested via the UserInfo endpoint. If you need additional claims in the ID token, refer to Custom ID Tokens in AD FS.

Why do I see a lot of 1021 errors on my AD FS servers?

This event is usually logged for an invalid resource access on AD FS for resource 00000003-0000-0000-c000-000000000000. This error is caused by erroneous behavior of the client, where it tries to get an access token for the Azure AD Graph service. Since the resource is not present on AD FS, this results in event ID 1021 on the AD FS servers. It's safe to ignore any warnings or errors for resource 00000003-0000-0000-c000-000000000000 on AD FS.

Why am I seeing a warning for failure to add the AD FS service account to the Enterprise Key Admins group?

This group is only created when a Windows 2016 Domain Controller with the FSMO PDC role exists in the domain. To resolve the error, you can create the group manually and follow the steps below to give the required permission after adding the service account as a member of the group.

  1. Open Active Directory Users and Computers.
  2. Right-click your domain name in the navigation pane and click Properties.
  3. Click Security (if the Security tab is missing, turn on Advanced Features from the View menu).
  4. Click Advanced. Click Add. Click Select a principal.
  5. The Select User, Computer, Service Account, or Group dialog box appears. In the Enter the object name to select text box, type Key Admin Group. Click OK.
  6. In the Applies to list box, select Descendant User objects.
  7. Using the scroll bar, scroll to the bottom of the page and click Clear all.
  8. In the Properties section, select Read msDS-KeyCredentialLink and Write msDS-KeyCredentialLink.

Why does modern authentication from Android devices fail if the server does not send all the intermediate certificates in the chain with the SSL cert?

Federated users may experience authentication to Azure AD failing for apps that use the Android ADAL library. The app will get an AuthenticationException when it tries to show the login page. In Chrome the AD FS login page might be called out as unsafe.

Android - across all versions and all devices - does not support downloading additional certificates from the authorityInformationAccess field of the certificate. This is true of the Chrome browser as well. Any Server Authentication certificate that's missing intermediate certificates will result in this error if the entire certificate chain is not passed from AD FS.

A proper solution to this problem is to configure the AD FS and WAP servers to send the necessary intermediate certificates along with the SSL certificate.

When exporting the SSL certificate from one machine, to be imported into the computer's personal store on the AD FS and WAP server(s), make sure to export the private key and select Personal Information Exchange - PKCS #12.

It is important that the check box Include all certificates in the certification path if possible is checked, as well as Export all extended properties.

Run certlm.msc on the Windows servers and import the *.PFX into the Computer's Personal Certificate store. This will cause the server to pass the entire certificate chain to the ADAL library.


The certificate store of Network Load Balancers should also be updated to include the entire certificate chain, if present.
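To verify the fix above on a server, the following added check (not part of this FAQ or of the AD FS product) builds the chain for the AD FS SSL certificate and reports any intermediate that is not physically present in the machine's Intermediate Certification Authorities store, which is where Schannel picks up the certificates it sends with the leaf. It assumes it runs on a federation server where Get-AdfsSslCertificate returns the 443 binding (on a WAP server, pass -Thumbprint explicitly); revocation is deliberately not checked because only chain completeness matters here.

```powershell
# Added example, not from the AD FS documentation: check that the machine holds the complete
# chain for the AD FS SSL certificate, with every intermediate in Cert:\LocalMachine\CA, which is
# where Schannel looks for the certificates it sends alongside the leaf during the handshake.
# Assumptions: Get-AdfsSslCertificate returns objects with PortNumber and CertificateHash; on a
# WAP server pass -Thumbprint. Revocation is skipped because only completeness is being tested.
function Test-AdfsSslChain {
    param([string]$Thumbprint)
    if (-not $Thumbprint) {
        $binding = Get-AdfsSslCertificate | Where-Object { $_.PortNumber -eq 443 } | Select-Object -First 1
        $Thumbprint = $binding.CertificateHash
    }
    $leaf = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Let Build() return whatever it could assemble even when the chain does not reach a trusted root
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($leaf)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    # Intermediates are every element that is neither the leaf nor self-signed (the root)
    $intermediates = $elements | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint -and $_.Subject -ne $_.Issuer }
    $missing = @()
    foreach ($ca in $intermediates) {
        # Windows may have fetched this intermediate via AIA while building the chain; Android
        # cannot, so it must be present in the Intermediate Certification Authorities store
        if (-not (Test-Path "Cert:\LocalMachine\CA\$($ca.Thumbprint)")) { $missing += $ca.Subject }
    }
    if ($elements.Count -eq 1 -and $leaf.Subject -ne $leaf.Issuer) {
        $missing += "issuer '$($leaf.Issuer)' (not found in any local store)"
    }
    [pscustomobject]@{
        Leaf        = $leaf.Subject
        ChainBuilt  = $built
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Missing     = $missing
    }
}

$check = Test-AdfsSslChain
$check | Format-List
if ($check.Missing.Count -gt 0) {
    Write-Warning "Re-import the PFX with 'Include all certificates in the certification path if possible' ticked."
}
```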

Does AD FS support HEAD requests?

AD FS does not support HEAD requests. Applications should not be using HEAD requests against AD FS endpoints. This may cause HTTP error responses that are unexpected and/or delayed. Additionally, you may see unexpected error events in the AD FS event log.

Why am I not seeing a refresh token when I am logging in with a remote IdP?

A refresh token is not issued if the token issued by the IdP has a validity of less than 1 hour. To ensure a refresh token is issued, increase the validity of the token issued by the IdP to more than 1 hour.