What's new in Active Directory Federation Services for Windows Server 2016

Applies To: Windows Server 2016

If you are looking for information on earlier versions of AD FS, see the following articles:
AD FS in Windows Server 2012 or 2012 R2 and AD FS 2.0

Active Directory Federation Services provides access control and single sign-on across a wide variety of applications, including Office 365, cloud-based SaaS applications, and applications on the corporate network.

  • For the IT organization, it enables you to provide sign-on and access control to both modern and legacy applications, on premises and in the cloud, based on the same set of credentials and policies.
  • For the user, it provides seamless sign-on using the same, familiar account credentials.
  • For the developer, it provides an easy way to authenticate users whose identities live in the organizational directory, so that you can focus your efforts on your application, not on authentication or identity.

This article describes what is new in AD FS in Windows Server 2016 (AD FS 2016).

Eliminate Passwords from the Extranet

AD FS 2016 enables three new options for sign-on without passwords, enabling organizations to avoid the risk of network compromise from phished, leaked, or stolen passwords.

Sign in with Azure Multi-factor Authentication

AD FS 2016 builds upon the multi-factor authentication (MFA) capabilities of AD FS in Windows Server 2012 R2 by allowing sign-on using only an Azure MFA code, without first entering a username and password.

  • With Azure MFA as the primary authentication method, the user is prompted for their username and the OTP code from the Azure Authenticator app.
  • With Azure MFA as the secondary or additional authentication method, the user provides primary authentication credentials (using Windows Integrated Authentication, username and password, smart card, or user or device certificate), then sees a prompt for text, voice, or OTP-based Azure MFA login.
  • With the new built-in Azure MFA adapter, setup and configuration of Azure MFA with AD FS has never been simpler.
  • Organizations can take advantage of Azure MFA without the need for an on-premises Azure MFA server.
  • Azure MFA can be configured for the intranet or extranet, or as part of any access control policy.

For more information about Azure MFA with AD FS

Password-less Access from Compliant Devices

AD FS 2016 builds on previous device registration capabilities to enable sign-on and access control based on the device compliance status. Users can sign on using the device credential, and compliance is re-evaluated when device attributes change, so that you can always ensure policies are being enforced. This enables policies such as:

  • Enable access only from devices that are managed and/or compliant
  • Enable extranet access only from devices that are managed and/or compliant
  • Require multi-factor authentication for computers that are not managed or not compliant

AD FS provides the on-premises component of conditional access policies in a hybrid scenario. When you register devices with Azure AD for conditional access to cloud resources, the device identity can be used for AD FS policies as well.

For more information about using device-based conditional access in the cloud

For more information about using device-based conditional access with AD FS

Sign in with Windows Hello for Business

Windows 10 devices introduce Windows Hello and Windows Hello for Business, replacing user passwords with strong device-bound user credentials protected by a user's gesture (a PIN, a biometric gesture like a fingerprint, or facial recognition). AD FS 2016 supports these new Windows 10 capabilities so that users can sign in to AD FS applications from the intranet or the extranet without the need to provide a password.

For more information about using Microsoft Windows Hello for Business in your organization

Secure Access to Applications

Modern Authentication

AD FS 2016 supports the latest modern protocols that provide a better user experience for Windows 10 as well as the latest iOS and Android devices and apps.

For more information see AD FS Scenarios for Developers

Configure access control policies without having to know claim rules language

Previously, AD FS administrators had to configure policies using the AD FS claim rule language, making it difficult to configure and maintain policies. With access control policies, administrators can use built-in templates to apply common policies such as:

  • Permit intranet access only
  • Permit everyone and require MFA from the extranet
  • Permit everyone and require MFA from a specific group

The templates are easy to customize using a wizard-driven process to add exceptions or additional policy rules, and they can be applied to one or many applications for consistent policy enforcement.
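The same assignment can be scripted. The following PowerShell is an added example, not code from this article or from the AD FS documentation: it assigns one of the built-in templates to a relying party trust and then lists any trusts that still depend on hand-written authorization rules. The relying party name "Contoso Payroll" is constructed, and the template is located by wildcard because the exact display name of the built-in extranet-MFA policy is read from the farm rather than assumed.

```powershell
# Added example, not Microsoft's own code. Assumes an elevated PowerShell session
# on an AD FS 2016 node at farm behavior level 2016. "Contoso Payroll" is a
# constructed relying party name; substitute one that exists in your farm.
Import-Module ADFS

$rpName = "Contoso Payroll"

# Read the template name from the farm instead of typing it from memory.
$template = Get-AdfsAccessControlPolicy |
    Where-Object { $_.Name -like "Permit everyone and require MFA from extranet*" } |
    Select-Object -First 1
if (-not $template) {
    Get-AdfsAccessControlPolicy | Select-Object Name, Description | Format-Table -AutoSize
    throw "No extranet-MFA template found; pick one from the list above."
}

# Once a policy is assigned, authorization for this trust is governed by the
# template, so the MFA-from-extranet requirement no longer lives in rule text.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $template.Name

# Verify the assignment took effect.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AccessControlPolicyName

# Inventory for review: trusts with no policy still rely on custom claim rules,
# so their IssuanceAuthorizationRules deserve a manual look.
Get-AdfsRelyingPartyTrust |
    Where-Object { [string]::IsNullOrEmpty($_.AccessControlPolicyName) } |
    Select-Object Name, Enabled, IssuanceAuthorizationRules |
    Format-List
```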

For more information see Access control policies in AD FS.

Enable sign-on with non-AD LDAP directories

Many organizations have a combination of Active Directory and third-party directories. With the addition of AD FS support for authenticating users stored in LDAP v3-compliant directories, AD FS can now be used for:

  • Users in third-party, LDAP v3-compliant directories
  • Users in Active Directory forests to which an Active Directory two-way trust is not configured
  • Users in Active Directory Lightweight Directory Services (AD LDS)

For more information see Configure AD FS to authenticate users stored in LDAP directories.

Better Sign-in Experience

Customize the sign-in experience for AD FS applications

We heard from you that the ability to customize the logon experience for each application would be a great usability improvement, especially for organizations that provide sign-on for applications representing multiple different companies or brands.

Previously, AD FS in Windows Server 2012 R2 provided a common sign-on experience for all relying party applications, with the ability to customize a subset of text-based content per application. With Windows Server 2016, you can customize not only the messages, but also images, logo, and web theme per application. Additionally, you can create new, custom web themes and apply them per relying party.

For more information see AD FS user sign-in customization.

Manageability and Operational Enhancements

The following section describes the improved operational scenarios that are introduced with Active Directory Federation Services in Windows Server 2016.

Streamlined auditing for easier administrative management

In AD FS for Windows Server 2012 R2, numerous audit events were generated for a single request, and the relevant information about a log-in or token issuance activity was either absent (in some versions of AD FS) or spread across multiple audit events. By default, the AD FS audit events were turned off due to their verbose nature.
With the release of AD FS 2016, auditing has become more streamlined and less verbose.

For more information see Auditing enhancements to AD FS in Windows Server 2016.
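Because the audit trail is what detection and incident response depend on, it is worth checking that the streamlined events are actually switched on. The following PowerShell is an added example, not code from this article or from Microsoft: it enables success and failure audits, selects the 2016 audit level, opens the Windows audit subcategory that AD FS writes to, and summarizes what has been recorded. The provider name "AD FS Auditing" used in the final query is an assumption to confirm on your own farm.

```powershell
# Added example, not Microsoft's own code. Assumes an elevated PowerShell session
# on an AD FS 2016 node and that the AD FS service account holds the
# "Generate security audits" user right. Run it on every farm node.
Import-Module ADFS

$props = Get-AdfsProperties
"AuditLevel before: $($props.AuditLevel)"
"LogLevel before:   $($props.LogLevel -join ', ')"

# 1. Ask AD FS to emit both success and failure audits. LogLevel is a set of
#    categories, so keep whatever is already enabled and add the two we need.
$logLevel = @($props.LogLevel) + @('SuccessAudits', 'FailureAudits') | Select-Object -Unique
Set-AdfsProperties -LogLevel $logLevel

# 2. Basic is the streamlined 2016 format (a handful of events per request with
#    the key facts in each); Verbose restores the 2012 R2 style multi-event trail.
Set-AdfsProperties -AuditLevel Basic

# 3. Windows itself must accept application-generated audits, or nothing lands
#    in the Security log regardless of what AD FS is told to emit.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 4. Show the resulting state and a quick count of events already recorded.
#    Provider name "AD FS Auditing" is an assumption; verify it on your farm.
Get-AdfsProperties | Select-Object AuditLevel, LogLevel
auditpol.exe /get /subcategory:"Application Generated"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing' } `
             -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```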

Improved interoperability with SAML 2.0 for participation in confederations

AD FS 2016 contains additional SAML protocol support, including support for importing trusts based on metadata that contains multiple entities. This enables you to configure AD FS to participate in confederations such as the InCommon Federation and other implementations conforming to the eGov 2.0 standard.

For more information see Improved interoperability with SAML 2.0.

Simplified password management for federated O365 users

You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by AD FS. How these claims are used depends on the application. For example, with Office 365 as your relying party, updates have been implemented in Exchange and Outlook to notify federated users of their soon-to-be-expired passwords.

For more information see Configure AD FS to send password expiry claims.

Moving from AD FS in Windows Server 2012 R2 to AD FS in Windows Server 2016 is easier

Previously, migrating to a new version of AD FS required exporting the configuration from the old farm and importing it into a brand new, parallel farm.

Now, moving from AD FS on Windows Server 2012 R2 to AD FS on Windows Server 2016 has become much easier. Simply add a new Windows Server 2016 server to a Windows Server 2012 R2 farm, and the farm will act at the Windows Server 2012 R2 farm behavior level, so it looks and behaves just like a Windows Server 2012 R2 farm.

Then, add new Windows Server 2016 servers to the farm, verify the functionality, and remove the older servers from the load balancer. Once all farm nodes are running Windows Server 2016, you are ready to upgrade the farm behavior level to 2016 and begin using the new features.
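The final step of that procedure, raising the farm behavior level, can be checked and performed from PowerShell. The following is an added example, not code from this article or from Microsoft; it assumes a domain administrator session on one of the Windows Server 2016 nodes of the mixed farm, and that the raise cmdlets prompt for any credentials and confirmation they need.

```powershell
# Added example, not Microsoft's own code. Assumes a domain administrator
# session on a Windows Server 2016 node of a mixed farm; the raise cmdlets
# prompt for credentials and confirmation as needed.
Import-Module ADFS

# Before: the farm still reports the 2012 R2 behavior level and lists every
# node. Confirm from this list that no Windows Server 2012 R2 node remains
# before going any further.
$before = Get-AdfsFarmInformation
"Farm behavior level before raise: $($before.CurrentFarmBehavior)"
$before.FarmNodes | Format-List

# Dry run: checks the prerequisites for the raise without changing anything.
# Review the output before proceeding.
Test-AdfsFarmBehaviorLevelRaise -Verbose

# The actual raise. Treat it as a one-way step for the farm: once the level
# is 2016, Windows Server 2012 R2 servers can no longer be added to it.
Invoke-AdfsFarmBehaviorLevelRaise

# After: the new level is visible farm-wide and the 2016-only features above
# (access control policies, streamlined auditing, per-app themes) can be used.
$after = Get-AdfsFarmInformation
"Farm behavior level after raise: $($after.CurrentFarmBehavior)"
```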

For more information see Upgrading to AD FS in Windows Server 2016.