Azure ADFS signout issue on SharePoint site in IE & Edge browser


Problem description

We have configured Active Directory ADFS authentication for SharePoint 2013. We have implemented a sign-out button that redirects users to https://login.microsoftonline.com/[TenantID]/wsfed?wa=wsignout1.0. However, the users are able to log back in without being required to enter their credentials again. This happens even when we close the browser. I understand this is an expected behavior when we access the site from inside the domain network because the new sign-on automatically takes place. However, we don't expect this to happen when we access the site from an external network.

The behavior happens only on IE and Edge. It works fine on Chrome and Firefox where users will be asked to enter their credentials to log back in. However, I found a workaround to make it work on IE as listed below.

1. Sign in on the SharePoint home page.

2. Manually clear the browser cache.

3. Click sign out to redirect to https://login.microsoftonline.com/[TenantID]/wsfed?wa=wsignout1.0

4. Re-enter the URL and you will be prompted to enter credentials as expected.

Does anyone know the reason for this behavior?

Recommended answer

The behavior you are experiencing is by design.

Why Windows Integrated Authentication Works This Way:

• When Windows authentication is used by AD FS, a negotiate header is sent to the client browser, which results in a 401 credential prompt in order for NTLM or Kerberos authentication to occur. In the case of Kerberos, it is possible to have the AD FS Federation Service Name in an IE Security Zone, such as Local Intranet Zone, where automatic logon using the user's currently logged on credentials is utilized. In the case of successful automatic logon using Kerberos, no authentication prompt is experienced by the client. In the case of NTLM, the client will see the credential prompt in the browser.

• Once Windows credentials are provided (either NTLM or Kerberos), the browser will remember those credentials for the duration of the browser session, and will automatically re-present those credentials to the server any time the server sends down a negotiate header with a 401.

The workaround is clearing cookies from the web browser, and then trying to sign out again.

More information about clearing cookies in IE:

https://support.microsoft.com/en-us/help/278835/how-to-delete-cookie-files-in-internet-explorer

Thanks,

Wendy
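To confirm from a browser capture that a post-sign-out login was answered by the 401/Negotiate exchange described in the answer rather than by a fresh credential prompt, the following added example (not part of the original thread) classifies a header trace. The host name, trace layout and token bytes are constructed assumptions.

```python
import base64

SCHEMES = ("negotiate", "ntlm")

def token_kind(authorization):
    """Classify the Authorization header value the browser sent."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() not in SCHEMES or not blob:
        return None
    try:
        raw = base64.b64decode(blob)
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"      # raw NTLM message
    if raw[:1] == b"\x60":
        return "spnego"    # GSS-API token, usually carrying Kerberos
    return "unknown"

def classify_relogin(exchanges):
    """Report whether the login after sign-out was answered with Windows credentials."""
    challenged = set()
    for ex in exchanges:
        offered = ex["response_headers"].get("www-authenticate", "").lower()
        if ex["status"] == 401 and offered.startswith(SCHEMES):
            challenged.add(ex["url"])      # server asked for Negotiate/NTLM here
        kind = token_kind(ex["request_headers"].get("authorization", ""))
        if kind and ex["url"] in challenged and ex["status"] != 401:
            return "windows-auth:" + kind  # browser answered and was accepted
    return "no-windows-auth"

def b64(data):
    return base64.b64encode(data).decode()

# Constructed traces: placeholder host, fabricated token bytes, lower-cased header names.
STS = "https://sts.example.test/adfs/ls/"

def exchange(status, offered="", sent=""):
    """Build one constructed request/response pair against the placeholder URL."""
    return {"url": STS, "status": status,
            "response_headers": {"www-authenticate": offered},
            "request_headers": {"authorization": sent}}

KERBEROS_TRACE = [exchange(401, "Negotiate"),
                  exchange(200, sent="Negotiate " + b64(b"\x60\x82\x01\x00sample"))]
NTLM_TRACE = [exchange(401, "NTLM"),
              exchange(401, "NTLM " + b64(b"NTLMSSP\x00\x02"), "NTLM " + b64(b"NTLMSSP\x00\x01")),
              exchange(200, sent="NTLM " + b64(b"NTLMSSP\x00\x03"))]
FORMS_TRACE = [exchange(200)]
```

A `windows-auth` result means the sign-in was satisfied by credentials the browser supplied in response to the 401, which is the behavior the answer describes; the trace alone does not show whether the user saw a prompt.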

