Can I use ADFS 2.0 to authenticate certain users against SQL Server?


Problem description

I have been using ADFS to authenticate users against AD fine, using a claims aware template in VS. Some of our users will not be in Active Directory, so I would like to know if it's possible to configure ADFS to look up SQL Server for these users and then carry on as normal.

Does ADFS2.0 provide custom authentication stores? (http://stackoverflow.com/questions/2827298/does-adfs2-0-provide-custom-authentication-stores)

is a similar question, just one person says yes, it can be done, and the other says you can't.

Recommended answer

AD FS 2.0 can only authenticate against Active Directory (AD DS). This is not explicitly documented in the official AD FS 2.0 documentation, but it follows from the following two snippets:

  • "Appendix A: Reviewing AD FS Requirements" from the AD FS 1.x Design Guide, section "Account store requirements" says, "AD FS supports two types of account stores: Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS)."
  • "Planning a Migration to AD FS 2.0" says, "The following are the AD FS 1.x features and scenarios that are no longer supported in AD FS 2.0: [...] AD LDS used as an account store".

So no custom authentication stores, SQL Server based or otherwise.

(On the other question on additional attribute stores: that is possible.)

The solution that is suggested in an answer (http://stackoverflow.com/questions/2827298/does-adfs2-0-provide-custom-authentication-stores/3064173#3064173) to the other question you refer to is a bit misleading. If you read the actual blog post (http://blogs.msdn.com/b/card/archive/2010/01/27/customizing-the-ad-fs-2-0-sign-in-web-pages.aspx) you see that they add an extra STS. AD FS 2.0 has a 'Claims Provider Trust' for that other STS, and redirects to it (if the 'home realm discovery' is set up correctly). That other STS then performs the authentication in whichever way it likes, sends a token back to AD FS, which then runs its claim rules.

So in that solution it is not AD FS 2.0 authenticating against a non-AD store, but redirecting to an STS which authenticates against that store.
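
An added example, not part of the original answer: registering the separate STS described above as a Claims Provider Trust with the AD FS 2.0 PowerShell snap-in, with acceptance rules that keep only the claims you intend to trust from it. The trust name and metadata URL are hypothetical placeholders, and the sketch assumes the other STS publishes federation metadata.

```powershell
# Added example. Run on the AD FS 2.0 federation server in an elevated session.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Hypothetical values: replace with your own STS's name and federation metadata URL.
$trustName   = 'SQL-backed STS (example)'
$metadataUrl = 'https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml'

# Acceptance transform rules decide which claims AD FS keeps from the other STS.
# Only claims issued by a rule continue into the pipeline; everything else the
# other STS sends (for example group or Windows account name claims) is dropped.
$acceptanceRules = @'
@RuleName = "Pass through name identifier"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleName = "Pass through e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Create the trust only if it is not already present.
if (-not (Get-ADFSClaimsProviderTrust -Name $trustName)) {
    Add-ADFSClaimsProviderTrust -Name $trustName `
        -MetadataUrl $metadataUrl `
        -AcceptanceTransformRules $acceptanceRules
}

# Review what was imported before letting users sign in through it.
Get-ADFSClaimsProviderTrust -Name $trustName |
    Format-List Name, Identifier, Enabled, AcceptanceTransformRules
```

Relying party trusts still need their own issuance rules for these claims; the acceptance rules only control what AD FS takes in from the other STS.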
