ADFS身份验证 - IE8有效,Chrome失败 [英] ADFS authentication - IE8 works, Chrome fails
问题描述
对于Chrome - 它会重定向到AD FS服务器...要求进行身份验证但无法进行身份验证。
我尝试使用fiddler进行请求,但它显示没有什么有趣的 - 所以表明我们重定向到adfs进行身份验证,但没有更多
它可能是什么?为什么它不可能验证chrome
谢谢
在事件查看器中,您将看到状态:0xc000035b的审计失败事件。您可以通过关闭adfs / ls web应用程序的扩展保护来绕过这个问题。
Web上有几篇文章,例如 Microsoft AD FS论坛上的Windows集成登录线程中出现0xc000035b错误。引用:
$ b
要关闭Extended Protection,请在
AD FS服务器上启动IIS管理器
,在左侧的树视图中,
访问站点 - >默认网站 - >
adfs - > ls。选择
/ adfs / ls文件夹后,双击
认证图标,然后右键单击
Windows认证并选择
高级设置...在高级
设置对话框,为
扩展保护选择关。
这个问题出现在我知道的几种情况中:使用Firefox 3.5+或Chrome时,使用某些特定的NTLM配置(我没有详细信息),以及使用Fiddler时(请参阅 TechNet文章文章和Fiddler and Channel-Binding-Tokens包含更多技术背景信息的博客文章)。
(请注意,我无法找到任何有关如何通过Google Chrome和Firefox对AD FS进行NTLM身份验证的信息3.5+工作没有关闭'扩展保护'。我的意思是,Internet Explorer与扩展保护一起使用,为什么不使用Chrome或Firefox?或者这是一个Chrome / Firefox实现的bug /限制,例如,在使用Windows NTLM库时?)
so, have web-site configured for ADFS 2.0 authentication...
for IE - it works fine and did authentication correct
for Chrome - it reaches redirect to AD FS server... ask to authenticate but could not authenticate.
I try to requests using fiddler but it show nothing interesting - so show that we redirect to adfs for authentication but nothing more
what it could be? why it is impossible to authenticate for chrome
thanks
In the event viewer you will see an 'Audit Failure' event with "Status: 0xc000035b". You can circumvent this problem by switching off 'Extended Protection' for the adfs/ls web application.
There are several articles on the Web on this, for example the "0xc000035b error during windows integrated login" thread on Microsoft's AD FS forum. Quoting:
To turn Extended Protection off, on the AD FS server, launch IIS Manager, then, on the left side tree view, access Sites -> Default Web Site -> adfs -> ls. Once you’ve selected the "/adfs/ls" folder, double-click the Authentication icon, then right-click Windows Authentication and select Advanced Settings… On the Advanced Settings dialog, choose Off for Extended Protection.
This issue occurs in several situations that I know of: when using Firefox 3.5+ or Chrome, using some specific NTLM configuration for which I don't have the details at hand, and when using Fiddler (see the "AD FS 2.0: Continuously Prompted for Credentials While Using Fiddler Web Debugger" TechNet article post, and the "Fiddler and Channel-Binding-Tokens" blog post which contains more technical background information).
(Note that nowhere I could find any information how to make NTLM authentication to AD FS from, e.g., Google Chrome and Firefox 3.5+ work without switching off 'Extended Protection'. I mean, Internet Explorer works with 'Extended Protection', why don't Chrome or Firefox? Or is this a Chrome/Firefox implementation bug/restriction, e.g., in their use of the Windows NTLM library?)
这篇关于ADFS身份验证 - IE8有效,Chrome失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
