ADFS [英] ADFS

问题描述

大家好，

我们正在尝试实施ADFS解决方案并提供一些基本查询，我已尝试通过Azure的架构文档。

基本上我们需要Azure门户重定向到我们的ADFS并将用户验证到Azure门户。

我们没有办公室，也不需要任何其他服务，它的普通认证来自互联网的门户网站。

我们感到困惑。

我们在本地有15个地点主持人每个域控制器，也是域的全局目录，例如。 mydomain.com

到目前为止，域名完全是内部的，并且复制适用于所有位置。

我们 有很多AD用户/帐户/通过本地域控制器进行身份验证，无法访问互联网。

我们配置了ADFS，WAP和...

问题1.如果按照此处的说明配置AAD
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/ how-to-connect-install-custom ，这会影响本地的本地身份验证，因为它将托管域转换为联合身份。

Q2。本地身份验证是否保持本地或他们失败了。例如，域用户登录到服务器，服务帐户等。

Q3。我们不会同步所有对象，只需一个OU。并且该OU中的用户可以登录Azure门户。

非常感谢您的时间和支持。

---

Venu

解决方案

1。它会影响附加到联合域的特定域控制器上的用户的身份验证。一种解决方法是配置备用登录ID。 https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

2.起源于的用户本地Windows AD与Azure同步将通过ADFS进行身份验证。您可以通过关闭服务器并查看用户在打开服务器之前无法进行身份验证来对此进行测试。如果你想要
绕过这个，你可以在机器上手动添加用户作为本地管理员。 

3。如果使用基于OU的筛选，则OU中的所有对象都将同步到Azure AD。  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync -configure过滤

Hi Members,

We are trying to implement ADFS solution and have some basic queries which i've tried going through the Architecture documentation of Azure.

Basically we need the Azure portal to redirect to our ADFS and authenticate the user to Azure Portal.

We dont have office and dont need any other services , its plain authentication of Portal from internet.

what we are confused with.

we have 15 Locations on-prem which host 2 Domain Controllers each, which are also Global Catalogs for domain eg. mydomain.com

The domain is totally internal so far and the replication works between all locations.

We have lot of AD users/ accounts / which authenticate to the local Domain Controllers and have no access to the internet.

We configured, the ADFS, WAP and...

Q1.If we configure the AAD as described here https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom, would this impact local on-prem authentications as it converts the managed domain to federated.

Q2.Does local authentication stay Local or they fail. eg, domain user logons to server, service accounts, etc.

Q3. We would not sync all objects, just a single OU. and the users in that OU could sign in to the Azure Portal.

Many thanks for your time and support.

---

Venu

解决方案

1. It would affect the authentication for the users that are on that particular domain controller that is attached to your federated domain. One workaround is to configure an alternate login ID. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

2.Users that originated in the local Windows AD and are synced with Azure will be authenticated through ADFS. You can test this by turning off your servers and seeing that the users will not be able to authenticate until they are turned on. If you want to get around this you can manually add the users as local admins on the machine. 

3. If you use OU-based filtering, all objects in the OU would synchronize to Azure AD. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering

这篇关于ADFS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！