AD FS 3.0 Forms Authentication Problem

Problem description

I have deployed a simple AD FS infrastructure on Windows Server 2012 R2: 1x AD FS server on the corporate network + 1x WAP server in the DMZ.

IWA works fine for users on the internal network: when navigating to the IdpInitiatedSignon.aspx page and authenticating, the browser responds with a 'You have signed in' message.

However, if I try to authenticate from an internet-facing computer using FBA, the credentials appear to be accepted OK, but it just returns to an empty log on screen again. Oddly, if the credentials entered are invalid, a message is displayed to that effect.

I've enabled verbose logging and can see that a user appears to be authenticated correctly (event ID 4624 in the Security log) and that a token is issued to the user (event ID 299 in the Security log).

If I change the authentication settings in AD FS for the intranet, replacing Windows Authentication for Forms Authentication in the Global Authentication Policy, I get the same experience.

The servers are patched with all the latest hotfixes.

Can anyone advise as to why, when using FBA, I don't get the 'You have signed in' message?

I have a lab environment and don't have this issue - the only difference between the two is that the lab environment isn't patched, it is 2012 R2 as it rolled out of the factory!

Recommended answer

Just to close the loop on this thread, I had a new and unpatched server provisioned, installed AD FS and validated authentication. Both IWA and FBA worked fine against the AD FS server, and FBA worked when the WAP server was configured against the new AD FS server.

I subsequently patched the server using Microsoft Update and authentication continued to work, so I'm putting the experience down to an iffy server build!

