ADFS SSO in two-way forest trust


Problem description


Hi all,

We have an issue with SSO across forests. But first some background.

DOMAIN A hosts a web application that requires the use of ADFS for SSO. We have built the ADFS in DOMAIN A and got it all working nicely. The clients in DOMAIN A can successfully SSO to the web application. We have set *.ourdomainname in the Local Intranet Zone using group policy.

There is a two-way forest trust using selective authentication between DOMAIN A and DOMAIN B. The service account that ADFS runs under has been granted Allowed to Authenticate against all the DCs in DOMAIN B. Also, DOMAIN B users have been granted Allowed to Authenticate against the ADFS server.

When a client from DOMAIN B connects to the web application, it attempts to redirect to the ADFS server for authentication, but then Internet Explorer displays a "Cannot Display Webpage" error. However, the interesting bit is that when *.ourdomainname or the ADFS FQDN is removed from the Local Intranet Zone, the client is prompted for a user name and password as you would expect, and when entered the credentials are accepted and we are redirected back to the web app authenticated.

I cannot fathom why the SSO would not work in DOMAIN B but manually logging in using the ADFS prompt does.

Is there some extra configuration required to get SSO working in DOMAIN B?

Cheers

Recommended answer

Odd behavior. Do you run into the same problem if you set the zone to a regular trusted site instead of an intranet site?
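As an added troubleshooting check that is not part of the original thread: the script below, run on a DOMAIN B client, reads the group-policy "Site to Zone Assignment List" (the ZoneMapKey policy key) to report which Internet Explorer security zone the ADFS host name lands in, and then reads that zone's Logon setting (registry value 1A00), which decides whether IE sends the user's Windows credentials silently or prompts for them. The question's symptom (failure while the ADFS FQDN is in the Local Intranet zone, success once it is removed and a prompt appears) and the answer's suggestion to try Trusted Sites both hinge on exactly these two settings. The ADFS URL is a constructed placeholder, and the wildcard matching is a simplified approximation of IE's own zone-mapping rules.

```powershell
# Added example (not from the thread): which IE zone does the ADFS host fall into,
# and what does that zone do about Windows Integrated Authentication?
param(
    # Placeholder federation service URL; replace with the real ADFS FQDN.
    [string]$Url = 'https://adfs.ourdomainname.example/adfs/ls/'
)

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Meaning of the "Logon" DWORD (value name 1A00) stored under each zone's key.
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Policy-delivered site-to-zone mappings; machine policy is listed first.
$mapKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneForHost {
    param([string]$HostName)
    foreach ($key in $mapKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            # Value names are URL patterns such as "*.ourdomainname" or
            # "https://adfs.contoso.com"; the data is the zone number as a string.
            $pattern = $p.Name -replace '^[a-z]+://', ''
            if ($HostName -like $pattern) {
                return [pscustomobject]@{ Pattern = $p.Name; Zone = [int]$p.Value; Source = $key }
            }
        }
    }
    return $null
}

function Get-ZoneLogonPolicy {
    param([int]$Zone)
    # Policy keys override the user's own settings, so check them first.
    $zoneKeys = @(
        "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone",
        "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    )
    foreach ($k in $zoneKeys) {
        if (-not (Test-Path $k)) { continue }
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) {
            return [pscustomobject]@{ Value = [int]$v; Meaning = $logonNames[[int]$v]; Source = $k }
        }
    }
    return $null
}

$hostName = ([Uri]$Url).Host
$zone = Get-ZoneForHost -HostName $hostName

if (-not $zone) {
    "No policy zone mapping matches $hostName; IE falls back to its own heuristics."
} else {
    "$hostName -> zone $($zone.Zone) ($($zoneNames[$zone.Zone])) via pattern '$($zone.Pattern)' in $($zone.Source)"
    $logon = Get-ZoneLogonPolicy -Zone $zone.Zone
    if ($logon) {
        "Logon setting (1A00) = 0x{0:X} : {1}  [{2}]" -f $logon.Value, $logon.Meaning, $logon.Source
    } else {
        "No explicit 1A00 value found for zone $($zone.Zone); IE uses its built-in default for that zone."
    }
}
```

Run it in the context of the DOMAIN B user who sees the error. If the ADFS host maps to the Local Intranet zone with automatic logon, IE attempts Windows Integrated Authentication silently, which is the path that fails in the question; a zone whose Logon setting prompts for credentials is the path that succeeds. Comparing the output before and after the zone change the answer proposes shows whether the behaviour follows the zone assignment or something else on the ADFS side.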


