ADFS login page for external users


Question

Hi all,

I built an ADFS lab on Windows 2008 servers recently, and during this process configured a stand-alone WAP server for testing external authentication. At the time I was unsure if this was the correct way to do it, and I couldn't find any specific doco that suggested the authentication page could sit on the ADFS proxy server. I am about to move into a pre-production environment and this question is still puzzling me. Is it okay to configure the IIS app on the proxy server, or should I keep this separate?


The app will initially be for connecting users with our Office 365 tenancy.

Cheers

Andy

Recommended answer


Hi Andy,

AD FS in 2008 is a role in the Windows build, which is actually AD FS 1.x. AD FS 2.0 for Windows Server 2008 is available as a separate download. AD FS 2012 R2, running under Windows Server 2012, comes with a Web Application Proxy (WAP). I make this distinction because you referred to the setup of a 2008 environment, which would typically mean the use of the AD FS 2.0 Proxy and AD FS 2.0 farm. You mentioned a WAP component. This is a composite in a Windows Server 2012 R2 configuration and not AD FS 2.0 / Windows 2008.

AD FS 2.0 also possesses a proxy capability (AD FS Proxy), and this contains a separate set of logon pages from those used by the farm. The farm defaults to using Integrated Windows Authentication (IWA), whereas the proxy uses forms logon served up by IIS. Authentication methods are defined in the web.config file under the /adfs/ls path on the IIS server of both proxy and farm. I'm guessing you won't want to change this setup.

For O365, your internal clients will typically point to the farm (A) record in DNS (e.g. for apps such as OWA and SharePoint) and thereby get the benefits of transparent SSO using their Windows logon ticket via the aforementioned IWA configuration. External clients (read: Internet) point to the (A) record in your external DNS for your AD FS Proxy. The above behaviour uses the WS-Federation protocol and is browser-based (using browser redirects to commute between O365 and AD FS), hitting the /adfs/ls IIS-based endpoint. These are known as passive requestor clients.

Outlook/ActiveSync are "thick" clients and are unaware of AD FS. Their basic authentication credentials are sent to O365 (Exchange Online), whereupon they are translated into XML documents at the MS gateway with the encapsulated credentials contained therein. These are then sent back from MS to your AD FS setup, hitting the AD FS Proxy, which then proxies this information to the farm for authentication at a SOAP/Web Services endpoint (/adfs/servers/trust/13/usernamemixed). Lync is different. It is AD FS-aware and is known as an active requestor client because it communicates with AD FS to get a security token, which it then passes to O365. It too uses SOAP/Web Services.

BTW, in AD FS 2012 R2 there is no IIS. All functionality now moves under http.sys (kernel mode).

Regards,

Mylo
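The Outlook/ActiveSync and Lync paths described in the answer above both end at the AD FS username/password WS-Trust endpoint, with the proxy relaying the SOAP message to the farm. What follows is an added example, not code from the original thread or from Microsoft: it builds the RequestSecurityToken that an active requestor POSTs to the proxy and then extracts and sanity-checks a constructed, unsigned RequestSecurityTokenResponse the way a relying party would before the signature check. The host sts.contoso.com, the user, the password, the assertion ID, the ImmutableID value and the whole sample response are assumptions; the endpoint path used is the standard AD FS 2.0 one, /adfs/services/trust/13/usernamemixed.

```python
"""WS-Trust 1.3 'usernamemixed' exchange used by AD FS 2.0 active-requestor clients.
Added example for this thread, not code from the original post: the STS host, user,
password, IDs and the whole RSTR are constructed, and the RSTR carries no signature."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
USERNAMEMIXED = "https://sts.contoso.com/adfs/services/trust/13/usernamemixed"  # standard AD FS 2.0 path, hypothetical host
O365_REALM = "urn:federation:MicrosoftOnline"  # relying-party realm Office 365 asks AD FS for
SAMPLE_NOW = dt.datetime(2024, 5, 1, 9, 30, tzinfo=dt.timezone.utc)  # constructed clock for the sample
TS = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_rst(username, password, now=SAMPLE_NOW, endpoint=USERNAMEMIXED, applies_to=O365_REALM):
    """RST that Exchange Online (carrying Outlook/ActiveSync basic-auth credentials) or an AD FS-aware
    client such as Lync POSTs to the proxy. The password rides in a WS-Security UsernameToken, so TLS
    to the proxy is its only protection; escape() stops odd characters from breaking the XML."""
    created, expires = now.strftime(TS), (now + dt.timedelta(minutes=5)).strftime(TS)
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:u="{NS['u']}">
  <s:Header>
    <a:Action s:mustUnderstand="1">{NS['trust']}/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>
    <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{NS['o']}">
      <u:Timestamp u:Id="_0"><u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-{uuid.uuid4()}">
        <o:Username>{escape(username)}</o:Username><o:Password>{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="{NS['trust']}">
      <wsp:AppliesTo xmlns:wsp="{NS['wsp']}"><a:EndpointReference><a:Address>{escape(applies_to)}</a:Address></a:EndpointReference></wsp:AppliesTo>
      <trust:KeyType>{NS['trust']}/Bearer</trust:KeyType>
      <trust:RequestType>{NS['trust']}/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def rst_fields(rst_xml):
    """What a proxy-side log or IDS rule would pull from an inbound RST (never the password)."""
    root = ET.fromstring(rst_xml)
    return {"action": root.findtext("s:Header/a:Action", namespaces=NS),
            "username": root.findtext("s:Header/o:Security/o:UsernameToken/o:Username", namespaces=NS),
            "applies_to": root.findtext(".//wsp:AppliesTo/a:EndpointReference/a:Address", namespaces=NS)}


# Constructed RSTR as the farm would return it through the proxy; the ds:Signature element is omitted.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}"><s:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="{NS['trust']}"><trust:RequestSecurityTokenResponse>
<wsp:AppliesTo xmlns:wsp="{NS['wsp']}"><a:EndpointReference><a:Address>{O365_REALM}</a:Address></a:EndpointReference></wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1" AssertionID="_7f3c1e2a"
    Issuer="http://sts.contoso.com/adfs/services/trust" IssueInstant="2024-05-01T09:00:00.000Z">
  <saml:Conditions NotBefore="2024-05-01T09:00:00.000Z" NotOnOrAfter="2024-05-01T10:00:00.000Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{O365_REALM}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">AbCdEf0123456789AbCdEf==</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>andy@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05"><saml:AttributeValue>AbCdEf0123456789AbCdEf==</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
</trust:RequestedSecurityToken>
<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
</trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection>
</s:Body></s:Envelope>"""


def parse_rstr(rstr_xml, expected_audience=O365_REALM, now=SAMPLE_NOW):
    """Extract the issued SAML 1.1 assertion and apply the checks that need no key (validity window,
    audience). Signature verification against the farm's token-signing certificate is NOT done here;
    a real relying party must do it before trusting any claim returned below."""
    root = ET.fromstring(rstr_xml)
    a = root.find(".//trust:RequestedSecurityToken/saml:Assertion", NS)
    if a is None:
        raise ValueError("RSTR carries no SAML assertion")
    cond = a.find("saml:Conditions", NS)
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=dt.timezone.utc)
    not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=dt.timezone.utc)
    if not not_before <= now < not_on_or_after:
        raise ValueError("assertion outside its validity window")
    audience = cond.findtext("saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        raise ValueError(f"audience {audience!r} is not {expected_audience!r}")
    claim = lambda n: a.findtext(f"saml:AttributeStatement/saml:Attribute[@AttributeName='{n}']/saml:AttributeValue", namespaces=NS)
    return {"issuer": a.get("Issuer"), "upn": claim("UPN"), "immutable_id": claim("ImmutableID"),
            "name_id": a.findtext("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", namespaces=NS),
            "not_on_or_after": not_on_or_after}
```

Two points the message shapes make concrete. First, the proxy does nothing with the UsernameToken except relay it, so every Internet-originated request to this endpoint becomes an AD authentication attempt on the farm; failures at this path are worth logging and alerting on separately from the browser-based /adfs/ls traffic. Second, the claims Office 365 relies on (UPN and ImmutableID) arrive as plain attribute values, so nothing in parse_rstr above is trustworthy until the assertion's signature has been checked against the farm's token-signing certificate.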

