Configuring intranet forms-based authentication for devices that do not support WIA
05/31/2017
By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication. For example, these can be browser-based applications that use the WS-Federation or SAML protocols and rich applications that use the OAuth protocol. WIA provides end users with seamless logon to the applications without having to manually enter their credentials. However, some devices and browsers are not capable of supporting WIA, and as a result authentication requests from these devices fail. Also, the experience on certain browsers that negotiate to NTLM is not desirable. The recommended approach is to fall back to forms-based authentication for such devices and browsers.
AD FS in Windows Server 2016 and Windows Server 2012 R2 gives administrators the ability to configure the list of user agents that support the fallback to forms-based authentication. The fallback is made possible by two configurations:
Comm