为什么使用ADAL进行ADFS身份验证从不要求用户输入凭据?
[英]Why does ADFS authentication using ADAL never require the user to enter credentials?
问题描述
We are running ADFS 3 on Windows Server 2012 R2, and using the C# ADAL library v3 to retrieve an authentication token from ADFS for our custom .NET application. 
我们正在Windows Server 2012 R2上运行ADFS 3,并使用C#ADAL库v3从ADFS中为我们的自定义.NET应用程序检索身份验证令牌。 The idea is to use ADFS to provide AD authentication of our users to our .NET Core Web APIs using the same web-standard method whether the client application is a .NET app or a ReactJS app. 这个想法是使用ADFS通过相同的Web标准方法向我们的.NET Core Web API提供用户的AD身份验证,无论客户端应用程序是.NET应用程序还是ReactJS应用程序。
The applications are internal LOB applications, and all users are internal corporate users who are logged onto AD through Windows when using the application. 这些应用程序是内部LOB应用程序,所有用户都是内部公司用户,使用该应用程序时它们是通过Windows登录到AD的。 The authentication appears to be working in that ADFS is called and provided a JWT token for the calling user, and that token is successfully checked by the web API. 身份验证似乎正在起作用,因为已调用ADFS并为主叫用户提供了JWT令牌,并且该令牌已由Web API成功检查。
What concerns me is that, when authentication is triggered for the Web API, a browser Window flashes up but never pauses to force the user to authenticate - ADFS just responds with a token for the user. 让我担心的是,当针对Web API触发身份验证时,浏览器窗口会闪烁,但不会暂停以强制用户进行身份验证-ADFS只是为用户提供令牌响应。 I expected the users to have to authenticate with their username and password, at least the first time and immediately after a password change. 我希望用户至少在第一次更改密码后必须立即使用用户名和密码进行身份验证。
Is this expected behaviour, and why? 这是预期的行为,为什么? This answer is to a different question, but implies that in this situation Integrated Windows Authentication (IWA) will be used unless ADFS is configured to force Forms Based Authentication (FBA). 该答案是一个不同的问题,但意味着在这种情况下,除非将ADFS配置为强制基于表单的身份验证(FBA),否则将使用集成Windows身份验证(IWA)。
Can anyone confirm that this is what is happening? 谁能确认这是怎么回事?
Thanks, Peter 谢谢彼得
1 个解决方案
解决方案1
1 已采纳 2017-01-30 13:03:18
If you are running the ADFS Server in your Domain Environment (which I suppose you do, since ADFS is sort of Windows-only-ish). 如果您在域环境中运行ADFS服务器(我想您应该这样做,因为ADFS有点像Windows一样)。 Then your users are experiencing SingleSignOn through Kerberos. 然后,您的用户将通过Kerberos体验SingleSignOn。
So what essentially happens is the following: 因此,本质上是这样的:
- Users Browser (UA = user agent) opens 用户浏览器(UA =用户代理)打开
- UA loads ADFS, providing it's user-agent-header UA加载ADFS,并提供用户代理标题
- AD FS sniffs that header for configured values (PS> Get-ADFSProperties for more info) AD FS嗅探该标头以获取配置的值(有关更多信息,请单击PS> Get-ADFSProperties)
- AD FS sees IE or any other WIA-enabled browser (you can make Chrome and FF work, too) AD FS可以看到IE或任何其他支持WIA的浏览器(您也可以使Chrome和FF正常工作)
- AD FS starts Kerberos Negotiation with the UA AD FS与UA启动Kerberos协商
- AD FS issues user ticket AD FS发行用户票证
You can enforce users to authenticate, by setting an appropriate policy or disabling WIA on AD FS (enable FBA, or you won't authenticate with any method). 您可以通过设置适当的策略或在AD FS上禁用WIA来强制用户进行身份验证(启用FBA,否则您将不会使用任何方法进行身份验证)。
You can also call AD FS via a WAP proxy - this will also force FBA (assuming you do not have device authentication) 您也可以通过WAP代理调用AD FS-这也会强制执行FBA(假设您没有设备身份验证)
Nevertheless - why would you reauthenticate the user in ADFS? 但是,为什么要在ADFS中重新验证用户身份? He already provided his password to the windows machine he is sitting at - if you force reauth you loose a nice and smooth single-sign-on experience. 他已经将密码提供给了他所在的Windows机器-如果您强制重新身份验证,则会失去良好而流畅的单点登录体验。 You do not gain anything by asking the user again. 再次询问用户不会获得任何好处。 If you want it "more secure" roll out two factor authentication. 如果您希望它“更安全”,则推出两因素身份验证。 AD FS 2016 has modules for that. AD FS 2016为此提供了模块。
Update - just to clearify for others: 更新-只是为了澄清其他人:
AD FS should automatically fall-back to FBA (if not configured otherwise), if the browser does not support WIA! 如果浏览器不支持WIA,则AD FS应该自动回退到FBA(如果未进行其他配置)!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.