已禁用的用户无法通过 ADFS + Multi-Factor Server 成功进行身份验证

Question 1

以下是我为实现此目的所做的事情。您可以在 powershell 中设置规则，而不是使用 gui。将 Relying-Part-Trust 和 group-sid 替换为您的

$rp = Get-AdfsRelyingPartyTrust –Name 'Relying-Party-Trust'
Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp -additionalauthenticationrules 
'[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value 
== "group-sid"] && [Type == 
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] 
=> issue(Type = 
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value 
= "http://schemas.microsoft.com/claims/multipleauthn");'

Answer

以下是我为实现此目的所做的事情。您可以在 powershell 中设置规则，而不是使用 gui。将 Relying-Part-Trust 和 group-sid 替换为您的

$rp = Get-AdfsRelyingPartyTrust –Name 'Relying-Party-Trust'
Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp -additionalauthenticationrules 
'[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value 
== "group-sid"] && [Type == 
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] 
=> issue(Type = 
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value 
= "http://schemas.microsoft.com/claims/multipleauthn");'

Question 2

您需要添加额外的声明来区分互联网和外联网。

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies#to-configure-multi-factor-authentication-globally

Answer

您需要添加额外的声明来区分互联网和外联网。

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies#to-configure-multi-factor-authentication-globally

已禁用的用户无法通过 ADFS + Multi-Factor Server 成功进行身份验证

答案1

答案2

相关内容