{"id":1184,"date":"2018-03-05T09:00:17","date_gmt":"2018-03-05T17:00:17","guid":{"rendered":"https:\/\/www.microsoft.com\/zh-tw\/2018\/03\/05\/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks\/"},"modified":"2022-06-28T11:36:17","modified_gmt":"2022-06-28T18:36:17","slug":"azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/zh-tw\/microsoft-365\/blog\/2018\/03\/05\/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks\/","title":{"rendered":"Azure AD and ADFS best practices: Defending against password spray attacks"},"content":{"rendered":"

Hello everyone,<\/p>\n

As long as you have had a password, someone has been trying to guess it. In this blog post, we discuss a common attack that has recently become far more frequent, and some best practices for defending against it. This attack is commonly called password spray.<\/strong><\/p>\n

In a password spray attack, the attacker tries the most common passwords across many<\/em> different accounts and services to gain access to any password-protected assets they can find. These attacks usually span many different organizations and identity providers. For example, an attacker will use a readily available toolkit such as Mailsniper<\/a> to enumerate all of the users in several organizations and then try \"P@$$w0rd\" and \"Password1\" against those accounts. To give you a clear picture, an attack might look like this:<\/p>\n

\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n
Target user<\/strong><\/td>\nTarget password<\/strong><\/td>\n<\/tr>\n
User1@org1.com<\/td>\nPassword1<\/td>\n<\/tr>\n
User2@org1.com<\/td>\nPassword1<\/td>\n<\/tr>\n
User1@org2.com<\/td>\nPassword1<\/td>\n<\/tr>\n
User2@org2.com<\/td>\nPassword1<\/td>\n<\/tr>\n
\u2026<\/td>\n\u2026<\/td>\n<\/tr>\n
User1@org1.com<\/td>\nP@$$w0rd<\/td>\n<\/tr>\n
User2@org1.com<\/td>\nP@$$w0rd<\/td>\n<\/tr>\n
User1@org2.com<\/td>\nP@$$w0rd<\/td>\n<\/tr>\n
User2@org2.com<\/td>\nP@$$w0rd<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

This attack pattern evades most detection techniques because, from the vantage point of an individual user or company, the attack just looks like an isolated failed sign-in.<\/p>\n

For attackers, though, it is a numbers game: they know that some passwords really are extremely<\/em> common. Even though accounts using these most common passwords make up only 0.5 to 1.0% of all accounts, the attack is already effective as long as the attacker gets a few successes for every thousand accounts.<\/p>\n

They use these accounts to get data from email, harvest contact information and send phishing links, or simply expand the password spray target group. Attackers do not care who their targets actually are, only that they get some success they can leverage.<\/p>\n

The good news is that Microsoft has already implemented many tools that blunt these attacks, and more are coming. Read on to see what you can do now and in the coming months to stop password spray attacks.<\/p>\n

4 easy steps to disrupt password spray attacks<\/h3>\n

Step 1: Use cloud authentication<\/h3>\n

In the cloud, we see billions of sign-ins to Microsoft systems every day. Our security detection algorithms let us detect attacks and block them as they happen. Because these real-time detection and protection systems are driven from the cloud, they are available only when you do Azure AD authentication in the cloud (including Pass-Through Authentication<\/a>).<\/p>\n

Smart Lockout<\/h3>\n

In the cloud, we use Smart Lockout to differentiate between sign-ins that look like they come from the valid user and sign-ins that may come from an attacker. We can lock out the attacker while letting the valid user keep using the account. This prevents denial of service on the user and<\/em> stops overzealous password spray attacks. This applies to Azure AD sign-ins at any license level and to all Microsoft account sign-ins.<\/p>\n

Starting in March 2018, tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout in ADFS on Windows Server 2016; watch Windows Update for this capability.<\/p>\n

IP Lockout<\/h3>\n

IP Lockout works by analyzing those billions of sign-ins to assess the quality of the traffic each IP address sends to Microsoft's systems. With that analysis, IP Lockout finds IP addresses that behave suspiciously and blocks their sign-ins in real time<\/em>.<\/p>\n

Attack Simulation<\/h3>\n

Attack Simulator is now available in public preview<\/a>. As part of Office 365 Threat Intelligence, it lets customers launch simulated attacks on their own users, determine how those users would behave in the event of an attack, and update policies to ensure that appropriate security tools are in place to protect your organization from threats such as password spray attacks.<\/p>\n


We recommend that you do the following as soon as possible:<\/h3>\n
    \n
  1. If you are using cloud authentication, you are already covered<\/li>\n
  2. If you are using ADFS or another hybrid scenario, look for the March 2018 ADFS upgrade to get Smart Lockout<\/li>\n
  3. Use Attack Simulator<\/a> to proactively evaluate your security posture and make adjustments<\/li>\n<\/ol>\n

    Step 2: Use multi-factor authentication<\/h3>\n

    A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop these attackers, we need to use something more than the password to distinguish the account owner from the attacker. Below are three ways to do this.<\/p>\n

    Risk-based multi-factor authentication<\/h3>\n

    Azure AD Identity Protection uses the sign-in data mentioned above, together with advanced machine learning and algorithmic detection, to assign a risk score to every sign-in that comes into the system. This lets enterprise customers create policies in Identity Protection that prompt a user to authenticate with a second factor if risk is detected for the user or for the session. This lessens the burden on your users and puts obstacles in the way of bad actors. Learn more about Azure Active Directory Identity Protection<\/a>.<\/p>\n


    Always-on multi-factor authentication<\/h3>\n

    For even more security, you can use Azure MFA to require multi-factor authentication from your users every time<\/em>, in both cloud authentication and ADFS. This requires users to have their devices with them at every sign-in and to perform multi-factor authentication more often, which gives your enterprise the highest level of security. You should enable this for every administrator in your organization. Learn more about Azure Multi-Factor Authentication<\/a>, and how to configure Azure MFA for ADFS<\/a>.<\/p>\n

    Azure MFA as primary authentication<\/h3>\n

    In ADFS 2016, you can use Azure MFA as the primary authentication method for passwordless authentication<\/a>. This is a great tool for guarding against password spray and password theft attacks: after all, if there is no password, there is nothing to guess. It works for all types of devices with various form factors. In addition, you can now use the password as the second factor only after your OTP has been validated with Azure MFA. Learn more about using the password as the second factor<\/a>.<\/p>\n

    We recommend that you do the following as soon as possible:<\/h3>\n
      \n
    1. We strongly recommend<\/em> that you enable always-on multi-factor authentication for all admins<\/em> in your organization, especially<\/em> subscription owners and tenant admins. Seriously, go do this right now.<\/li>\n
    2. For the best experience for the rest of your users, we recommend that you enable risk-based multi-factor authentication for them, which is available with Azure AD Premium P2 licenses.<\/li>\n
    3. Otherwise, use Azure MFA for cloud authentication and ADFS.<\/li>\n
    4. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all of your extranet access.<\/li>\n<\/ol>\n

      Step 3: Better passwords for everyone<\/h3>\n

      Even with all of the above in place, a key component of password spray defense is for all<\/em> users to have passwords that are hard to guess. It is often difficult for users to know how to create hard-to-guess passwords. Microsoft can help you get there with the following tools.<\/p>\n

      Banned passwords<\/h3>\n

      In Azure AD, every<\/em> password change and reset is run through a banned password checker. When someone submits a new password, it is fuzzy-matched against a list of words that no one should ever have in a password (and Leet spelling such as l33t-sp3@k does not get around the match). If there is a match, the new password is rejected and the user is asked to choose one that is harder to guess. We build this list of the most commonly attacked passwords and update it frequently.<\/p>\n


      Custom banned passwords<\/h3>\n

      To make banned passwords even better, we are going to allow tenants to customize their banned password lists<\/strong>. Admins can choose words common to their organization, such as famous employees or founders, products, locations, and regional icons, and prevent users from using them in passwords. This list is enforced in addition to the global list, so you do not have to choose one or the other. This feature is currently in limited preview and will roll out this year.<\/p>\n

      Banned passwords for on-premises changes<\/h3>\n

      This spring, we launched a tool that lets enterprise admins ban passwords<\/strong> in hybrid Azure AD-Active Directory environments. The banned password list is synchronized from the cloud to your on-premises environment and enforced on every domain controller that has the agent. Whether users change their passwords in the cloud or on-premises, this helps admins ensure that those passwords are harder for others to guess. We launched a limited private preview of this feature in February 2018, and it will roll out worldwide this year.<\/p>\n

      Change how you think about passwords<\/h3>\n

      Many common conceptions about what makes a good password are wrong. Often, the ideas that make the most mathematical sense are the ones that lead to predictable user behavior: for example, requiring certain character types and requiring periodic password changes both result in specific password patterns. Read our password guidance whitepaper<\/a> for more detail. If you are using Active Directory with PTA or ADFS, update your password policies<\/a>. If you are using cloud-managed accounts, consider setting your passwords to never expire<\/a>.<\/p>\n

      We recommend that you do the following as soon as possible:<\/h3>\n
        \n
      1. Install the Microsoft banned password tool on-premises as soon as it is released, to help your users create better passwords.<\/li>\n
      2. Review your password policies and consider setting passwords to never expire<\/a>, so that your users do not use seasonal patterns to create their passwords.<\/li>\n<\/ol>\n

        Step 4: Use more powerful features in ADFS and Active Directory<\/h3>\n

        If you are using hybrid authentication with ADFS and Active Directory, there are more steps you can take to protect your environment against password spray attacks.<\/p>\n

        The first step: organizations running ADFS 2.0 or Windows Server 2012 should plan to move to ADFS in Windows Server 2016 as soon as possible. The latest version is updated more quickly and brings a richer set of capabilities, such as extranet lockout. And remember: upgrading from Windows Server 2012R2 to 2016 is really easy.<\/p>\n

        Block legacy authentication from the extranet<\/h3>\n

        Legacy authentication protocols cannot enforce MFA, so the best approach is to block legacy authentication from the extranet<\/a>. This prevents password spray attackers from exploiting the lack of MFA on those protocols.<\/p>\n

        Enable ADFS Web Application Proxy extranet lockout<\/h3>\n

        If you have not yet enabled extranet lockout at the ADFS Web Application Proxy, you should enable it as soon as possible<\/a> to protect your users from potential password brute-force attacks.<\/p>\n

        Deploy Azure AD Connect Health for ADFS<\/h3>\n

        Azure AD Connect Health captures the IP addresses recorded in the ADFS logs for bad username\/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when you open assisted support cases.<\/p>\n

        To deploy, download the Azure AD Connect Health agent for ADFS<\/a> on all ADFS servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222<\/a> installed, or Windows Server 2016.<\/p>\n

        Use non-password-based access methods<\/h3>\n

        Without a password, there is no password to guess. The following non-password-based authentication methods are available for ADFS and the Web Application Proxy:<\/p>\n

          \n
        1. Certificate-based authentication allows username\/password endpoints to be blocked completely at the firewall. Learn more about certificate-based authentication in ADFS<\/a><\/li>\n
        2. As mentioned above, you can use Azure MFA as a second factor in cloud authentication, ADFS 2012 R2 and ADFS 2016. But you can also use it as the primary factor in ADFS 2016 to completely eliminate the possibility of password spray. Learn how to configure Azure MFA with ADFS<\/a><\/li>\n
        3. Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. It is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined, and personal devices can also use it through the [Add Work or School Account] option in the Settings app. Get more information about Hello for Business<\/a>.<\/li>\n<\/ol>\n

          We recommend that you do the following as soon as possible:<\/h3>\n
            \n
          1. Upgrade to ADFS 2016 to get updates faster<\/li>\n
          2. Block legacy authentication from the extranet<\/a>.<\/li>\n
          3. Deploy the Azure AD Connect Health agent for ADFS on all of your ADFS servers.<\/li>\n
          4. Consider using a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.<\/li>\n<\/ol>\n

            Bonus: Protect your Microsoft accounts<\/h3>\n

            If you are a Microsoft account user:<\/p>\n