
Summary

Authentication fails if you use non-password authentication (such as PIV cards) on an Identity Provider (IdP) server and the request contains the prompt parameter with the value login.

Cause

This problem occurs because the default prompt federation behavior is to convert the prompt=login parameter to wauth=password&wfresh=0 during federation.

About the fix

Active Directory Federation Services (AD FS) now supports the following options to control how the prompt=login parameter is handled during a federation. These options can be set globally for all federated servers by using the Set-AdfsProperties cmdlet, but only when the farm is running in mixed mode. The global setting is migrated automatically to the individual claims providers when the farm behavior level (FBL) is raised to Windows Server 2016. The current settings can be viewed by using the Get-AdfsProperties cmdlet.

Note: These options can also be set on individual claims providers by using the Add-AdfsClaimsProviderTrust cmdlet when the farm is running in a non-mixed mode.

  • None. Do not federate the prompt=login request and error instead.

  • FallbackToProtocolSpecificParameters (Default). Translate prompt=login to wfresh=0 and wauth=forms during a federation. If "wauth" exists in the original request, it will be preserved.

    The default "wauth" value can be overridden by using the PromptLoginFallbackAuthenticationType parameter. For example, the following command translates prompt=login to wfresh=0 and wauth=urn:ietf:rfc:2246 during a federation.

    Set-AdfsProperties -PromptLoginFederation FallbackToProtocolSpecificParameters -PromptLoginFallbackAuthenticationType urn:ietf:rfc:2246

  • ForwardPromptAndHintsOverWsFederation. Forward the prompt parameter as it is during a federation.

  • Disabled. Discard the prompt parameter from the request during a federation.

The following are examples of the Set-AdfsProperties cmdlet:

  • Set-AdfsProperties -PromptLoginFederation None

  • Set-AdfsProperties -PromptLoginFederation ForwardPromptAndHintsOverWsFederation
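
The four options can be compared side by side with a small model of the translation described above. This is an added example, not Microsoft's code or AD FS internals: Convert-PromptLogin, Format-Query and the sample request are hypothetical and constructed, and the model only reproduces the behavior as this article words it.

```powershell
# Added example: models the behavior described in this article; not AD FS code.
# Convert-PromptLogin is a hypothetical helper and the request is constructed.
function Convert-PromptLogin {
    param(
        [Parameter(Mandatory)] [hashtable] $Request,
        [ValidateSet('None', 'FallbackToProtocolSpecificParameters',
                     'ForwardPromptAndHintsOverWsFederation', 'Disabled')]
        [string] $PromptLoginFederation = 'FallbackToProtocolSpecificParameters',
        # 'forms' is the default wauth value as this article words it.
        [string] $PromptLoginFallbackAuthenticationType = 'forms'
    )
    $out = $Request.Clone()
    if ($out['prompt'] -ne 'login') { return $out }   # only prompt=login is handled
    switch ($PromptLoginFederation) {
        'None' { throw 'prompt=login is not federated' }
        'FallbackToProtocolSpecificParameters' {
            $out.Remove('prompt')                      # replaced by WS-Federation parameters
            $out['wfresh'] = '0'
            if (-not $out.ContainsKey('wauth')) {      # an existing wauth is preserved
                $out['wauth'] = $PromptLoginFallbackAuthenticationType
            }
        }
        'ForwardPromptAndHintsOverWsFederation' { }    # prompt is forwarded as it is
        'Disabled' { $out.Remove('prompt') }           # prompt is discarded
    }
    return $out
}

function Format-Query([hashtable] $Params) {
    ($Params.GetEnumerator() | Sort-Object Name |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '&'
}

$request = @{ prompt = 'login'; client_id = 'example-client' }   # constructed
foreach ($mode in 'FallbackToProtocolSpecificParameters',
                  'ForwardPromptAndHintsOverWsFederation', 'Disabled', 'None') {
    try {
        $result = Convert-PromptLogin -Request $request -PromptLoginFederation $mode
        '{0,-40} {1}' -f $mode, (Format-Query $result)
    } catch {
        '{0,-40} error: {1}' -f $mode, $_.Exception.Message
    }
}
# The override from the article: urn:ietf:rfc:2246 is the TLS client-certificate type.
$piv = Convert-PromptLogin -Request $request -PromptLoginFallbackAuthenticationType 'urn:ietf:rfc:2246'
'{0,-40} {1}' -f 'Fallback + urn:ietf:rfc:2246', (Format-Query $piv)
```

In this model the Disabled row carries neither prompt nor wfresh, so nothing in the federated request asks the claims provider for a fresh sign-in; keep that in mind when a relying party depends on prompt=login for re-authentication.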

How to get this update

To add the new option, install the February 2018 update KB 4077525.  

Prerequisites

To install this update, you must have Windows Server 2016 installed.
 

Registry information

To apply this update, you don't have to make any changes to the registry.
 

Restart requirement

You must restart the computer after you apply this update.
 

Update replacement information

This update does not replace a previously released update.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.
