Advanced configuration options for the NPS extension for Multi-Factor Authentication

The Network Policy Server (NPS) extension extends your cloud-based Azure AD Multi-Factor Authentication features into your on-premises infrastructure. This article assumes that you already have the extension installed and now want to know how to customize the extension for your needs.

Alternate login ID

Since the NPS extension connects to both your on-premises and cloud directories, you might encounter an issue where your on-premises user principal names (UPNs) don't match the names in the cloud. To solve this problem, use alternate login IDs.

Within the NPS extension, you can designate an Active Directory attribute to be used in place of the UPN for Azure AD Multi-Factor Authentication. This enables you to protect your on-premises resources with two-step verification without modifying your on-premises UPNs.

To configure alternate login IDs, go to HKLM\SOFTWARE\Microsoft\AzureMfa and edit the following registry values:

Name: LDAP_ALTERNATE_LOGINID_ATTRIBUTE
Type: string
Default value: Empty
Description: Designate the name of the Active Directory attribute that you want to use instead of the UPN. This attribute is used as the AlternateLoginId attribute. If this registry value is set to a valid Active Directory attribute (for example, mail or displayName), then the attribute's value is used in place of the user's UPN for authentication. If this registry value is empty or not configured, then AlternateLoginId is disabled and the user's UPN is used for authentication.

Name: LDAP_FORCE_GLOBAL_CATALOG
Type: boolean
Default value: False
Description: Use this flag to force the use of the Global Catalog for LDAP searches when looking up AlternateLoginId. Configure a domain controller as a Global Catalog, add the AlternateLoginId attribute to the Global Catalog, and then enable this flag. If LDAP_LOOKUP_FORESTS is configured (not empty), this flag is enforced as True regardless of the value of the registry setting. In this case, the NPS extension requires the Global Catalog to be configured with the AlternateLoginId attribute for each forest.

Name: LDAP_LOOKUP_FORESTS
Type: string
Default value: Empty
Description: Provide a semicolon-separated list of forests to search, for example contoso.com;foobar.com. If this registry value is configured, the NPS extension iteratively searches all the forests in the order in which they are listed and returns the first successful AlternateLoginId value. If this registry value is not configured, the AlternateLoginId lookup is confined to the current domain.

To troubleshoot problems with alternate login IDs, use the recommended steps for Alternate login ID errors.

IP exceptions

If you need to monitor server availability, for example when load balancers verify which servers are running before sending them workloads, you don't want these checks to be blocked by verification requests. Instead, create a list of IP addresses that you know are used by service accounts, and disable the Multi-Factor Authentication requirement for that list.

To configure an IP allowed list, go to HKLM\SOFTWARE\Microsoft\AzureMfa and configure the following registry value:

Name: IP_WHITELIST
Type: string
Default value: Empty
Description: Provide a semicolon-separated list of IP addresses. Include the IP addresses of the machines where service requests originate, such as the NAS/VPN server. IP ranges and subnets are not supported. For example: 10.0.0.1;10.0.0.2;10.0.0.3

Note

This registry value is not created by default by the installer, and an error appears in the AuthZOptCh log when the service is restarted. The error can be ignored. Alternatively, create the registry value and leave it empty if you do not need it; the error message then no longer appears.

When a request comes in from an IP address that exists in the IP_WHITELIST, two-step verification is skipped. The IP list is compared to the IP address provided in the ratNASIPAddress attribute of the RADIUS request. If a RADIUS request comes in without the ratNASIPAddress attribute, a warning is logged: "IP_WHITE_LIST_WARNING::IP Whitelist is being ignored as the source IP is missing in the RADIUS request NasIpAddress attribute."
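The following PowerShell script is an added example, not part of the Microsoft article or the NPS extension itself. It audits the AzureMfa registry values covered in both the alternate login ID and IP exceptions sections: it reports whether AlternateLoginId is in use, warns when LDAP_LOOKUP_FORESTS forces Global Catalog lookups, flags IP_WHITELIST entries that are not single IP addresses, and optionally creates the empty IP_WHITELIST value that suppresses the AuthZOptCh error. It assumes the boolean flag is stored as the text "True"/"False" or "1"/"0"; the `-CreateEmptyWhitelist` switch is this script's own parameter.

```powershell
# Added example (not from the article): audit the NPS extension's AzureMfa registry
# configuration. Read-only unless -CreateEmptyWhitelist is passed. Run elevated.
param([switch]$CreateEmptyWhitelist)

$key   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$props = Get-ItemProperty -Path $key -ErrorAction Stop

# --- Alternate login ID -------------------------------------------------------
$attr    = $props.LDAP_ALTERNATE_LOGINID_ATTRIBUTE
$forests = $props.LDAP_LOOKUP_FORESTS
$forceGc = $props.LDAP_FORCE_GLOBAL_CATALOG   # assumption: stored as text

if ([string]::IsNullOrWhiteSpace($attr)) {
    Write-Output 'AlternateLoginId is disabled; the UPN is sent to Azure AD MFA.'
} else {
    Write-Output "AlternateLoginId attribute: $attr"
    if (-not [string]::IsNullOrWhiteSpace($forests)) {
        # A non-empty forest list forces Global Catalog lookups regardless of the flag.
        Write-Output "Forest search order: $(($forests -split ';') -join ' -> ')"
        if ("$forceGc" -notmatch '^(true|1)$') {
            Write-Warning ('LDAP_LOOKUP_FORESTS is set, so Global Catalog lookups are enforced ' +
                           'even though LDAP_FORCE_GLOBAL_CATALOG is not True. Each forest must ' +
                           "replicate the '$attr' attribute to its Global Catalog.")
        }
    }
}

# --- IP exceptions -----------------------------------------------------------
if ($null -eq $props.IP_WHITELIST) {
    Write-Warning 'IP_WHITELIST does not exist; AuthZOptCh logs an error on service restart.'
    if ($CreateEmptyWhitelist) {
        New-ItemProperty -Path $key -Name IP_WHITELIST -PropertyType String -Value '' | Out-Null
        Write-Output 'Created an empty IP_WHITELIST value.'
    }
} else {
    foreach ($entry in ($props.IP_WHITELIST -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $ip = $null
        # Only single addresses are supported; ranges and CIDR subnets are flagged.
        if (-not [System.Net.IPAddress]::TryParse($entry.Trim(), [ref]$ip)) {
            Write-Warning "IP_WHITELIST entry '$entry' is not a single IP address (ranges/subnets are not supported)."
        } else {
            # Every listed NAS IP bypasses two-step verification, so each one should be a known RADIUS client.
            Write-Output "MFA skipped for requests whose ratNASIPAddress is $($ip.IPAddressToString)"
        }
    }
}
```

Run the script after any change to the key and compare its output against the list of RADIUS clients registered in NPS; an address that appears in IP_WHITELIST but not as a RADIUS client deserves a second look.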

Next steps

Resolve error messages from the NPS extension for Azure AD Multi-Factor Authentication