
Windows authentication - Kerberos constrained delegation with Azure Active Directory

Kerberos Constrained Delegation (KCD) provides constrained delegation between resources and is based on Service Principal Names. It requires domain administrators to create the delegations and is limited to a single domain. Resource-based KCD is often used as a way of providing Kerberos authentication for a web application that has users in multiple domains within an Active Directory forest.

Azure Active Directory Application Proxy can provide single sign-on (SSO) and remote access to KCD-based applications that require a Kerberos ticket for access and Kerberos Constrained Delegation (KCD).

You enable SSO to your on-premises KCD applications that use Integrated Windows Authentication (IWA) by giving Application Proxy connectors permission to impersonate users in Active Directory. The Application Proxy connector uses this permission to send and receive tokens on the users' behalf.
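Granting that impersonation permission in the resource-based KCD form is an Active Directory change, not an Azure AD one. The following is an added example (not from the original article) showing how an administrator would allow the connector's computer account to delegate to the application's identity and then verify the result; the names CONNECTOR01 and APPSRV01 are assumed placeholders, and the example assumes the web application runs under the application server's machine account and that the connector service runs as the default local system identity, so its computer account is the delegating principal.

```powershell
# Added example: grant an Application Proxy connector resource-based KCD rights to the
# web application's identity, then verify. Assumed names: CONNECTOR01 (connector host)
# and APPSRV01 (server hosting the IWA web app, whose machine account is the app identity).
# Run as a domain administrator on a host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$connectorHost = 'CONNECTOR01'   # assumed connector computer name
$appServer     = 'APPSRV01'      # assumed application server computer name

$connector = Get-ADComputer -Identity $connectorHost
$app       = Get-ADComputer -Identity $appServer -Properties PrincipalsAllowedToDelegateToAccount

# Resource-based KCD stores the permission on the *resource* (the app's identity) as the
# list of principals allowed to delegate to it. Preserve existing entries so a second
# connector, possibly in another domain of the forest, keeps its rights; drop a stale
# duplicate of this connector before appending it.
$existing = @($app.PrincipalsAllowedToDelegateToAccount |
    Where-Object { "$_" -ne $connector.DistinguishedName })
$allowed  = $existing + $connector

Set-ADComputer -Identity $app -PrincipalsAllowedToDelegateToAccount $allowed

# Verification: re-read the attribute and review every principal on it. Delegation
# rights are high-value; anything other than the expected connector accounts should
# be investigated and removed (least privilege on who may act on users' behalf).
$check = Get-ADComputer -Identity $appServer -Properties PrincipalsAllowedToDelegateToAccount
$check.PrincipalsAllowedToDelegateToAccount | ForEach-Object { "Allowed to delegate: $_" }
```

If the application instead runs under a domain service account, apply the same parameter with Set-ADUser against that account; if the connector service has been configured to run under a domain account, pass that account (Get-ADUser) rather than the connector's computer object.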

Use when

There is a need to provide remote access, protect with pre-authentication, and provide SSO to on-premises IWA applications.

Architecture diagram

Components of system

  • User: Accesses the legacy application served by Application Proxy.

  • Web browser: The component that the user interacts with to access the external URL of the application.

  • Azure AD: Authenticates the user.

  • Application Proxy service: Acts as a reverse proxy to send the request from the user to the on-premises application. It sits in Azure AD. Application Proxy can also enforce any conditional access policies.

  • Application Proxy connector: Installed on-premises on Windows servers to provide connectivity to the application. Returns the response to Azure AD. Performs KCD negotiation with Active Directory, impersonating the user to get a Kerberos token to the application.

  • Active Directory: Sends the Kerberos token for the application to the Application Proxy connector.

  • Legacy applications: Applications that receive user requests from Application Proxy. The legacy applications return the response to the Application Proxy connector.

Implement Windows authentication (KCD) with Azure AD