
Implement password hash synchronization with Azure AD Connect sync

This article provides the information you need to synchronize your users' passwords from an on-premises Active Directory instance to a cloud-based Azure Active Directory (Azure AD) instance.

How password hash synchronization works

Active Directory Domain Services stores each password as a hash value of the actual user password. A hash value is the output of a one-way mathematical function (the hashing algorithm). There is no method to revert the output of a one-way function to the plain-text version of the password; the only way to recover a password from its hash is to guess candidates and compare their hashes.

To synchronize your passwords, Azure AD Connect sync extracts the password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order.

The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When a password is synchronized, it overwrites the existing cloud password.

The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords to synchronize. However, if there are multiple connectors, you can disable password hash sync for some connectors but not others by using the Set-ADSyncAADPasswordSyncConfiguration cmdlet.

When you change an on-premises password, the updated password is synchronized, most often within a matter of minutes. The password hash synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, the error is logged in Event Viewer.

The synchronization of a password has no impact on a user who is currently signed in. A cloud service session is not immediately affected by a synchronized password change that occurs while the user is signed in to that service. However, when the cloud service requires the user to authenticate again, they need to provide the new password.

A user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they're signed in to their corporate network. This pattern can be minimized, however, if the user selects the Keep me signed in (KMSI) check box at sign-in. This selection sets a session cookie that bypasses authentication for 180 days. KMSI behavior can be enabled or disabled by the Azure AD administrator. In addition, you can reduce password prompts by turning on Seamless SSO, which automatically signs users in when they are on corporate devices connected to your corporate network.

Note

Password sync is only supported for the user object type in Active Directory. It is not supported for the iNetOrgPerson object type.

Detailed description of how password hash synchronization works

The following section describes, in depth, how password hash synchronization works between Active Directory and Azure AD.

Detailed password flow

  1. Every two minutes, the password hash synchronization agent on the AD Connect server requests stored password hashes (the unicodePwd attribute) from a DC. This request uses the standard MS-DRSR replication protocol that DCs use to synchronize data among themselves. The service account must have the Replicate Directory Changes and Replicate Directory Changes All AD permissions (granted by default on installation) to obtain the password hashes.
  2. Before sending, the DC encrypts the MD4 password hash with a key that is an MD5 hash of the RPC session key and a salt. It then sends the result to the password hash synchronization agent over RPC. The DC also passes the salt to the synchronization agent through the DC replication protocol, so the agent is able to decrypt the envelope.
  3. After the password hash synchronization agent has the encrypted envelope, it uses MD5CryptoServiceProvider and the salt to generate a key and decrypt the received data back to its original MD4 form. The password hash synchronization agent never has access to the clear-text password. The agent's use of MD5 is strictly for replication protocol compatibility with the DC, and it is only used on premises between the DC and the agent.
  4. The password hash synchronization agent expands the 16-byte binary password hash to 64 bytes by first converting the hash to a 32-character hexadecimal string, then converting this string back into binary with UTF-16 encoding.
  5. The password hash synchronization agent adds a per-user salt of 10 bytes to the 64-byte binary to further protect the original hash.
  6. The password hash synchronization agent then combines the expanded MD4 hash and the per-user salt and feeds them into the PBKDF2 function, using 1000 iterations of the HMAC-SHA256 keyed hashing algorithm.
  7. The password hash synchronization agent takes the resulting 32-byte hash, concatenates the per-user salt and the number of SHA256 iterations to it (for use by Azure AD), then transmits the string from Azure AD Connect to Azure AD over a TLS (SSL) connection.
  8. When a user attempts to sign in to Azure AD and enters their password, the password is run through the same MD4+salt+PBKDF2+HMAC-SHA256 process. If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.
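The transformation in steps 4 to 8, as an added worked example in Python (not code from this page or from Azure AD Connect). It carries a password from the NT hash (MD4 over the UTF-16LE password, as stored in unicodePwd) through the hex expansion, the 10-byte per-user salt and 1000 rounds of PBKDF2-HMAC-SHA256, and then verifies a sign-in against the stored result. The page does not state the hex case, the UTF-16 byte order or the wire layout of the salt and iteration count, so the lowercase hex, UTF-16LE and the `PBKDF2-HMAC-SHA256$iterations$salt$hash` record format are assumptions of this example. A pure-Python MD4 is included because hashlib.new('md4') is often unavailable on OpenSSL 3 builds.

```python
"""Added example: the Azure AD Connect password hash transformation of steps 4-8.
Not code from the page or from Microsoft; hex case, UTF-16 byte order and the
record layout are this example's assumptions."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
ITERATIONS = 1000        # HMAC-SHA256 rounds the page states for PBKDF2
SALT_LEN = 10            # per-user salt length the page states


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the function AD uses for unicodePwd."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                  # round 1
            a = _rotl((a + f(b, c, d) + w[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + w[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the DC stores in unicodePwd: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16le"))


def expand_for_sync(nt: bytes) -> bytes:
    """Step 4: 16 bytes -> 32 hex characters -> UTF-16 -> 64 bytes.
    Assumption: lowercase hex and little-endian UTF-16; the page states neither."""
    expanded = nt.hex().encode("utf-16le")
    assert len(expanded) == 64
    return expanded


def derive_cloud_hash(nt: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Steps 5-6: PBKDF2-HMAC-SHA256 over the expanded hash with the per-user salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("per-user salt must be %d bytes" % SALT_LEN)
    return hashlib.pbkdf2_hmac("sha256", expand_for_sync(nt), salt, iterations, dklen=32)


def make_sync_record(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Step 7: the hash plus the salt and iteration count Azure AD needs to re-derive it.
    The '$'-separated layout is this example's own, not Microsoft's wire format."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = derive_cloud_hash(nt_hash(password), salt, iterations)
    return "PBKDF2-HMAC-SHA256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_cloud_password(password: str, record: str) -> bool:
    """Step 8: the cloud side re-runs MD4+expand+salt+PBKDF2 and compares in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    expected = derive_cloud_hash(nt_hash(password), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = make_sync_record("password")
    print("record sent to Azure AD:", rec)
    print("on-prem NT hash:", nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print("correct password accepted:", verify_cloud_password("password", rec))
    print("wrong password rejected:", not verify_cloud_password("Password", rec))
```

The record never contains the raw MD4 value, which is the property the note that follows relies on: a leaked Azure AD record cannot be replayed against on-premises NTLM, though it can still be attacked by offline guessing at 1000 PBKDF2 rounds per candidate.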

Note

The original MD4 hash is not transmitted to Azure AD. Instead, the SHA256 hash of the original MD4 hash is transmitted. As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash attack. It can still be subjected to offline password guessing, so the strength of your on-premises password policy continues to matter.

Security considerations

When passwords are synchronized, the plain-text version of the password is not exposed to the password hash synchronization feature, to Azure AD, or to any of the associated services.

User authentication takes place against Azure AD rather than against the organization's own Active Directory instance. The SHA256 password data stored in Azure AD (a hash of the original MD4 hash) is more secure than what is stored in Active Directory. Further, because this SHA256 hash cannot be reversed, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack.

Password policy considerations

Two types of password policy are affected by enabling password hash synchronization:

  • Password complexity policy
  • Password expiration policy

Password complexity policy

When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override the complexity policies in the cloud for synchronized users. Any password that is valid in your on-premises Active Directory instance can be used to access Azure AD services.

Note

Passwords for users that are created directly in the cloud are still subject to the password policies defined in the cloud.

Password expiration policy

If a user is in the scope of password hash synchronization, the cloud account password is set to Never Expire by default.

You can continue to sign in to your cloud services by using a synchronized password that has expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment.

Public preview of the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature

If there are synchronized users that only interact with Azure AD integrated services and must also comply with a password expiration policy, you can force them to comply with your Azure AD password expiration policy by enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature.

When EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled (the default setting), Azure AD Connect sets the PasswordPolicies attribute of synchronized users to "DisablePasswordExpiration". This is done every time a user's password is synchronized and instructs Azure AD to ignore the cloud password expiration policy for that user. You can check the value of the attribute with the Azure AD PowerShell module using the following command:

(Get-AzureADUser -ObjectId <User Object ID>).PasswordPolicies

To enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, run the following command using the MSOnline PowerShell module. The cmdlet prompts for the Enable parameter; type yes as shown (passing -Enable $true on the command line is equivalent):

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
cmdlet Set-MsolDirSyncFeature at command pipeline position 1
Supply values for the following parameters:
Enable: yes
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

Once enabled, Azure AD does not go through each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the value is set to None for each user during their next password sync, which happens when they next change their password in on-premises AD.

It is recommended to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers before enabling password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration value to the users' PasswordPolicies attribute.

The default Azure AD password policy requires users to change their passwords every 90 days. If your policy in AD is also 90 days, the two policies match. If the AD policy is not 90 days, you can update the Azure AD password policy to match by using the Set-MsolPasswordPolicy PowerShell cmdlet.

Azure AD supports a separate password expiration policy per registered domain.

Caveat: If there are synchronized accounts that need non-expiring passwords in Azure AD, you must explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute of the user object in Azure AD. You can do this by running the following command.

Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"

Note

This feature is in public preview right now. The Set-MsolPasswordPolicy PowerShell cmdlet does not work on federated domains.

Public preview of synchronizing temporary passwords and "Force Password Change on Next Logon"

It is common to force a user to change their password at first logon, especially after an administrator resets it. This is known as setting a "temporary" password and is done by checking the "User must change password at next logon" flag on the user object in Active Directory (AD).

The temporary password functionality helps ensure that the transfer of ownership of the credential is completed on first use, minimizing the time during which more than one individual knows that credential.

To support temporary passwords in Azure AD for synchronized users, enable the ForcePasswordChangeOnLogOn feature by running the following command on your Azure AD Connect server:

Set-ADSyncAADCompanyFeature  -ForcePasswordChangeOnLogOn $true

Note

Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect does not pick up the force-password-change flag by itself; it is synchronized only as a supplement to the password change detected during password hash sync.

Caution

You should only use this feature when SSPR and password writeback are enabled on the tenant, so that when a user changes their password via SSPR, the new password is written back to Active Directory.

Note

This feature is in public preview right now.

Account expiration

If your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend that when an account expires, a workflow action triggers a PowerShell script that disables the user's Azure AD account (use the Set-AzureADUser cmdlet). Conversely, when the account is turned on again, the Azure AD account should be re-enabled.
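The decision logic such a workflow needs, as an added Python example (not code from this page or from Microsoft). accountExpires is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and Active Directory uses both 0 and 0x7FFFFFFFFFFFFFFF to mean "never expires", which is the edge case a naive "is the timestamp in the past" comparison gets wrong. The user records are constructed for this example; the function returns the (userPrincipalName, AccountEnabled) pairs to hand to Set-AzureADUser. It covers only accountExpires; the disabled bit in userAccountControl is synchronized by Azure AD Connect itself and needs no such workflow.

```python
"""Added example: decide which Azure AD accounts a workflow must disable or
re-enable because accountExpires does not synchronize. Sample data is constructed."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch; accountExpires counts 100-nanosecond ticks from here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values mean "account never expires" in Active Directory.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_expired(account_expires: int, now: datetime) -> bool:
    """True only when accountExpires holds a real timestamp that is already past."""
    if account_expires in NEVER_EXPIRES:
        return False
    return filetime_to_datetime(account_expires) <= now


def plan_cloud_account_changes(users, now: datetime):
    """users: iterable of dicts with 'upn', 'accountExpires' (int FILETIME) and
    'cloudEnabled' (the user's current Azure AD AccountEnabled value).
    Returns the (upn, desired_state) pairs whose cloud state must change."""
    changes = []
    for u in users:
        desired = not is_expired(u["accountExpires"], now)
        if desired != u["cloudEnabled"]:
            changes.append((u["upn"], desired))
    return changes


# Constructed sample data for this example (not real directory output).
SAMPLE_USERS = [
    {"upn": "alice@contoso.example", "accountExpires": 0, "cloudEnabled": True},                  # never expires
    {"upn": "bob@contoso.example", "accountExpires": 0x7FFFFFFFFFFFFFFF, "cloudEnabled": True},   # never expires
    {"upn": "carol@contoso.example", "accountExpires": 132223104000000000, "cloudEnabled": True},  # expired 2020-01-01
    {"upn": "dave@contoso.example", "accountExpires": 0, "cloudEnabled": False},                  # expiry cleared on-prem
]

if __name__ == "__main__":
    for upn, state in plan_cloud_account_changes(SAMPLE_USERS, datetime.now(timezone.utc)):
        # The workflow would run: Set-AzureADUser -ObjectId <upn> -AccountEnabled $state
        print(f"{upn}: AccountEnabled -> {state}")
```

Treating 0 and 0x7FFFFFFFFFFFFFFF as "never" is what keeps the script from disabling every account that has no expiry set; with the sample data it disables carol and re-enables dave, and leaves alice and bob alone.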

Overwrite synchronized passwords

An administrator can manually reset a user's password by using Windows PowerShell.

In this case, the new password overrides the synchronized password, and all password policies defined in the cloud are applied to the new password.

If the user changes their on-premises password again, the new password is synchronized to the cloud and overrides the manually updated password.

The synchronization of a password has no impact on the Azure user who is signed in. The current cloud service session is not immediately affected by a synchronized password change that occurs while the user is signed in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires the user to authenticate again, they need to provide the new password.

Additional advantages

  • Generally, password hash synchronization is simpler to implement than a federation service. It doesn't require any additional servers, and eliminates the dependence on a highly available federation service to authenticate users.
  • Password hash synchronization can also be enabled in addition to federation. It can be used as a fallback if your federation service experiences an outage.

Password hash sync process for Azure AD Domain Services

If you use Azure AD Domain Services to provide legacy authentication for applications and services that need Kerberos, LDAP, or NTLM, some additional processes are part of the password hash synchronization flow. Azure AD Connect uses the following additional process to synchronize password hashes to Azure AD for use in Azure AD Domain Services:

Important

Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in an Azure AD DS managed domain to synchronize objects back to Azure AD.

Azure AD Connect only synchronizes legacy password hashes when you enable Azure AD DS for your Azure AD tenant. The following steps aren't used if you only use Azure AD Connect to synchronize an on-premises AD DS environment with Azure AD.

If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Azure AD DS. For more information, see Disable weak cipher suites and NTLM credential hash synchronization.

  1. Azure AD Connect retrieves the public key for the tenant's instance of Azure AD Domain Services.
  2. When a user changes their password, the on-premises domain controller stores the result of the password change (hashes) in two attributes:
    • unicodePwd for the NTLM password hash.
    • supplementalCredentials for the Kerberos password hashes.
  3. Azure AD Connect detects password changes through the directory replication channel (attribute changes that need to replicate to other domain controllers).
  4. For each user whose password has changed, Azure AD Connect performs the following steps:
    • Generates a random AES 256-bit symmetric key.
    • Generates a random initialization vector needed for the first round of encryption.
    • Extracts the Kerberos password hashes from the supplementalCredentials attribute.
    • Checks the Azure AD Domain Services security configuration SyncNtlmPasswords setting.
      • If this setting is disabled, generates a random, high-entropy NTLM hash (unrelated to the user's password). This hash is then combined with the Kerberos password hashes extracted from the supplementalCredentials attribute into one data structure.
      • If enabled, combines the value of the unicodePwd attribute with the Kerberos password hashes extracted from the supplementalCredentials attribute into one data structure.
    • Encrypts the single data structure using the AES symmetric key.
    • Encrypts the AES symmetric key using the tenant's Azure AD Domain Services public key.
  5. Azure AD Connect transmits the encrypted AES symmetric key, the encrypted data structure containing the password hashes, and the initialization vector to Azure AD.
  6. Azure AD stores the encrypted AES symmetric key, the encrypted data structure, and the initialization vector for the user. Because the matching private key is held only by Azure AD Domain Services (step 8), Azure AD itself cannot read these hashes.
  7. Azure AD pushes the encrypted AES symmetric key, the encrypted data structure, and the initialization vector to Azure AD Domain Services using an internal synchronization mechanism over an encrypted HTTP session.
  8. Azure AD Domain Services retrieves the private key for the tenant's instance from Azure Key Vault.
  9. For each encrypted set of data (representing a single user's password change), Azure AD Domain Services then performs the following steps:
    • Uses its private key to decrypt the AES symmetric key.
    • Uses the AES symmetric key with the initialization vector to decrypt the encrypted data structure that contains the password hashes.
    • Writes the Kerberos password hashes it receives to the Azure AD Domain Services domain controller. The hashes are saved into the user object's supplementalCredentials attribute, which is encrypted to the Azure AD Domain Services domain controller's public key.
    • Writes the NTLM password hash it receives to the Azure AD Domain Services domain controller. The hash is saved into the user object's unicodePwd attribute, which is encrypted to the Azure AD Domain Services domain controller's public key.

Enable password hash synchronization

Important

If you are migrating from AD FS (or other federation technologies) to password hash synchronization, we highly recommend that you follow our detailed deployment guide published here.

When you install Azure AD Connect by using the Express Settings option, password hash synchronization is automatically enabled. For more information, see Getting started with Azure AD Connect using express settings.

If you use custom settings when you install Azure AD Connect, password hash synchronization is available on the User sign-in page. For more information, see Custom installation of Azure AD Connect.


Password hash synchronization and FIPS

If your server has been locked down according to the Federal Information Processing Standard (FIPS), MD5 is disabled, and the agent cannot decrypt the replication envelope described above.

To enable MD5 for password hash synchronization, perform the following steps:

  1. Go to %programfiles%\Azure AD Sync\Bin.
  2. Open miiserver.exe.config.
  3. Go to the configuration/runtime node at the end of the file.
  4. Add the following node: <enforceFIPSPolicy enabled="false"/>
  5. Save your changes.

For reference, this is what the snippet should look like:

    <configuration>
        <runtime>
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
    </configuration>

This setting only relaxes the .NET FIPS enforcement check for the synchronization service process; as described above, MD5 is used only on premises between the DC and the agent, for replication protocol compatibility. For information about security and FIPS, see Azure AD password hash sync, encryption, and FIPS compliance.

Troubleshoot password hash synchronization

If you have problems with password hash synchronization, see Troubleshoot password hash synchronization.

Next steps