选择身份验证模式Choose an Authentication Mode

适用对象:是SQL Server 否Azure SQL 数据库 否Azure Synapse Analytics (SQL DW) 否并行数据仓库APPLIES TO: yesSQL Server noAzure SQL Database noAzure Synapse Analytics (SQL DW) noParallel Data Warehouse

在安装过程中,必须为 数据库引擎Database Engine选择身份验证模式。During setup, you must select an authentication mode for the 数据库引擎Database Engine. 下面是两种可能的模式:Windows 身份验证模式和混合模式。There are two possible modes: Windows Authentication mode and mixed mode. Windows 身份验证模式会启用 Windows 身份验证并禁用 SQL ServerSQL Server 身份验证。Windows Authentication mode enables Windows Authentication and disables SQL ServerSQL Server Authentication. 混合模式会同时启用 Windows 身份验证和 SQL ServerSQL Server 身份验证。Mixed mode enables both Windows Authentication and SQL ServerSQL Server Authentication. Windows 身份验证始终可用,并且无法禁用。Windows Authentication is always available and cannot be disabled.

配置身份验证模式Configuring the Authentication Mode

如果在安装过程中选择混合模式身份验证,则必须为名为 sa 的内置 SQL ServerSQL Server 系统管理员帐户提供一个强密码并确认该密码。If you select Mixed Mode Authentication during setup, you must provide and then confirm a strong password for the built-in SQL ServerSQL Server system administrator account named sa. sa 帐户通过使用 SQL ServerSQL Server 身份验证进行连接。The sa account connects by using SQL ServerSQL Server Authentication.

如果在安装过程中选择 Windows 身份验证,则安装程序会为 SQL ServerSQL Server 身份验证创建 sa 帐户,但会禁用该帐户。If you select Windows Authentication during setup, Setup creates the sa account for SQL ServerSQL Server Authentication but it is disabled. 如果稍后更改为混合模式身份验证并要使用 sa 帐户,则必须启用该帐户。If you later change to Mixed Mode Authentication and you want to use the sa account, you must enable the account. 您可以将任何 Windows 或 SQL ServerSQL Server 帐户配置为系统管理员。Any Windows or SQL ServerSQL Server account can be configured as a system administrator. 由于 sa 帐户广为人知且经常成为恶意用户的攻击目标,因此除非应用程序需要使用 sa 帐户,否则请勿启用该帐户。Because the sa account is well known and often targeted by malicious users, do not enable the sa account unless your application requires it. 切勿为 sa 帐户设置空密码或弱密码。Never set a blank or weak password for the sa account. 若要从 Windows 身份验证模式更改为混合模式身份验证并使用 SQL ServerSQL Server 身份验证,请参阅 更改服务器身份验证模式To change from Windows Authentication mode to Mixed Mode Authentication and use SQL ServerSQL Server Authentication, see Change Server Authentication Mode.

通过 Windows 身份验证进行连接Connecting Through Windows Authentication

当用户通过 Windows 用户帐户连接时, SQL ServerSQL Server 使用操作系统中的 Windows 主体标记验证帐户名和密码。When a user connects through a Windows user account, SQL ServerSQL Server validates the account name and password using the Windows principal token in the operating system. 也就是说,用户身份由 Windows 进行确认。This means that the user identity is confirmed by Windows. SQL ServerSQL Server 不要求提供密码,也不执行身份验证。does not ask for the password, and does not perform the identity validation. Windows 身份验证是默认身份验证模式,并且比 SQL ServerSQL Server 身份验证更为安全。Windows Authentication is the default authentication mode, and is much more secure than SQL ServerSQL Server Authentication. Windows 身份验证使用 Kerberos 安全协议,提供有关强密码复杂性验证的密码策略强制,还提供帐户锁定支持,并且支持密码过期。Windows Authentication uses Kerberos security protocol, provides password policy enforcement with regard to complexity validation for strong passwords, provides support for account lockout, and supports password expiration. 通过 Windows 身份验证创建的连接有时也称为可信连接,这是因为 SQL ServerSQL Server 信任由 Windows 提供的凭据。A connection made using Windows Authentication is sometimes called a trusted connection, because SQL ServerSQL Server trusts the credentials provided by Windows.

通过使用 Windows 身份验证,可以在域级别创建 Windows 组,并且可以在 SQL ServerSQL Server 中为整个组创建登录名。By using Windows Authentication, Windows groups can be created at the domain level, and a login can be created on SQL ServerSQL Server for the entire group. 在域级别管理访问可以简化帐户管理。Managing access from at the domain level can simplify account administration.

重要

请尽可能使用 Windows 身份验证。When possible, use Windows authentication.

通过 SQL Server 身份验证进行连接Connecting Through SQL Server Authentication

当使用 SQL ServerSQL Server 身份验证时,在 SQL ServerSQL Server 中创建的登录名并不基于 Windows 用户帐户。When using SQL ServerSQL Server Authentication, logins are created in SQL ServerSQL Server that are not based on Windows user accounts. 用户名和密码均通过使用 SQL ServerSQL Server 创建并存储在 SQL ServerSQL Server中。Both the user name and the password are created by using SQL ServerSQL Server and stored in SQL ServerSQL Server. 使用 SQL ServerSQL Server 身份验证进行连接的用户每次连接时都必须提供其凭据(登录名和密码)。Users connecting using SQL ServerSQL Server Authentication must provide their credentials (login and password) every time that they connect. 当使用 SQL ServerSQL Server 身份验证时,必须为所有 SQL ServerSQL Server 帐户设置强密码。When using SQL ServerSQL Server Authentication, you must set strong passwords for all SQL ServerSQL Server accounts. 有关强密码的指南,请参阅 Strong PasswordsFor strong password guidelines, see Strong Passwords.

可供 SQL ServerSQL Server 登录名选择使用的密码策略有三种。Three optional password policies are available for SQL ServerSQL Server logins.

  • 用户在下次登录时必须更改密码User must change password at next login

    要求用户在下次连接时更改密码。Requires the user to change the password the next time that the user connects. 更改密码的功能由 SQL Server Management StudioSQL Server Management Studio提供。The ability to change the password is provided by SQL Server Management StudioSQL Server Management Studio. 如果使用该选项,则第三方软件开发人员应提供此功能。Third-party software developers should provide this feature if this option is used.

  • 强制密码过期Enforce password expiration

    SQL ServerSQL Server 登录名强制实施计算机的密码最长使用期限策略。The maximum password age policy of the computer is enforced for SQL ServerSQL Server logins.

  • 强制实施密码策略Enforce password policy

    SQL ServerSQL Server 登录名强制实施计算机的 Windows 密码策略。The Windows password policies of the computer are enforced for SQL ServerSQL Server logins. 这包括密码长度和密码复杂性。This includes password length and complexity. 此功能需要通过 NetValidatePasswordPolicy API 实现,该 API 只在 Windows Server 2003Windows Server 2003 和更高版本中提供。This functionality depends on the NetValidatePasswordPolicy API, which is only available in Windows Server 2003Windows Server 2003 and later versions.

确定本地计算机的密码策略To determine the password policies of the local computer

  1. “开始” 菜单上,单击 “运行”On the Start menu, click Run.

  2. 在“运行” 对话框中,键入 secpol.msc,然后单击“确定” 。In the Run dialog box, type secpol.msc, and then click OK.

  3. “本地安全设置” 应用程序中,依次展开 “安全设置”“帐户策略” ,然后单击 “密码策略”In the Local Security Settings application, expand Security Settings, expand Account Policies, and then click Password Policy.

    密码策略将如结果窗格中所示。The password policies are described in the results pane.

SQL Server 身份验证的缺点Disadvantages of SQL Server Authentication

  • 如果用户是具有 Windows 登录名和密码的 Windows 域用户,则还必须提供另一个用于连接的 (SQL ServerSQL Server) 登录名和密码。If a user is a Windows domain user who has a login and password for Windows, he must still provide another (SQL ServerSQL Server) login and password to connect. 记住多个登录名和密码对于许多用户而言都较为困难。Keeping track of multiple names and passwords is difficult for many users. 每次连接到数据库时都必须提供 SQL ServerSQL Server 凭据也十分烦人。Having to provide SQL ServerSQL Server credentials every time that one connects to the database can be annoying.

  • SQL ServerSQL Server 身份验证无法使用 Kerberos 安全协议。Authentication cannot use Kerberos security protocol.

  • SQL ServerSQL Server 登录名不能使用 Windows 提供的其他密码策略。Windows offers additional password policies that are not available for SQL ServerSQL Server logins.

  • 必须在连接时通过网络传递已加密的 SQL ServerSQL Server 身份验证登录密码。The encrypted SQL ServerSQL Server Authentication login password, must be passed over the network at the time of the connection. 一些自动连接的应用程序将密码存储在客户端。Some applications that connect automatically will store the password at the client. 这可能产生其他攻击点。These are additional attack points.

SQL Server 身份验证的优点Advantages of SQL Server Authentication

  • 允许 SQL ServerSQL Server 支持那些需要进行 SQL ServerSQL Server 身份验证的旧版应用程序和由第三方提供的应用程序。Allows SQL ServerSQL Server to support older applications and applications provided by third parties that require SQL ServerSQL Server Authentication.

  • 允许 SQL ServerSQL Server 支持具有混合操作系统的环境,在这种环境中并不是所有用户均由 Windows 域进行验证。Allows SQL ServerSQL Server to support environments with mixed operating systems, where all users are not authenticated by a Windows domain.

  • 允许用户从未知的或不可信的域进行连接。Allows users to connect from unknown or untrusted domains. 例如,既定客户使用指定的 SQL ServerSQL Server 登录名进行连接以接收其订单状态的应用程序。For instance, an application where established customers connect with assigned SQL ServerSQL Server logins to receive the status of their orders.

  • 允许 SQL ServerSQL Server 支持基于 Web 的应用程序,在这些应用程序中用户可创建自己的标识。Allows SQL ServerSQL Server to support Web-based applications where users create their own identities.

  • 允许软件开发人员通过使用基于已知的预设 SQL ServerSQL Server 登录名的复杂权限层次结构来分发应用程序。Allows software developers to distribute their applications by using a complex permission hierarchy based on known, preset SQL ServerSQL Server logins.

    备注

    使用 SQL ServerSQL Server 身份验证不会限制安装 SQL ServerSQL Server 的计算机上的本地管理员权限。Using SQL ServerSQL Server Authentication does not limit the permissions of local administrators on the computer where SQL ServerSQL Server is installed.

另请参阅See Also

安装 SQL Server 的安全注意事项Security Considerations for a SQL Server Installation