Kerberos Authentication Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Kerberos is an authentication protocol that is used to verify the identity of a user or host. This topic contains information about Kerberos authentication in Windows Server 2012 and Windows 8.

Feature description

The Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication, transporting authorization data, and delegation. The Kerberos authentication client is implemented as a security support provider (SSP), and it can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture.

The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services that run on the domain controller. The KDC uses the domain's Active Directory Domain Services database as its security account database. Active Directory Domain Services is required for default Kerberos implementations within the domain or forest.

Practical applications

The benefits gained by using Kerberos for domain-based authentication are:

  • Delegated authentication.

    Services that run on Windows operating systems can impersonate a client computer when accessing resources on the client's behalf. In many cases, a service can complete its work for the client by accessing resources on the local computer. When a client computer authenticates to the service, the NTLM and Kerberos protocols provide the authorization information that a service needs to impersonate the client computer locally. However, some distributed applications are designed so that a front-end service must use the client computer's identity when it connects to back-end services on other computers. Kerberos authentication supports a delegation mechanism that enables a service to act on behalf of its client when connecting to other services.

  • Single sign-on.

    Using Kerberos authentication within a domain or in a forest allows the user or service access to resources permitted by administrators without multiple requests for credentials. After initial domain sign-on through Winlogon, Kerberos manages the credentials throughout the forest whenever access to resources is attempted.

  • Interoperability.

    The implementation of the Kerberos V5 protocol by Microsoft is based on standards-track specifications that are recommended to the Internet Engineering Task Force (IETF). As a result, in Windows operating systems, the Kerberos protocol lays a foundation for interoperability with other networks in which the Kerberos protocol is used for authentication. In addition, Microsoft publishes Windows Protocols documentation for implementing the Kerberos protocol. The documentation contains the technical requirements, limitations, dependencies, and Windows-specific protocol behavior for Microsoft's implementation of the Kerberos protocol.

  • More efficient authentication to servers.

    Before Kerberos, NTLM authentication could be used, which requires an application server to connect to a domain controller to authenticate every client computer or service. With the Kerberos protocol, renewable session tickets replace pass-through authentication. The server is not required to go to a domain controller (unless it needs to validate a Privilege Attribute Certificate (PAC)). Instead, the server can authenticate the client computer by examining credentials presented by the client. Client computers can obtain credentials for a particular server once and then reuse those credentials throughout a network logon session.

  • Mutual authentication.

    By using the Kerberos protocol, a party at either end of a network connection can verify that the party on the other end is the entity it claims to be. NTLM does not enable clients to verify a server's identity or enable one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption.
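The two points above, that a server can accept a ticket using only its own key and that the reply proves the server's identity to the client, as a toy Python model of the Kerberos AP exchange. This is an added illustration, not Microsoft's code or the Windows implementation: principal names, keys and times are constructed, the HMAC-SHA256 "encryption" stands in for real Kerberos encryption types, and the replay cache and 300-second clock-skew limit are assumptions drawn from the protocol rather than from this page.

```python
# Toy model of the Kerberos AP exchange (added illustration, not Microsoft's code).
# Keys, names and times are constructed; HMAC-SHA256 "encryption" stands in for RFC 3961 etypes.
import hashlib, hmac, json, os
SKEW = 300  # seconds; the Kerberos default maximum clock skew

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def seal(key, data):
    """Encrypt-then-MAC of a JSON dict under a symmetric key (toy AEAD)."""
    pt, nonce = json.dumps(data, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue_ticket(service_key, client, service, now, lifetime=600):
    """TGS-REP stand-in: ticket sealed under the service's long-term key, plus session key."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "service": service,
                                "key": session_key.hex(), "endtime": now + lifetime})
    return ticket, session_key

def client_ap_req(ticket, session_key, client, now):
    """AP-REQ: the cached ticket plus a fresh authenticator under the session key."""
    return ticket, seal(session_key, {"client": client, "ctime": now})

def server_accept(service_key, ticket, authenticator, now, seen):
    """Check an AP-REQ with the server's own key only (no domain controller contact);
    `seen` is the server's replay cache. Returns (authenticated client, AP-REP)."""
    t = unseal(service_key, ticket)
    if now > t["endtime"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)
    if a["client"] != t["client"] or abs(now - a["ctime"]) > SKEW:
        raise ValueError("authenticator does not match ticket or exceeds clock skew")
    if (a["client"], a["ctime"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((a["client"], a["ctime"]))
    # AP-REP: echoing ctime under the session key proves the server holds the service key
    return t["client"], seal(session_key, {"ctime": a["ctime"]})

def client_check_ap_rep(session_key, ap_rep, ctime):
    return unseal(session_key, ap_rep).get("ctime") == ctime
```

The same ticket is presented again with a new authenticator for a second connection, which is the reuse the page describes, while a replayed authenticator, a stale one, or a server without the service key is refused.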

See Also

Windows Authentication Overview