Credentials Processes in Windows Authentication

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional describes how Windows authentication processes credentials.

Windows credentials management is the process by which the operating system receives the credentials from the service or user and secures that information for future presentation to the authenticating target. In the case of a domain-joined computer, the authenticating target is the domain controller. The credentials used in authentication are digital documents that associate the user's identity with some form of proof of authenticity, such as a certificate, a password, or a PIN.

By default, Windows credentials are validated against the Security Accounts Manager (SAM) database on the local computer, or against Active Directory on a domain-joined computer, through the Winlogon service. Credentials are collected through user input on the logon user interface or programmatically via the application programming interface (API) to be presented to the authenticating target.

Local security information is stored in the registry under HKEY_LOCAL_MACHINE\SECURITY. Stored information includes policy settings, default security values, and account information, such as cached logon credentials. A copy of the SAM database is also stored here, although it is write-protected.

The following diagram shows the components that are required and the paths that credentials take through the system to authenticate the user or process for a successful logon.

[Diagram: components and credential paths for a successful logon]

The following table describes each component that manages credentials in the authentication process at the point of logon.

Authentication components for all systems

Component: Description

User logon: Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiates the logon process for Windows operating systems by passing the credentials collected by user action on the secure desktop (Logon UI) to the Local Security Authority (LSA) through Secur32.dll.

Application logon: Application or service logons that do not require interactive logon. Most processes initiated by the user run in user mode by using Secur32.dll, whereas processes initiated at startup, such as services, run in kernel mode by using Ksecdd.sys. For more information about user mode and kernel mode, see Applications and User Mode or Services and Kernel Mode in this topic.

Secur32.dll: The multiple authentication providers that form the foundation of the authentication process.

Lsasrv.dll: The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA. The LSA contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which protocol is to be successful.

Security Support Providers: A set of providers that can individually invoke one or more authentication protocols. The default set of providers can change with each version of the Windows operating system, and custom providers can be written.

Netlogon.dll: The services that the Net Logon service performs are as follows:

  • Maintains the computer's secure channel (not to be confused with Schannel) to a domain controller.

  • Passes the user's credentials through a secure channel to the domain controller and returns the domain security identifiers (SIDs) and user rights for the user.

  • Publishes service resource records in the Domain Name System (DNS) and uses DNS to resolve names to the Internet Protocol (IP) addresses of domain controllers.

  • Implements the replication protocol based on remote procedure call (RPC) for synchronizing primary domain controllers (PDCs) and backup domain controllers (BDCs).

Samsrv.dll: The Security Accounts Manager (SAM), which stores local security accounts, enforces locally stored policies, and supports APIs.

Registry: The Registry contains a copy of the SAM database, local security policy settings, default security values, and account information that is only accessible to the system.

This topic contains the following sections:

  • Credential input for user logon

  • Credential input for application and service logon

  • Local Security Authority

  • Cached credentials and validation

  • Credential storage and validation

Credential input for user logon

In Windows Server 2008 and Windows Vista, the Graphical Identification and Authentication (GINA) architecture was replaced with a credential provider model, which made it possible to enumerate different logon types through the use of logon tiles. Both models are described below.

Graphical Identification and Authentication architecture

The Graphical Identification and Authentication (GINA) architecture applies to the Windows Server 2003, Microsoft Windows 2000 Server, Windows XP, and Windows 2000 Professional operating systems. In these systems, every interactive logon session creates a separate instance of the Winlogon service. The GINA architecture is loaded into the process space used by Winlogon, receives and processes the credentials, and makes the calls to the authentication interfaces through LSALogonUser.

The instances of Winlogon for an interactive logon run in Session 0. Session 0 hosts system services and other critical processes, including the Local Security Authority (LSA) process.

The following diagram shows the credential process for Windows Server 2003, Microsoft Windows 2000 Server, Windows XP, and Microsoft Windows 2000 Professional.

[Diagram: credential process for Windows Server 2003, Microsoft Windows 2000 Server, Windows XP, and Microsoft Windows 2000 Professional]

Credential provider architecture

The credential provider architecture applies to those versions designated in the Applies To list at the beginning of this topic. In these systems, the credentials input architecture changed to an extensible design by using credential providers. These providers are represented by the different logon tiles on the secure desktop that permit any number of logon scenarios: different accounts for the same user, and different authentication methods, such as password, smart card, and biometrics.

With the credential provider architecture, Winlogon always starts Logon UI after it receives a secure attention sequence event. Logon UI queries each credential provider for the number of different credential types the provider is configured to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, Logon UI displays them to the user. The user interacts with a tile to supply their credentials. Logon UI submits these credentials for authentication.

Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Security Authority and authentication packages enforce security.

Credential providers are registered on the computer and are responsible for the following:

  • Describing the credential information required for authentication.

  • Handling communication and logic with external authentication authorities.

  • Packaging credentials for interactive and network logon.

Packaging credentials for interactive and network logon includes the process of serialization. By serializing credentials, multiple logon tiles can be displayed on the logon UI. Therefore, your organization can control the logon display (for example, which users are shown, the target systems for logon, pre-logon access to the network, and workstation lock/unlock policies) through the use of customized credential providers. Multiple credential providers can co-exist on the same computer.

Single sign-on (SSO) providers can be developed as a standard credential provider or as a Pre-Logon-Access Provider.

Each version of Windows contains one default credential provider and one default Pre-Logon-Access Provider (PLAP), also known as the SSO provider. The SSO provider permits users to make a connection to a network before logging on to the local computer. When this provider is implemented, the provider does not enumerate tiles on Logon UI.

An SSO provider is intended to be used in the following scenarios:

  • Network authentication and computer logon are handled by different credential providers. Variations to this scenario include:

    • A user has the option of connecting to a network, such as connecting to a virtual private network (VPN), before logging on to the computer but is not required to make this connection.

    • Network authentication is required to retrieve information used during interactive authentication on the local computer.

    • Multiple network authentications are followed by one of the other scenarios. For example, a user authenticates to an Internet service provider (ISP), authenticates to a VPN, and then uses their user account credentials to log on locally.

    • Cached credentials are disabled, and a Remote Access Services connection through VPN is required before local logon to authenticate the user.

    • A domain user does not have a local account set up on a domain-joined computer and must establish a Remote Access Services connection through a VPN connection before completing interactive logon.

  • Network authentication and computer logon are handled by the same credential provider. In this scenario, the user is required to connect to the network before logging on to the computer.

Logon tile enumeration

The credential provider enumerates logon tiles in the following instances:

  • For those operating systems designated in the Applies To list at the beginning of this topic.

  • The credential provider enumerates the tiles for workstation logon. The credential provider typically serializes credentials for authentication to the local security authority. This process displays tiles specific to each user and specific to each user's target systems.

  • The logon and authentication architecture lets a user unlock a workstation with tiles enumerated by the credential provider. Typically, the currently logged-on user is the default tile, but if more than one user is logged on, numerous tiles are displayed.

  • The credential provider enumerates tiles in response to a user request to change their password or other private information, such as a PIN. Typically, the currently logged-on user is the default tile; however, if more than one user is logged on, numerous tiles are displayed.

  • The credential provider enumerates tiles based on the serialized credentials to be used for authentication on remote computers. Credential UI does not use the same instance of the provider as the Logon UI, Unlock Workstation, or Change Password. Therefore, state information cannot be maintained in the provider between instances of Credential UI. This structure results in one tile for each remote computer logon, assuming the credentials have been correctly serialized. This scenario is also used in User Account Control (UAC), which can help prevent unauthorized changes to a computer by prompting the user for permission or an administrator password before permitting actions that could potentially affect the computer's operation or that could change settings that affect other users of the computer.

The following diagram shows the credential process for the operating systems designated in the Applies To list at the beginning of this topic.

[Diagram: credential process for the operating systems designated in the Applies To list at the beginning of this topic]

Credential input for application and service logon

Windows authentication is designed to manage credentials for applications or services that do not require user interaction. Applications in user mode are limited in terms of what system resources they have access to, while services can have unrestricted access to the system memory and external devices.

System services and transport-level applications access a Security Support Provider (SSP) through the Security Support Provider Interface (SSPI) in Windows, which provides functions for enumerating the security packages available on a system, selecting a package, and using that package to obtain an authenticated connection.

When a client/server connection is authenticated:

  • The application on the client side of the connection sends credentials to the server by using the SSPI function InitializeSecurityContext (General).

  • The application on the server side of the connection responds with the SSPI function AcceptSecurityContext (General).

  • The SSPI functions InitializeSecurityContext (General) and AcceptSecurityContext (General) are repeated until all the necessary authentication messages have been exchanged to either succeed or fail authentication.

  • After the connection has been authenticated, the LSA on the server uses information from the client to build the security context, which contains an access token.

  • The server can then call the SSPI function ImpersonateSecurityContext to attach the access token to an impersonation thread for the service.
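The exchange described above, as an added example that is not part of the Microsoft documentation: a loopback SSPI handshake run inside one Windows PowerShell 5.1 session. .NET's NegotiateStream wraps AcquireCredentialsHandle and InitializeSecurityContext on the client side and AcceptSecurityContext on the server side, so the token round trips can be observed without P/Invoke. The SPN "host/$env:COMPUTERNAME" is an assumption for a loopback target; on a computer that is not domain-joined, Negotiate falls back to NTLM and the result is not mutually authenticated.

```powershell
# Added example (not from the Microsoft documentation): client and server
# halves of an SSPI Negotiate handshake over a loopback TCP socket.
# Requires Windows PowerShell 5.1 (WindowsIdentity.Impersonate is .NET Framework only).

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

try {
    $clientSocket = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $port)
    $serverSocket = $listener.AcceptTcpClient()
    $clientAuth = [System.Net.Security.NegotiateStream]::new($clientSocket.GetStream(), $false)
    $serverAuth = [System.Net.Security.NegotiateStream]::new($serverSocket.GetStream(), $false)

    # Server side: AcceptSecurityContext runs on a thread-pool thread so that
    # both sides can exchange tokens while this thread drives the client.
    $pending = $serverAuth.BeginAuthenticateAsServer($null, $null)

    # Client side: InitializeSecurityContext with the logon session's own
    # credentials. The password never crosses the socket; only SSP tokens do.
    # The SPN below is an assumption for a loopback target.
    $clientAuth.AuthenticateAsClient(
        [System.Net.CredentialCache]::DefaultNetworkCredentials,
        "host/$env:COMPUTERNAME",
        [System.Net.Security.ProtectionLevel]::EncryptAndSign,
        [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
    $serverAuth.EndAuthenticateAsServer($pending)

    # The established context on the server carries an access token that the
    # LSA built from the client's information.
    $identity = [System.Security.Principal.WindowsIdentity]$serverAuth.RemoteIdentity
    'Client authenticated as {0} using {1}' -f $identity.Name, $identity.AuthenticationType
    'Mutual: {0}  Signed: {1}  Encrypted: {2}' -f $serverAuth.IsMutuallyAuthenticated, $serverAuth.IsSigned, $serverAuth.IsEncrypted

    # Counterpart of ImpersonateSecurityContext: attach the client's token to
    # this thread, act as the client, then revert.
    $impersonation = $identity.Impersonate()
    try {
        'Thread now runs as {0}' -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    } finally {
        $impersonation.Undo()
    }
} finally {
    if ($clientAuth) { $clientAuth.Dispose() }
    if ($serverAuth) { $serverAuth.Dispose() }
    $listener.Stop()
}
```

The client asks for an Impersonation-level token on purpose: with the default Identification level, the server could inspect RemoteIdentity but the Impersonate call would not let it act on the client's behalf, which is the distinction between a service that only audits who called and one that performs work under the caller's token.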

Applications and user mode

User mode in Windows is composed of two systems capable of passing I/O requests to the appropriate kernel-mode drivers: the environment system, which runs applications written for many different types of operating systems, and the integral system, which operates system-specific functions on behalf of the environment system.

The integral system manages operating system-specific functions on behalf of the environment system and consists of a security system process (the LSA), a workstation service, and a server service. The security system process deals with security tokens, grants or denies permissions to access user accounts based on resource permissions, handles logon requests and initiates logon authentication, and determines which system resources the operating system needs to audit.

Applications can run in user mode, where the application can run as any principal, including in the security context of Local System (SYSTEM). Applications can also run in kernel mode, where the application can run in the security context of Local System (SYSTEM).

SSPI is available through the Secur32.dll module, which is an API used for obtaining integrated security services for authentication, message integrity, and message privacy. It provides an abstraction layer between application-level protocols and security protocols. Because different applications require different ways of identifying or authenticating users and different ways of encrypting data as it travels across a network, SSPI provides a way to access dynamic-link libraries (DLLs) that contain different authentication and cryptographic functions. These DLLs are called Security Support Providers (SSPs).

Managed service accounts and virtual accounts were introduced in Windows Server 2008 R2 and Windows 7 to provide crucial applications, such as Microsoft SQL Server and Internet Information Services (IIS), with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. For more information about these features and their role in authentication, see Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2 and Group Managed Service Accounts Overview.

Services and kernel mode

Even though most Windows applications run in the security context of the user who starts them, this is not true of services. Many Windows services, such as network and printing services, are started by the service controller when the user starts the computer. These services might run as Local Service or Local System and might continue to run after the last human user logs off.

Note

Services normally run in security contexts known as Local System (SYSTEM), Network Service, or Local Service. Windows Server 2008 R2 introduced services that run under a managed service account, which are domain principals.

Before starting a service, the service controller logs on by using the account that is designated for the service, and then presents the service's credentials for authentication by the LSA. The Windows service implements a programmatic interface that the service controller manager can use to control the service. A Windows service can be started automatically when the system is started or manually with a service control program. For example, when a Windows client computer joins a domain, the messenger service on the computer connects to a domain controller and opens a secure channel to it. To obtain an authenticated connection, the service must have credentials that the remote computer's Local Security Authority (LSA) trusts. When communicating with other computers in the network, the LSA uses the credentials for the local computer's domain account, as do all other services running in the security context of Local System and Network Service. Services on the local computer run as SYSTEM, so credentials do not need to be presented to the LSA.

The file Ksecdd.sys manages and encrypts these credentials and uses a local procedure call into the LSA. The file type is DRV (driver); it is known as the kernel-mode Security Support Provider (SSP) and, in those versions designated in the Applies To list at the beginning of this topic, is FIPS 140-2 Level 1-compliant.

Kernel mode has full access to the hardware and system resources of the computer. Kernel mode stops user-mode services and applications from accessing critical areas of the operating system that they should not have access to.

Local Security Authority

The Local Security Authority (LSA) is a protected system process that authenticates and logs users on to the local computer. In addition, the LSA maintains information about all aspects of local security on a computer (these aspects are collectively known as the local security policy), and it provides various services for translation between names and security identifiers (SIDs). The security system process, Local Security Authority Server Service (LSASS), keeps track of the security policies and the accounts that are in effect on a computer system.

The LSA validates a user's identity based on which of the following two entities issued the user's account:

  • Local Security Authority. The LSA can validate user information by checking the Security Accounts Manager (SAM) database located on the same computer. Any workstation or member server can store local user accounts and information about local groups. However, these accounts can be used for accessing only that workstation or computer.

  • Security authority for the local domain or for a trusted domain. The LSA contacts the entity that issued the account and requests verification that the account is valid and that the request originated from the account holder.

The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. The stored credentials let users seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.

LSASS can store credentials in multiple forms, including:

  • Reversibly encrypted plaintext

  • Kerberos tickets (ticket-granting tickets (TGTs), service tickets)

  • NT hash

  • LAN Manager (LM) hash

If the user logs on to Windows by using a smart card, LSASS does not store a plaintext password, but it stores the corresponding NT hash value for the account and the plaintext PIN for the smart card. If the account attribute that requires a smart card for interactive logon is enabled, a random NT hash value is automatically generated for the account instead of the original password hash. The password hash that is automatically generated when the attribute is set does not change.

If a user logs on to a Windows-based computer with a password that is compatible with LAN Manager (LM) hashes, this authenticator is present in memory.

The storage of plaintext credentials in memory cannot be disabled, even if the credential providers that require them are disabled.

The stored credentials are directly associated with the Local Security Authority Subsystem Service (LSASS) logon sessions that have been started after the last restart and have not been closed. For example, LSA sessions with stored LSA credentials are created when a user does any of the following:

  • Logs on to a local session or Remote Desktop Protocol (RDP) session on the computer

  • Runs a task by using the RunAs option

  • Runs an active Windows service on the computer

  • Runs a scheduled task or batch job

  • Runs a task on the local computer by using a remote administration tool
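An added example, not part of the Microsoft documentation, that lists the LSASS logon sessions currently present on a computer together with the account each one belongs to, so the session kinds in the list above (interactive, RDP, RunAs, service, batch) can be seen as they exist right now. The LogonType names are the values documented for the WMI class Win32_LogonSession; the function name is this example's own. Run it as an administrator to see other users' sessions.

```powershell
# Added example (not from the Microsoft documentation): report every LSASS
# logon session and its owning account via WMI/CIM.

# Win32_LogonSession.LogonType values as documented for WMI.
$logonTypeNames = @{
    0  = 'System';            2  = 'Interactive';            3  = 'Network'
    4  = 'Batch';             5  = 'Service';                7  = 'Unlock'
    8  = 'NetworkCleartext';  9  = 'NewCredentials';         10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}

function Get-LsaLogonSessionReport {
    # Win32_LoggedOnUser associates an account (Antecedent) with a session (Dependent).
    $accountBySession = @{}
    foreach ($link in Get-CimInstance -ClassName Win32_LoggedOnUser) {
        $accountBySession[$link.Dependent.LogonId] = '{0}\{1}' -f $link.Antecedent.Domain, $link.Antecedent.Name
    }

    Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object {
        $typeCode = [int]$_.LogonType
        [pscustomobject]@{
            LogonId   = $_.LogonId
            Account   = $accountBySession[$_.LogonId]
            LogonType = if ($logonTypeNames.ContainsKey($typeCode)) { $logonTypeNames[$typeCode] } else { $typeCode }
            AuthPkg   = $_.AuthenticationPackage
            Started   = $_.StartTime
        }
    } | Sort-Object Started
}

Get-LsaLogonSessionReport | Format-Table -AutoSize
```

Each row is one logon session whose credentials LSASS holds until the session closes; the LogonType column shows which of the listed scenarios created it (2 for a console logon, 10 for RDP, 9 for RunAs with network-only credentials, 5 for a service, 4 for a scheduled task or batch job, 3 for a remote administration tool).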

In some circumstances, the LSA secrets, which are secret pieces of data that are accessible only to SYSTEM account processes, are stored on the hard disk drive. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets might include:

  • Account password for the computer's Active Directory Domain Services (AD DS) account

  • Account passwords for Windows services that are configured on the computer

  • Account passwords for configured scheduled tasks

  • Account passwords for IIS application pools and websites

  • Passwords for Microsoft accounts
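An added example, not part of the Microsoft documentation, that inventories two of the sources above (services and scheduled tasks) on the local computer and reports which accounts have a password persisted as an LSA secret because a service or task is configured to log on with it. Built-in identities (LocalSystem, Local Service, Network Service), virtual accounts (NT SERVICE\...) and managed service accounts (names ending in $) have no stored password and are excluded. The function names are this example's own; IIS application pools are not covered.

```powershell
# Added example (not from the Microsoft documentation): list services and
# scheduled tasks whose logon account password is stored as an LSA secret.

function Get-StoredServiceLogonAccount {
    # StartName values that carry no stored password (comparison is case-insensitive).
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            ($builtin -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*') -and   # virtual account
            ($_.StartName -notlike '*$')                  # (group) managed service account
        } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName; State = $_.State }
        }
}

function Get-StoredTaskLogonAccount {
    # A task principal with LogonType Password (or InteractiveOrPassword) keeps
    # the account password so the task can run whether or not the user is logged on.
    Get-ScheduledTask |
        Where-Object { $_.Principal.LogonType -in @('Password', 'InteractiveOrPassword') } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'ScheduledTask'
                Name    = $_.TaskPath + $_.TaskName
                Account = $_.Principal.UserId
                State   = $_.State
            }
        }
}

function Get-LsaSecretCredentialInventory {
    @(Get-StoredServiceLogonAccount) + @(Get-StoredTaskLogonAccount) | Sort-Object Account, Kind
}

Get-LsaSecretCredentialInventory | Format-Table -AutoSize
```

Every account in the output is one whose password survives a reboot on that host's disk; moving such a service or task to a managed service account, a virtual account, or an S4U task principal removes the stored secret.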

Introduced in Windows 8.1, the client operating system provides additional protection for the LSA to prevent reading of its memory and code injection by non-protected processes. This protection increases security for the credentials that the LSA stores and manages.

For more information about these additional protections, see Configuring Additional LSA Protection.

Cached credentials and validation

Validation mechanisms rely on the presentation of credentials at the time of logon. However, when the computer is disconnected from a domain controller and the user is presenting domain credentials, Windows uses the process of cached credentials in the validation mechanism.

Each time a user logs on to a domain, Windows caches the credentials supplied and stores them in the security hive in the registry of the operating system.

With cached credentials, the user can log on to a domain member without being connected to a domain controller within that domain.

Credential storage and validation

It is not always desirable to use one set of credentials for access to different resources. For example, an administrator might want to use administrative rather than user credentials when accessing a remote server. Similarly, if a user accesses external resources, such as a bank account, he or she can only use credentials that are different from their domain credentials. The following sections describe the differences in credential management between current versions of Windows operating systems and the Windows Vista and Windows XP operating systems.

Remote logon credential processes

The Remote Desktop Protocol (RDP) manages the credentials of the user who connects to a remote computer by using the Remote Desktop Client, which was introduced in Windows 8. The credentials in plaintext form are sent to the target host, where the host attempts to perform the authentication process and, if successful, connects the user to allowed resources. RDP does not store the credentials on the client, but the user's domain credentials are stored in LSASS.

Introduced in Windows Server 2012 R2 and Windows 8.1, Restricted Admin mode provides additional security to remote logon scenarios. This mode of Remote Desktop causes the client application to perform a network logon challenge-response with the NT one-way function (NTOWF) or use a Kerberos service ticket when authenticating to the remote host. After the administrator is authenticated, the administrator does not have the respective account credentials in LSASS because they were not supplied to the remote host. Instead, the administrator has the computer account credentials for the session. Administrator credentials are not supplied to the remote host, so actions are performed as the computer account. Resources are also limited to the computer account, and the administrator cannot access resources with his own account.
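An added example, not part of the Microsoft documentation, that reads the registry values behind three of the protections discussed in this topic (the additional LSA protection introduced in Windows 8.1, the number of cached domain logons kept in the security hive, and Restricted Admin mode for RDP) and reports each against a hardening expectation. The expectations and the function name are this example's own assumptions, not Microsoft defaults; the value names RunAsPPL, CachedLogonsCount and DisableRestrictedAdmin are the documented ones.

```powershell
# Added example (not from the Microsoft documentation): audit the registry
# settings that control LSA protection, cached logons and Restricted Admin.
# Run in an elevated session; the expectations below are this script's own.

function Get-CredentialProtectionState {
    $checks = @(
        @{  Name    = 'LSA runs as a protected process (RunAsPPL)'
            Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Value   = 'RunAsPPL'
            Expect  = { param($v) [int]$v -eq 1 }
            Missing = 'not set (LSA protection off)' }
        @{  Name    = 'Cached domain logons kept on disk (CachedLogonsCount)'
            Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
            Value   = 'CachedLogonsCount'
            Expect  = { param($v) [int]$v -le 1 }   # assumption: at most one cached logon
            Missing = 'not set (default is 10)' }
        @{  Name    = 'Restricted Admin mode for RDP (DisableRestrictedAdmin)'
            Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Value   = 'DisableRestrictedAdmin'
            Expect  = { param($v) [int]$v -eq 0 }   # 0 enables Restricted Admin
            Missing = 'not set (Restricted Admin not enabled)' }
    )

    foreach ($c in $checks) {
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check   = $c.Name
            Current = if ($null -eq $current) { $c.Missing } else { $current }
            Status  = if ($null -ne $current -and (& $c.Expect $current)) { 'OK' } else { 'REVIEW' }
        }
    }
}

Get-CredentialProtectionState | Format-Table -AutoSize
```

A REVIEW row means the value is absent or outside the expectation, not that the computer is misconfigured: cached logons, for instance, are exactly what a laptop that must log on while disconnected from its domain controller relies on, so the right count is a policy decision for that class of device.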

Automatic restart sign-on credential process

When a user signs in on a Windows 8.1 device, LSA saves the user's credentials in encrypted memory that is accessible only by LSASS.exe. When Windows Update initiates an automatic restart without the user being present, these credentials are used to configure Autologon for the user.

On restart, the user is automatically signed in through the Autologon mechanism, and then the computer is additionally locked to protect the user's session. The locking is initiated through Winlogon, whereas the credential management is done by LSA. By automatically signing in and locking the user's session on the console, the user's lock screen applications are restarted and available.

For more information about ARSO, see Winlogon Automatic Restart Sign-On (ARSO).

Stored user names and passwords in Windows Vista and Windows XP

In Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP, Stored User Names and Passwords in Control Panel simplifies the management and use of multiple sets of logon credentials, including X.509 certificates used with smart cards and Windows Live credentials (now called Microsoft account). The credentials, which are part of the user's profile, are stored until they are needed. This can increase security on a per-resource basis by ensuring that if one password is compromised, it does not compromise all security.

After a user logs on and attempts to access additional password-protected resources, such as a share on a server, and if the user's default logon credentials are not sufficient to gain access, Stored User Names and Passwords is queried. If alternate credentials with the correct logon information have been saved in Stored User Names and Passwords, these credentials are used to gain access. Otherwise, the user is prompted to supply new credentials, which can then be saved for reuse, either later in the logon session or during a subsequent session.

The following restrictions apply:

  • If Stored User Names and Passwords contains invalid or incorrect credentials for a specific resource, access to the resource is denied, and the Stored User Names and Passwords dialog box does not appear.

  • Stored User Names and Passwords stores credentials only for NTLM, Kerberos protocol, Microsoft account (formerly Windows Live ID), and Secure Sockets Layer (SSL) authentication. Some versions of Internet Explorer maintain their own cache for basic authentication.

These credentials become an encrypted part of a user's local profile in the \Documents and Settings\Username\Application Data\Microsoft\Credentials directory. As a result, these credentials can roam with the user if the user's network policy supports Roaming User Profiles. However, if the user has copies of Stored User Names and Passwords on two different computers and changes the credentials that are associated with the resource on one of these computers, the change is not propagated to Stored User Names and Passwords on the second computer.

Windows Vault and Credential Manager

Credential Manager was introduced in Windows Server 2008 R2 and Windows 7 as a Control Panel feature to store and manage user names and passwords. Credential Manager lets users store credentials relevant to other systems and websites in the secure Windows Vault. Some versions of Internet Explorer use this feature for authentication to websites.

Credential management by using Credential Manager is controlled by the user on the local computer. Users can save and store credentials from supported browsers and Windows applications to make it convenient when they need to sign in to these resources. Credentials are saved in special encrypted folders on the computer under the user's profile. Applications that support this feature (through the use of the Credential Manager APIs), such as web browsers and apps, can present the correct credentials to other computers and websites during the logon process.

When a website, an application, or another computer requests authentication through NTLM or the Kerberos protocol, a dialog box appears in which you select the Update Default Credentials or Save Password check box. This dialog box, which lets a user save credentials locally, is generated by an application that supports the Credential Manager APIs. If the user selects the Save Password check box, Credential Manager keeps track of the user's user name, password, and related information for the authentication service that is in use.

The next time the service is used, Credential Manager automatically supplies the credential that is stored in the Windows Vault. If it is not accepted, the user is prompted for the correct access information. If access is granted with the new credentials, Credential Manager overwrites the previous credential with the new one and then stores the new credential in the Windows Vault.

Security Accounts Manager database

The Security Accounts Manager (SAM) is a database that stores local user accounts and groups. It is present in every Windows operating system; however, when a computer is joined to a domain, Active Directory manages domain accounts in Active Directory domains.

For example, client computers running a Windows operating system participate in a network domain by communicating with a domain controller even when no human user is logged on. To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the LSA on the domain controller authenticates the computer's identity and then constructs the computer's security context, just as it does for a human security principal. This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, or computer on a network. For example, the access token contained within the security context defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed on that resource by that principal (a user, computer, or service).

The security context of a user or computer can vary from one computer to another, such as when a user logs on to a server or a workstation other than the user's own primary workstation. It can also vary from one session to another, such as when an administrator modifies the user's rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a network, or as part of an Active Directory domain.

Local domains and trusted domains

When a trust exists between two domains, the authentication mechanisms for each domain rely on the validity of the authentications coming from the other domain. Trusts help to provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that let only validated authentication requests travel between domains.

How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case a trust exists only between the two trust partner domains, or transitive, in which case a trust automatically extends to any other domains that either of the partners trusts.

For information about domain and forest trust relationships regarding authentication, see Delegated Authentication and Trust Relationships.

Certificates in Windows authentication

A public key infrastructure (PKI) is the combination of software, encryption technologies, processes, and services that enable an organization to secure its communications and business transactions. The ability of a PKI to secure communications and business transactions is based on the exchange of digital certificates between authenticated users and trusted resources.

A digital certificate is an electronic document that contains information about the entity it belongs to, the entity it was issued by, a unique serial number or some other unique identification, issuance and expiration dates, and a digital fingerprint.

Authentication is the process of determining whether a remote host can be trusted. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate.

Remote hosts establish their trustworthiness by obtaining a certificate from a certification authority (CA). The CA can, in turn, have certification from a higher authority, which creates a chain of trust. To determine whether a certificate is trustworthy, an application must determine the identity of the root CA and then determine whether that root CA is trusted.

Similarly, the remote host or local computer must determine whether the certificate presented by the user or application is authentic. The certificate presented by the user through the LSA and SSPI is evaluated for authenticity on the local computer for local logon, on the network, or on the domain through the certificate stores in Active Directory.

To produce a certificate, authentication data passes through a hash algorithm, such as Secure Hash Algorithm 1 (SHA1), to produce a message digest. The message digest is then digitally signed by using the sender's private key to prove that the message digest was produced by the sender.

Note

SHA1 is the default in Windows 7 and Windows Vista, but this was changed to SHA2 in Windows 8.
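The two steps the preceding paragraphs describe (walking a certificate chain up to a root CA and deciding whether that root is trusted, and hashing data into a digest that is signed with the sender's private key) can be exercised end to end with a small self-contained PKI. The following Go program is an added example and not code from Windows or from this reference; it builds a constructed root CA, an issuing CA and a user certificate (the names "Demo Root CA", "Demo Issuing CA" and "user@example.test" are made up), verifies the user certificate against the root it trusts and against an unrelated root, and signs and verifies a SHA-256 digest, which is the SHA2 family the note above refers to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a simple counter so every constructed certificate gets a unique serial number.
var serial int64

// makeCert issues a certificate for subject, signed by parent, or self-signed when parent is nil.
// This is a constructed demo PKI, not a Windows CA; the subject names are placeholders.
func makeCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A logon certificate is used to authenticate the client that presents it.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demoPKI holds the constructed chain: root CA -> issuing CA -> user certificate.
type demoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

func buildDemoPKI() (*demoPKI, error) {
	root, rootKey, err := makeCert("Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := makeCert("Demo Issuing CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := makeCert("user@example.test", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{Root: root, Intermediate: inter, Leaf: leaf, LeafKey: leafKey}, nil
}

// verifyChain walks from the leaf through the intermediates to a root in the caller's trust list
// and returns the root CA's common name; an empty trust list or an unrelated root yields an error.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) (string, error) {
	ipool, rpool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates {
		ipool.AddCert(c)
	}
	for _, c := range roots {
		rpool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Intermediates: ipool,
		Roots:         rpool, // a non-nil pool means "trust only these", never the system roots
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

// signDigest hashes the data with SHA-256 and signs the digest with the sender's private key.
func signDigest(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyDigest recomputes the SHA-256 digest and checks the signature with the certificate's public key.
func verifyDigest(cert *x509.Certificate, data, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, data, sig) == nil
}

func main() {
	p, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	rootCN, err := verifyChain(p.Leaf, []*x509.Certificate{p.Intermediate}, []*x509.Certificate{p.Root})
	fmt.Println("trusted root:", rootCN, "err:", err)
	stranger, _, _ := makeCert("Unrelated Root CA", true, nil, nil)
	_, err = verifyChain(p.Leaf, []*x509.Certificate{p.Intermediate}, []*x509.Certificate{stranger})
	fmt.Println("against an unrelated root:", err)
	msg := []byte("constructed authentication data")
	sig, _ := signDigest(p.LeafKey, msg)
	fmt.Println("signature verifies:", verifyDigest(p.Leaf, msg, sig))
	fmt.Println("tampered data verifies:", verifyDigest(p.Leaf, []byte("tampered"), sig))
}
```

The point of passing an explicit root pool is the decision the text describes: the application names the root CA it trusts, and a chain that ends anywhere else is rejected even though every signature in it is valid. Omitting the intermediate from the pool fails in the same way, which is the usual cause of "untrusted" errors in practice.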

Smart card authentication

Smart card technology is an example of certificate-based authentication. Logging on to a network with a smart card provides a strong form of authentication because it uses cryptography-based identification and proof of possession when authenticating a user to a domain. Active Directory Certificate Services (AD CS) provides the cryptography-based identification through the issuance of a logon certificate for each smart card.

For information about smart card authentication, see the Windows Smart Card Technical Reference.

Virtual smart card technology was introduced in Windows 8. It stores the smart card's certificate in the PC and then protects it by using the device's tamper-proof Trusted Platform Module (TPM) security chip. In this way, the PC itself becomes the smart card, and it must receive the user's PIN in order to be authenticated.

Remote and wireless authentication

Remote and wireless network authentication is another technology that uses certificates for authentication. The Internet Authentication Service (IAS) and virtual private network servers use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol (PEAP), or Internet Protocol security (IPsec) to perform certificate-based authentication for many types of network access, including virtual private network (VPN) and wireless connections.

For information about certificate-based authentication in networking, see Network access authentication and certificates.

See also

Windows Authentication Concepts