Security Support Provider Interface Architecture

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional describes the Windows authentication protocols that are used within the Security Support Provider Interface (SSPI) architecture.

The Microsoft Security Support Provider Interface (SSPI) is the foundation for Windows authentication. Applications and infrastructure services that require authentication use SSPI to provide it.

SSPI is the implementation of the Generic Security Service API (GSSAPI) in Windows Server operating systems. For more information about GSSAPI, see RFC 2743 and RFC 2744 in the IETF RFC Database.

The default Security Support Providers (SSPs) that invoke specific authentication protocols in Windows are incorporated into the SSPI as DLLs. These default SSPs are described in the following sections. Additional SSPs can be incorporated if they can operate with the SSPI.

As shown in the following image, the SSPI in Windows provides a mechanism that carries authentication tokens over the existing communication channel between the client computer and the server. When two computers or devices need to be authenticated so that they can communicate securely, the requests for authentication are routed to the SSPI, which completes the authentication process, regardless of the network protocol currently in use. The SSPI returns transparent binary large objects. These are passed between the applications, at which point they can be passed to the SSPI layer. Thus, the SSPI enables an application to use various security models available on a computer or network without changing the interface to the security system.

[Diagram showing the Security Support Provider Interface architecture]

The following sections describe the default SSPs that interact with the SSPI. The SSPs are used in different ways in Windows operating systems to promote secure communication in an unsecure network environment.

Also included in this topic:

Security Support Provider selection

Kerberos Security Support Provider

This SSP uses only the Kerberos version 5 protocol as implemented by Microsoft. This protocol is based on the Network Working Group's RFC 4120 and draft revisions. It is an industry standard protocol that is used with a password or a smart card for an interactive logon. It is also the preferred authentication method for services in Windows.

Because the Kerberos protocol has been the default authentication protocol since Windows 2000, all domain services support the Kerberos SSP. These services include:

  • Active Directory queries that use the Lightweight Directory Access Protocol (LDAP)

  • Remote server or workstation management that uses the Remote Procedure Call service

  • Print services

  • Client-server authentication

  • Remote file access that uses the Server Message Block (SMB) protocol (also known as Common Internet File System or CIFS)

  • Distributed file system management and referral

  • Intranet authentication to Internet Information Services (IIS)

  • Security authority authentication for Internet Protocol security (IPsec)

  • Certificate requests to Active Directory Certificate Services for domain users and computers

Location: %windir%\Windows\System32\kerberos.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the Kerberos protocol and the Kerberos SSP

NTLM Security Support Provider

The NTLM Security Support Provider (NTLM SSP) is a binary messaging protocol used by the Security Support Provider Interface (SSPI) to allow NTLM challenge-response authentication and to negotiate integrity and confidentiality options. NTLM is used wherever SSPI authentication is used, including for Server Message Block or CIFS authentication, HTTP Negotiate authentication (for example, Internet Web Authentication), and the Remote Procedure Call service. The NTLM SSP includes the NTLM and NTLM version 2 (NTLMv2) authentication protocols.

The supported Windows operating systems can use the NTLM SSP for the following:

  • Client/server authentication

  • Print services

  • File access by using CIFS (SMB)

  • Secure Remote Procedure Call service or DCOM service

Location: %windir%\Windows\System32\msv1_0.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the NTLM protocol and the NTLM SSP

Digest Security Support Provider

Digest authentication is an industry standard that is used for Lightweight Directory Access Protocol (LDAP) and web authentication. Digest authentication transmits credentials across the network as an MD5 hash or message digest.

Digest SSP (Wdigest.dll) is used for the following:

  • Internet Explorer and Internet Information Services (IIS) access

  • LDAP queries

Location: %windir%\Windows\System32\Digest.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the Digest protocol and the Digest SSP

Schannel Security Support Provider

The Secure Channel (Schannel) is used for web-based server authentication, such as when a user attempts to access a secure web server.

The TLS protocol, SSL protocol, the Private Communications Technology (PCT) protocol, and the Datagram Transport Layer (DTLS) protocol are based on public key cryptography. Schannel provides all these protocols. All Schannel protocols use a client/server model. The Schannel SSP uses public key certificates to authenticate parties. When authenticating parties, Schannel SSP selects a protocol in the following order of preference:

  • Transport Layer Security (TLS) version 1.0

  • Transport Layer Security (TLS) version 1.1

  • Transport Layer Security (TLS) version 1.2

  • Secure Socket Layer (SSL) version 2.0

  • Secure Socket Layer (SSL) version 3.0

  • Private Communications Technology (PCT)

    Note: PCT is disabled by default.

The protocol that is selected is the preferred authentication protocol that the client and the server can support. For example, if a server supports all the Schannel protocols and the client supports only SSL 3.0 and SSL 2.0, the authentication process uses SSL 3.0.

DTLS is used when explicitly called by the application. For more information about DTLS and the other protocols that are used by the Schannel provider, see Schannel Security Support Provider Technical Reference.

Location: %windir%\Windows\System32\Schannel.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Note

TLS 1.2 was introduced in this provider in Windows Server 2008 R2 and Windows 7. DTLS was introduced in this provider in Windows Server 2012 and Windows 8.

Additional resources for the TLS and SSL protocols and the Schannel SSP

Negotiate Security Support Provider

The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) forms the basis for the Negotiate SSP, which can be used to negotiate a specific authentication protocol. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies the Negotiate SSP, it analyzes the request and picks the appropriate provider to handle the request, based on customer-configured security policies.

SPNEGO is specified in RFC 2478.

In supported versions of the Windows operating systems, the Negotiate security support provider selects between the Kerberos protocol and NTLM. Negotiate selects the Kerberos protocol by default unless that protocol cannot be used by one of the systems involved in the authentication, or the calling application did not provide sufficient information to use the Kerberos protocol.

Location: %windir%\Windows\System32\lsasrv.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the Negotiate SSP

Credential Security Support Provider

The Credential Security Service Provider (CredSSP) provides a single sign-on (SSO) user experience when starting new Terminal Services and Remote Desktop Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP), based on the client's policies. CredSSP policies are configured by using Group Policy, and the delegation of credentials is turned off by default.

Location: %windir%\Windows\System32\credssp.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic.

Additional resources for the Credentials SSP

Negotiate Extensions Security Support Provider

Negotiate Extensions (NegoExts) is an authentication package that negotiates the use of SSPs, other than NTLM or the Kerberos protocol, for applications and scenarios implemented by Microsoft and other software companies.

This extension to the Negotiate package permits the following scenarios:

  • Rich client availability within a federated system. Documents can be accessed on SharePoint sites, and they can be edited by using a full-featured Microsoft Office application.

  • Rich client support for Microsoft Office services. Users can sign in to Microsoft Office services and use a full-featured Microsoft Office application.

  • Hosted Microsoft Exchange Server and Outlook. There is no domain trust established because Exchange Server is hosted on the web. Outlook uses the Windows Live service to authenticate users.

  • Rich client availability between client computers and servers. The operating system's networking and authentication components are used.

The Windows Negotiate package treats the NegoExts SSP in the same manner as it does for Kerberos and NTLM. NegoExts.dll is loaded into the Local System Authority (LSA) at startup. When an authentication request is received, based on the request's source, NegoExts negotiates between the supported SSPs. It gathers the credentials and policies, encrypts them, and sends that information to the appropriate SSP, where the security token is created.

The SSPs supported by NegoExts are not stand-alone SSPs such as Kerberos and NTLM. Therefore, within the NegoExts SSP, when the authentication method fails for any reason, an authentication failure message will be displayed or logged. No renegotiation or fallback authentication methods are possible.

Location: %windir%\Windows\System32\negoexts.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, excluding Windows Server 2008 and Windows Vista.

PKU2U Security Support Provider

The PKU2U protocol was introduced and implemented as an SSP in Windows 7 and Windows Server 2008 R2. This SSP enables peer-to-peer authentication, particularly through the media and file sharing feature called HomeGroup, which was introduced in Windows 7. The feature permits sharing between computers that are not members of a domain.

Location: %windir%\Windows\System32\pku2u.dll

This provider is included by default in versions designated in the Applies to list at the beginning of this topic, excluding Windows Server 2008 and Windows Vista.

Additional resources for the PKU2U protocol and the PKU2U SSP

Security Support Provider selection

The Windows SSPI can use any of the protocols that are supported through the installed Security Support Providers. However, because not all operating systems support the same SSP packages as any given computer running Windows Server, clients and servers must negotiate to use a protocol that they both support. Windows Server prefers client computers and applications to use the Kerberos protocol, a strong standards-based protocol, when possible, but the operating system continues to allow client computers and client applications that do not support the Kerberos protocol to authenticate.

Before authentication can take place, the two communicating computers must agree on a protocol that they both can support. For any protocol to be usable through the SSPI, each computer must have the appropriate SSP. For example, for a client computer and server to use the Kerberos authentication protocol, they must both support Kerberos v5. Windows Server uses the function EnumerateSecurityPackages to identify which SSPs are supported on a computer and what the capabilities of those SSPs are.

The selection of an authentication protocol can be handled in one of the following two ways:

  1. Single authentication protocol

  2. Negotiate option

Single authentication protocol

When a single acceptable protocol is specified on the server, the client computer must support the protocol specified or the communication fails. When a single acceptable protocol is specified, the authentication exchange takes place as follows:

  1. The client computer requests access to a service.

  2. The server replies to the request and specifies the protocol that will be used.

  3. The client computer examines the contents of the reply and checks to determine whether it supports the specified protocol. If the client computer does support the specified protocol, the authentication continues. If the client computer does not support the protocol, the authentication fails, regardless of whether the client computer is authorized to access the resource.

Negotiate option

The negotiate option can be used to allow the client and server to attempt to find an acceptable protocol. This is based on the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). When the authentication begins with the option to negotiate for an authentication protocol, the SPNEGO exchange takes place as follows:

  1. The client computer requests access to a service.

  2. The server replies with a list of authentication protocols that it can support and an authentication challenge or response, based on the protocol that is its first choice. For example, the server might list the Kerberos protocol and NTLM, and send a Kerberos authentication response.

  3. The client computer examines the contents of the reply and checks to determine whether it supports any of the specified protocols.

    • If the client computer supports the preferred protocol, authentication proceeds.

    • If the client computer does not support the preferred protocol, but it does support one of the other protocols listed by the server, the client computer lets the server know which authentication protocol it supports, and the authentication proceeds.

    • If the client computer does not support any of the listed protocols, the authentication exchange fails.
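The two selection modes above (a server that names a single protocol, and the Negotiate/SPNEGO exchange that offers a list with a first-choice token) can be modelled side by side. The code below is an added illustration written for this page, not Windows code or the real SSPI; the message shapes, protocol names and the `fallback` flag (useful to a defender who wants to notice when a Kerberos-preferring server ended up on NTLM) are assumptions of the model.

```python
"""Model of SSPI protocol selection: single-protocol mode vs. the Negotiate option.
Constructed for illustration; it mirrors the exchange described in the text, not
the real secur32/lsasrv implementation."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ServerReply:
    """What the server sends back to the client's access request."""
    offered: list[str]     # protocols the server supports; offered[0] is its first choice
    initial_token: str     # challenge/response built for the first-choice protocol


def single_protocol_exchange(server_protocol: str, client_supported: set[str],
                             client_authorized: bool = True) -> dict:
    """Single-protocol mode: the server names exactly one protocol. If the client
    does not support it, authentication fails even when the client is authorized
    to reach the resource; authorization is only evaluated after a match."""
    reply = ServerReply([server_protocol], f"{server_protocol}:challenge")
    chosen = reply.offered[0]
    if chosen not in client_supported:
        return {"result": "failed", "protocol": None, "reason": "client lacks SSP"}
    if not client_authorized:
        return {"result": "denied", "protocol": chosen, "reason": "not authorized"}
    return {"result": "authenticated", "protocol": chosen, "reason": None}


def negotiate_exchange(server_supported: list[str], client_supported: set[str]) -> dict:
    """Negotiate option (SPNEGO-style): the server lists every protocol it supports
    and attaches a token for its first choice. The client takes the first choice if
    it can, otherwise tells the server which listed protocol it does support,
    otherwise the exchange fails. `fallback` records a downgrade from first choice."""
    reply = ServerReply(list(server_supported), f"{server_supported[0]}:challenge")
    preferred = reply.offered[0]
    if preferred in client_supported:
        # Client consumes the initial token directly; no second round needed.
        return {"result": "authenticated", "protocol": preferred,
                "fallback": False, "client_announced": None}
    for proto in reply.offered[1:]:
        if proto in client_supported:
            # Client announces the alternative; the server re-issues for that SSP.
            return {"result": "authenticated", "protocol": proto,
                    "fallback": True, "client_announced": proto}
    return {"result": "failed", "protocol": None, "fallback": False, "client_announced": None}


if __name__ == "__main__":
    # Example from the text: server lists Kerberos and NTLM and sends a Kerberos token.
    print(negotiate_exchange(["Kerberos", "NTLM"], {"Kerberos", "NTLM"}))  # Kerberos
    print(negotiate_exchange(["Kerberos", "NTLM"], {"NTLM"}))              # NTLM, fallback
    print(negotiate_exchange(["Kerberos", "NTLM"], {"Digest"}))            # failed
    # Single-protocol mode: an authorized client still fails without the SSP.
    print(single_protocol_exchange("Kerberos", {"NTLM"}, client_authorized=True))
```

Where Kerberos is expected, a `fallback` of True on a domain-joined pair is worth logging, since it usually means the Kerberos SSP could not be used (no SPN, no ticket, or a non-domain client).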

Additional References

Windows Authentication Architecture