Windows 身份验证体系结构Windows Authentication Architecture

适用于:Windows Server(半年频道)、Windows Server 2016Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

本概述主题面向 IT 专业人员,介绍了 Windows 身份验证的基本体系结构方案。This overview topic for the IT professional explains the basic architectural scheme for Windows authentication.

身份验证是指系统验证用户的登录或登录信息时所使用的过程。Authentication is the process by which the system validates a user's logon or sign-in information. 用户的名称和密码与授权列表进行比较,如果系统检测到匹配项,则将访问权限授予该用户的权限列表中指定的范围。A user's name and password are compared against an authorized list, and if the system detects a match, access is granted to the extent specified in the permission list for that user.

作为可扩展体系结构的一部分,Windows Server 操作系统将实现一组默认身份验证安全支持提供程序,其中包括 Negotiate、Kerberos 协议、NTLM、Schannel (安全通道) 和摘要。As part of an extensible architecture, the Windows Server operating systems implement a default set of authentication security support providers, which include Negotiate, the Kerberos protocol, NTLM, Schannel (secure channel), and Digest. 这些提供程序使用的协议允许用户、计算机和服务进行身份验证,并且身份验证过程使授权的用户和服务能够安全地访问资源。The protocols used by these providers enable authentication of users, computers, and services, and the authentication process enables authorized users and services to access resources in a secure manner.

在 Windows Server 中,应用程序通过使用 SSPI 对身份验证调用进行身份验证来对用户进行身份验证。In Windows Server, applications authenticate users by using the SSPI to abstract calls for authentication. 因此,开发人员不需要了解特定身份验证协议的复杂性,也不需要在其应用程序中构建身份验证协议。Thus, developers do not need to understand the complexities of specific authentication protocols or build authentication protocols into their applications.

Windows Server 操作系统包括组成 Windows 安全模型的一组安全组件。Windows Server operating systems include a set of security components that make up the Windows security model. 这些组件确保应用程序不需要进行身份验证和授权即可访问资源。These components ensure that applications cannot gain access to resources without authentication and authorization. 以下各节介绍身份验证体系结构的元素。The following sections describe the elements of the authentication architecture.

本地安全机构Local Security Authority

本地安全机构 (LSA) 是受保护的子系统,可对用户进行身份验证并登录到本地计算机。The Local Security Authority (LSA) is a protected subsystem that authenticates and signs in users to the local computer. 此外,LSA 在计算机上保留有关本地安全的所有方面的信息 (这些方面统称为本地安全策略) 。In addition, LSA maintains information about all aspects of local security on a computer (these aspects are collectively known as the local security policy). 它还提供各种服务,用于在 Sid) (名称和安全标识符之间进行转换。It also provides various services for translation between names and security identifiers (SIDs).

安全子系统将跟踪计算机系统上的安全策略和帐户。The security subsystem keeps track of the security policies and the accounts that are on a computer system. 如果是域控制器,则这些策略和帐户是对域控制器所在的域生效的策略和帐户。In the case of a domain controller, these policies and accounts are those that are in effect for the domain in which the domain controller is located. 这些策略和帐户存储在 Active Directory 中。These policies and accounts are stored in Active Directory. LSA 子系统提供的服务可用于验证对对象的访问权限、检查用户权限以及生成审核消息。The LSA subsystem provides services for validating access to objects, checking user rights, and generating audit messages.

安全支持提供程序接口Security Support Provider Interface

(SSPI) 的安全支持提供程序接口是为任何分布式应用程序协议获取用于身份验证、消息完整性、消息隐私和安全服务质量的集成安全服务的 API。The Security Support Provider Interface (SSPI) is the API that obtains integrated security services for authentication, message integrity, message privacy, and security quality-of-service for any distributed application protocol.

SSPI 是通用安全服务 API 的实现 (GSSAPI) 。SSPI is the implementation of the Generic Security Service API (GSSAPI). SSPI 提供一种机制,通过该机制,分布式应用程序可以调用多个安全提供程序之一来获取经过身份验证的连接,而无需了解安全协议的详细信息。SSPI provides a mechanism by which a distributed application can call one of several security providers to obtain an authenticated connection without knowledge of the details of the security protocol.

其他参考Additional References