Configure Kerberos constrained delegation (KCD) in Azure Active Directory Domain Services

As you run applications, there may be a need for those applications to access resources in the context of a different user. Active Directory Domain Services (AD DS) supports a mechanism called Kerberos delegation that enables this use case. Kerberos constrained delegation (KCD) then builds on this mechanism to define the specific resources that can be accessed in the context of the user.

Azure Active Directory Domain Services (Azure AD DS) managed domains are more securely locked down than traditional on-premises AD DS environments, so you use the more secure resource-based form of KCD.

This article shows you how to configure resource-based Kerberos constrained delegation in an Azure AD DS managed domain.

Prerequisites

To complete this article, you need the following resources:

Kerberos constrained delegation overview

Kerberos delegation lets one account impersonate another account to access resources. For example, a web application that accesses a back-end web component can impersonate a different user account when it makes the back-end connection. Unconstrained Kerberos delegation is insecure because it doesn't limit what resources the impersonating account can access.

Kerberos constrained delegation (KCD) restricts the services or resources that a specified server or application can connect to when impersonating another identity. Traditional KCD requires domain administrator privileges to configure a domain account for a service, and it restricts the account to running in a single domain.

Traditional KCD also has a few issues. For example, in earlier operating systems, the service administrator had no useful way to know which front-end services were delegated to the resource services they owned. Any front-end service that could delegate to a resource service was a potential attack point. If a server that hosted a front-end service configured to delegate to resource services was compromised, the resource services could also be compromised.

In a managed domain, you don't have domain administrator privileges. As a result, traditional account-based KCD can't be configured in a managed domain. Resource-based KCD can be used instead, and it is also more secure.

Resource-based KCD

Windows Server 2012 and later give service administrators the ability to configure constrained delegation for their own service. This model is known as resource-based KCD. With this approach, the back-end service administrator can allow or deny specific front-end services from using KCD.

Resource-based KCD is configured using PowerShell. You use the Set-ADComputer or Set-ADUser cmdlet, depending on whether the impersonating account is a computer account or a user account / service account.

Configure resource-based KCD for a computer account

In this scenario, let's assume you have a web app that runs on the computer named contoso-webapp.aaddscontoso.com.

The web app needs to access a web API that runs on the computer named contoso-api.aaddscontoso.com in the context of domain users.

Complete the following steps to configure this scenario:

  1. Create a custom OU. You can delegate permissions to manage this custom OU to users within the managed domain.

  2. Domain-join the virtual machines, both the one that runs the web app and the one that runs the web API, to the managed domain. Create these computer accounts in the custom OU from the previous step.

    Note

    The computer accounts for the web app and the web API must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for a computer account in the built-in AAD DC Computers container.

  3. Finally, configure resource-based KCD using the Set-ADComputer PowerShell cmdlet.

    From your domain-joined management VM, logged in as a user account that's a member of the Azure AD DC administrators group, run the following cmdlets. Provide your own computer names as needed:

    # Front-end (impersonating) account: the computer that runs the web app
    $ImpersonatingAccount = Get-ADComputer -Identity contoso-webapp.aaddscontoso.com
    # Back-end resource: allow only the front-end account to delegate to it
    Set-ADComputer contoso-api.aaddscontoso.com -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount
    

Configure resource-based KCD for a user account

In this scenario, let's assume you have a web app that runs as a service account named appsvc. The web app needs to access a web API that runs as a service account named backendsvc in the context of domain users. Complete the following steps to configure this scenario:

  1. Create a custom OU. You can delegate permissions to manage this custom OU to users within the managed domain.

  2. Domain-join the virtual machine that runs the back-end web API/resource to the managed domain. Create its computer account within the custom OU.

  3. Create the service account (for example, appsvc) used to run the web app within the custom OU.

    Note

    Again, the computer account for the web API VM and the service account for the web app must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for accounts in the built-in AAD DC Computers or AAD DC Users containers. This also means that you can't use user accounts synchronized from Azure AD to set up resource-based KCD. You must create and use service accounts specifically created in Azure AD DS.

  4. Finally, configure resource-based KCD using the Set-ADUser PowerShell cmdlet.

    From your domain-joined management VM, logged in as a user account that's a member of the Azure AD DC administrators group, run the following cmdlets. Provide your own service names as needed:

    # Front-end (impersonating) account: the service account the web app runs as
    $ImpersonatingAccount = Get-ADUser -Identity appsvc
    # Back-end resource: allow only the front-end service account to delegate to it
    Set-ADUser backendsvc -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount
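Because resource-based KCD is stored on the back-end account, the back-end owner can also audit who is allowed to delegate to it. The following added script (not part of this article) inventories every computer and service account in the custom OU that has at least one front-end principal allowed to delegate to it, covering both the computer-account and user-account scenarios above; the OU distinguished name is a hypothetical placeholder, and the ActiveDirectory module is assumed to be installed on the management VM.

```powershell
# Added audit example, not the article's own code.
# Assumes the custom OU is OU=AppServers,DC=aaddscontoso,DC=com (hypothetical)
# and that the ActiveDirectory module is available on the management VM.
Import-Module ActiveDirectory

$CustomOU = 'OU=AppServers,DC=aaddscontoso,DC=com'   # hypothetical OU DN

# Resource-based KCD lives on the back-end account in the
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which the AD cmdlets
# expose as PrincipalsAllowedToDelegateToAccount. Read it for every computer
# and user account in the OU.
$Accounts = @(
    Get-ADComputer -SearchBase $CustomOU -Filter * -Properties PrincipalsAllowedToDelegateToAccount
    Get-ADUser     -SearchBase $CustomOU -Filter * -Properties PrincipalsAllowedToDelegateToAccount
)

# Emit one row per (back-end resource, allowed front-end principal) pair so the
# result can be piped to Format-Table or Export-Csv for review.
$Delegations = foreach ($Account in $Accounts) {
    $Allowed = @($Account.PrincipalsAllowedToDelegateToAccount)
    if ($Allowed.Count -eq 0) { continue }
    foreach ($FrontEnd in $Allowed) {
        [pscustomobject]@{
            BackEndResource   = $Account.SamAccountName
            AllowedToDelegate = $FrontEnd   # distinguished name of the front-end principal
        }
    }
}

$Delegations | Format-Table -AutoSize

# When a front-end host is decommissioned, clear the allowance on the
# back-end account rather than leaving a stale delegation in place, e.g.:
# Set-ADComputer contoso-api.aaddscontoso.com -PrincipalsAllowedToDelegateToAccount $null
```

Run it periodically from the management VM and compare the output against the delegations you intentionally configured; any pair you do not recognise is worth investigating.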
    

Next steps

To learn more about how delegation works in Active Directory Domain Services, see Kerberos Constrained Delegation Overview.