Extended Protection for Authentication with Reporting Services

Extended Protection is a set of enhancements to recent versions of the Microsoft Windows operating system. Extended protection enhances how credentials and authentication can be protected by applications. The feature itself does not directly provide protection against specific attacks such as credential forwarding, but it provides an infrastructure for applications such as Reporting Services to enforce Extended Protection for Authentication.

The main authentication enhancements that are part of extended protection are service binding and channel binding. Channel binding uses a channel binding token (CBT) to verify that the channel established between two end points was not compromised. Service binding uses Service Principal Names (SPNs) to validate the intended destination of authentication tokens. For more background information about extended protection, see Integrated Windows Authentication with Extended Protection.

SQL Server 2017 Reporting Services supports and enforces Extended Protection that has been enabled in the operating system and configured in Reporting Services. By default, Reporting Services accepts requests that specify Negotiate or NTLM authentication and can therefore benefit from Extended Protection support in the operating system and the Reporting Services extended protection features.

Important

By default, Windows does not enable Extended Protection. For information about how to enable Extended Protection in Windows, see Extended Protection for Authentication. Both the operating system and the client authentication stack must support Extended Protection for authentication to succeed. For older operating systems you may need to install more than one update to get a computer that is fully Extended Protection ready. For information on recent developments with Extended Protection, see the updated information about Extended Protection.

Reporting Services Extended Protection Overview

SQL Server 2017 Reporting Services supports and enforces extended protection that has been enabled in the operating system. If the operating system does not support extended protection, or the feature has not been enabled in the operating system, the Reporting Services extended protection feature will fail authentication. Reporting Services Extended Protection also requires an SSL certificate. For more information, see Configure SSL Connections on a Native Mode Report Server.

Important

By default, Reporting Services does not enable Extended Protection. The feature can be enabled by modifying the rsreportserver.config configuration file or by using WMI APIs to update the configuration file. SQL Server 2017 Reporting Services does not provide a user interface to modify or view extended protection settings. For more information, see the configuration settings section in this topic.

Common issues that occur because of changes in extended protection settings or incorrectly configured settings are not exposed with obvious error messages or dialog windows. Issues related to extended protection configuration and compatibility result in authentication failures and errors in the Reporting Services trace logs.

Important

Some data access technologies may not support extended protection. A data access technology is used to connect to SQL Server data sources and to the Reporting Services catalog database. Failure of a data access technology to support extended protection impacts Reporting Services in the following ways:

  • The SQL Server that runs the Reporting Services catalog database cannot have extended protection enabled, or the report server will not successfully connect to the catalog database and will return authentication errors.
  • SQL Servers that are used as Reporting Services report data sources cannot have extended protection enabled, or attempts by the report server to connect to the report data source will fail and return authentication errors.

The documentation for a data access technology should have information about its support for extended protection.

Upgrade

  • Upgrading a Reporting Services server to SQL Server 2017 adds configuration settings with default values to the rsreportserver.config file. If the settings were already present, the SQL Server 2017 installation preserves them in the rsreportserver.config file.

  • When the configuration settings are added to the rsreportserver.config configuration file, the default behavior is for the Reporting Services extended protection feature to be off, and you must enable the feature as described in this topic. For more information, see the configuration settings section in this topic.

  • The default value for the setting RSWindowsExtendedProtectionLevel is Off.

  • The default value for the setting RSWindowsExtendedProtectionScenario is Proxy.

  • SQL Server 2017 Upgrade Advisor does not verify that the operating system or the current installation of Reporting Services has Extended Protection support enabled.

What Reporting Services extended protection does not cover

The following feature areas and scenarios are not supported by the Reporting Services extended protection feature:

  • Authors of Reporting Services custom security extensions must add support for extended protection to their custom security extension.

  • Third-party components added to or used by a Reporting Services installation must be updated by the third-party vendor to support extended protection. For more information, contact the third-party vendor.

Deployment Scenarios and Recommendations

The following scenarios illustrate different deployments and topologies and the recommended configuration to secure them with Reporting Services Extended Protection.

Direct

This scenario describes directly connecting to a report server, for example, in an intranet environment.

Scenario: Direct SSL communication. The report server will enforce client to report server Channel Binding.
Scenario diagram: RS_ExtendedProtection_DirectSSL (1: Client application; 2: Report server)
How to secure:
  • Service Binding is not necessary because the SSL channel will be used for Channel Binding.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Direct.

Scenario: Direct HTTP communication. The report server will enforce client to report server Service Binding.
Scenario diagram: RS_ExtendedProtection_Direct (1: Client application; 2: Report server)
How to secure:
  • There is no SSL channel, therefore no enforcement of Channel Binding is possible.
  • Service Binding can be validated; however, it is not a complete defense without Channel Binding, and Service Binding on its own will only protect from basic threats.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Any.

Proxy and Network Load Balancing

Client applications connect to a device or software that performs SSL and passes the credentials through to the server for authentication, for example, in an extranet, Internet, or secure intranet. The client connects to a proxy, or all clients use a proxy.

The situation is the same when you are using a Network Load Balancing (NLB) device.

Scenario: HTTP communication. The report server will enforce client to report server Service Binding.
Scenario diagram: RS_ExtendedProtection_Indirect (1: Client application; 2: Report server; 3: Proxy)
How to secure:
  • There is no SSL channel, therefore no enforcement of Channel Binding is possible.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Any.
  • Note that the report server must be configured to know the name of the proxy server to make sure that service binding is correctly enforced.

Scenario: HTTP communication. The report server will enforce client to proxy Channel Binding and client to report server Service Binding.
Scenario diagram: RS_ExtendedProtection_Indirect_SSL (1: Client application; 2: Report server; 3: Proxy)
How to secure:
  • An SSL channel to the proxy is available, therefore channel binding to the proxy can be enforced.
  • Service Binding can also be enforced.
  • The proxy name must be known to the report server, and the report server administrator should either create a URL reservation for it with a host header, or configure the proxy name in the Windows registry entry BackConnectionHostNames.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Proxy.

Scenario: Indirect HTTPS communication with a secure proxy. The report server will enforce client to proxy Channel Binding and client to report server Service Binding.
Scenario diagram: RS_ExtendedProtection_IndirectSSLandHTTPS (1: Client application; 2: Report server; 3: Proxy)
How to secure:
  • An SSL channel to the proxy is available, therefore channel binding to the proxy can be enforced.
  • Service Binding can also be enforced.
  • The proxy name must be known to the report server, and the report server administrator should either create a URL reservation for it with a host header, or configure the proxy name in the Windows registry entry BackConnectionHostNames.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Proxy.

Gateway

This scenario describes client applications connecting to a device or software that performs SSL and authenticates the user. The device or software then impersonates the user context, or a different user context, before it makes a request to the report server.

Scenario: Indirect HTTP communication. The gateway will enforce client to gateway Channel Binding. There is a gateway to report server Service Binding.
Scenario diagram: RS_ExtendedProtection_Indirect_SSL (1: Client application; 2: Report server; 3: Gateway device)
How to secure:
  • Channel Binding from client to report server is not possible because the gateway impersonates a context and therefore creates a new NTLM token.
  • There is no SSL from the gateway to the report server, therefore channel binding cannot be enforced.
  • Service Binding can be enforced.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Any.
  • The gateway device should be configured by your administrator to enforce channel binding.

Scenario: Indirect HTTPS communication with a secure gateway. The gateway will enforce client to gateway Channel Binding, and the report server will enforce gateway to report server Channel Binding.
Scenario diagram: RS_ExtendedProtection_IndirectSSLandHTTPS (1: Client application; 2: Report server; 3: Gateway device)
How to secure:
  • Channel Binding from client to report server is not possible because the gateway impersonates a context and therefore creates a new NTLM token.
  • SSL from the gateway to the report server means channel binding can be enforced.
  • Service Binding is not required.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Direct.
  • The gateway device should be configured by your administrator to enforce channel binding.

Combination

This scenario describes extranet or Internet environments where the client connects to a proxy, in combination with an intranet environment where a client connects directly to the report server.

Scenario: Indirect and direct access from client to report server service, without SSL on either the client to proxy or the client to report server connection.
Scenario diagram: 1: Client application; 2: Report server; 3: Proxy; 4: Client application
How to secure:
  • Service Binding from client to report server can be enforced.
  • The proxy name must be known to the report server, and the report server administrator should either create a URL reservation for it with a host header, or configure the proxy name in the Windows registry entry BackConnectionHostNames.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Any.

Scenario: Indirect and direct access from client to report server, where the client establishes an SSL connection to the proxy or to the report server.
Scenario diagram: RS_ExtendedProtection_CombinationSSL (1: Client application; 2: Report server; 3: Proxy; 4: Client application)
How to secure:
  • Channel Binding can be used.
  • The proxy name must be known to the report server, and the report server administrator should either create a URL reservation for the proxy with a host header, or configure the proxy name in the Windows registry entry BackConnectionHostNames.
  • Set RSWindowsExtendedProtectionLevel to Allow or Require.
  • Set RSWindowsExtendedProtectionScenario to Proxy.

Configuring Reporting Services extended protection

The rsreportserver.config file contains the configuration values that control the behavior of Reporting Services extended protection.

For more information on using and editing the rsreportserver.config file, see RSReportServer Configuration File. The extended protection settings can also be changed and inspected by using WMI APIs. For more information, see SetExtendedProtectionSettings Method (WMI MSReportServer_ConfigurationSetting).

When validation of the configuration settings fails, the authentication types RSWindowsNTLM, RSWindowsKerberos, and RSWindowsNegotiate are disabled on the report server.

Configuration Settings for Reporting Services extended protection

The following table provides information about the extended protection configuration settings that appear in rsreportserver.config.

Setting: RSWindowsExtendedProtectionLevel
Description: Specifies the degree of enforcement of extended protection. Valid values are Off, Allow, and Require. The default value is Off.

  • The value Off specifies no channel binding or service binding verification.

  • The value Allow supports extended protection but does not require it. The value Allow specifies:
    - Extended protection will be enforced for client applications that are running on operating systems that support extended protection. How protection is enforced is determined by the setting RSWindowsExtendedProtectionScenario.
    - Authentication will be allowed for applications that are running on operating systems which do not support extended protection.

  • The value Require specifies:
    - Extended protection will be enforced for client applications that are running on operating systems that support extended protection.
    - Authentication will not be allowed for applications that are running on operating systems which do not support extended protection.

Setting: RSWindowsExtendedProtectionScenario
Description: Specifies which forms of extended protection are validated: channel binding, service binding, or both. Valid values are Any, Proxy, and Direct. The default value is Proxy.

  • The value Any specifies:
    - Windows NTLM, Kerberos, and Negotiate authentication; a channel binding is not required.
    - Service binding is enforced.

  • The value Proxy specifies:
    - Windows NTLM, Kerberos, and Negotiate authentication when a channel binding token is present.
    - Service binding is enforced.

  • The value Direct specifies:
    - Windows NTLM, Kerberos, and Negotiate authentication when a CBT is present, an SSL connection to the current service is present, and the CBT for the SSL connection matches the CBT of the NTLM, Kerberos, or Negotiate token.
    - Service binding is not enforced.

Note: This setting is ignored if RSWindowsExtendedProtectionLevel is set to Off.

Example entries in the rsreportserver.config configuration file (element names are case-sensitive, and each closing tag must match its opening tag):

<Authentication>
         <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
         <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
</Authentication>
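To see how the two settings interact, here is an added Python example (not Reporting Services code, and not from this page) that pre-checks an `<Authentication>` fragment like the one above before it is written to rsreportserver.config, and models the enforcement rules of the settings table for one authentication attempt. The function and class names, the three constructed fragments, and the reduction of "the client's operating system supports extended protection" to a single flag are assumptions made for illustration; the report server's own evaluation is not shown on this page.

```python
"""Pre-check for the <Authentication> fragment of rsreportserver.config and a model of
the RSWindowsExtendedProtectionLevel / RSWindowsExtendedProtectionScenario rules.
Added example, not Reporting Services code: authentication_allowed restates the
settings table; the report server's real evaluation is not shown on the page."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

VALID_LEVELS = ("Off", "Allow", "Require")
VALID_SCENARIOS = ("Any", "Proxy", "Direct")
EXPECTED_ELEMENTS = {
    "RSWindowsExtendedProtectionLevel": VALID_LEVELS,
    "RSWindowsExtendedProtectionScenario": VALID_SCENARIOS,
}


def check_authentication_fragment(fragment: str) -> list:
    """Return the problems found in an <Authentication> fragment; an empty list means OK."""
    try:
        root = ET.fromstring(fragment.strip())
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    problems = []
    if root.tag != "Authentication":
        problems.append(f"root element is <{root.tag}>, expected <Authentication>")
    for child in root:
        if child.tag in EXPECTED_ELEMENTS:
            value = (child.text or "").strip()
            if value not in EXPECTED_ELEMENTS[child.tag]:
                problems.append(f"<{child.tag}> has value {value!r}; "
                                f"valid values are {EXPECTED_ELEMENTS[child.tag]}")
        else:
            # XML element names are case-sensitive; catch e.g. RsWindows... for RSWindows...
            hint = next((n for n in EXPECTED_ELEMENTS if n.lower() == child.tag.lower()), None)
            if hint:
                problems.append(f"<{child.tag}> is not recognised; did you mean <{hint}>?")
    return problems


def load_settings(fragment: str) -> dict:
    """Parse the two extended protection settings, applying the documented defaults
    (Off, Proxy) for absent elements and raising ValueError on any problem."""
    problems = check_authentication_fragment(fragment)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(fragment.strip())
    return {
        "level": (root.findtext("RSWindowsExtendedProtectionLevel") or "Off").strip(),
        "scenario": (root.findtext("RSWindowsExtendedProtectionScenario") or "Proxy").strip(),
    }


@dataclass
class AuthAttempt:
    """Facts about one Windows (NTLM, Kerberos or Negotiate) authentication attempt."""
    client_supports_ep: bool  # client OS and authentication stack support extended protection
    cbt_present: bool         # a channel binding token accompanies the authentication token
    cbt_matches_ssl: bool     # an SSL connection to this service exists and its CBT matches
    spn_valid: bool           # the token's target SPN is in the application's valid SPN list


def authentication_allowed(level: str, scenario: str, attempt: AuthAttempt) -> bool:
    """Apply the settings table: Level decides whether anything is checked and what
    happens to clients without extended protection; Scenario decides what is checked."""
    if level == "Off":
        return True                      # no channel binding or service binding verification
    if not attempt.client_supports_ep:
        return level == "Allow"          # Allow admits such clients, Require rejects them
    if scenario == "Any":                # CBT not required, service binding enforced
        return attempt.spn_valid
    if scenario == "Proxy":              # CBT must be present, service binding enforced
        return attempt.cbt_present and attempt.spn_valid
    if scenario == "Direct":             # CBT must match this service's SSL; no service binding
        return attempt.cbt_present and attempt.cbt_matches_ssl
    raise ValueError(f"unknown scenario {scenario!r}")


# Constructed fragments: a correct one, one whose closing tag does not match its opening
# tag, and one with a value outside the documented set.
GOOD_FRAGMENT = """
<Authentication>
  <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
</Authentication>
"""
MISMATCHED_TAG_FRAGMENT = """
<Authentication>
  <RSWindowsExtendedProtectionLevel>Require</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Direct</RSWindowsExtendedProtectionLevel>
</Authentication>
"""
BAD_VALUE_FRAGMENT = """
<Authentication>
  <RSWindowsExtendedProtectionLevel>On</RSWindowsExtendedProtectionLevel>
</Authentication>
"""

if __name__ == "__main__":
    for name, frag in [("good", GOOD_FRAGMENT), ("mismatched tag", MISMATCHED_TAG_FRAGMENT),
                       ("bad value", BAD_VALUE_FRAGMENT)]:
        print(name, "->", check_authentication_fragment(frag) or "OK")
    settings = load_settings(GOOD_FRAGMENT)
    legacy_client = AuthAttempt(client_supports_ep=False, cbt_present=False,
                                cbt_matches_ssl=False, spn_valid=True)
    print(settings, "admits a client without extended protection:",
          authentication_allowed(settings["level"], settings["scenario"], legacy_client))
```

Running the file checks the three constructed fragments and then evaluates a client without extended protection against Allow/Proxy. Because the page says misconfiguration surfaces only as authentication failures in the trace log, a check of this kind belongs before the file is saved, not after users start reporting logon problems.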

Service Binding and included SPNs

Service binding uses Service Principal Names (SPNs) to validate the intended destination of authentication tokens. Reporting Services uses the existing URL reservation information to build a list of SPNs that are considered valid. Using the URL reservation information for validation of both SPNs and URL reservations enables system administrators to manage both from a single location.

The list of valid SPNs is updated when the report server starts, when the configuration settings for extended protection are changed, or when the application domain is recycled.

The list of valid SPNs is specific to each application. For example, Report Manager and Report Server will each have a different list of valid SPNs calculated.

The list of valid SPNs calculated for an application is determined by the following factors:

  • Each URL reservation.

  • Each SPN retrieved from the domain controller for the Reporting Services service account.

  • If a URL reservation includes wildcard characters ('*' or '+'), then Report Server will add each entry from the hosts collection.

Hosts collection sources

The following table lists the potential sources for the hosts collection.

Type of source and description:

ComputerNameDnsDomain: The name of the DNS domain assigned to the local computer. If the local computer is a node in a cluster, the DNS domain name of the cluster virtual server is used.
ComputerNameDnsFullyQualified: The fully qualified DNS name that uniquely identifies the local computer. This name is a combination of the DNS host name and the DNS domain name, using the form HostName.DomainName. If the local computer is a node in a cluster, the fully qualified DNS name of the cluster virtual server is used.
ComputerNameDnsHostname: The DNS host name of the local computer. If the local computer is a node in a cluster, the DNS host name of the cluster virtual server is used.
ComputerNameNetBIOS: The NetBIOS name of the local computer. If the local computer is a node in a cluster, the NetBIOS name of the cluster virtual server is used.
ComputerNamePhysicalDnsDomain: The name of the DNS domain assigned to the local computer. If the local computer is a node in a cluster, the DNS domain name of the local computer is used, not the name of the cluster virtual server.
ComputerNamePhysicalDnsFullyQualified: The fully qualified DNS name that uniquely identifies the computer. If the local computer is a node in a cluster, the fully qualified DNS name of the local computer is used, not the name of the cluster virtual server. The fully qualified DNS name is a combination of the DNS host name and the DNS domain name, using the form HostName.DomainName.
ComputerNamePhysicalDnsHostname: The DNS host name of the local computer. If the local computer is a node in a cluster, the DNS host name of the local computer is used, not the name of the cluster virtual server.
ComputerNamePhysicalNetBIOS: The NetBIOS name of the local computer. If the local computer is a node in a cluster, the NetBIOS name of the local computer is used, not the name of the cluster virtual server.

As SPNs are added, an entry is written to the trace log that resembles the following:

rshost!rshost!10a8!01/07/2010-19:29:38:: i INFO: SPN Whitelist Added <ComputerNamePhysicalNetBIOS> - <theservername>.

rshost!rshost!10a8!01/07/2010-19:29:38:: i INFO: SPN Whitelist Added <ComputerNamePhysicalDnsHostname> - <theservername>.
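The following added Python example (not Reporting Services code) works through the list-building rules above for one application: it takes the application's URL reservations, expands a wildcard host over a hosts collection populated from the source types in the table, merges in SPNs retrieved for the service account, and then performs the service binding check against a token's target SPN. It also parses the two trace lines quoted above so the list the server logs can be compared with the list you expect. The SPN form HTTP/<host>, all host and domain names, and the clustered-node hosts collection are constructed assumptions; the page does not state how the server formats its SPNs.

```python
"""Valid SPN list derivation for one Reporting Services application, the service binding
check against it, and parsing of the 'SPN Whitelist Added' trace entries.
Added example, not Reporting Services code. Assumptions: HTTP service SPNs take the
form HTTP/<host>; all names below are constructed."""
import re

URL_RESERVATION_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(?:/.*)?$", re.IGNORECASE)
TRACE_RE = re.compile(r"SPN Whitelist Added <(?P<source>\w+)> - <(?P<name>[^>]+)>")

# Constructed hosts collection for a clustered node. Per the table, the ComputerName*
# sources carry the cluster virtual server's names and the ComputerNamePhysical*
# sources the node's own names, so a wildcard reservation admits both.
HOSTS_COLLECTION = {
    "ComputerNameDnsDomain": "corp.example",
    "ComputerNameDnsFullyQualified": "rscluster.corp.example",
    "ComputerNameDnsHostname": "rscluster",
    "ComputerNameNetBIOS": "RSCLUSTER",
    "ComputerNamePhysicalDnsDomain": "corp.example",
    "ComputerNamePhysicalDnsFullyQualified": "rsnode01.corp.example",
    "ComputerNamePhysicalDnsHostname": "rsnode01",
    "ComputerNamePhysicalNetBIOS": "RSNODE01",
}


def reservation_hosts(reservations, hosts_collection):
    """Host names accepted for an application, one per URL reservation; a wildcard host
    ('*' or '+') contributes every entry of the hosts collection."""
    hosts = set()
    for url in reservations:
        match = URL_RESERVATION_RE.match(url)
        if not match:
            raise ValueError(f"unrecognised URL reservation: {url!r}")
        host = match.group(1)
        if host in ("*", "+"):
            hosts.update(h.lower() for h in hosts_collection.values())
        else:
            hosts.add(host.lower())
    return hosts


def valid_spns(reservations, dc_spns, hosts_collection=HOSTS_COLLECTION):
    """The application's valid SPN list: HTTP/<host> for each reservation host (assumed
    form) plus the SPNs registered on the service account at the domain controller."""
    spns = {f"HTTP/{host}" for host in reservation_hosts(reservations, hosts_collection)}
    spns.update(spn.strip() for spn in dc_spns)
    return spns


def service_binding_ok(token_target_spn, spns):
    """Service binding: the SPN the client built its token for must be in the list.
    Host names are case-insensitive, so compare case-insensitively."""
    return token_target_spn.lower() in {s.lower() for s in spns}


def parse_whitelist_entries(log_lines):
    """Extract (source type, host name) pairs from 'SPN Whitelist Added' trace lines."""
    entries = []
    for line in log_lines:
        match = TRACE_RE.search(line)
        if match:
            entries.append((match.group("source"), match.group("name")))
    return entries


# The two trace lines quoted on the page (<theservername> is the page's placeholder).
PAGE_TRACE_LINES = [
    "rshost!rshost!10a8!01/07/2010-19:29:38:: i INFO: SPN Whitelist Added "
    "<ComputerNamePhysicalNetBIOS> - <theservername>.",
    "rshost!rshost!10a8!01/07/2010-19:29:38:: i INFO: SPN Whitelist Added "
    "<ComputerNamePhysicalDnsHostname> - <theservername>.",
]

if __name__ == "__main__":
    # Constructed: one wildcard reservation plus one for a load balancer name in front.
    reservations = ["http://+:80/ReportServer", "https://reports.corp.example:443/ReportServer"]
    spns = valid_spns(reservations, ["HTTP/reportsalias.corp.example"])
    for spn in sorted(spns):
        print("valid:", spn)
    for target in ("HTTP/rsnode01", "HTTP/otherhost.corp.example"):
        print(target, "->", "accepted" if service_binding_ok(target, spns) else "rejected")
    print(parse_whitelist_entries(PAGE_TRACE_LINES))
```

The practical use is reconciliation: the names that appear in the trace log after a restart or configuration change should be exactly the set this derivation predicts for the reservations you configured. A proxy or load balancer name that is missing from both (see the BackConnectionHostNames and host-header guidance in the scenarios above) shows up here as a rejected target.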

For more information, see Register a Service Principal Name (SPN) for a Report Server and About URL Reservations and Registration (SSRS Configuration Manager).

See Also

Connect to the Database Engine Using Extended Protection
Extended Protection for Authentication Overview
Integrated Windows Authentication with Extended Protection
Microsoft Security Advisory: Extended Protection for Authentication
Report Server Service Trace Log
RSReportServer Configuration File
SetExtendedProtectionSettings Method (WMI MSReportServer_ConfigurationSetting)