Realm Names

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic for an overview of using realm names in Network Policy Server (NPS) connection request processing.

The User-Name RADIUS attribute is a character string that typically contains a user account location and a user account name. The user account location is also called the realm or realm name, and is synonymous with the concept of domain, including DNS domains, Active Directory® domains, and Windows NT 4.0 domains. For example, if a user account is located in the user accounts database for a domain named example.com, then example.com is the realm name.

In another example, if the User-Name RADIUS attribute contains the user name user1@example.com, user1 is the user account name and example.com is the realm name. Realm names can be presented in the user name as a prefix or as a suffix:

  • Example\user1. In this example, the realm name Example is a prefix, and it is also the name of an Active Directory® Domain Services (AD DS) domain.

  • user1@example.com. In this example, the realm name example.com is a suffix, and it is either a DNS domain name or the name of an AD DS domain.
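As an added example (not code from the original topic or from NPS), the following Python function splits a User-Name value into its account name and realm name, recognising the two forms described above: the prefix form (realm\account) and the suffix form (account@realm). A value with neither separator is treated as a bare account name with no realm. The sample User-Name values are constructed, and realm comparison ignores case because DNS and AD DS domain names are not case-sensitive.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample User-Name values in the forms the topic describes:
# prefix form (realm\account), suffix form (account@realm) and a bare name.
SAMPLE_USER_NAMES = ["Example\\user1", "user1@example.com", "user1"]

# Prefix form: realm, a single backslash, then the account name.
_PREFIX = re.compile(r"^(?P<realm>[^\\@]+)\\(?P<account>[^\\@]+)$")
# Suffix form: account name, '@', then the realm (a DNS or AD DS domain name).
_SUFFIX = re.compile(r"^(?P<account>[^\\@]+)@(?P<realm>[^\\@]+)$")


@dataclass(frozen=True)
class ParsedUserName:
    account: str
    realm: Optional[str]  # None when the User-Name carries no realm at all
    form: str             # "prefix", "suffix" or "none"


def parse_user_name(user_name: str) -> ParsedUserName:
    """Split a RADIUS User-Name into its account name and realm name."""
    m = _PREFIX.match(user_name)
    if m:
        return ParsedUserName(m["account"], m["realm"], "prefix")
    m = _SUFFIX.match(user_name)
    if m:
        return ParsedUserName(m["account"], m["realm"], "suffix")
    # No recognised separator: the whole string is the account name.
    return ParsedUserName(user_name, None, "none")


def realm_matches(parsed: ParsedUserName, realm: str) -> bool:
    """Compare realms case-insensitively; domain names are not case-sensitive."""
    return parsed.realm is not None and parsed.realm.casefold() == realm.casefold()


if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        print(f"{name!r:22} -> {parse_user_name(name)}")
```

Running the block prints the parsed form of each constructed sample; the same function is the natural first step when deciding which realm a connection request belongs to.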

You can use realm names configured in connection request policies while designing and deploying your RADIUS infrastructure to ensure that connection requests are routed from RADIUS clients, also called network access servers, to RADIUS servers that can authenticate and authorize the connection request.

When NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains.

To configure NPS to act as a RADIUS proxy and forward connection requests to untrusted domains, you must create a new connection request policy. In the new connection request policy, you must configure the User Name attribute with the realm name that will be contained in the User-Name attribute of the connection requests that you want to forward. You must also configure the connection request policy with a remote RADIUS server group. The connection request policy allows NPS to determine which connection requests to forward to the remote RADIUS server group based on the realm portion of the User-Name attribute.

Acquiring the realm name

The realm name portion of the user name is provided when the user types password-based credentials during a connection attempt, or when a Connection Manager (CM) profile on the user's computer is configured to provide the realm name automatically.

You can designate that users of your network provide their realm name when typing their credentials during network connection attempts.

For example, you can require users to type their user name, including the user account name and the realm name, in User name in the Connect dialog box when making a dial-up or virtual private network (VPN) connection.

In addition, if you create a custom dialing package with the Connection Manager Administration Kit (CMAK), you can assist users by adding the realm name automatically to the user account name in CM profiles that are installed on users' computers. For example, you can specify a realm name and user name syntax in the CM profile so that the user only has to specify the user account name when typing credentials. In this circumstance, the user does not need to know or remember the domain where their user account is located.

During the authentication process, after users type their password-based credentials, the user name is passed from the access client to the network access server. The network access server constructs a connection request and includes the realm name within the User-Name RADIUS attribute in the Access-Request message that is sent to the RADIUS proxy or server.

If the RADIUS server is an NPS server, the Access-Request message is evaluated against the set of configured connection request policies. Conditions on the connection request policy can include the specification of the contents of the User-Name attribute.

You can configure a set of connection request policies that are specific to the realm name within the User-Name attribute of incoming messages. This allows you to create routing rules that forward RADIUS messages with a specific realm name to a specific set of RADIUS servers when NPS is used as a RADIUS proxy.

Attribute manipulation rules

Before the RADIUS message is either processed locally (when NPS is being used as a RADIUS server) or forwarded to another RADIUS server (when NPS is being used as a RADIUS proxy), the User-Name attribute in the message can be modified by attribute manipulation rules. You can configure attribute manipulation rules for the User-Name attribute by selecting User name on the Conditions tab in the properties of a connection request policy. NPS attribute manipulation rules use regular expression syntax.

You can configure attribute manipulation rules for the User-Name attribute to change the following:

  • Remove the realm name from the user name (also known as realm stripping). For example, the user name user1@example.com is changed to user1.

  • Change the realm name but not its syntax. For example, the user name user1@example.com is changed to user1@wcoast.example.com.

  • Change the syntax of the realm name. For example, the user name example\user1 is changed to user1@example.com.

After the User-Name attribute is modified according to the attribute manipulation rules that you configure, additional settings of the first matching connection request policy are used to determine whether:

  • The NPS server processes the Access-Request message locally (when NPS is being used as a RADIUS server).

  • The NPS server forwards the message to another RADIUS server (when NPS is being used as a RADIUS proxy).
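The following Python script is an added example, not NPS code or the page's own, that models the processing order described above: the first connection request policy whose User name condition matches is selected, its attribute manipulation rules (regular-expression find/replace pairs, as in NPS) rewrite the User-Name, and the policy's settings decide whether the request is handled locally or forwarded to a remote RADIUS server group. The three rule types listed above (realm stripping, changing the realm, changing the realm syntax) each appear in one policy. When the rewritten name carries no realm, the script appends a default domain in prefix form, standing in for the NPS-supplied domain name this topic describes below; the policy names, the remote group name, the CORP domain and the partner.example realm are all constructed for this example, and case-insensitive matching is an assumption made here. Python writes regex back-references as \1 where the NPS Replace column uses $1.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption for this example: realm names are not case-sensitive, so every
# condition and manipulation rule below is matched ignoring case.
_FLAGS = re.IGNORECASE


@dataclass
class ConnectionRequestPolicy:
    name: str
    user_name_condition: str  # regex matched against the incoming User-Name
    # (find, replace) pairs applied in order, as NPS attribute manipulation rules are
    manipulation_rules: List[Tuple[str, str]] = field(default_factory=list)
    forward_to: Optional[str] = None  # remote RADIUS server group; None = process locally


# Constructed policy set, evaluated top to bottom; names and realms are made up.
POLICIES = [
    # Untrusted realm: change the realm syntax (prefix -> suffix) and forward it.
    ConnectionRequestPolicy(
        name="Forward partner.example",
        user_name_condition=r"^partner\\|@partner\.example$",
        manipulation_rules=[(r"^partner\\(.+)$", r"\1@partner.example")],
        forward_to="Partner RADIUS group",
    ),
    # Change the realm name but not its syntax.
    ConnectionRequestPolicy(
        name="West coast users",
        user_name_condition=r"^wc-.*@example\.com$",
        manipulation_rules=[(r"^wc-(.+)@example\.com$", r"\1@wcoast.example.com")],
    ),
    # Realm stripping for the local domain, in either syntax; authenticate locally.
    ConnectionRequestPolicy(
        name="Local default",
        user_name_condition=r".*",
        manipulation_rules=[(r"^(.+)@example\.com$", r"\1"), (r"^example\\(.+)$", r"\1")],
    ),
]

DEFAULT_DOMAIN = "CORP"  # constructed stand-in for the NPS server's own domain


def process_user_name(user_name, policies=POLICIES, default_domain=DEFAULT_DOMAIN):
    """Return (rewritten User-Name, matched policy name, remote group or None)."""
    for policy in policies:
        if not re.search(policy.user_name_condition, user_name, _FLAGS):
            continue  # conditions decide which policy applies; first match wins
        name = user_name
        for find, replace in policy.manipulation_rules:
            name = re.sub(find, replace, name, flags=_FLAGS)
        if "\\" not in name and "@" not in name:
            # No realm left after manipulation: supply the default domain.
            name = f"{default_domain}\\{name}"
        return name, policy.name, policy.forward_to
    raise LookupError(f"no connection request policy matched {user_name!r}")


if __name__ == "__main__":
    # Constructed incoming User-Name values.
    for incoming in ["partner\\user1", "wc-user2@example.com",
                     "user1@example.com", "example\\user3", "user4"]:
        rewritten, policy, group = process_user_name(incoming)
        action = f"forward to {group}" if group else "process locally"
        print(f"{incoming!r:24} -> {rewritten!r:28} [{policy}] {action}")
```

Policy order matters: the catch-all "Local default" policy must come last, otherwise its .* condition would claim every request before the realm-specific policies are evaluated, which is the same consideration that applies when ordering connection request policies in NPS.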

Configuring the NPS-supplied domain name

When the user name does not contain a domain name, NPS supplies one. By default, the NPS-supplied domain name is the domain of which the NPS server is a member. You can specify the NPS-supplied domain name through the following registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

Warning

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Some non-Microsoft network access servers delete or modify the domain name as specified by the user. As a result, the network access request is authenticated against the default domain, which might not be the domain for the user's account. To resolve this problem, configure your RADIUS servers to change the user name into the correct format with the accurate domain name.