Configure Certificate Templates for PEAP and EAP Requirements

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), and PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). Both client and server certificates have additional requirements.

Important

This topic provides instructions for configuring certificate templates. To use these instructions, you must have deployed your own Public Key Infrastructure (PKI) with Active Directory Certificate Services (AD CS).

Minimum server certificate requirements

With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the NPS must use a server certificate that meets the minimum server certificate requirements.

Client computers can be configured to validate server certificates by using the Validate server certificate option on the client computer or in Group Policy.

The client computer accepts the authentication attempt of the server when the server certificate meets the following requirements:

  • The Subject name contains a value. If you issue a certificate to your server running Network Policy Server (NPS) that has a blank Subject name, the certificate is not available to authenticate your NPS. To configure the certificate template with a Subject name:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Subject name format, select a value other than None.
  • The computer certificate on the server chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.

  • The computer certificate for the NPS or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)

  • Configure the server certificate with the required cryptography settings:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Cryptography tab and make sure to configure the following:
      • Provider Category: Key Storage Provider
      • Algorithm Name: RSA
      • Providers: Microsoft Platform Crypto Provider
      • Minimum key size: 2048
      • Hash Algorithm: SHA2
    4. Click Next.
  • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the Domain Name System (DNS) name of the enrolling server:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Include this information in alternate subject name, select DNS name.

When using PEAP and EAP-TLS, NPSs display a list of all installed certificates in the computer certificate store, with the following exceptions:

  • Certificates that do not contain the Server Authentication purpose in EKU extensions are not displayed.

  • Certificates that do not contain a Subject name are not displayed.

  • Registry-based and smart card logon certificates are not displayed.

For more information, see Deploy Server Certificates for 802.1X Wired and Wireless Deployments.

Minimum client certificate requirements

With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:

  • The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory Domain Services (AD DS).

  • The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy nor the Certificate object identifier checks that are specified in NPS network policy.

  • The 802.1X client does not use registry-based certificates that are either smart card logon or password-protected certificates.

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN). To configure the UPN in a certificate template:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Include this information in alternate subject name, select User principal name (UPN).
  • For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the fully qualified domain name (FQDN) of the client, which is also called the DNS name. To configure this name in the certificate template:

    1. Open Certificate Templates.
    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
    3. Click the Subject Name tab, and then click Build from this Active Directory information.
    4. In Include this information in alternate subject name, select DNS name.

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:

  • Wireless clients do not display registry-based and smart card logon certificates.

  • Wireless clients and VPN clients do not display password-protected certificates.

  • Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.
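As an added example (not part of this topic and not NPS code), the following PowerShell function audits a certificate from the Windows certificate store against the server requirements and the client requirements listed above, so you can see in advance which certificates NPS or a client will actually offer and why the rest are rejected. The function name, parameter names and the FQDN lookup are assumptions, and parsing the SAN extension assumes the English-locale text that Format() produces.

```powershell
# Added example (not from the original page): audit an X509Certificate2 against the
# server (NPS) or client requirements listed above. Function and parameter names are
# hypothetical; the EKU OIDs, key size and hash requirement come from the page.
function Test-EapCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('Server', 'Client')][string]$Role = 'Server',
        # Server FQDN, client FQDN or user UPN that must appear in the SAN extension
        [string]$ExpectedName
    )
    process {
        # 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
        $ekuOid = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
        $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        # Format() renders the SAN as "DNS Name=host, Other Name:Principal Name=upn" (English locale assumed)
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $checks = [ordered]@{
            'Subject name is not blank'   = -not [string]::IsNullOrWhiteSpace($Certificate.Subject)
            "EKU includes $ekuOid"        = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $ekuOid))
            'Chains to a trusted root CA' = $Certificate.Verify()   # CryptoAPI chain build and revocation check
            'RSA key of at least 2048'    = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
            'Signed with SHA-2'           = $Certificate.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)'
            'Private key is present'      = $Certificate.HasPrivateKey
        }
        if ($ExpectedName) {
            # Server and computer certificates need the DNS name; user certificates need the UPN
            $checks["SAN contains $ExpectedName"] = $sanText -match [regex]::Escape($ExpectedName)
        }
        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Usable     = ($checks.Values -notcontains $false)
            Failed     = ($checks.Keys | Where-Object { -not $checks[$_] }) -join '; '
        }
    }
}

# Usage on an NPS: show which machine-store certificates NPS could offer for PEAP/EAP-TLS
# and why the rest would be rejected. Resolving the FQDN through DNS is an assumption.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem Cert:\LocalMachine\My | Test-EapCertificate -Role Server -ExpectedName $fqdn |
    Format-Table Subject, Usable, Failed -AutoSize
```

To audit a user certificate on a client, pipe `Cert:\CurrentUser\My` into the function with `-Role Client -ExpectedName user@domain.example` so the SAN check looks for the UPN instead of the DNS name.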

For more information about NPS, see Network Policy Server (NPS).