Manage Certificates Used with NPS

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

If you deploy a certificate-based authentication method, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), or PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), you must enroll a server certificate on all of your NPS servers. The server certificate must:

  • Meet the minimum server certificate requirements described in Configure Certificate Templates for PEAP and EAP Requirements.

  • Be issued by a certification authority (CA) that is trusted by client computers. A CA is trusted when its certificate exists in the Trusted Root Certification Authorities certificate store for the current user and the local computer.

The following instructions assist in managing NPS server certificates in deployments where the trusted root CA is a third-party CA, such as Verisign, or a CA that you have deployed for your public key infrastructure (PKI) by using Active Directory Certificate Services (AD CS).
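As an added example (not from the original page), the following PowerShell checks each certificate in the NPS server's Local Computer personal store against the requirements just listed: a non-empty Subject, an associated private key, the Server Authentication enhanced key usage, a current validity period, and a chain that builds to a CA in the Trusted Root Certification Authorities store. Run it on the NPS server in an elevated session; the store paths and the EKU OID are standard Windows values, and the output format is my own.

```powershell
# Added example: check NPS server certificates against the basic PEAP/EAP requirements.
# Run on the NPS server in an elevated PowerShell session.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, shown as "Server Authentication" in the UI

function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        $problems = New-Object System.Collections.Generic.List[string]

        # The Subject name must not be empty.
        if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems.Add('Subject is empty') }

        # NPS needs the private key to complete the TLS handshake with the client.
        if (-not $Cert.HasPrivateKey) { $problems.Add('No private key is associated with the certificate') }

        # Collect the Enhanced Key Usage OIDs; Server Authentication must be among them.
        $ekus = @()
        foreach ($ext in $Cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        if ($ekus -notcontains $ServerAuthEku) { $problems.Add('Missing Server Authentication EKU') }

        # The certificate must be inside its validity period right now.
        $now = Get-Date
        if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems.Add('Outside validity period') }

        # Verify() builds the chain against the Local Computer Trusted Root store using the default
        # policy, which also performs an online revocation check; an unreachable CRL/OCSP endpoint
        # therefore shows up here as a failure as well.
        if (-not $Cert.Verify()) { $problems.Add('Chain does not validate (untrusted root, or revocation check failed)') }

        [pscustomobject]@{
            Subject    = $Cert.Subject
            Issuer     = $Cert.Issuer
            NotAfter   = $Cert.NotAfter
            Thumbprint = $Cert.Thumbprint
            Eligible   = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Evaluate every certificate in the Local Computer personal store, where NPS selects its
# server certificate, and list the usable ones first.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-NpsServerCertificate |
    Sort-Object Eligible -Descending |
    Format-Table Subject, NotAfter, Eligible, Problems -AutoSize
```

Because `Verify()` includes revocation checking, run this from the NPS server itself so that the result reflects what the server can actually reach; a certificate that passes on an administrator's workstation but fails here points at CRL or OCSP connectivity rather than at the certificate.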

Change the Cached TLS Handle Expiry

During the initial authentication process for EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2, the NPS server caches a portion of the connecting client's TLS connection properties. The client also caches a portion of the NPS server's TLS connection properties.

Each individual collection of these TLS connection properties is called a TLS handle.

Client computers can cache the TLS handles for multiple authenticators, while NPS servers can cache the TLS handles of many client computers.

The cached TLS handles on the client and server allow the reauthentication process to occur more rapidly. For example, when a wireless computer reauthenticates with an NPS server, the NPS server can examine the TLS handle for the wireless client and quickly determine that the client connection is a reconnect. The NPS server authorizes the connection without performing full authentication.

Correspondingly, the client examines the TLS handle for the NPS server, determines that it is a reconnect, and does not need to perform server authentication.

On computers running Windows 10 and Windows Server 2016, the default TLS handle expiry is 10 hours.

In some circumstances, you might want to increase or decrease the TLS handle expiry time.

For example, you might want to decrease the TLS handle expiry time where an administrator has revoked a user's certificate, or the certificate has expired. In this scenario the user can still connect to the network as long as an NPS server holds a cached TLS handle for that client that has not expired, because a reconnect bypasses the full authentication in which the certificate would be rejected. Reducing the TLS handle expiry shortens the window in which such users can reconnect with a revoked or expired certificate.

Note

The best solution to this scenario is to disable the user account in Active Directory, or to remove the user account from the Active Directory group that is granted permission to connect to the network in network policy. The propagation of these changes to all domain controllers might also be delayed, however, due to replication latency.

Configure the TLS Handle Expiry Time on Client Computers

You can use this procedure to change the amount of time that client computers cache the TLS handle of an NPS server. After successfully authenticating an NPS server, client computers cache the TLS connection properties of the NPS server as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

Important

This procedure must be performed on an NPS server, not on a client computer.

To configure the TLS handle expiry time on client computers

  1. On an NPS server, open Registry Editor.

  2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.

  3. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

  4. Type ClientCacheTime, and then press ENTER. ClientCacheTime is a REG_DWORD value directly under the SCHANNEL key, not a subkey of its own.

  5. Double-click ClientCacheTime, and under Base click Decimal.

  6. Type the amount of time, in milliseconds, that you want client computers to cache the TLS handle of an NPS server after the first successful authentication of the NPS server, and then click OK.

Configure the TLS Handle Expiry Time on NPS Servers

Use this procedure to change the amount of time that NPS servers cache the TLS handle of client computers. After successfully authenticating an access client, NPS servers cache the TLS connection properties of the client computer as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

Important

This procedure must be performed on an NPS server, not on a client computer.

To configure the TLS handle expiry time on NPS servers

  1. On an NPS server, open Registry Editor.

  2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL.

  3. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

  4. Type ServerCacheTime, and then press ENTER. ServerCacheTime is a REG_DWORD value directly under the SCHANNEL key, not a subkey of its own.

  5. Double-click ServerCacheTime, and under Base click Decimal.

  6. Type the amount of time, in milliseconds, that you want NPS servers to cache the TLS handle of a client computer after the first successful authentication of the client, and then click OK.
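The two Registry Editor procedures above (ClientCacheTime for the client-side cache, ServerCacheTime for the server-side cache) can be scripted. The following PowerShell is an added example, not part of the original page: it reads the effective lifetime of each value, treating an absent value as the documented 10-hour default, and writes a new REG_DWORD value in milliseconds. In Schannel, ClientCacheTime governs the cache for connections where the machine is the TLS client and ServerCacheTime where it is the TLS server; the page directs you to set both on the NPS server. The one-hour example value and the service restart at the end are my own choices.

```powershell
# Added example: read and set the Schannel TLS handle cache lifetimes edited by hand above.
# Run in an elevated PowerShell session on the NPS server.
$SchannelKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$DefaultCacheMs = 36000000    # 10 hours: the documented default when the value is not set

function Get-TlsHandleExpiry {
    # Returns the effective lifetime of ClientCacheTime or ServerCacheTime.
    param([Parameter(Mandatory)][ValidateSet('ClientCacheTime', 'ServerCacheTime')][string]$Name)

    $props = Get-ItemProperty -Path $SchannelKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        $ms = $DefaultCacheMs
        $source = 'default (value not present)'
    } else {
        # REG_DWORD is unsigned, but PowerShell surfaces it as Int32; undo the wrap for large values.
        $ms = [int64]$props.$Name
        if ($ms -lt 0) { $ms += 4294967296 }
        $source = 'registry'
    }
    [pscustomobject]@{
        Name         = $Name
        Milliseconds = $ms
        Lifetime     = [TimeSpan]::FromMilliseconds($ms)
        Source       = $source
    }
}

function Set-TlsHandleExpiry {
    # Creates or overwrites the REG_DWORD value under the SCHANNEL key (never a subkey).
    param(
        [Parameter(Mandatory)][ValidateSet('ClientCacheTime', 'ServerCacheTime')][string]$Name,
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$Milliseconds
    )
    if (-not (Test-Path -Path $SchannelKey)) { throw "Schannel key not found: $SchannelKey" }
    New-ItemProperty -Path $SchannelKey -Name $Name -PropertyType DWord -Value $Milliseconds -Force | Out-Null
    Get-TlsHandleExpiry -Name $Name
}

# Show the current settings for both sides.
'ClientCacheTime', 'ServerCacheTime' |
    ForEach-Object { Get-TlsHandleExpiry -Name $_ } |
    Format-Table Name, Milliseconds, Lifetime, Source -AutoSize

# Example: shorten the server-side cache to 1 hour (3,600,000 ms), so a client whose
# certificate was revoked can reconnect on a cached handle for at most an hour instead of ten.
Set-TlsHandleExpiry -Name ServerCacheTime -Milliseconds 3600000

# Restart NPS (service name IAS) so the running service picks up the change; that a restart is
# sufficient is an assumption here, and a reboot is the conservative option.
Restart-Service -Name IAS
```

The value is interpreted in milliseconds, so a typo that drops three zeros turns ten hours into thirty-six seconds; printing the `Lifetime` column after every change makes such a mistake obvious before the next reauthentication storm does.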

Obtain the SHA-1 Hash of a Trusted Root CA Certificate

Use this procedure to obtain the Secure Hash Algorithm (SHA-1) hash of a trusted root certification authority (CA) certificate that is installed on the local computer. In some circumstances, such as when deploying Group Policy, it is necessary to designate a certificate by using its SHA-1 hash. This hash, shown in the Thumbprint field of the Certificates snap-in, is computed by Windows over the encoded certificate and serves only to identify that certificate; it is unrelated to the signature algorithm the certificate itself uses.

When using Group Policy, you can designate one or more trusted root CA certificates that clients must use in order to authenticate the NPS server during the process of mutual authentication with EAP or PEAP. To designate a trusted root CA certificate that clients must use to validate the server certificate, you can enter the SHA-1 hash of the certificate.

This procedure demonstrates how to obtain the SHA-1 hash of a trusted root CA certificate by using the Certificates Microsoft Management Console (MMC) snap-in.

To complete this procedure, you must be a member of the Users group on the local computer.

To obtain the SHA-1 hash of a trusted root CA certificate

  1. In the Run dialog box or Windows PowerShell, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens. In the MMC, click File, and then click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

  2. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The Certificates snap-in wizard opens. Click Computer account, and then click Next.

  3. In Select Computer, ensure that Local computer (the computer this console is running on) is selected, click Finish, and then click OK.

  4. In the left pane, double-click Certificates (Local Computer), and then double-click the Trusted Root Certification Authorities folder.

  5. The Certificates folder is a subfolder of the Trusted Root Certification Authorities folder. Click the Certificates folder.

  6. In the details pane, browse to the certificate for your trusted root CA. Double-click the certificate. The Certificate dialog box opens.

  7. In the Certificate dialog box, click the Details tab.

  8. In the list of fields, scroll to and select Thumbprint.

  9. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is displayed. Select the SHA-1 hash, and then press CTRL+C to copy the hash to the Windows clipboard.

  10. Open the location into which you want to paste the SHA-1 hash, place the cursor correctly, and then press CTRL+V.
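The same thumbprint can be obtained without the snap-in. The following PowerShell is an added example, not from the original page: it locates a root CA certificate in the Local Computer Trusted Root Certification Authorities store, recomputes SHA-1 over the DER-encoded certificate to show that this is exactly what the Thumbprint field contains, and copies the value to the clipboard as step 9 does. The subject filter `CN=Contoso Root CA*` is an assumed name; replace it with your CA's subject.

```powershell
# Added example: get the SHA-1 thumbprint of a trusted root CA certificate from the
# Local Computer store and confirm it is the SHA-1 hash of the DER-encoded certificate.
function Get-TrustedRootThumbprint {
    param(
        # Wildcard match on the Subject; 'CN=Contoso Root CA*' below is an assumed name.
        [Parameter(Mandatory)][string]$SubjectLike
    )
    $found = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $SubjectLike })
    if ($found.Count -eq 0) {
        throw "No certificate in Trusted Root Certification Authorities matches '$SubjectLike'"
    }
    if ($found.Count -gt 1) {
        # A renewed root CA certificate often sits next to the old one; choose explicitly rather than guess.
        $list = ($found | ForEach-Object { "  $($_.Thumbprint)  expires $($_.NotAfter)" }) -join "`n"
        throw "'$SubjectLike' matched $($found.Count) certificates; narrow the filter:`n$list"
    }
    $cert = $found[0]

    # The thumbprint is not a field inside the certificate: Windows computes SHA-1 over the
    # DER encoding (RawData). Recomputing it here proves the Thumbprint property is that hash.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $computed = ($sha1.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $sha1.Dispose()
    }
    if ($computed -ne $cert.Thumbprint) {
        throw "Computed SHA-1 $computed does not match Thumbprint $($cert.Thumbprint)"
    }

    [pscustomobject]@{
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        Thumbprint       = $cert.Thumbprint                               # 40 hex digits, no separators
        ThumbprintSpaced = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ')  # "xx xx xx ..." byte-pair form
    }
}

$root = Get-TrustedRootThumbprint -SubjectLike 'CN=Contoso Root CA*'
$root | Format-List

# Put the hash on the clipboard, ready to paste into the Group Policy setting (step 10 above).
$root.Thumbprint | Set-Clipboard
```

Because the thumbprint identifies one specific certificate, a renewed root CA certificate gets a new thumbprint even when the CA keeps its key pair; any Group Policy that pins the old value must be updated, or clients will stop trusting NPS servers whose chain ends at the renewed root.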

For more information about certificates and NPS, see Configure Certificate Templates for PEAP and EAP Requirements.

For more information about NPS, see Network Policy Server (NPS).