Authentication Policies and Authentication Policy Silos

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional describes authentication policy silos and the policies that can restrict accounts to those silos. It also explains how authentication policies can be used to restrict the scope of accounts.

Authentication policy silos and the accompanying policies provide a way to contain high-privilege credentials to systems that are only pertinent to selected users, computers, or services. Silos can be defined and managed in Active Directory Domain Services (AD DS) by using the Active Directory Administrative Center and the Active Directory Windows PowerShell cmdlets.

Authentication policy silos are containers to which administrators can assign user accounts, computer accounts, and service accounts. Sets of accounts can then be managed by the authentication policies that have been applied to that container. This reduces the need for the administrator to track access to resources for individual accounts, and helps prevent malicious users from accessing other resources through credential theft.

Capabilities introduced in Windows Server 2012 R2 allow you to create authentication policy silos, which host a set of high-privilege users. You can then assign authentication policies to this container to limit where privileged accounts can be used in the domain. When accounts are also members of the Protected Users security group, additional controls are applied, such as the exclusive use of the Kerberos protocol.

With these capabilities, you can limit high-value account usage to high-value hosts. For example, you could create a new Forest Administrators silo that contains the enterprise, schema, and domain administrators. Then you could configure the silo with an authentication policy so that password- and smart card-based authentication from systems other than domain controllers and domain administrator consoles would fail.
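The Forest Administrators scenario above, carried out with the ActiveDirectory PowerShell cmdlets. This is an added example, not code from the original page: the silo name (ForestAdmins), the policy name (ForestAdminsPolicy), the account and host names, and the 240-minute TGT lifetime are assumptions. The script deliberately leaves both objects in audit mode so the audit events can be reviewed before enforcement is switched on.

```powershell
# Added example: build the Forest Administrators silo described above with the
# ActiveDirectory module. Not code from the original page. Assumed names:
# ForestAdmins (silo), ForestAdminsPolicy (policy), the sample accounts and hosts.
# Run as a Domain Admin in a Windows Server 2012 R2 or later domain.
Import-Module ActiveDirectory

$siloName   = 'ForestAdmins'
$policyName = 'ForestAdminsPolicy'
$adminUsers = 'ent-admin-01', 'schema-admin-01', 'dom-admin-01'   # assumed sAMAccountNames
$adminHosts = 'DC01', 'DC02', 'ADMINWS01'                          # assumed DCs + admin console

# 1. Policy. UserAllowedToAuthenticateFrom is an SDDL string carrying a conditional
#    ACE: the device whose TGT armors the AS-REQ must itself carry the
#    AuthenticationSilo claim for this silo, so only silo member hosts qualify.
#    UserTGTLifetimeMins yields a non-renewable TGT. No -Enforce: audit mode first.
$fromCondition = "O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Forest admin accounts: sign-in only from silo member hosts' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromCondition `
    -ProtectedFromAccidentalDeletion $true

# 2. Silo, also in audit mode, with the policy bound to its user members.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ProtectedFromAccidentalDeletion $true

# 3. Membership is a two-way link: the silo must grant access to the account
#    (msDS-AuthNPolicySiloMembers) AND the account must be assigned to the silo
#    (msDS-AssignedAuthNPolicySilo). Hosts are members too, so they receive the
#    silo claim that the condition above tests. Computer accounts get no TGT lifetime.
foreach ($u in $adminUsers) {
    $acct = Get-ADUser -Identity $u
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
    Set-ADUser -Identity $acct -AuthenticationPolicySilo $siloName
    # The page recommends that silo users also be in Protected Users (Kerberos only, no NTLM).
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct
}
foreach ($h in $adminHosts) {
    $acct = Get-ADComputer -Identity $h
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
    Set-ADComputer -Identity $acct -AuthenticationPolicySilo $siloName
}

# 4. Review what was created. Members come back as distinguished names.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties * |
    Select-Object Name, Enforce, UserAuthenticationPolicy, Members

# 5. Only after the audit-mode events (305/306 in the
#    AuthenticationPolicyFailures-DomainController log) show no unexpected
#    denials, turn enforcement on for both objects:
# Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
# Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
```

Two things bite in practice: forgetting either half of the membership link (Grant- without Set-, or the reverse) means the silo claim is never issued, and enforcing the policy before the admin consoles are silo members locks the administrators out of every host except the domain controllers.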

For information about configuring authentication policy silos and authentication policies, see How to Configure Protected Accounts.

About authentication policy silos

An authentication policy silo controls which accounts can be restricted by the silo and defines the authentication policies to apply to its members. You can create silos based on the requirements of your organization. Silos are Active Directory objects for users, computers, and services, as defined by the schema in the following table.

Active Directory schema for authentication policy silos

Display Name | Description
Authentication Policy Silo | An instance of this class defines authentication policies and related behaviors for assigned users, computers, and services.
Authentication Policy Silos | A container of this class can contain authentication policy silo objects.
Authentication Policy Silo Enforced | Specifies whether the authentication policy silo is enforced. When not enforced, the silo is by default in audit mode: events that indicate potential successes and failures are generated, but protections are not applied to the system.
Assigned Authentication Policy Silo Backlink | This attribute is the back link for msDS-AssignedAuthNPolicySilo.
Authentication Policy Silo Members | Specifies which principals are assigned to the AuthNPolicySilo.
Authentication Policy Silo Members Backlink | This attribute is the back link for msDS-AuthNPolicySiloMembers.

Authentication policy silos can be configured by using the Active Directory Administrative Center or Windows PowerShell. For more information, see How to Configure Protected Accounts.

About authentication policies

An authentication policy defines the Kerberos protocol ticket-granting ticket (TGT) lifetime properties and the authentication access control conditions for an account type. The policy is built on, and controls, the AD DS container known as the authentication policy silo.

Authentication policies control the following:

  • The TGT lifetime for the account, which is set to be non-renewable.

  • The criteria that device accounts need to meet to sign in with a password or a certificate.

  • The criteria that users and devices need to meet to authenticate to services running as the account.

The Active Directory account type determines the caller's role as one of the following:

  • User

    Users should always be members of the Protected Users security group, which by default rejects attempts to authenticate by using NTLM.

    Policies can be configured to set the TGT lifetime of a user account to a shorter value, or to restrict the devices to which a user account can sign in. Rich expressions can be configured in the authentication policy to control the criteria that users and their devices need to meet to authenticate to the service.

    For more information, see Protected Users Security Group.

  • Service

    Standalone managed service accounts, group managed service accounts, or a custom account object derived from these two types of service accounts are used. Policies can set device access control conditions, which restrict managed service account credentials to specific devices that have an Active Directory identity. Services should never be members of the Protected Users security group, because all incoming authentication will fail.

  • Computer

    The computer account object, or a custom account object derived from the computer account object, is used. Policies can set the access control conditions that are required to allow authentication to the account based on user and device properties. Computers should never be members of the Protected Users security group, because all incoming authentication will fail. By default, attempts to use NTLM authentication are rejected. A TGT lifetime should not be configured for computer accounts.

Note

It is possible to set an authentication policy on a set of accounts without associating the policy with an authentication policy silo. You can use this strategy when you have a single account to protect.

Active Directory schema for authentication policies

The policies for the Active Directory objects for users, computers, and services are defined by the schema in the following table.

Type | Display Name | Description
Policy | Authentication Policy | An instance of this class defines authentication policy behaviors for assigned principals.
Policy | Authentication Policies | A container of this class can contain authentication policy objects.
Policy | Authentication Policy Enforced | Specifies whether this authentication policy is enforced. When not enforced, the policy is by default in audit mode: events that indicate potential successes and failures are generated, but protections are not applied to the system.
Policy | Assigned Authentication Policy Backlink | This attribute is the back link for msDS-AssignedAuthNPolicy.
Policy | Assigned Authentication Policy | Specifies which AuthNPolicy should be applied to this principal.
User | User Authentication Policy | Specifies which AuthNPolicy should be applied to users who are assigned to this silo object.
User | User Authentication Policy Backlink | This attribute is the back link for msDS-UserAuthNPolicy.
User | ms-DS-User-Allowed-To-Authenticate-To | This attribute is used to determine the set of principals that are allowed to authenticate to a service running under the user account.
User | ms-DS-User-Allowed-To-Authenticate-From | This attribute is used to determine the set of devices to which a user account has permission to sign in.
User | User TGT Lifetime | Specifies the maximum age of a Kerberos TGT that is issued to a user (expressed in seconds). Resultant TGTs are non-renewable.
Computer | Computer Authentication Policy | Specifies which AuthNPolicy should be applied to computers that are assigned to this silo object.
Computer | Computer Authentication Policy Backlink | This attribute is the back link for msDS-ComputerAuthNPolicy.
Computer | ms-DS-Computer-Allowed-To-Authenticate-To | This attribute is used to determine the set of principals that are allowed to authenticate to a service running under the computer account.
Computer | Computer TGT Lifetime | Specifies the maximum age of a Kerberos TGT that is issued to a computer (expressed in seconds). Changing this setting is not recommended.
Service | Service Authentication Policy | Specifies which AuthNPolicy should be applied to services that are assigned to this silo object.
Service | Service Authentication Policy Backlink | This attribute is the back link for msDS-ServiceAuthNPolicy.
Service | ms-DS-Service-Allowed-To-Authenticate-To | This attribute is used to determine the set of principals that are allowed to authenticate to a service running under the service account.
Service | ms-DS-Service-Allowed-To-Authenticate-From | This attribute is used to determine the set of devices to which a service account has permission to sign in.
Service | Service TGT Lifetime | Specifies the maximum age of a Kerberos TGT that is issued to a service (expressed in seconds).

Authentication policies can be configured for each silo by using the Active Directory Administrative Center or Windows PowerShell. For more information, see How to Configure Protected Accounts.
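A read-only report that walks the silo and policy objects through the attributes in the two schema tables above, including both directions of each silo link. This is an added example, not code from the page; it assumes only the ActiveDirectory module and read access to the configuration partition. The friendly property names (Enforce, UserTGTLifetimeMins, UserAllowedToAuthenticateFrom, and so on) are those the Get-ADAuthenticationPolicy and Get-ADAuthenticationPolicySilo cmdlets expose; the LDAP names in the comments are the underlying attributes from the tables.

```powershell
# Added example: report every authentication policy and silo, its enforcement
# state, the stored conditions, and any half-configured silo membership.
# Not code from the original page; read-only; requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AuthNPolicyReport {
    # One row per policy: enforcement state, TGT lifetimes, the SDDL conditions,
    # and the accounts linked directly to the policy (no silo) via the backlink.
    foreach ($p in Get-ADAuthenticationPolicy -Filter * -Properties *) {
        [pscustomobject]@{
            Policy          = $p.Name
            Enforced        = [bool]$p.Enforce            # msDS-AuthNPolicyEnforced
            UserTGTMins     = $p.UserTGTLifetimeMins      # msDS-UserTGTLifetime
            ComputerTGTMins = $p.ComputerTGTLifetimeMins  # the page says: leave unset
            ServiceTGTMins  = $p.ServiceTGTLifetimeMins
            UserFrom        = $p.UserAllowedToAuthenticateFrom
            UserTo          = $p.UserAllowedToAuthenticateTo
            ComputerTo      = $p.ComputerAllowedToAuthenticateTo
            ServiceFrom     = $p.ServiceAllowedToAuthenticateFrom
            ServiceTo       = $p.ServiceAllowedToAuthenticateTo
            DirectLinks     = @($p.'msDS-AssignedAuthNPolicyBL')   # back link for msDS-AssignedAuthNPolicy
        }
    }
}

function Get-AuthNSiloReport {
    # A principal is only effectively in a silo when both directions of the link exist:
    #   silo -> principal : msDS-AuthNPolicySiloMembers  (Grant-ADAuthenticationPolicySiloAccess)
    #   principal -> silo : msDS-AssignedAuthNPolicySilo (Set-ADUser/-ADComputer/-ADServiceAccount)
    # The silo object shows the second direction through its backlink attribute.
    foreach ($s in Get-ADAuthenticationPolicySilo -Filter * -Properties *) {
        $granted  = @($s.'msDS-AuthNPolicySiloMembers')
        $assigned = @($s.'msDS-AssignedAuthNPolicySiloBL')
        [pscustomobject]@{
            Silo               = $s.Name
            Enforced           = [bool]$s.Enforce        # msDS-AuthNPolicySiloEnforced
            UserPolicy         = $s.UserAuthenticationPolicy
            ComputerPolicy     = $s.ComputerAuthenticationPolicy
            ServicePolicy      = $s.ServiceAuthenticationPolicy
            EffectiveMembers   = @($granted  | Where-Object { $assigned -contains $_ })
            GrantedNotAssigned = @($granted  | Where-Object { $assigned -notcontains $_ })  # silo claim never issued
            AssignedNotGranted = @($assigned | Where-Object { $granted  -notcontains $_ })  # assignment has no effect
        }
    }
}

Get-AuthNPolicyReport | Format-List
Get-AuthNSiloReport   | Format-List

# Findings worth acting on: an unenforced silo or policy only produces audit events
# and applies no restriction, and a half-linked member is not protected at all.
Get-AuthNSiloReport |
    Where-Object { -not $_.Enforced -or $_.GrantedNotAssigned -or $_.AssignedNotGranted } |
    Format-List Silo, Enforced, GrantedNotAssigned, AssignedNotGranted
```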

How it works

This section describes how authentication policy silos and authentication policies work in conjunction with the Protected Users security group and the implementation of the Kerberos protocol in Windows.

Protected accounts

The Protected Users security group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains whose primary domain controller runs Windows Server 2012 R2. Depending on the domain functional level of the account, members of the Protected Users security group are further protected because of changes in the authentication methods that are supported in Windows.

  • A member of the Protected Users security group cannot authenticate by using NTLM, Digest Authentication, or CredSSP default credential delegation. On a device running Windows 8.1 that uses any one of these Security Support Providers (SSPs), authentication to a domain will fail when the account is a member of the Protected Users security group.

  • The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES encryption types.

  • The user's account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users security group.

  • The default Kerberos TGT lifetime of four hours is configurable by using authentication policies and silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours have passed, the user must authenticate again.

For more information about this security group, see How the Protected Users group works.

Silos and authentication policies

Authentication policy silos and authentication policies use the existing Windows authentication infrastructure. The use of the NTLM protocol is rejected, and the Kerberos protocol with newer encryption types is used. Authentication policies complement the Protected Users security group by providing a way to apply configurable restrictions to accounts, and by extending those restrictions to service and computer accounts. Authentication policies are enforced during the Kerberos protocol authentication service (AS) or ticket-granting service (TGS) exchange. For more information about how Windows uses the Kerberos protocol, and what changes have been made to support authentication policy silos and authentication policies, see:

How the Kerberos protocol is used with authentication policy silos and policies

When a domain account is linked to an authentication policy silo and the user signs in, the Security Accounts Manager adds a claim of type Authentication Policy Silo whose value is the silo. This claim on the account provides access to the targeted silo.

When an authentication policy is enforced and the authentication service request for a domain account is received on the domain controller, the domain controller returns a non-renewable TGT with the configured lifetime (unless the domain TGT lifetime is shorter).

Note

The domain account must have a configured TGT lifetime and must be either directly linked to the policy or indirectly linked through silo membership.

When an authentication policy is in audit mode and the authentication service request for a domain account is received on the domain controller, the domain controller checks whether authentication is allowed from the device so that it can log a warning if the check fails. An audited authentication policy does not alter the process, so authentication requests will not fail if they do not meet the requirements of the policy.

Note

The domain account must be either directly linked to the policy or indirectly linked through silo membership.

When an authentication policy is enforced and an armored authentication service request for a domain account is received on the domain controller, the domain controller checks whether authentication is allowed from that device. If the check fails, the domain controller returns an error message and logs an event.

Note

The domain account must be either directly linked to the policy or indirectly linked through silo membership.

When an authentication policy is in audit mode and a ticket-granting service request for a domain account is received by the domain controller, the domain controller checks whether authentication is allowed based on the Privilege Attribute Certificate (PAC) data in the request's ticket, and it logs a warning message if the check fails. The PAC contains various types of authorization data, including the groups that the user is a member of, the rights the user has, and the policies that apply to the user. This information is used to generate the user's access token. If the authentication policy is enforced and controls which users, devices, or services may authenticate, the domain controller checks whether authentication is allowed based on the request's ticket PAC data. If the check fails, the domain controller returns an error message and logs an event.

Note

The domain account must be either directly linked, or linked through silo membership, to an authentication policy that controls which users, devices, or services may authenticate to it.

You can use a single authentication policy for all members of a silo, or you can use separate policies for users, computers, and managed service accounts.

Authentication policies can be configured for each silo by using the Active Directory Administrative Center or Windows PowerShell. For more information, see How to Configure Protected Accounts.

How restricting a user sign-in works

Because these authentication policies are applied to an account, they also apply to accounts that are used by services. This is useful if you want to limit the use of a service's password to specific hosts. For example, group managed service accounts are configured with the set of hosts that are allowed to retrieve the password from Active Directory Domain Services. However, that password can then be used from any host for initial authentication. By applying an access control condition, you add a further layer of protection by limiting use of the password to the set of hosts that can retrieve it.
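The gMSA case in the paragraph above, as an added example (not code from the original page). It assumes a gMSA named svc-web whose PrincipalsAllowedToRetrieveManagedPassword is already populated; the policy name is made up. The hosts that may retrieve the password are turned into a Member_of_any condition on ServiceAllowedToAuthenticateFrom, and the policy is linked directly to the account, which the Note above says is fine for a single account.

```powershell
# Added example: restrict a gMSA so its password can only be used for initial
# authentication from the hosts that are allowed to retrieve it. Not code from the
# original page; svc-web is an assumed gMSA name and the policy name is made up.
Import-Module ActiveDirectory

$gmsaName   = 'svc-web'
$policyName = "$gmsaName-HostRestriction"

$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$principals = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)   # DNs of a group and/or hosts
if ($principals.Count -eq 0) { throw "$gmsaName has no PrincipalsAllowedToRetrieveManagedPassword" }

# Resolve each DN to a SID. Member_of_any is evaluated against the token of the
# device whose TGT armors the AS-REQ, so a group SID or a host's own SID both match.
$sidList = ($principals | ForEach-Object {
    (Get-ADObject -Identity $_ -Properties objectSid).objectSid.Value
} | ForEach-Object { "SID($_)" }) -join ', '

$fromCondition = "O:SYG:SYD:(XA;OI;CR;;;WD;(Member_of_any {$sidList}))"

# No -Enforce: the policy starts in audit mode and only logs 305 events until enforced.
New-ADAuthenticationPolicy -Name $policyName `
    -Description "Initial authentication as $gmsaName only from hosts that can retrieve its password" `
    -ServiceAllowedToAuthenticateFrom $fromCondition `
    -ProtectedFromAccidentalDeletion $true

# Single account: link the policy directly, no silo needed.
# Do NOT add the gMSA to Protected Users; the page notes that breaks all inbound authentication.
Set-ADServiceAccount -Identity $gmsaName -AuthenticationPolicy $policyName

Get-ADAuthenticationPolicy -Identity $policyName -Properties * |
    Select-Object Name, Enforce, ServiceAllowedToAuthenticateFrom
```

The check only works when the requesting host armors its AS-REQ, which the following paragraphs explain; a host that cannot armor the request is rejected outright once the policy is enforced, so verify every intended host is on a supporting OS before setting -Enforce.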

When services that run as System, Network Service, or another local service identity connect to network services, they use the host's computer account. Computer accounts cannot be restricted. So even if the service is using a computer account that is not for a Windows host, it cannot be restricted.

Restricting user sign-in to specific hosts requires the domain controller to validate the host's identity. When using Kerberos authentication with Kerberos armoring (which is part of Dynamic Access Control), the Key Distribution Center is provided with the TGT of the host from which the user is authenticating. The content of this armor TGT is used to complete an access check that determines whether the host is allowed.

When a user signs in to Windows, or enters domain credentials in a credential prompt for an application, Windows by default sends an unarmored AS-REQ to the domain controller. If the user is sending the request from a computer that does not support armoring, such as a computer running Windows 7 or Windows Vista, the request fails.

The following list describes the process:

  • The domain controller in a domain running Windows Server 2012 R2 queries for the user account and determines that it is configured with an authentication policy that restricts initial authentication and therefore requires armored requests.

  • The domain controller fails the request.

  • Because armoring is required, the user can retry the sign-in from a computer running Windows 8.1 or Windows 8 that is enabled to support Kerberos armoring.

  • Windows detects that the domain supports Kerberos armoring and sends an armored AS-REQ to retry the sign-in request.

  • The domain controller performs an access check by using the configured access control conditions and the client operating system's identity information in the TGT that was used to armor the request.

  • If the access check fails, the domain controller rejects the request.

Even when the operating system supports Kerberos armoring, access control requirements can be applied and must be met before access is granted. Users sign in to Windows or enter their domain credentials in a credential prompt for an application. By default, Windows sends an unarmored AS-REQ to the domain controller. If the user is sending the request from a computer that supports armoring, such as Windows 8.1 or Windows 8, authentication policies are evaluated as follows:

  1. The domain controller in a domain running Windows Server 2012 R2 queries for the user account and determines that it is configured with an authentication policy that restricts initial authentication and therefore requires armored requests.

  2. The domain controller performs an access check by using the configured access control conditions and the system's identity information in the TGT that is used to armor the request. The access check succeeds.

    Note

    If legacy workgroup restrictions are configured, those also need to be met.

  3. The domain controller replies with an armored reply (AS-REP), and the authentication continues.

How restricting service ticket issuance works

When an account is not allowed, and a user who has a TGT attempts to connect to the service (for example, by opening an application that requires authentication to a service that is identified by the service's service principal name (SPN)), the following sequence occurs:

  1. In an attempt to connect to SPN1, Windows sends a TGS-REQ to the domain controller requesting a service ticket for SPN1.

  2. The domain controller in a domain running Windows Server 2012 R2 looks up SPN1 to find the Active Directory Domain Services account for the service, and determines that the account is configured with an authentication policy that restricts service ticket issuance.

  3. The domain controller performs an access check by using the configured access control conditions and the user's identity information in the TGT. The access check fails.

  4. The domain controller rejects the request.

When an account is allowed, because the account meets the access control conditions that are set by the authentication policy, and a user who has a TGT attempts to connect to the service (for example, by opening an application that requires authentication to a service that is identified by the service's SPN), the following sequence occurs:

  1. In an attempt to connect to SPN1, Windows sends a TGS-REQ to the domain controller requesting a service ticket for SPN1.

  2. The domain controller in a domain running Windows Server 2012 R2 looks up SPN1 to find the Active Directory Domain Services account for the service, and determines that the account is configured with an authentication policy that restricts service ticket issuance.

  3. The domain controller performs an access check by using the configured access control conditions and the user's identity information in the TGT. The access check succeeds.

  4. The domain controller replies to the request with a ticket-granting service reply (TGS-REP).

Associated error and informational event messages

The following table describes the events that are associated with the Protected Users security group and with the authentication policies that are applied to authentication policy silos.

The events are recorded in the Applications and Services Logs at Microsoft\Windows\Authentication.

For troubleshooting steps that use these events, see Troubleshoot Authentication Policies and Troubleshoot events related to Protected Users.

Event ID and Log | Description
101, AuthenticationPolicyFailures-DomainController | Reason: An NTLM sign-in failure occurs because an authentication policy is configured. An event is logged on the domain controller to indicate that NTLM authentication failed because access control restrictions are required, and those restrictions cannot be applied to NTLM. Displays the account, device, policy, and silo names.
105, AuthenticationPolicyFailures-DomainController | Reason: A Kerberos restriction failure occurs because authentication from a particular device was not permitted. An event is logged on the domain controller to indicate that a Kerberos TGT was denied because the device did not meet the enforced access control restrictions. Displays the account, device, policy, and silo names, and the TGT lifetime.
305, AuthenticationPolicyFailures-DomainController | Reason: A potential Kerberos restriction failure might occur because authentication from a particular device was not permitted. In audit mode, an informational event is logged on the domain controller to indicate that a Kerberos TGT would be denied because the device did not meet the access control restrictions. Displays the account, device, policy, and silo names, and the TGT lifetime.
106, AuthenticationPolicyFailures-DomainController | Reason: A Kerberos restriction failure occurs because the user or device was not allowed to authenticate to the server. An event is logged on the domain controller to indicate that a Kerberos service ticket was denied because the user, the device, or both do not meet the enforced access control restrictions. Displays the device, policy, and silo names.
306, AuthenticationPolicyFailures-DomainController | Reason: A Kerberos restriction failure might occur because the user or device was not allowed to authenticate to the server. In audit mode, an informational event is logged on the domain controller to indicate that a Kerberos service ticket would be denied because the user, the device, or both do not meet the access control restrictions. Displays the device, policy, and silo names.
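A collector for the five events in the table above, as an added example that is not part of the original page. It reads the AuthenticationPolicyFailures-DomainController channel (the Get-WinEvent name of the log under Applications and Services Logs\Microsoft\Windows\Authentication), maps each ID to the meaning the table gives it, and splits audit-mode events (305/306) from enforced denials (101/105/106). The EventData field names are not listed on the page, so the script reads them generically from the event XML rather than assuming any.

```powershell
# Added example: pull authentication policy events from a domain controller and
# summarise them. Not code from the original page. Run on the DC, or pass
# -ComputerName with rights to read its event logs.
$log = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'

# Meanings are taken from the event table on this page.
$meaning = @{
    101 = 'NTLM sign-in rejected: access control restrictions cannot be applied to NTLM'
    105 = 'ENFORCED: TGT denied, device failed the access control restrictions'
    305 = 'AUDIT: TGT would be denied, device failed the access control restrictions'
    106 = 'ENFORCED: service ticket denied, user/device failed the access control restrictions'
    306 = 'AUDIT: service ticket would be denied, user/device failed the access control restrictions'
}

function Get-AuthNPolicyEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = $log
        Id        = @(101, 105, 106, 305, 306)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws rather than returning nothing when no event matches.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
    foreach ($e in $events) {
        # Field names differ per event; read every <Data Name="..."> element generically.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Mode    = if ($e.Id -ge 300) { 'Audit' } else { 'Enforced' }
            Meaning = $meaning[$e.Id]
            Data    = ($data.GetEnumerator() | Sort-Object Name |
                       ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Weekly roll-up by event ID, then the audit-mode detail: these are exactly the
# sign-ins that will start failing once the silo or policy is set to Enforce.
$week = Get-AuthNPolicyEvents -Hours 168
$week | Group-Object Id | Sort-Object Name |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count, @{n = 'Meaning'; e = { $meaning[[int]$_.Name] }}
$week | Where-Object Mode -eq 'Audit' | Sort-Object Time | Format-Table Time, Id, Data -Wrap
```

A run that returns 105/106 events after enforcement, but no corresponding 305/306 events during the audit window, usually means the audit period was too short to cover every host or scheduled task that uses the account.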

See also

How to Configure Protected Accounts

Credentials Protection and Management

Protected Users Security Group