Domain-joined Device Public Key Authentication

Applies To: Windows Server 2016, Windows 10

Kerberos added support for domain-joined devices to sign in using a certificate, beginning with Windows Server 2012 and Windows 8. This change allows third-party vendors to create solutions that provision and initialize certificates for domain-joined devices to use for domain authentication.

Automatic public key provisioning

Beginning with Windows 10 version 1507 and Windows Server 2016, domain-joined devices automatically provision a bound public key to a Windows Server 2016 domain controller (DC). Once a key is provisioned, Windows can use public key authentication to the domain.

Public key generation

If the device is running Credential Guard, a public key is created and protected by Credential Guard.

If Credential Guard is not available but a TPM is, a public key is created and protected by the TPM.

If neither is available, no key is generated and the device can only authenticate using its password.

Provisioning the computer account public key

When Windows starts up, it checks whether a public key is provisioned for its computer account. If not, it generates a bound public key and configures it for its account in AD using a Windows Server 2016 or later DC. If all the DCs are down-level, no key is provisioned.
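The following PowerShell script is an added example, not code from the original page or from Microsoft: it audits, from the directory side, whether a device's computer account actually has a provisioned key and whether any DC in the domain is new enough to have accepted it. It assumes the RSAT ActiveDirectory module is installed, that the provisioned key is stored on the computer object's msDS-KeyCredentialLink attribute, and that a DC with an OperatingSystemVersion beginning with "10." is Windows Server 2016 or later; all three are assumptions, not statements from the page.

```powershell
# Added example (not from the original page): audit provisioned device public keys
# and Key Trust capable DCs. Assumptions are marked inline.
Import-Module ActiveDirectory

function Get-DevicePublicKeyStatus {
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )
    # Assumption: the bound public key lives in msDS-KeyCredentialLink on the computer object.
    $c = Get-ADComputer -Identity $ComputerName -Properties 'msDS-KeyCredentialLink', OperatingSystem
    $links = @($c.'msDS-KeyCredentialLink')
    [pscustomobject]@{
        ComputerName    = $c.Name
        OperatingSystem = $c.OperatingSystem
        KeyProvisioned  = ($links.Count -gt 0)
        KeyCount        = $links.Count   # more than one link on a device is worth a second look
    }
}

function Get-KeyTrustCapableDCs {
    # Only Windows Server 2016 or later DCs can take the provisioned key.
    # Assumption: those DCs report an OperatingSystemVersion starting with "10."
    Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion,
            @{ n = 'KeyTrustCapable'; e = { $_.OperatingSystemVersion -match '^10\.' } }
}

# Usage: list DCs first, then the key status of every Windows 10 device.
Get-KeyTrustCapableDCs | Format-Table -AutoSize

Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' |
    ForEach-Object { Get-DevicePublicKeyStatus -ComputerName $_.Name } |
    Format-Table -AutoSize
```

If every DC reports KeyTrustCapable as false, the page's last rule applies: no device will have a key, and KeyProvisioned will be false across the board, which is expected rather than a fault on the devices.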

Configuring the device to only use a public key

If the Group Policy setting Support for device authentication using certificate is set to Force, the device must find a DC running Windows Server 2016 or later in order to authenticate. The setting is under Administrative Templates > System > Kerberos.

Configuring the device to only use a password

If the Group Policy setting Support for device authentication using certificate is disabled, the password is always used. The setting is under Administrative Templates > System > Kerberos.
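To see which of the three states described in the two sections above (Force, Automatic, or Disabled) a given device is actually in, the added PowerShell function below reads the registry values the policy writes. This is an added example and not Microsoft's code; it assumes the policy lands under HKLM\SOFTWARE\Policies\Microsoft\Windows\Kerberos\Parameters as the values DevicePKInitEnabled and DevicePKInitBehavior, with Automatic = 0 and Force = 1. The path, value names and mapping are assumptions drawn from the Kerberos administrative template, not from the page.

```powershell
# Added example (not from the original page): report the effective state of the
# "Support for device authentication using certificate" policy on this device.
# Assumption: policy path and value names below follow Kerberos.admx.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kerberos\Parameters'

function Get-DeviceCertAuthPolicy {
    $enabled  = Get-ItemProperty -Path $PolicyPath -Name DevicePKInitEnabled  -ErrorAction SilentlyContinue
    $behavior = Get-ItemProperty -Path $PolicyPath -Name DevicePKInitBehavior -ErrorAction SilentlyContinue

    $state = if ($null -eq $enabled) {
        # No policy: Windows tries the public key and falls back to the password.
        'Not configured (public key first, password on failure)'
    } elseif ($enabled.DevicePKInitEnabled -eq 0) {
        'Disabled (password is always used)'
    } elseif ($behavior -and $behavior.DevicePKInitBehavior -eq 1) {   # assumption: 1 = Force
        'Force (device must reach a Windows Server 2016 or later DC)'
    } else {
        'Automatic (public key first, password on failure)'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyState  = $state
    }
}

# Usage
Get-DeviceCertAuthPolicy
```

Run it on a device before switching the policy to Force: if the DC audit shows no Windows Server 2016 or later DC, a device set to Force will not be able to authenticate at all, since the fallback to password described in the next section is what Force removes.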

Domain-joined device authentication using a public key

When Windows has a certificate for the domain-joined device, Kerberos first authenticates using the certificate and, on failure, retries with the password. This allows the device to authenticate to down-level DCs.

Since the automatically provisioned public keys have a self-signed certificate, certificate validation fails on domain controllers that do not support Key Trust account mapping. By default, Windows retries authentication using the device's domain password.