Kerberos Authentication Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Kerberos is an authentication protocol that is used to verify the identity of a user or host. This topic contains information about Kerberos authentication in Windows Server 2012 and Windows 8.

Feature description

The Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication, transporting authorization data, and delegation. The Kerberos authentication client is implemented as a security support provider (SSP), and it can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture.

The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services that run on the domain controller. The KDC uses the domain's Active Directory Domain Services database as its security account database. Active Directory Domain Services is required for default Kerberos implementations within the domain or forest.

Practical applications

The benefits gained by using Kerberos for domain-based authentication are:

  • Delegated authentication.

    Services that run on Windows operating systems can impersonate a client computer when accessing resources on the client's behalf. In many cases, a service can complete its work for the client by accessing resources on the local computer. When a client computer authenticates to the service, the NTLM and Kerberos protocols provide the authorization information that a service needs to impersonate the client computer locally. However, some distributed applications are designed so that a front-end service must use the client computer's identity when it connects to back-end services on other computers. Kerberos authentication supports a delegation mechanism that enables a service to act on behalf of its client when connecting to other services.

  • Single sign-on.

    Using Kerberos authentication within a domain or in a forest allows the user or service access to resources permitted by administrators without multiple requests for credentials. After the initial domain sign-on through Winlogon, Kerberos manages the credentials throughout the forest whenever access to resources is attempted.

  • Interoperability.

    The implementation of the Kerberos V5 protocol by Microsoft is based on standards-track specifications that are recommended to the Internet Engineering Task Force (IETF). As a result, in Windows operating systems, the Kerberos protocol lays a foundation for interoperability with other networks in which the Kerberos protocol is used for authentication. In addition, Microsoft publishes Windows Protocols documentation for implementing the Kerberos protocol. The documentation contains the technical requirements, limitations, dependencies, and Windows-specific protocol behavior for Microsoft's implementation of the Kerberos protocol.

  • More efficient authentication to servers.

    Before Kerberos, NTLM authentication could be used, which requires an application server to connect to a domain controller to authenticate every client computer or service. With the Kerberos protocol, renewable session tickets replace pass-through authentication. The server is not required to go to a domain controller (unless it needs to validate a Privilege Attribute Certificate (PAC)). Instead, the server can authenticate the client computer by examining the credentials presented by the client. Client computers can obtain credentials for a particular server once and then reuse those credentials throughout a network logon session.

  • Mutual authentication.

    By using the Kerberos protocol, a party at either end of a network connection can verify that the party on the other end is the entity it claims to be. NTLM does not enable clients to verify a server's identity or enable one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption.
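Because the delegation mechanism described above lets a service act as its client toward other services, administrators usually want an inventory of which accounts in the domain are configured for it. The following PowerShell script is an added example, not code from this page or from Microsoft; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the domain. It reports accounts flagged for unconstrained delegation (the TRUSTED_FOR_DELEGATION bit in userAccountControl), accounts with constrained delegation targets in msDS-AllowedToDelegateTo, and whether protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) is enabled. The function name Get-KerberosDelegationReport is an assumed name for this example.

```powershell
# Added example (not from the original page): inventory Kerberos delegation settings in a domain.
# Assumes the ActiveDirectory module is available and the account running it can read AD objects.
Import-Module ActiveDirectory

# userAccountControl bits (values from the documented UAC flag list).
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

# LDAP bitwise-AND matching rule OID, used to test individual userAccountControl bits server-side.
$bitAnd = '1.2.840.113556.1.4.803'

function Get-KerberosDelegationReport {
    # Match user and computer objects with any delegation configuration:
    #   - TRUSTED_FOR_DELEGATION bit set (unconstrained)
    #   - msDS-AllowedToDelegateTo populated (constrained)
    $filter = "(&(|(objectClass=user)(objectClass=computer))" +
              "(|(userAccountControl:$bitAnd:=$TRUSTED_FOR_DELEGATION)(msDS-AllowedToDelegateTo=*)))"

    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo', primaryGroupID |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                Account            = $_.sAMAccountName
                ObjectClass        = $_.ObjectClass
                # Domain controllers (primaryGroupID 516) are trusted for delegation by default.
                IsDomainController = ($_.primaryGroupID -eq 516)
                Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
                ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
                ConstrainedTargets = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

# Usage: list every delegation-enabled account, non-DC unconstrained accounts first.
Get-KerberosDelegationReport |
    Sort-Object IsDomainController, @{Expression = 'Unconstrained'; Descending = $true}, Account |
    Format-Table -AutoSize
```

Domain controllers appear in the unconstrained list by design; the IsDomainController column lets you separate them from member servers and user accounts, which are the entries most worth reviewing against the actual front-end/back-end application design the delegation was configured for.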

See Also

Windows Authentication Overview