Kerberos Constrained Delegation Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This overview topic for the IT professional describes the new capabilities for Kerberos constrained delegation in Windows Server 2012 R2 and Windows Server 2012.

Feature description

Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services. When it is configured, constrained delegation restricts the services to which the specified server can act on behalf of a user. This requires domain administrator privileges to configure a domain account for a service, and it restricts the account to a single domain. In today's enterprise, front-end services are not designed to be limited to integration with only the services in their own domain.

In earlier operating systems, where the domain administrator configured the service, the service administrator had no useful way to know which front-end services delegated to the resource services they owned. Any front-end service that could delegate to a resource service represented a potential attack point: if a server that hosted a front-end service was compromised, and it was configured to delegate to resource services, the resource services could also be compromised.

In Windows Server 2012 R2 and Windows Server 2012, the ability to configure constrained delegation for a service has been transferred from the domain administrator to the service administrator. In this way, the back-end service administrator can allow or deny front-end services.

For detailed information about constrained delegation as introduced in Windows Server 2003, see Kerberos Protocol Transition and Constrained Delegation.

The Windows Server 2012 R2 and Windows Server 2012 implementation of the Kerberos protocol includes extensions specifically for constrained delegation. Service for User to Proxy (S4U2Proxy) allows a service to use the Kerberos service ticket it holds for a user to obtain, from the Key Distribution Center (KDC), a service ticket to a back-end service. These extensions allow constrained delegation to be configured on the back-end service's account, which can be in another domain. For more information about these extensions, see [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification in the MSDN Library.

Practical applications

Constrained delegation gives service administrators the ability to specify and enforce application trust boundaries by limiting the scope in which application services can act on a user's behalf. Service administrators can configure which front-end service accounts can delegate to their back-end services.

By supporting constrained delegation across domains in Windows Server 2012 R2 and Windows Server 2012, front-end services such as Microsoft Internet Security and Acceleration (ISA) Server, Microsoft Forefront Threat Management Gateway, Microsoft Exchange Outlook Web Access (OWA), and Microsoft SharePoint Server can be configured to use constrained delegation to authenticate to servers in other domains. This provides support for cross-domain service solutions by using an existing Kerberos infrastructure. Kerberos constrained delegation can be managed by domain administrators or by service administrators.

New and changed functionality

Resource-based constrained delegation across domains

Kerberos constrained delegation can be used to provide constrained delegation when the front-end service and the resource services are not in the same domain. Service administrators configure the new form of delegation by specifying, on the account objects of the resource services, the domain accounts of the front-end services that are allowed to impersonate users.

What value does this change add?

By supporting constrained delegation across domains, services can be configured to use constrained delegation to authenticate to servers in other domains rather than using unconstrained delegation. This provides authentication support for cross-domain service solutions by using an existing Kerberos infrastructure, without needing to trust front-end services to delegate to any service.

What works differently?

A change in the underlying protocol allows constrained delegation across domains. The Windows Server 2012 R2 and Windows Server 2012 implementation of the Kerberos protocol includes extensions to the Service for User to Proxy (S4U2Proxy) protocol. This is a set of extensions to the Kerberos protocol that allows a service to use the Kerberos service ticket it holds for a user to obtain, from the Key Distribution Center (KDC), a service ticket to a back-end service.

For implementation information about these extensions, see [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification in MSDN.

For more information about the basic message sequence for Kerberos delegation with a forwarded ticket-granting ticket (TGT), as compared to the Service for User (S4U) extensions, see section 1.3.3 Protocol Overview in [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification.

To configure a resource service to allow a front-end service access on behalf of users, use Windows PowerShell cmdlets.

  • To retrieve the list of allowed principals, use the Get-ADComputer, Get-ADServiceAccount, and Get-ADUser cmdlets with the Properties parameter set to PrincipalsAllowedToDelegateToAccount.

  • To configure the resource service, use the New-ADComputer, New-ADServiceAccount, New-ADUser, Set-ADComputer, Set-ADServiceAccount, and Set-ADUser cmdlets with the PrincipalsAllowedToDelegateToAccount parameter.
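A worked example of the two cmdlet steps above, added here and not part of the original topic: the resource administrator grants a front-end account from another domain on their own back-end object, reads the grant back, and then audits the whole resource domain for such grants. The host and domain names are constructed, and the audit helper Get-RbcdGrant is this example's own, not a built-in cmdlet.

```powershell
# Added example (not from the original topic). Constructed names: front-end web host
# WEBFE01 in contoso.com, back-end resource host SQLBE01 in fabrikam.com (another domain).
Import-Module ActiveDirectory

$frontEnd = Get-ADComputer -Identity 'WEBFE01' -Server 'contoso.com'
$backEnd  = Get-ADComputer -Identity 'SQLBE01' -Server 'fabrikam.com'

# The resource (back-end) administrator grants delegation on their OWN account object.
# PrincipalsAllowedToDelegateToAccount is stored in the back-end object's
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute; the front-end object is not changed.
Set-ADComputer -Identity $backEnd -Server 'fabrikam.com' `
    -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify what was written: the property lists the front-end principals that may
# obtain service tickets to SQLBE01 on behalf of users (S4U2Proxy).
$check = Get-ADComputer -Identity $backEnd -Server 'fabrikam.com' `
    -Properties PrincipalsAllowedToDelegateToAccount
$check.PrincipalsAllowedToDelegateToAccount

# Audit helper (hypothetical name): enumerate every computer, user and managed service
# account in the resource domain that allows some principal to act on behalf of other
# identities, so the owner of each resource service can review which front-end services
# are trusted to impersonate users to it.
function Get-RbcdGrant {
    param([string]$Server = 'fabrikam.com')
    $ldap = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
    $prop = 'PrincipalsAllowedToDelegateToAccount'
    $resources = @(Get-ADComputer       -LDAPFilter $ldap -Properties $prop -Server $Server) +
                 @(Get-ADUser           -LDAPFilter $ldap -Properties $prop -Server $Server) +
                 @(Get-ADServiceAccount -LDAPFilter $ldap -Properties $prop -Server $Server)
    foreach ($r in $resources) {
        foreach ($p in $r.$prop) {
            # One row per (resource, allowed front-end) pair.
            [pscustomobject]@{ Resource = $r.DistinguishedName; AllowedFrontEnd = $p }
        }
    }
}
Get-RbcdGrant | Format-Table -AutoSize

# To revoke every grant on the back-end object, set the parameter to $null:
# Set-ADComputer -Identity $backEnd -Server 'fabrikam.com' -PrincipalsAllowedToDelegateToAccount $null
```

The audit output is what the "no useful way to know" problem described earlier lacked: the resource owner sees exactly which front-end accounts can act on users' behalf toward each of their services.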

Software requirements

Resource-based constrained delegation can only be configured on a domain controller running Windows Server 2012 R2 or Windows Server 2012, but it can be applied within a mixed-mode forest.

You must apply the following hotfix to all domain controllers running Windows Server 2012 in user account domains on the referral path between the front-end and back-end domains that are running operating systems earlier than Windows Server: "Resource-based constrained delegation KDC_ERR_POLICY failure in environments that have Windows Server 2008 R2-based domain controllers".