NTLM Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional describes NTLM and any changes in its functionality, and provides links to technical resources for Windows Authentication and NTLM for Windows Server 2012 and previous versions.

Feature description

NTLM authentication is a family of authentication protocols that are encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server must take one of the following actions to verify the identity of a computer or user whenever a new access token is needed:

  • Contact a domain authentication service on the domain controller for the computer's or user's account domain, if the account is a domain account.

  • Look up the computer's or user's account in the local account database, if the account is a local account.

Current applications

NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.

Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic. For information about how to analyze and restrict NTLM usage in your environments, see Introducing the Restriction of NTLM Authentication to access the Auditing and restricting NTLM usage guide.

New and changed functionality

There are no changes in functionality for NTLM for Windows Server 2012.

Removed or deprecated functionality

There is no removed or deprecated functionality for NTLM for Windows Server 2012.

Server Manager information

NTLM cannot be configured from Server Manager. You can use Security Policy settings or Group Policies to manage NTLM authentication usage between computer systems. In a domain, Kerberos is the default authentication protocol.

The following table lists relevant resources for NTLM and other Windows authentication technologies.

| Content type | References |
| --- | --- |
| Product evaluation | Introducing the Restriction of NTLM Authentication |
| | Changes in NTLM Authentication |
| Planning | IT Infrastructure Threat Modeling Guide |
| | Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP |
| | Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows Vista |
| | Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 |
| Deployment | Extended Protection for Authentication |
| | Auditing and restricting NTLM usage guide |
| | Ask the Directory Services Team: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7 |
| | Windows Authentication Blog |
| | Configuring MaxConcurrentAPI for NTLM pass-through authentication |
| Development | Microsoft NTLM (Windows) |
| | [MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification |
| | [MS-NNTP]: NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension |
| | [MS-NTHT]: NTLM Over HTTP Protocol Specification |
| Troubleshooting | Not yet available |
| Community resources | Is this horse dead yet: NTLM Bottlenecks and the RPC runtime |