What's New in Kerberos Authentication

Applies To: Windows Server 2016 and Windows 10

KDC support for Public Key Trust-based client authentication

Beginning with Windows Server 2016, KDCs support a way of public key mapping. If the public key is provisioned for an account, then the KDC supports Kerberos PKInit explicitly using that key. Since there is no certificate validation, self-signed certificates are supported and authentication mechanism assurance is not supported.

Key Trust is preferred when configured for an account regardless of the UseSubjectAltName setting.

Kerberos client and KDC support for RFC 8070 PKInit Freshness Extension

Beginning with Windows 10, version 1607 and Windows Server 2016, Kerberos clients attempt the RFC 8070 PKInit freshness extension for public key based sign-ons.

Beginning with Windows Server 2016, KDCs can support the PKInit freshness extension. By default, KDCs do not offer the PKInit freshness extension. To enable it, use the new "KDC support for PKInit Freshness Extension" KDC administrative template policy setting on all the DCs in the domain. When configured, the following options are supported when the domain is at the Windows Server 2016 domain functional level (DFL):

  • Disabled: The KDC never offers the PKInit Freshness Extension and accepts valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID.
  • Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension receive the fresh public key identity SID.
  • Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients that do not support the PKInit Freshness Extension will always fail when using public key credentials.

Domain-joined device support for authentication using public key

Beginning with Windows 10 version 1507 and Windows Server 2016, if a domain-joined device is able to register its bound public key with a Windows Server 2016 domain controller (DC), then the device can authenticate with the public key using Kerberos authentication to a Windows Server 2016 DC. For more information, see Domain-joined Device Public Key Authentication.

Kerberos clients allow IPv4 and IPv6 address hostnames in Service Principal Names (SPNs)

Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.

Registry path:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

To configure support for IP address hostnames in SPNs, create a TryIPSPN entry. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1. If not configured, IP address hostnames are not attempted.

If the SPN is registered in Active Directory, then authentication succeeds with Kerberos.
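The following PowerShell is an added example, not code from the original page or from Microsoft: it creates the TryIPSPN entry described above on a client, reads it back, and then checks whether a sample IP-based SPN is actually registered in Active Directory, since the client only gets Kerberos for such a target when the SPN exists. The function names, the sample address 192.0.2.10 and the reliance on the text printed by setspn -Q are this example's own assumptions.

```powershell
# Added example (not from the original page): enable IP-address hostnames in SPNs
# on a Kerberos client and verify that a target SPN is registered in AD.
# Run in an elevated PowerShell session on the client; the registration check
# uses the built-in setspn.exe tool.

$KerbPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Enable-TryIPSPN {
    # The policy key and the TryIPSPN value are absent by default, so create both.
    if (-not (Test-Path $KerbPolicyPath)) {
        New-Item -Path $KerbPolicyPath -Force | Out-Null
    }
    # TryIPSPN = 1 (DWORD) makes the client attempt IP-address hostnames in SPNs.
    New-ItemProperty -Path $KerbPolicyPath -Name 'TryIPSPN' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-TryIPSPN {
    # Returns 1 when enabled, 0 when set to 0, or $null when the value is not configured.
    $item = Get-ItemProperty -Path $KerbPolicyPath -Name 'TryIPSPN' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.TryIPSPN
}

function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q queries the forest for an existing SPN. Assumption: it reports a hit
    # with the text "Existing SPN found" (and "No such SPN found" otherwise).
    $output = & setspn.exe -Q $Spn 2>&1
    return [bool]($output -match 'Existing SPN found')
}

Enable-TryIPSPN
"TryIPSPN = $(Get-TryIPSPN)"

# Constructed sample SPN; replace with the real target before use.
$sampleSpn = 'HOST/192.0.2.10'
if (Test-SpnRegistered -Spn $sampleSpn) {
    "$sampleSpn is registered in AD: Kerberos authentication can succeed"
} else {
    "$sampleSpn is not registered in AD: Kerberos will not be used for this target"
}
```

Setting TryIPSPN only changes what the client attempts; the SPN check is the part worth auditing, because an IP-based SPN that nobody registered means the client silently does not get Kerberos for that host.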

KDC support for Key Trust account mapping

Beginning with Windows Server 2016, domain controllers have support for Key Trust account mapping as well as fallback to the existing AltSecID and User Principal Name (UPN) in the SAN behavior. When UseSubjectAltName is set to:

  • 0: Explicit mapping is required. Then there must be either:
    • Key Trust (new with Windows Server 2016)
    • ExplicitAltSecID
  • 1: Implicit mapping is allowed (default):
    1. If Key Trust is configured for the account, then it is used for mapping (new with Windows Server 2016).
    2. If there is no UPN in the SAN, then AltSecID is attempted for mapping.
    3. If there is a UPN in the SAN, then UPN is attempted for mapping.
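The following PowerShell is an added example, not code from the original page or from Microsoft: it encodes the mapping order above (together with the earlier statement that Key Trust is preferred regardless of UseSubjectAltName) as a function an administrator can run against the properties of a given account and certificate, and reads the DC's current UseSubjectAltName value. The function and parameter names, the constructed sample accounts, and the registry location used for UseSubjectAltName are this example's own assumptions.

```powershell
# Added example (not from the original page): model of the KDC account-mapping order
# for key/certificate logons, applied to constructed sample accounts.

function Resolve-KdcAccountMapping {
    param(
        [Parameter(Mandatory)][int]$UseSubjectAltName,  # 0 = explicit mapping required, 1 = implicit allowed (default)
        [bool]$HasKeyTrust,          # a public key is provisioned on the account (Key Trust)
        [bool]$HasExplicitAltSecID,  # altSecurityIdentities explicitly maps the certificate
        [bool]$HasUpnInSan           # the certificate carries a UPN in its Subject Alternative Name
    )
    # Key Trust is used whenever it is configured, regardless of UseSubjectAltName.
    if ($HasKeyTrust) { return 'KeyTrust' }

    if ($UseSubjectAltName -eq 0) {
        # Explicit mapping required: without Key Trust, only an explicit AltSecID is accepted.
        if ($HasExplicitAltSecID) { return 'ExplicitAltSecID' }
        return 'NoMapping'
    }

    # Implicit mapping allowed: no UPN in the SAN -> AltSecID is attempted; UPN in the SAN -> UPN is attempted.
    if (-not $HasUpnInSan) {
        if ($HasExplicitAltSecID) { return 'AltSecID' }
        return 'NoMapping'
    }
    return 'UPN'
}

function Get-KdcUseSubjectAltName {
    # Assumption: UseSubjectAltName is a DWORD under the Kdc service key on a domain controller.
    # An absent value is treated as the default (1, implicit mapping allowed).
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name 'UseSubjectAltName' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.UseSubjectAltName
}

# Constructed sample accounts (not real directory data) to show each branch.
$samples = @(
    @{ Name = 'device-keytrust';  HasKeyTrust = $true;  HasExplicitAltSecID = $false; HasUpnInSan = $true  }
    @{ Name = 'user-altsecid';    HasKeyTrust = $false; HasExplicitAltSecID = $true;  HasUpnInSan = $false }
    @{ Name = 'user-upn-only';    HasKeyTrust = $false; HasExplicitAltSecID = $false; HasUpnInSan = $true  }
    @{ Name = 'user-unmapped';    HasKeyTrust = $false; HasExplicitAltSecID = $false; HasUpnInSan = $false }
)

$setting = Get-KdcUseSubjectAltName
"UseSubjectAltName on this DC = $setting"
foreach ($s in $samples) {
    $mapping = Resolve-KdcAccountMapping -UseSubjectAltName $setting `
        -HasKeyTrust $s.HasKeyTrust -HasExplicitAltSecID $s.HasExplicitAltSecID -HasUpnInSan $s.HasUpnInSan
    "{0,-16} -> {1}" -f $s.Name, $mapping
}
```

Running the same table with UseSubjectAltName forced to 0 shows the practical effect of that hardening: the UPN-only account drops from "UPN" to "NoMapping", while Key Trust and explicit AltSecID accounts are unaffected.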

See Also