在 Windows 驗證認證處理程序Credentials Processes in Windows Authentication

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional describes how Windows authentication processes credentials.

Windows credentials management is the process by which the operating system receives the credentials from the service or user and secures that information for future presentation to the authenticating target. In the case of a domain-joined computer, the authenticating target is the domain controller. The credentials used in authentication are digital documents that associate the user's identity with some form of proof of authenticity, such as a certificate, a password, or a PIN.

By default, Windows credentials are validated against the Security Accounts Manager (SAM) database on the local computer, or against Active Directory on a domain-joined computer, through the Winlogon service. Credentials are collected through user input on the logon user interface or programmatically via the application programming interface (API) to be presented to the authenticating target.

Local security information is stored in the registry under HKEY_LOCAL_MACHINE\SECURITY. Stored information includes policy settings, default security values, and account information, such as cached logon credentials. A copy of the SAM database is also stored here, although it is write-protected.

The following diagram shows the components that are required and the paths that credentials take through the system to authenticate the user or process for a successful logon.

Diagram: the components that are required and the paths that credentials take through the system to authenticate the user or process for a successful logon.

The following table describes each component that manages credentials in the authentication process at the point of logon.

Authentication components for all systems

Component: Description

User logon: Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiates the logon process for Windows operating systems by passing the credentials collected by user action on the secure desktop (Logon UI) to the Local Security Authority (LSA) through Secur32.dll.

Application logon: Application or service logons that do not require interactive logon. Most processes initiated by the user run in user mode by using Secur32.dll, whereas processes initiated at startup, such as services, run in kernel mode by using Ksecdd.sys. For more information about user mode and kernel mode, see Applications and User Mode or Services and Kernel Mode in this topic.

Secur32.dll: The multiple authentication providers that form the foundation of the authentication process.

Lsasrv.dll: The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA. The LSA contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which protocol is to be successful.

Security Support Providers: A set of providers that can individually invoke one or more authentication protocols. The default set of providers can change with each version of the Windows operating system, and custom providers can be written.

Netlogon.dll: The services that the Net Logon service performs are as follows:

  - Maintains the computer's secure channel (not to be confused with Schannel) to a domain controller.
  - Passes the user's credentials through a secure channel to the domain controller and returns the domain security identifiers (SIDs) and user rights for the user.
  - Publishes service resource records in the Domain Name System (DNS) and uses DNS to resolve names to the Internet Protocol (IP) addresses of domain controllers.
  - Implements the replication protocol based on remote procedure call (RPC) for synchronizing primary domain controllers (PDCs) and backup domain controllers (BDCs).

Samsrv.dll: The Security Accounts Manager (SAM), which stores local security accounts, enforces locally stored policies, and supports APIs.

Registry: The Registry contains a copy of the SAM database, local security policy settings, default security values, and account information that is only accessible to the system.

This topic contains the following sections:

Credential input for user logon

In Windows Server 2008 and Windows Vista, the Graphical Identification and Authentication (GINA) architecture was replaced with a credential provider model, which made it possible to enumerate different logon types through the use of logon tiles. Both models are described below.

Graphical Identification and Authentication architecture

The Graphical Identification and Authentication (GINA) architecture applies to the Windows Server 2003, Microsoft Windows 2000 Server, Windows XP, and Windows 2000 Professional operating systems. In these systems, every interactive logon session creates a separate instance of the Winlogon service. The GINA architecture is loaded into the process space used by Winlogon, receives and processes the credentials, and makes the calls to the authentication interfaces through LSALogonUser.

The instances of Winlogon for an interactive logon run in Session 0. Session 0 hosts system services and other critical processes, including the Local Security Authority (LSA) process.

The following diagram shows the credential process for Windows Server 2003, Microsoft Windows 2000 Server, Windows XP, and Microsoft Windows 2000 Professional.

Diagram: the credential process for Windows Server 2003, Microsoft Windows 2000 Server, Windows XP, and Microsoft Windows 2000 Professional.

Credential provider architecture

The credential provider architecture applies to those versions designated in the Applies To list at the beginning of this topic. In these systems, the credentials input architecture changed to an extensible design by using credential providers. These providers are represented by the different logon tiles on the secure desktop that permit any number of logon scenarios: different accounts for the same user and different authentication methods, such as password, smart card, and biometrics.

With the credential provider architecture, Winlogon always starts Logon UI after it receives a secure attention sequence event. Logon UI queries each credential provider for the number of different credential types the provider is configured to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, Logon UI displays them to the user. The user interacts with a tile to supply their credentials. Logon UI submits these credentials for authentication.

Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Security Authority and authentication packages enforce security.

Credential providers are registered on the computer and are responsible for the following:

  • Describing the credential information required for authentication.

  • Handling communication and logic with external authentication authorities.

  • Packaging credentials for interactive and network logon.

Packaging credentials for interactive and network logon includes the process of serialization. By serializing credentials, multiple logon tiles can be displayed on the logon UI. Therefore, your organization can control the logon display (such as users, target systems for logon, pre-logon access to the network, and workstation lock/unlock policies) through the use of customized credential providers. Multiple credential providers can co-exist on the same computer.
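Because credential providers are registered on the computer and receive every credential the user types, a defender wants to know which ones are registered, where their DLLs live, and whether those DLLs are signed. The following PowerShell script is an added example, not part of the original topic or of any Microsoft tool; it reads the registration key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers, resolves each provider's COM server DLL from its CLSID key, and checks the Authenticode signature. It assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original page): inventory the credential providers
# registered on this computer, resolve each one's DLL, and check its signature.
# Assumes Windows PowerShell 5.1 or later on Windows.

function Get-RegisteredCredentialProvider {
    [CmdletBinding()]
    param()

    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

    foreach ($key in Get-ChildItem -Path $providerRoot -ErrorAction Stop) {
        $clsid    = $key.PSChildName
        $props    = Get-ItemProperty -Path $key.PSPath
        $name     = $props.'(default)'
        $disabled = [bool]($props.Disabled)        # Disabled=1 removes the provider from Logon UI

        # The provider is an in-process COM server; its DLL path lives under the CLSID key.
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $serverKey) {
            $dll = [System.Environment]::ExpandEnvironmentVariables(
                        (Get-ItemProperty -Path $serverKey).'(default)')
        }

        # A provider with no DLL on disk, or whose DLL is not validly signed,
        # is the entry a defender wants to look at first.
        $signature = 'NoDll'
        $signer    = $null
        if ($dll -and (Test-Path $dll)) {
            $sig       = Get-AuthenticodeSignature -FilePath $dll
            $signature = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name      = $name
            Clsid     = $clsid
            Disabled  = $disabled
            Dll       = $dll
            Signature = $signature
            Signer    = $signer
        }
    }
}

# Usage: show every provider, then anything that is enabled but not validly signed.
$providers = Get-RegisteredCredentialProvider
$providers | Sort-Object Name | Format-Table Name, Disabled, Signature, Dll -AutoSize
$providers | Where-Object { -not $_.Disabled -and $_.Signature -ne 'Valid' }
```

Running this on a clean system should list only Microsoft-signed providers under %SystemRoot%\System32; an enabled entry whose Signature is not Valid, or whose DLL sits outside the system directory, deserves a closer look, since every logon tile that provider enumerates hands it the user's credentials before they reach the LSA.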

Single sign-on (SSO) providers can be developed as a standard credential provider or as a Pre-Logon-Access Provider.

Each version of Windows contains one default credential provider and one default Pre-Logon-Access Provider (PLAP), also known as the SSO provider. The SSO provider permits users to make a connection to a network before logging on to the local computer. When this provider is implemented, the provider does not enumerate tiles on Logon UI.

An SSO provider is intended to be used in the following scenarios:

  • Network authentication and computer logon are handled by different credential providers. Variations of this scenario include:

    • A user has the option of connecting to a network, such as connecting to a virtual private network (VPN), before logging on to the computer but is not required to make this connection.

    • Network authentication is required to retrieve information used during interactive authentication on the local computer.

    • Multiple network authentications are followed by one of the other scenarios. For example, a user authenticates to an Internet service provider (ISP), authenticates to a VPN, and then uses their user account credentials to log on locally.

    • Cached credentials are disabled, and a Remote Access Services connection through VPN is required before local logon to authenticate the user.

    • A domain user does not have a local account set up on a domain-joined computer and must establish a Remote Access Services connection through a VPN connection before completing interactive logon.

  • Network authentication and computer logon are handled by the same credential provider. In this scenario, the user is required to connect to the network before logging on to the computer.

Logon tile enumeration

The credential provider enumerates logon tiles in the following instances:

  • For those operating systems designated in the Applies To list at the beginning of this topic.

  • The credential provider enumerates the tiles for workstation logon. The credential provider typically serializes credentials for authentication to the local security authority. This process displays tiles specific to each user and to each user's target systems.

  • The logon and authentication architecture lets a user use tiles enumerated by the credential provider to unlock a workstation. Typically, the currently logged-on user is the default tile, but if more than one user is logged on, numerous tiles are displayed.

  • The credential provider enumerates tiles in response to a user request to change their password or other private information, such as a PIN. Typically, the currently logged-on user is the default tile; however, if more than one user is logged on, numerous tiles are displayed.

  • The credential provider enumerates tiles based on the serialized credentials to be used for authentication on remote computers. Credential UI does not use the same instance of the provider as Logon UI, Unlock Workstation, or Change Password. Therefore, state information cannot be maintained in the provider between instances of Credential UI. This structure results in one tile for each remote computer logon, assuming the credentials have been correctly serialized. This scenario is also used in User Account Control (UAC), which can help prevent unauthorized changes to a computer by prompting the user for permission or an administrator password before permitting actions that could potentially affect the computer's operation or that could change settings that affect other users of the computer.

The following diagram shows the credential process for the operating systems designated in the Applies To list at the beginning of this topic.

Diagram: the credential process for the operating systems designated in the Applies To list at the beginning of this topic.

Credential input for application and service logon

Windows authentication is designed to manage credentials for applications or services that do not require user interaction. Applications in user mode are limited in terms of what system resources they have access to, while services can have unrestricted access to the system memory and external devices.

System services and transport-level applications access a Security Support Provider (SSP) through the Security Support Provider Interface (SSPI) in Windows, which provides functions for enumerating the security packages available on a system, selecting a package, and using that package to obtain an authenticated connection.

When a client/server connection is authenticated:

  • The application on the client side of the connection sends credentials to the server by using the SSPI function InitializeSecurityContext (General).

  • The application on the server side of the connection responds with the SSPI function AcceptSecurityContext (General).

  • The SSPI functions InitializeSecurityContext (General) and AcceptSecurityContext (General) are repeated until all the necessary authentication messages have been exchanged to either succeed or fail authentication.

  • After the connection has been authenticated, the LSA on the server uses information from the client to build the security context, which contains an access token.

  • The server can then call the SSPI function ImpersonateSecurityContext to attach the access token to an impersonation thread for the service.
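The exchange above can be watched end to end without writing native code. The following PowerShell script is an added example, not part of the original topic; it uses .NET's System.Net.Security.NegotiateStream, which wraps the SSPI InitializeSecurityContext and AcceptSecurityContext loop for the Negotiate package, to run a client and a server over a loopback TCP connection in one process and then reports what the server's security context contains. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, with the current user's logon session available to both sides; the SPN host/COMPUTERNAME is an assumption for the loopback target.

```powershell
# Added example (not from the original page): a loopback Negotiate handshake using
# .NET NegotiateStream, which drives the SSPI InitializeSecurityContext /
# AcceptSecurityContext exchange described above. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows.

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

try {
    # Client connects; server accepts. Both ends live in this process, so the
    # server side is started asynchronously before the client authenticates.
    $clientSocket = [System.Net.Sockets.TcpClient]::new()
    $clientSocket.Connect([System.Net.IPAddress]::Loopback, $port)
    $serverSocket = $listener.AcceptTcpClient()

    $serverStream = [System.Net.Security.NegotiateStream]::new($serverSocket.GetStream(), $false)
    $clientStream = [System.Net.Security.NegotiateStream]::new($clientSocket.GetStream(), $false)

    # Server: the repeated AcceptSecurityContext calls happen inside this call.
    $pending = $serverStream.BeginAuthenticateAsServer($null, $null)

    # Client: the repeated InitializeSecurityContext calls happen inside this call.
    # With the Negotiate package, the LSA's Negotiate function picks Kerberos when a
    # service ticket for the SPN can be obtained and otherwise falls back to NTLM.
    $spn = "host/$env:COMPUTERNAME"    # assumed loopback target name
    $clientStream.AuthenticateAsClient(
        [System.Net.CredentialCache]::DefaultNetworkCredentials,
        $spn,
        [System.Net.Security.ProtectionLevel]::EncryptAndSign,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)

    $serverStream.EndAuthenticateAsServer($pending)

    # After the exchange the server holds a security context with the client's
    # identity (the access token described above) and the negotiated settings.
    [pscustomobject]@{
        IsAuthenticated         = $serverStream.IsAuthenticated
        IsMutuallyAuthenticated = $serverStream.IsMutuallyAuthenticated
        RemoteIdentity          = $serverStream.RemoteIdentity.Name
        AuthenticationType      = $serverStream.RemoteIdentity.AuthenticationType
        ImpersonationLevel      = $serverStream.ImpersonationLevel
        IsEncrypted             = $serverStream.IsEncrypted
    }
}
finally {
    foreach ($s in $clientStream, $serverStream, $clientSocket, $serverSocket) {
        if ($s) { $s.Dispose() }
    }
    $listener.Stop()
}
```

The AuthenticationType field shows which protocol the Negotiate function selected, and IsMutuallyAuthenticated is only true when Kerberos was used, which is one quick way to see whether a given SPN is resolvable from the client. The client requested the Identification impersonation level, so the server can read the identity but could not use ImpersonateSecurityContext to act as that user; raising it to Impersonation is a deliberate choice on the client side, not something the server can grant itself.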

Applications and user mode

User mode in Windows is composed of two systems capable of passing I/O requests to the appropriate kernel-mode drivers: the environment system, which runs applications written for many different types of operating systems, and the integral system, which operates system-specific functions on behalf of the environment system.

The integral system manages operating system-specific functions on behalf of the environment system and consists of a security system process (the LSA), a workstation service, and a server service. The security system process deals with security tokens, grants or denies permissions to access user accounts based on resource permissions, handles logon requests and initiates logon authentication, and determines which system resources the operating system needs to audit.

Applications can run in user mode, where the application can run as any principal, including in the security context of Local System (SYSTEM). Applications can also run in kernel mode, where the application can run in the security context of Local System (SYSTEM).

SSPI is available through the Secur32.dll module, which is an API used for obtaining integrated security services for authentication, message integrity, and message privacy. It provides an abstraction layer between application-level protocols and security protocols. Because different applications require different ways of identifying or authenticating users and different ways of encrypting data as it travels across a network, SSPI provides a way to access dynamic-link libraries (DLLs) that contain different authentication and cryptographic functions. These DLLs are called Security Support Providers (SSPs).

Managed service accounts and virtual accounts were introduced in Windows Server 2008 R2 and Windows 7 to provide crucial applications, such as Microsoft SQL Server and Internet Information Services (IIS), with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. For more information about these features and their role in authentication, see Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2 and Group Managed Service Accounts Overview.

Services and kernel mode

Even though most Windows applications run in the security context of the user who starts them, this is not true of services. Many Windows services, such as network and printing services, are started by the service controller when the user starts the computer. These services might run as Local Service or Local System and might continue to run after the last human user logs off.

Note

Services normally run in security contexts known as Local System (SYSTEM), Network Service, or Local Service. Windows Server 2008 R2 introduced services that run under a managed service account, which are domain principals.

Before starting a service, the service controller logs on by using the account that is designated for the service, and then presents the service's credentials for authentication by the LSA. The Windows service implements a programmatic interface that the service control manager can use to control the service. A Windows service can be started automatically when the system is started or manually with a service control program. For example, when a Windows client computer joins a domain, the messenger service on the computer connects to a domain controller and opens a secure channel to it. To obtain an authenticated connection, the service must have credentials that the remote computer's Local Security Authority (LSA) trusts. When communicating with other computers in the network, the LSA uses the credentials for the local computer's domain account, as do all other services running in the security context of Local System and Network Service. Services on the local computer run as SYSTEM, so credentials do not need to be presented to the LSA.

The file Ksecdd.sys manages and encrypts these credentials and uses a local procedure call into the LSA. The file type is DRV (driver) and it is known as the kernel-mode Security Support Provider (SSP); in those versions designated in the Applies To list at the beginning of this topic, it is FIPS 140-2 Level 1-compliant.

Kernel mode has full access to the hardware and system resources of the computer. Kernel mode stops user-mode services and applications from accessing critical areas of the operating system that they should not have access to.

Local Security Authority

The Local Security Authority (LSA) is a protected system process that authenticates and logs users on to the local computer. In addition, the LSA maintains information about all aspects of local security on a computer (these aspects are collectively known as the local security policy), and it provides various services for translation between names and security identifiers (SIDs). The security system process, Local Security Authority Server Service (LSASS), keeps track of the security policies and the accounts that are in effect on a computer system.

The LSA validates a user's identity based on which of the following two entities issued the user's account:

  • Local Security Authority. The LSA can validate user information by checking the Security Accounts Manager (SAM) database located on the same computer. Any workstation or member server can store local user accounts and information about local groups. However, these accounts can be used for accessing only that workstation or computer.

  • Security authority for the local domain or for a trusted domain. The LSA contacts the entity that issued the account and requests verification that the account is valid and that the request originated from the account holder.

The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. The stored credentials let users seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.

LSASS can store credentials in multiple forms, including:

  • Reversibly encrypted plaintext

  • Kerberos tickets (ticket-granting tickets (TGTs), service tickets)

  • NT hash

  • LAN Manager (LM) hash

If the user logs on to Windows by using a smart card, LSASS does not store a plaintext password, but it stores the corresponding NT hash value for the account and the plaintext PIN for the smart card. If the account attribute that requires a smart card for interactive logon is enabled, a random NT hash value is automatically generated for the account instead of the original password hash. The password hash that is automatically generated when the attribute is set does not change.

If a user logs on to a Windows-based computer with a password that is compatible with LAN Manager (LM) hashes, this authenticator is present in memory.

The storage of plaintext credentials in memory cannot be disabled, even if the credential providers that require them are disabled.

The stored credentials are directly associated with the Local Security Authority Subsystem Service (LSASS) logon sessions that have been started after the last restart and have not been closed. For example, LSA sessions with stored LSA credentials are created when a user does any of the following:

  • Logs on to a local session or Remote Desktop Protocol (RDP) session on the computer

  • Runs a task by using the RunAs option

  • Runs an active Windows service on the computer

  • Runs a scheduled task or batch job

  • Runs a task on the local computer by using a remote administration tool
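Each item in the list above corresponds to a logon session that LSASS tracks, and those sessions can be enumerated from the running system. The following PowerShell script is an added example, not part of the original topic; it joins the Win32_LogonSession and Win32_LoggedOnUser CIM classes to show every current LSA logon session, the account it belongs to, and its logon type (the numeric codes are those documented for Win32_LogonSession.LogonType). It assumes Windows PowerShell 5.1 or later on Windows; the mapping of logon types to the list items above is this example's own.

```powershell
# Added example (not from the original page): list the LSA logon sessions that
# currently exist on this computer, with the owning account and logon type.
# Assumes Windows PowerShell 5.1 or later on Windows.

# Logon type codes as documented for Win32_LogonSession.LogonType.
$logonTypeNames = @{
    0  = 'System'
    2  = 'Interactive'          # local console logon
    3  = 'Network'              # e.g. access to a file share
    4  = 'Batch'                # scheduled task / batch job
    5  = 'Service'              # Windows service
    7  = 'Unlock'               # workstation unlock
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'       # RunAs with /netonly
    10 = 'RemoteInteractive'    # Remote Desktop (RDP)
    11 = 'CachedInteractive'    # domain logon validated from cached credentials
}

function Get-LsaLogonSession {
    [CmdletBinding()]
    param()

    # Win32_LoggedOnUser links an account (Antecedent) to a logon session (Dependent).
    $accountBySession = @{}
    foreach ($link in Get-CimInstance -ClassName Win32_LoggedOnUser) {
        $accountBySession[$link.Dependent.LogonId] =
            '{0}\{1}' -f $link.Antecedent.Domain, $link.Antecedent.Name
    }

    foreach ($session in Get-CimInstance -ClassName Win32_LogonSession) {
        $typeName = $logonTypeNames[[int]$session.LogonType]
        if (-not $typeName) { $typeName = "Unknown($($session.LogonType))" }
        [pscustomobject]@{
            LogonId   = $session.LogonId
            Account   = $accountBySession[$session.LogonId]
            LogonType = $typeName
            AuthPkg   = $session.AuthenticationPackage
            StartTime = $session.StartTime
        }
    }
}

# Usage: summarise by logon type, then list the session kinds named in the
# text above (interactive, RDP, RunAs, service, batch), which are the ones
# LSASS keeps credentials for.
$sessions = Get-LsaLogonSession
$sessions | Group-Object LogonType | Select-Object Name, Count | Format-Table -AutoSize
$sessions |
    Where-Object { $_.LogonType -in 'Interactive', 'RemoteInteractive', 'NewCredentials',
                                    'Service', 'Batch', 'CachedInteractive' } |
    Sort-Object StartTime |
    Format-Table LogonId, Account, LogonType, AuthPkg, StartTime -AutoSize
```

The AuthPkg column shows which authentication package (Kerberos, NTLM, Negotiate) validated the session, which is also what determines the credential forms listed earlier that LSASS holds for it. A session that is still present long after its owner disconnected is worth noticing, because its credentials stay in LSASS memory until the session is closed.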

In some circumstances, the LSA secrets, which are secret pieces of data that are accessible only to SYSTEM account processes, are stored on the hard disk drive. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets might include:

  • Account password for the computer's Active Directory Domain Services (AD DS) account

  • Account passwords for Windows services that are configured on the computer

  • Account passwords for configured scheduled tasks

  • Account passwords for IIS application pools and websites

  • Passwords for Microsoft accounts
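The second and third items in the list above (service and scheduled-task passwords) are the ones an administrator creates, and therefore the ones that can be inventoried. The following PowerShell script is an added example, not part of the original topic; it lists the services and scheduled tasks on the local computer that run under an explicit account whose password must be held for them, as opposed to built-in identities, virtual accounts, and managed service accounts, which use the computer's own credentials. It assumes Windows PowerShell 5.1 or later on Windows 8 / Windows Server 2012 or newer (for Get-ScheduledTask); the set of names treated as built-in is this example's own.

```powershell
# Added example (not from the original page): find the services and scheduled
# tasks that run under an explicit account, because those are the account
# passwords that end up stored as LSA secrets on disk.
# Assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer.

# Identities whose credentials are the computer's own, not an administrator-set password.
$builtInAccounts = @(
    'LocalSystem', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

function Test-BuiltInAccount([string]$account) {
    if ([string]::IsNullOrWhiteSpace($account)) { return $true }
    if ($builtInAccounts -contains $account) { return $true }
    # Virtual accounts (NT SERVICE\...) and (group) managed service accounts (name$)
    # have no password that an administrator stores.
    return ($account -like 'NT SERVICE\*') -or ($account -like 'NT AUTHORITY\*') -or $account.EndsWith('$')
}

function Get-StoredCredentialPrincipal {
    [CmdletBinding()]
    param()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not (Test-BuiltInAccount $svc.StartName)) {
            [pscustomobject]@{
                Kind = 'Service'; Name = $svc.Name; Account = $svc.StartName; Detail = $svc.StartMode
            }
        }
    }

    foreach ($task in Get-ScheduledTask) {
        $p = $task.Principal
        # LogonType Password / InteractiveOrPassword means Task Scheduler holds the
        # account password; S4U and Interactive tasks run without a stored password.
        if ($p.LogonType -in 'Password', 'InteractiveOrPassword' -and -not (Test-BuiltInAccount $p.UserId)) {
            [pscustomobject]@{
                Kind = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"
                Account = $p.UserId; Detail = $p.LogonType
            }
        }
    }
}

# Usage
Get-StoredCredentialPrincipal | Sort-Object Kind, Name | Format-Table -AutoSize
```

Every row this prints is an account whose password is recoverable by anything that runs as SYSTEM on the machine, which is why the managed and virtual accounts described earlier exist: moving a service from an ordinary domain account to a group managed service account removes that row.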

Introduced in Windows 8.1, the client operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This protection increases security for the credentials that the LSA stores and manages.

For more information about these additional protections, see Configuring Additional LSA Protection.

Cached credentials and validation

Validation mechanisms rely on the presentation of credentials at the time of logon. However, when the computer is disconnected from a domain controller and the user is presenting domain credentials, Windows uses the process of cached credentials in the validation mechanism.

Each time a user logs on to a domain, Windows caches the credentials supplied and stores them in the security hive in the registry of the operating system.

With cached credentials, the user can log on to a domain member without being connected to a domain controller within that domain.

Credential storage and validation

It is not always desirable to use one set of credentials for access to different resources. For example, an administrator might want to use administrative rather than user credentials when accessing a remote server. Similarly, if a user accesses external resources, such as a bank account, he or she can only use credentials that are different from their domain credentials. The following sections describe the differences in credential management between current versions of Windows operating systems and the Windows Vista and Windows XP operating systems.

Remote logon credential processes

The Remote Desktop Protocol (RDP) manages the credentials of the user who connects to a remote computer by using the Remote Desktop Client, which was introduced in Windows 8. The credentials in plaintext form are sent to the target host, where the host attempts to perform the authentication process and, if successful, connects the user to allowed resources. RDP does not store the credentials on the client, but the user's domain credentials are stored in the LSASS.

Introduced in Windows Server 2012 R2 and Windows 8.1, Restricted Admin mode provides additional security to remote logon scenarios. This mode of Remote Desktop causes the client application to perform a network logon challenge-response with the NT one-way function (NTOWF) or to use a Kerberos service ticket when authenticating to the remote host. After the administrator is authenticated, the administrator does not have the respective account credentials in LSASS because they were not supplied to the remote host. Instead, the administrator has the computer account credentials for the session. Administrator credentials are not supplied to the remote host, so actions are performed as the computer account. Resources are also limited to the computer account, and the administrator cannot access resources with his own account.

Automatic restart sign-on credential process

When a user signs in on a Windows 8.1 device, the LSA saves the user's credentials in encrypted memory that is accessible only by LSASS.exe. When Windows Update initiates an automatic restart without the user present, these credentials are used to configure Autologon for the user.

在重新開機,使用者會自動透過自動登入機制,登入,然後電腦此外鎖定保護使用者的工作階段。On restart, the user is automatically signed in via the Autologon mechanism, and then the computer is additionally locked to protect the user's session. 鎖定時車載機起始透過 Winlogon 而 LSA 來管理 credential 完成。The locking is initiated through Winlogon whereas the credential management is done by LSA. 來自動登入,鎖定使用者的工作階段主機使用者的鎖定畫面應用程式是重新啟動和可用。By automatically signing in and locking the user's session on the console, the user's lock screen applications is restarted and available.

如需 ARSO 的詳細資訊,請查看Winlogon 自動重新登入和 #40;ARSO 與 #41;.For more information about ARSO, see Winlogon Automatic Restart Sign-On (ARSO).

Stored user names and passwords in Windows Vista and Windows XP

In Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP, Stored User Names and Passwords in Control Panel simplifies the management and use of multiple sets of logon credentials, including X.509 certificates used with smart cards and Windows Live credentials (now called Microsoft account). The credentials, which are part of the user's profile, are stored until needed. This action can increase security on a per-resource basis by ensuring that if one password is compromised, it does not compromise all security.

After a user logs on and attempts to access additional password-protected resources, such as a share on a server, and if the user's default logon credentials are not sufficient to gain access, Stored User Names and Passwords is queried. If alternate credentials with the correct logon information have been saved in Stored User Names and Passwords, these credentials are used to gain access. Otherwise, the user is prompted to supply new credentials, which can then be saved for reuse, either later in the logon session or during a subsequent session.

The following restrictions apply:

  • If Stored User Names and Passwords contains invalid or incorrect credentials for a specific resource, access to the resource is denied, and the Stored User Names and Passwords dialog box does not appear.

  • Stored User Names and Passwords stores credentials only for NTLM, Kerberos protocol, Microsoft account (formerly Windows Live ID), and Secure Sockets Layer (SSL) authentication. Some versions of Internet Explorer maintain their own cache for basic authentication.

These credentials become an encrypted part of a user's local profile in the \Documents and Settings\Username\Application Data\Microsoft\Credentials directory. As a result, these credentials can roam with the user if the user's network policy supports Roaming User Profiles. However, if the user has copies of Stored User Names and Passwords on two different computers and changes the credentials that are associated with the resource on one of these computers, the change is not propagated to Stored User Names and Passwords on the second computer.

Windows Vault and Credential Manager

Credential Manager was introduced in Windows Server 2008 R2 and Windows 7 as a Control Panel feature to store and manage user names and passwords. Credential Manager lets users store credentials relevant to other systems and websites in the secure Windows Vault. Some versions of Internet Explorer use this feature for authentication to websites.

Credential management by using Credential Manager is controlled by the user on the local computer. Users can save and store credentials from supported browsers and Windows applications to make it convenient when they need to sign in to these resources. Credentials are saved in special encrypted folders on the computer under the user's profile. Applications that support this feature (through the use of the Credential Manager APIs), such as web browsers and apps, can present the correct credentials to other computers and websites during the logon process.

When a website, an application, or another computer requests authentication through NTLM or the Kerberos protocol, a dialog box appears in which you select the Update Default Credentials or Save Password check box. This dialog box, which lets a user save credentials locally, is generated by an application that supports the Credential Manager APIs. If the user selects the Save Password check box, Credential Manager keeps track of the user's user name, password, and related information for the authentication service that is in use.

The next time the service is used, Credential Manager automatically supplies the credential that is stored in the Windows Vault. If it is not accepted, the user is prompted for the correct access information. If access is granted with the new credentials, Credential Manager overwrites the previous credential with the new one and then stores the new credential in the Windows Vault.
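Because the credentials Credential Manager keeps are handed to servers and websites automatically, an administrator reviewing a profile wants an inventory of what is stored and how long it persists. The following PowerShell function is an added example, not code from the article or from Microsoft: it parses the output of the built-in cmdkey.exe tool (the Target/Type/User and persistence line layout is assumed from observed output) and flags domain credentials that survive a reboot. The sample output at the bottom is constructed for the demonstration, not captured from a real machine.

```powershell
# Added example (not from the original article): inventory the credentials
# Credential Manager holds for the current user by parsing cmdkey.exe /list,
# so an administrator can review what the profile presents to remote hosts.
function Get-StoredCredentialInventory {
    [CmdletBinding()]
    param(
        # Raw lines to parse; defaults to live output. Passing lines in lets the
        # parser run offline without touching the local Windows Vault.
        [string[]]$CmdkeyOutput = (& cmdkey.exe /list)
    )

    $entries = @()
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        # cmdkey prints one block per credential: "Target: ...", "Type: ...",
        # "User: ..." and a persistence line. (Layout assumed from observed
        # output; adjust the patterns if your build prints differently.)
        if ($line -match '^\s*Target:\s*(?<target>.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{
                Target      = $Matches.target
                Type        = $null
                User        = $null
                Persistence = 'Unknown'
            }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(?<type>.+?)\s*$') {
            $current.Type = $Matches.type
        }
        elseif ($current -and $line -match '^\s*User:\s*(?<user>.+?)\s*$') {
            $current.User = $Matches.user
        }
        elseif ($current -and $line -match 'Local machine persistence') {
            $current.Persistence = 'LocalMachine'
        }
        elseif ($current -and $line -match 'Saved for this logon only') {
            $current.Persistence = 'Session'
        }
    }
    if ($current) { $entries += $current }

    foreach ($e in $entries) {
        # Domain credentials that persist across reboots are exactly what an
        # application using the Credential Manager APIs will supply to a server
        # without prompting, so they are the ones worth periodic review.
        $reason = if ($e.Type -like 'Domain*' -and $e.Persistence -eq 'LocalMachine') {
            'Persistent domain credential'
        } else { '' }
        $e | Add-Member -NotePropertyName ReviewReason -NotePropertyValue $reason
    }
    return $entries
}

# Constructed sample output (not captured from a real machine) so the parser
# can be exercised without a live Credential Manager.
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=fileserver01.corp.example',
    '    Type: Domain Password',
    '    User: CORP\alice',
    '    Local machine persistence',
    '',
    '    Target: LegacyGeneric:target=intranet.corp.example',
    '    Type: Generic',
    '    User: alice',
    '    Saved for this logon only'
)
Get-StoredCredentialInventory -CmdkeyOutput $sample | Format-Table -AutoSize
```

Run `Get-StoredCredentialInventory` with no arguments on a Windows host to inventory the live store; cmdkey only lists the Windows Credentials (generic and domain) entries, so web credentials kept in the Vault by browsers are outside its view.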

Security Accounts Manager database

The Security Accounts Manager (SAM) is a database that stores local user accounts and groups. It is present in every Windows operating system; however, when a computer is joined to a domain, Active Directory manages domain accounts in Active Directory domains.

For example, client computers running a Windows operating system participate in a network domain by communicating with a domain controller even when no human user is logged on. To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the LSA on the domain controller authenticates the computer's identity and then constructs the computer's security context just as it does for a human security principal. This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, or computer on a network. For example, the access token contained within the security context defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by that principal (a user, computer, or service) on that resource.

The security context of a user or computer can vary from one computer to another, such as when a user logs on to a server or a workstation other than the user's own primary workstation. It can also vary from one session to another, such as when an administrator modifies the user's rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a network, or as part of an Active Directory domain.

Local domains and trusted domains

When a trust exists between two domains, the authentication mechanisms for each domain rely on the validity of the authentications coming from the other domain. Trusts help to provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that let only validated authentication requests travel between domains.

How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, by providing access from the trusted domain to resources in the trusting domain, or two-way, by providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case a trust exists only between the two trust partner domains, or transitive, in which case a trust automatically extends to any other domains that either of the partners trusts.

For information about domain and forest trust relationships regarding authentication, see Delegated Authentication and Trust Relationships.

Certificates in Windows authentication

A public key infrastructure (PKI) is the combination of software, encryption technologies, processes, and services that enable an organization to secure its communications and business transactions. The ability of a PKI to secure communications and business transactions is based on the exchange of digital certificates between authenticated users and trusted resources.

A digital certificate is an electronic document that contains information about the entity it belongs to, the entity it was issued by, a unique serial number or some other unique identification, issuance and expiration dates, and a digital fingerprint.

Authentication is the process of determining if a remote host can be trusted. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate.

Remote hosts establish their trustworthiness by obtaining a certificate from a certification authority (CA). The CA can, in turn, have certification from a higher authority, which creates a chain of trust. To determine whether a certificate is trustworthy, an application must determine the identity of the root CA, and then determine if it is trustworthy.

Similarly, the remote host or local computer must determine if the certificate presented by the user or application is authentic. The certificate presented by the user through the LSA and SSPI is evaluated for authenticity on the local computer for local logon, on the network, or on the domain through the certificate stores in Active Directory.
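The chain-of-trust check described above (walk from the presented certificate up to the root CA, then decide whether that root is trusted) can be exercised from PowerShell with the .NET X509Chain class, which on Windows wraps the operating system's chain-building engine. The function below is an added example, not code from the article or from Microsoft; it reports the chain length, the root CA, whether that root sits in the machine's or user's Trusted Root store, and whether the leaf certificate is still signed with SHA1. Revocation checking is disabled here only so the example runs offline.

```powershell
# Added example (not part of the original article): walk a certificate's chain
# with X509Chain and report whether it ends at a CA the local machine trusts.
function Test-CertificateTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation is skipped so the check works offline; in production keep
        # the default (Online) so revoked intermediates are rejected.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

        $built    = $chain.Build($Certificate)
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $root     = $elements[-1]

        # The last element must be self-signed and present in a trusted root
        # store; otherwise the "chain" merely stops at the last issuer found.
        $rootSelfSigned = $root.Subject -eq $root.Issuer
        $rootTrusted = (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)") -or
                       (Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)")

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            # sha1RSA-signed leaves are flagged: SHA1 stopped being the default
            # digest in Windows 8, as the note later in this article states.
            WeakDigest         = $Certificate.SignatureAlgorithm.FriendlyName -like 'sha1*'
            ChainLength        = $elements.Count
            RootSubject        = $root.Subject
            RootSelfSigned     = $rootSelfSigned
            RootInTrustedStore = $rootTrusted
            ChainBuilds        = $built
            ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Reset()
    }
}

# Usage: evaluate every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Test-CertificateTrust | Format-List
```

A certificate whose ChainBuilds is $true but whose RootInTrustedStore is $false is the case the article warns about: the application found an issuer chain, but has not yet established that the root CA itself deserves trust.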

To produce a certificate, authentication data passes through hash algorithms, such as Secure Hash Algorithm 1 (SHA1), to produce a message digest. The message digest is then digitally signed by using the sender's private key to prove that the message digest was produced by the sender.

Note

SHA1 is the default in Windows 7 and Windows Vista, but was changed to SHA2 in Windows 8.
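The "hash the data, then sign the digest with the private key" step, and why the SHA1 to SHA2 default change matters, can be shown with the RSA classes in .NET from PowerShell. This is an added example, not code from the article or from Microsoft; the key pair and the message are generated in the script purely for the demonstration, whereas real signing keys live in a certificate or a TPM-backed key store.

```powershell
# Added example (not part of the original article): hash-then-sign with RSA,
# showing that the digest algorithm is bound into the signature.
function New-SignedDigest {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$PrivateKey,
        [string]$HashName = 'SHA256'
    )
    $hash    = [System.Security.Cryptography.HashAlgorithmName]::new($HashName)
    $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    # SignData computes the message digest with $HashName and signs that digest
    # with the private key; the signature never covers the raw data directly.
    return $PrivateKey.SignData($Data, $hash, $padding)
}

function Test-SignedDigest {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][byte[]]$Signature,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$Key,   # public part suffices
        [string]$HashName = 'SHA256'
    )
    $hash    = [System.Security.Cryptography.HashAlgorithmName]::new($HashName)
    $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    # VerifyData recomputes the digest and checks it against the signature.
    return $Key.VerifyData($Data, $Signature, $hash, $padding)
}

# Demo key pair and message (constructed for this example only).
$rsa     = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$message = [System.Text.Encoding]::UTF8.GetBytes('authentication data')

$sig = New-SignedDigest -Data $message -PrivateKey $rsa
'Valid with SHA256 : ' + (Test-SignedDigest -Data $message -Signature $sig -Key $rsa)

# One flipped bit changes the digest, so the signature no longer verifies.
$tampered = [byte[]]$message.Clone()
$tampered[0] = $tampered[0] -bxor 1
'Valid after tamper: ' + (Test-SignedDigest -Data $tampered -Signature $sig -Key $rsa)

# A verifier that expects a SHA1 digest rejects a SHA256 signature over the
# same data: the hash choice is part of the signature, not a detail around it.
'Valid with SHA1   : ' + (Test-SignedDigest -Data $message -Signature $sig -Key $rsa -HashName 'SHA1')
```

The three lines of output read True, False, False. The last one is the practical reason the default moved to SHA2: a relying party that has been configured to require SHA2 digests will not accept signatures produced with SHA1, so certificates and signers issued under the old default must be reissued rather than merely re-trusted.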

Smart card authentication

Smart card technology is an example of certificate-based authentication. Logging on to a network with a smart card provides a strong form of authentication because it uses cryptography-based identification and proof of possession when authenticating a user to a domain. Active Directory Certificate Services (AD CS) provides the cryptographic-based identification through the issuance of a logon certificate for each smart card.

For information about smart card authentication, see the Windows Smart Card Technical Reference.

Virtual smart card technology was introduced in Windows 8. It stores the smart card's certificate in the PC, and then protects it by using the device's tamper-proof Trusted Platform Module (TPM) security chip. In this way, the PC actually becomes the smart card, which must receive the user's PIN in order to be authenticated.

Remote and wireless authentication

Remote and wireless network authentication is another technology that uses certificates for authentication. The Internet Authentication Service (IAS) and virtual private network servers use Extensible Authentication Protocol-Transport Level Security (EAP-TLS), Protected Extensible Authentication Protocol (PEAP), or Internet Protocol security (IPsec) to perform certificate-based authentication for many types of network access, including virtual private network (VPN) and wireless connections.

For information about certificate-based authentication in networking, see Network access authentication and certificates.

See also

Windows Authentication Concepts