Security Support Provider Interface Architecture

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional describes the Windows authentication protocols that are used within the Security Support Provider Interface (SSPI) architecture.

The Microsoft Security Support Provider Interface (SSPI) is the foundation for Windows authentication. Applications and infrastructure services that require authentication use SSPI to provide it.

SSPI is the implementation of the Generic Security Service API (GSSAPI) in Windows Server operating systems. For more information about GSSAPI, see RFC 2743 and RFC 2744 in the IETF RFC Database.

The default Security Support Providers (SSPs) that implement specific authentication protocols in Windows are loaded into the SSPI as DLLs. These default SSPs are described in the following sections. Additional SSPs can be added if they conform to the SSPI.

As shown in the following image, the SSPI in Windows provides a mechanism that carries authentication tokens over the existing communication channel between the client computer and the server. When two computers or devices need to be authenticated so that they can communicate securely, the requests for authentication are routed to the SSPI, which completes the authentication process regardless of the network protocol currently in use. The SSPI returns opaque tokens (binary large objects). The application does not interpret them: it passes each token to its peer over its own channel, and the peer hands the token to its local SSPI layer. Thus, the SSPI enables an application to use the various security models available on a computer or network without changing its interface to the security system.

Diagram showing the Security Support Provider Interface architecture

The following sections describe the default SSPs that interact with the SSPI. The SSPs are used in different ways in Windows operating systems to promote secure communication in an unsecure network environment.

Also included in this topic:

Security Support Provider selection

Kerberos Security Support Provider

This SSP uses only the Kerberos version 5 protocol as implemented by Microsoft. This protocol is based on the Network Working Group's RFC 4120 and draft revisions. It is an industry standard protocol that is used with a password or a smart card for an interactive logon. It is also the preferred authentication method for services in Windows, because it provides mutual authentication: the client verifies the identity of the service as well as proving its own.

Because the Kerberos protocol has been the default authentication protocol since Windows 2000, all domain services support the Kerberos SSP. These services include:

  • Active Directory queries that use the Lightweight Directory Access Protocol (LDAP)

  • Remote server or workstation management that uses the Remote Procedure Call service

  • Print services

  • Client-server authentication

  • Remote file access that uses the Server Message Block (SMB) protocol (also known as Common Internet File System or CIFS)

  • Distributed file system management and referral

  • Intranet authentication to Internet Information Services (IIS)

  • Security authority authentication for Internet Protocol security (IPsec)

  • Certificate requests to Active Directory Certificate Services for domain users and computers

Location: %windir%\System32\kerberos.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the Kerberos protocol and the Kerberos SSP

NTLM Security Support Provider

The NTLM Security Support Provider (NTLM SSP) is a binary messaging protocol used by the Security Support Provider Interface (SSPI) to allow NTLM challenge-response authentication and to negotiate integrity and confidentiality options. NTLM is used wherever SSPI authentication is used, including for Server Message Block or CIFS authentication, HTTP Negotiate authentication (for example, Internet Web Authentication), and the Remote Procedure Call service. The NTLM SSP includes the NTLM and NTLM version 2 (NTLMv2) authentication protocols. Unlike Kerberos, NTLM authenticates only the client to the server, not the server to the client; in a domain it is the protocol that the Negotiate SSP falls back to when Kerberos cannot be used.

The supported Windows operating systems can use the NTLM SSP for the following:

  • Client/server authentication

  • Print services

  • File access by using CIFS (SMB)

  • Secure Remote Procedure Call service or DCOM service

Location: %windir%\System32\msv1_0.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the NTLM protocol and the NTLM SSP

Digest Security Support Provider

Digest authentication is an industry standard that is used for Lightweight Directory Access Protocol (LDAP) and web authentication. Digest authentication transmits credentials across the network as an MD5 hash or message digest computed over the password and a server-supplied nonce, rather than as the password itself.

The Digest SSP (Wdigest.dll) is used for the following:

  • Internet Explorer and Internet Information Services (IIS) access

  • LDAP queries

Location: %windir%\System32\wdigest.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the Digest protocol and the Digest SSP

Schannel Security Support Provider

Secure Channel (Schannel) is used for web-based server authentication, such as when a user attempts to access a secure web server.

The TLS protocol, the SSL protocol, the Private Communications Technology (PCT) protocol, and the Datagram Transport Layer Security (DTLS) protocol are based on public key cryptography. Schannel provides all of these protocols. All Schannel protocols use a client/server model. The Schannel SSP uses public key certificates to authenticate parties. Schannel implements the following protocols, listed from most to least preferred; when authenticating parties, it selects the highest version that both sides support and that has not been disabled by policy:

  • Transport Layer Security (TLS) version 1.2

  • Transport Layer Security (TLS) version 1.1

  • Transport Layer Security (TLS) version 1.0

  • Secure Socket Layer (SSL) version 3.0

  • Secure Socket Layer (SSL) version 2.0

  • Private Communications Technology (PCT)

    Note PCT is disabled by default.

The protocol that is selected is the most preferred protocol that both the client and the server can support. For example, if a server supports all the Schannel protocols and the client supports only SSL 3.0 and SSL 2.0, the authentication process uses SSL 3.0. Because SSL 2.0 is prohibited (RFC 6176) and SSL 3.0 is deprecated (RFC 7568), both should be disabled by policy on the server so that such a client is refused rather than downgraded to.

DTLS is used when explicitly called by the application. For more information about DTLS and the other protocols that are used by the Schannel provider, see Schannel Security Support Provider Technical Reference.

Location: %windir%\System32\schannel.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Note

TLS 1.2 was introduced in this provider in Windows Server 2008 R2 and Windows 7. DTLS was introduced in this provider in Windows Server 2012 and Windows 8.
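Which of the protocol versions above a given computer will actually offer is decided per version and per side (client or server) by Schannel's registry settings. The following PowerShell is an added example, not code from the original page: it reports the configured state of each version, provides a function that disables the obsolete ones, and lets Schannel negotiate with a live server to confirm the result. The key and value names are the documented Schannel registry settings; the host name passed to the last function is a placeholder.

```powershell
# Added example, not from the original page. Key and value names are the documented
# Schannel registry settings; a missing key means the OS default for that version applies.
$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolKeys = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'DTLS 1.0', 'DTLS 1.2'

function Get-SchannelProtocolState {
    foreach ($proto in $protocolKeys) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannelRoot "$proto\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                      # 0 = never used, even if an application asks
                $disabledByDefault = $props.DisabledByDefault  # 1 = not offered unless an application asks
            }
            $state = if ($enabled -eq 0) { 'disabled' }
                     elseif ($disabledByDefault -eq 1) { 'only on explicit request' }
                     elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
                     else { 'enabled' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabledByDefault; State = $state }
        }
    }
}

function Disable-SchannelProtocol([string[]]$Names) {
    # Needs an elevated prompt; Schannel reads these values at boot, so restart afterwards
    foreach ($proto in $Names) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannelRoot "$proto\$side"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-NegotiatedTlsVersion([string]$HostName, [int]$Port = 443) {
    # Lets Schannel negotiate with a real server and reports the version it settled on
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.SslProtocol
    } finally { $tcp.Close() }
}

Get-SchannelProtocolState | Format-Table -AutoSize
# SSL 2.0 is prohibited (RFC 6176), SSL 3.0 deprecated (RFC 7568), TLS 1.0 and 1.1 deprecated (RFC 8996):
# Disable-SchannelProtocol 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
# Get-NegotiatedTlsVersion 'www.example.com'   # placeholder host name
```

Run the audit first: a version whose state is "OS default" is governed by the build, not by policy, so it can change after an upgrade; setting Enabled=0 explicitly pins the decision. Disable on the Server side before the Client side if the computer must still reach legacy services during the transition, and re-run Get-NegotiatedTlsVersion against such services to see which version Schannel now picks.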

Additional resources for the TLS and SSL protocols and the Schannel SSP

Negotiate Security Support Provider

The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) forms the basis for the Negotiate SSP, which can be used to negotiate a specific authentication protocol. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies the Negotiate SSP, it analyzes the request and picks the appropriate provider to handle the request, based on the configured security policies.

SPNEGO is specified in RFC 2478, which has since been obsoleted by RFC 4178.

In supported versions of the Windows operating systems, the Negotiate security support provider selects between the Kerberos protocol and NTLM. Negotiate selects the Kerberos protocol by default unless that protocol cannot be used by one of the systems involved in the authentication, or the calling application did not provide sufficient information to use the Kerberos protocol (for example, a target service principal name, which Kerberos needs in order to request a ticket).

Location: %windir%\System32\lsasrv.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, plus Windows Server 2003 and Windows XP.

Additional resources for the Negotiate SSP

Credential Security Support Provider

The Credential Security Support Provider (CredSSP) provides a single sign-on (SSO) user experience when starting new Terminal Services and Remote Desktop Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP), based on the client's policies. Because the target server receives the user's credentials themselves, not merely a proof of possession, delegation should be allowed only to specific, mutually authenticated servers. CredSSP policies are configured by using Group Policy, and the delegation of credentials is turned off by default.

Location: %windir%\System32\credssp.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic.
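The NTLM, Digest and CredSSP sections above each describe a provider whose configuration decides whether reusable credentials leave the computer: NTLM can answer with LM or NTLMv1 responses, WDigest can keep cleartext passwords in LSASS memory, and CredSSP can hand the user's credentials to a target. The following PowerShell is an added example, not code from the original page, that audits the three in one pass. The value names are the documented policy locations for each provider; the values in the Expected column are common hardening guidance rather than something the page itself mandates.

```powershell
# Added example, not from the original page: audit the settings that decide whether the
# NTLM, Digest (WDigest) and CredSSP providers can expose reusable credentials.
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$credDelKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, which means the OS default applies
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-Finding($Provider, $Setting, $Value, $Expected, $Note) {
    [pscustomobject]@{ Provider = $Provider; Setting = $Setting; Value = $Value; Expected = $Expected; Note = $Note }
}

function Test-CredentialExposure {
    $findings = @()

    # NTLM SSP (msv1_0.dll). LmCompatibilityLevel 5: send only NTLMv2, refuse LM and NTLMv1.
    $lm = Get-RegValue $lsaKey 'LmCompatibilityLevel'
    if ($null -eq $lm -or $lm -lt 5) {
        $findings += New-Finding 'NTLM' 'LmCompatibilityLevel' $lm 5 'LM or NTLMv1 responses may still be sent or accepted'
    }
    # RestrictSendingNTLMTraffic: 0 allow, 1 audit, 2 deny. Audit first to find where NTLM fallback happens.
    $send = Get-RegValue $msvKey 'RestrictSendingNTLMTraffic'
    if ($null -eq $send -or $send -eq 0) {
        $findings += New-Finding 'NTLM' 'RestrictSendingNTLMTraffic' $send '1 (audit) or 2 (deny)' 'outbound NTLM is neither audited nor blocked'
    }

    # Digest SSP (wdigest.dll). UseLogonCredential=1 keeps cleartext passwords in LSASS memory.
    # Absent means 0 on the versions this topic applies to; on Windows 7 / Server 2008 R2 with
    # KB2871997 the value has to be created and set to 0 explicitly.
    $ulc = Get-RegValue $wdigestKey 'UseLogonCredential'
    if ($ulc -eq 1) {
        $findings += New-Finding 'Digest' 'UseLogonCredential' $ulc 0 'WDigest caches cleartext logon credentials'
    }

    # CredSSP (credssp.dll). Delegation is off unless one of these Group Policy values is 1;
    # the subkey of the same name lists the permitted target SPN patterns as numbered strings.
    $policies = 'AllowDefaultCredentials', 'AllowFreshCredentials', 'AllowSavedCredentials',
                'AllowDefaultCredentialsWhenNTLMOnly', 'AllowFreshCredentialsWhenNTLMOnly', 'AllowSavedCredentialsWhenNTLMOnly'
    foreach ($policy in $policies) {
        if ((Get-RegValue $credDelKey $policy) -ne 1) { continue }
        $targets = @()
        $sub = Join-Path $credDelKey $policy
        if (Test-Path $sub) {
            $targets = (Get-ItemProperty -Path $sub).PSObject.Properties |
                       Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        }
        foreach ($target in $targets) {
            $note = 'the user''s credentials are handed to this target'
            if ($policy -like '*WhenNTLMOnly') { $note += '; target is not mutually authenticated (NTLM only)' }
            if ($target -match '\*')          { $note += '; wildcard matches any host' }
            $findings += New-Finding 'CredSSP' $policy $target 'explicit TERMSRV/ or WSMAN/ host names' $note
        }
    }
    $findings
}

Test-CredentialExposure | Format-Table Provider, Setting, Value, Expected, Note -AutoSize -Wrap
```

An empty result means none of the three providers is configured to expose credentials beyond the OS defaults. The CredSSP findings deserve the closest look: a WhenNTLMOnly policy lets the client send credentials to a server whose identity was never verified, and a wildcard such as WSMAN/* extends that to any host a user happens to connect to.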

Additional resources for the Credential SSP

Negotiate Extensions Security Support Provider

Negotiate Extensions (NegoExts) is an authentication package that negotiates the use of SSPs other than NTLM or the Kerberos protocol, for applications and scenarios implemented by Microsoft and other software companies.

This extension to the Negotiate package permits the following scenarios:

  • Rich client availability within a federated system. Documents can be accessed on SharePoint sites, and they can be edited by using a full-featured Microsoft Office application.

  • Rich client support for Microsoft Office services. Users can sign in to Microsoft Office services and use a full-featured Microsoft Office application.

  • Hosted Microsoft Exchange Server and Outlook. There is no domain trust established because Exchange Server is hosted on the web. Outlook uses the Windows Live service to authenticate users.

  • Rich client availability between client computers and servers. The operating system's networking and authentication components are used.

The Windows Negotiate package treats the NegoExts SSP in the same manner as it does Kerberos and NTLM. NegoExts.dll is loaded into the Local Security Authority (LSA) at startup. When an authentication request is received, NegoExts negotiates between the supported SSPs based on the request's source. It gathers the credentials and policies, encrypts them, and sends that information to the appropriate SSP, where the security token is created.

The SSPs supported by NegoExts are not stand-alone SSPs such as Kerberos and NTLM. Therefore, within the NegoExts SSP, when the authentication method fails for any reason, an authentication failure message is displayed or logged. No renegotiation or fallback authentication method is possible.

Location: %windir%\System32\negoexts.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, excluding Windows Server 2008 and Windows Vista.

PKU2U Security Support Provider

The PKU2U protocol was introduced and implemented as an SSP in Windows 7 and Windows Server 2008 R2. This SSP enables peer-to-peer authentication, particularly through the media and file sharing feature called HomeGroup, which was introduced in Windows 7. The feature permits sharing between computers that are not members of a domain.

Location: %windir%\System32\pku2u.dll

This provider is included by default in the versions designated in the Applies To list at the beginning of this topic, excluding Windows Server 2008 and Windows Vista.

Additional resources for the PKU2U protocol and the PKU2U SSP

Security Support Provider selection

The Windows SSPI can use any of the protocols that are supported through the installed Security Support Providers. However, because not all operating systems support the same SSP packages as any given computer running Windows Server, clients and servers must negotiate to use a protocol that they both support. Windows Server prefers that client computers and applications use the Kerberos protocol, a strong standards-based protocol, when possible, but the operating system continues to allow client computers and client applications that do not support the Kerberos protocol to authenticate.

Before authentication can take place, the two communicating computers must agree on a protocol that they both support. For any protocol to be usable through the SSPI, each computer must have the appropriate SSP. For example, for a client computer and a server to use the Kerberos authentication protocol, they must both support Kerberos v5. Windows Server uses the EnumerateSecurityPackages function to identify which SSPs are supported on a computer and what the capabilities of those SSPs are.
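The same EnumerateSecurityPackages call is available to an administrator, and it is the quickest way to see which of the providers described in this topic a computer actually has loaded and what each one can do. The following PowerShell is an added example, not code from the original page: it calls EnumerateSecurityPackagesW from secur32.dll through P/Invoke, decodes the capability flags of each package, and then compares the package DLL names that the LSA is configured to load against a baseline. The struct layout and flag values follow sspi.h; the baseline list is an assumption to be adjusted to your build, and any name outside it should be investigated because a foreign SSP DLL sees every credential the LSA processes.

```powershell
# Added example, not from the original page: enumerate the SSPs registered with the LSA
# via EnumerateSecurityPackagesW, decode their capability flags, and check the LSA's
# configured package list against an assumed baseline.
$nativeSource = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct SecPkgInfoW
{
    public uint   fCapabilities;   // SECPKG_FLAG_* bits
    public ushort wVersion;
    public ushort wRPCID;          // RPC authentication service id (9 Negotiate, 10 NTLM, 14 Schannel, 16 Kerberos)
    public uint   cbMaxToken;      // largest token the package produces
    public IntPtr Name;            // SEC_WCHAR*
    public IntPtr Comment;         // SEC_WCHAR*
}

public static class SspiNative
{
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    public static extern int EnumerateSecurityPackagesW(out uint pcPackages, out IntPtr ppPackageInfo);

    [DllImport("secur32.dll")]
    public static extern int FreeContextBuffer(IntPtr pvContextBuffer);
}
'@
Add-Type -TypeDefinition $nativeSource

# Subset of SECPKG_FLAG_* from sspi.h
$capabilityFlags = [ordered]@{
    Integrity     = 0x00000001   # can sign messages
    Privacy       = 0x00000002   # can encrypt messages
    Impersonation = 0x00000100   # server can impersonate the client
    Negotiable    = 0x00000800   # selectable by the Negotiate SSP
    GssCompatible = 0x00001000   # token format interoperates with GSS-API
    Logon         = 0x00002000   # usable for interactive logon
    MutualAuth    = 0x00010000   # authenticates the server to the client
    Delegation    = 0x00020000   # can delegate credentials
    NegoExtender  = 0x00100000   # the package extends SPNEGO (NegoExts)
    Negotiable2   = 0x00200000   # selectable only through NegoExts
}

function Get-SecurityPackage {
    $count  = [uint32]0
    $buffer = [IntPtr]::Zero
    $status = [SspiNative]::EnumerateSecurityPackagesW([ref]$count, [ref]$buffer)
    if ($status -ne 0) { throw ('EnumerateSecurityPackagesW failed: 0x{0:X8}' -f $status) }
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type][SecPkgInfoW])
        for ($i = 0; $i -lt $count; $i++) {
            $entry = [IntPtr]::Add($buffer, $i * $size)
            $info  = [Runtime.InteropServices.Marshal]::PtrToStructure($entry, [type][SecPkgInfoW])
            $caps  = foreach ($f in $capabilityFlags.GetEnumerator()) {
                         if (($info.fCapabilities -band $f.Value) -ne 0) { $f.Key }
                     }
            [pscustomobject]@{
                Name         = [Runtime.InteropServices.Marshal]::PtrToStringUni($info.Name)
                Comment      = [Runtime.InteropServices.Marshal]::PtrToStringUni($info.Comment)
                RpcId        = $info.wRPCID
                MaxTokenSize = $info.cbMaxToken
                Capabilities = ($caps -join ', ')
            }
        }
    } finally {
        [void][SspiNative]::FreeContextBuffer($buffer)   # the array is allocated by the SSPI, not by us
    }
}

# The LSA loads the packages named in these REG_MULTI_SZ values at boot.
# The baseline below is an assumption for this example; adjust it to your build.
$baseline   = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', ''
$configured = foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
                                'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig') {
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Security Packages'
}
$unexpected = $configured | Where-Object { $_ -and ($baseline -notcontains $_.Trim('"')) }

Get-SecurityPackage | Format-Table Name, RpcId, MaxTokenSize, Capabilities -AutoSize
if ($unexpected) { Write-Warning ('Non-baseline SSP DLLs registered with the LSA: ' + ($unexpected -join ', ')) }
```

In the output, the packages marked Negotiable are the ones the Negotiate SSP can choose between, and a package marked Negotiable2 is reachable only through the NegoExts package described earlier in this topic. MaxTokenSize is what a client must buffer for that provider's tokens; for Kerberos it grows with the number of groups in the user's ticket.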

The selection of an authentication protocol can be handled in one of the following two ways:

  1. Single authentication protocol

  2. Negotiate option

Single authentication protocol

When a single acceptable protocol is specified on the server, the client computer must support the specified protocol or the communication fails. When a single acceptable protocol is specified, the authentication exchange takes place as follows:

  1. The client computer requests access to a service.

  2. The server replies to the request and specifies the protocol that will be used.

  3. The client computer examines the contents of the reply and checks to determine whether it supports the specified protocol. If the client computer does support the specified protocol, the authentication continues. If the client computer does not support the protocol, the authentication fails, regardless of whether the client computer is authorized to access the resource.

Negotiate option

The negotiate option can be used to allow the client and server to attempt to find an acceptable protocol. This is based on the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). On the wire, the side that sends the first SPNEGO token lists the mechanisms it supports in order of preference (the mechTypes list) and may attach an optimistic token for its first choice; the other side answers with the mechanism it accepts, or rejects the exchange. When the authentication begins with the option to negotiate for an authentication protocol, the SPNEGO exchange takes place as follows:

  1. The client computer requests access to a service.

  2. The server replies with a list of authentication protocols that it can support and an authentication challenge or response, based on the protocol that is its first choice. For example, the server might list the Kerberos protocol and NTLM, and send a Kerberos authentication response.

  3. The client computer examines the contents of the reply and checks to determine whether it supports any of the specified protocols.

    • If the client computer supports the preferred protocol, authentication proceeds.

    • If the client computer does not support the preferred protocol, but it does support one of the other protocols listed by the server, the client computer lets the server know which authentication protocol it supports, and the authentication proceeds.

    • If the client computer does not support any of the listed protocols, the authentication exchange fails.
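The mechanism list and optimistic token described above travel inside a DER-encoded SPNEGO NegTokenInit, so decoding one tells you directly which provider the Negotiate SSP offered first and which one it actually committed to. The following PowerShell is an added example, not code from the original page: it walks the token's ASN.1 structure, maps the mechanism OIDs to the providers named in this topic, and flags an NTLM fallback. The sample token is constructed for this example; in practice you would take the base64 value of an Authorization: Negotiate header, or the security blob of an SMB session setup, and decode it with [Convert]::FromBase64String.

```powershell
# Added example, not from the original page: decode a SPNEGO NegTokenInit and report which
# mechanisms were offered, in what order, and which one the optimistic token belongs to.

function Read-DerTlv([byte[]]$Bytes, [int]$Offset) {
    # One DER tag/length/value triple starting at $Offset, plus the offset of the next element
    $tag = [int]$Bytes[$Offset]
    $p   = $Offset + 1
    $len = [int]$Bytes[$p]; $p++
    if ($len -ge 0x80) {                      # long form: low 7 bits = number of length octets
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$p]; $p++ }
    }
    $value = if ($len -gt 0) { [byte[]]$Bytes[$p..($p + $len - 1)] } else { [byte[]]@() }
    [pscustomobject]@{ Tag = $tag; Value = $value; Next = $p + $len }
}

function ConvertFrom-DerOid([byte[]]$Value) {
    # First octet packs the first two arcs (40*a + b); the rest is base-128 with a continuation bit
    $arcs = @([int][math]::Floor($Value[0] / 40), [int]($Value[0] % 40))
    $acc = 0
    for ($i = 1; $i -lt $Value.Length; $i++) {
        $acc = ($acc -shl 7) -bor ($Value[$i] -band 0x7F)
        if (($Value[$i] -band 0x80) -eq 0) { $arcs += $acc; $acc = 0 }
    }
    $arcs -join '.'
}

$mechNames = @{
    '1.2.840.48018.1.2.2'    = 'MS KRB5'
    '1.2.840.113554.1.2.2'   = 'KRB5'
    '1.3.6.1.4.1.311.2.2.30' = 'NEGOEX'
    '1.3.6.1.4.1.311.2.2.10' = 'NTLMSSP'
}

function Read-SpnegoNegTokenInit([byte[]]$Token) {
    $outer = Read-DerTlv $Token 0                              # [APPLICATION 0] InitialContextToken
    if ($outer.Tag -ne 0x60) { throw ('not a GSS-API initial token (tag 0x{0:X2})' -f $outer.Tag) }
    $thisMech = Read-DerTlv $outer.Value 0                     # thisMech OID must be SPNEGO
    $oid = ConvertFrom-DerOid $thisMech.Value
    if ($oid -ne '1.3.6.1.5.5.2') { throw "thisMech is $oid, not SPNEGO" }
    $negTokenInit = Read-DerTlv $outer.Value $thisMech.Next    # [0] NegTokenInit
    $seq = Read-DerTlv $negTokenInit.Value 0                   # SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], ... }
    $mechTypes = @(); $mechToken = $null
    $p = 0
    while ($p -lt $seq.Value.Length) {
        $field = Read-DerTlv $seq.Value $p
        switch ($field.Tag) {
            0xA0 {                                             # mechTypes: SEQUENCE OF OID, preferred first
                $list = Read-DerTlv $field.Value 0
                $q = 0
                while ($q -lt $list.Value.Length) {
                    $o = Read-DerTlv $list.Value $q
                    $mechTypes += ConvertFrom-DerOid $o.Value
                    $q = $o.Next
                }
            }
            0xA2 { $mechToken = (Read-DerTlv $field.Value 0).Value }   # mechToken: OCTET STRING
        }
        $p = $field.Next
    }
    # The optimistic token belongs to the first listed mechanism (RFC 4178); its format shows
    # which SSP the client actually committed to.
    $tokenKind = 'none'
    if ($null -ne $mechToken -and $mechToken.Length -gt 0) {
        $sig = [Text.Encoding]::ASCII.GetString($mechToken, 0, [math]::Min(7, $mechToken.Length))
        $tokenKind = if ($sig -eq 'NTLMSSP') { 'NTLMSSP' }
                     elseif ($mechToken[0] -eq 0x60) { 'Kerberos (GSS-API AP-REQ)' }
                     else { 'unknown' }
    }
    [pscustomobject]@{
        MechTypes       = @($mechTypes | ForEach-Object { if ($mechNames.ContainsKey($_)) { $mechNames[$_] } else { $_ } })
        OptimisticToken = $tokenKind
        KerberosOffered = (@($mechTypes -match '^1\.2\.840\.').Count -gt 0)
    }
}

# Constructed sample: a client that lists NTLMSSP first and carries an NTLM NEGOTIATE message
# as its optimistic token, i.e. it did not obtain a Kerberos ticket for the target.
$hexParts = @(
    '6056'                                   # [APPLICATION 0], 86 bytes follow
    '06062b0601050502'                       # thisMech = SPNEGO 1.3.6.1.5.5.2
    'a04c304a'                               # [0] NegTokenInit, SEQUENCE
    'a0243022'                               # [0] mechTypes, SEQUENCE OF OID
    '060a2b06010401823702020a'               # NTLMSSP 1.3.6.1.4.1.311.2.2.10
    '06092a864882f712010202'                 # MS KRB5 1.2.840.48018.1.2.2
    '06092a864886f712010202'                 # KRB5    1.2.840.113554.1.2.2
    'a2220420'                               # [2] mechToken, 32-byte OCTET STRING
    '4e544c4d5353500001000000978208e200000000000000000000000000000000'  # "NTLMSSP\0", type 1, flags, empty fields
)
$hex    = -join $hexParts
$sample = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })

$result = Read-SpnegoNegTokenInit $sample
$result | Format-List       # MechTypes: NTLMSSP, MS KRB5, KRB5; OptimisticToken: NTLMSSP; KerberosOffered: True
if ($result.OptimisticToken -eq 'NTLMSSP') {
    Write-Warning 'Client committed to NTLM: check that the target was addressed by host name and has an SPN registered.'
}
```

For the constructed token the decoder reports NTLMSSP, MS KRB5 and KRB5 in that order with an NTLMSSP optimistic token, which is the shape of a Kerberos-to-NTLM fallback: the client still advertises Kerberos, but the token it sent can only be consumed by the NTLM SSP. Seeing that pattern for a target that should be Kerberos-capable usually means the client addressed it by IP address or the service has no service principal name, the two conditions under which Negotiate cannot use the Kerberos protocol.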

See also

Windows Authentication Architecture