Windows Authentication Architecture

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This overview topic for the IT professional explains the basic architectural scheme for Windows authentication.

Authentication is the process by which the system validates a user's logon or sign-in information. A user's name and password are compared against an authorized list, and if the system detects a match, access is granted to the extent specified in the permission list for that user.

As part of an extensible architecture, the Windows Server operating systems implement a default set of authentication security support providers, which include Negotiate, the Kerberos protocol, NTLM, Schannel (secure channel), and Digest. The protocols used by these providers enable authentication of users, computers, and services, and the authentication process enables authorized users and services to access resources in a secure manner.

In Windows Server, applications authenticate users by using the SSPI to abstract calls for authentication. Thus, developers do not need to understand the complexities of specific authentication protocols or build authentication protocols into their applications.

Windows Server operating systems include a set of security components that make up the Windows security model. These components ensure that applications cannot gain access to resources without authentication and authorization. The following sections describe the elements of the authentication architecture.

Local Security Authority

The Local Security Authority (LSA) is a protected subsystem that authenticates and signs in users to the local computer. In addition, the LSA maintains information about all aspects of local security on a computer (these aspects are collectively known as the local security policy). It also provides various services for translation between names and security identifiers (SIDs).

The security subsystem keeps track of the security policies and the accounts that are on a computer system. In the case of a domain controller, these policies and accounts are those that are in effect for the domain in which the domain controller is located, and they are stored in Active Directory. The LSA subsystem provides services for validating access to objects, checking user rights, and generating audit messages.
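The name-to-SID translation service described above can be exercised directly from PowerShell. The following is an added example, not code from the Windows documentation: the .NET principal classes call the LSA's account lookup underneath, so a successful round trip (name to SID and back) shows the LSA resolving the principal, and an unresolvable name surfaces as an IdentityNotMappedException. The account names passed at the bottom are constructed sample input; 'NoSuchUser' is assumed not to exist on the host.

```powershell
# Added example (not from the Windows documentation): translate account names
# to SIDs and back through the LSA, using the .NET principal types.
# Assumption: runs on any Windows host with PowerShell 5.1 or later.
function Resolve-Principal {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # Name -> SID: this is the LSA's LookupAccountName service.
        $sid = [System.Security.Principal.NTAccount]::new($Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            Input         = $Name
            Sid           = $sid.Value
            # SID -> name: the reverse lookup, returning the canonical DOMAIN\name form.
            CanonicalName = $sid.Translate([System.Security.Principal.NTAccount]).Value
            # Machine or domain SID prefix for real accounts; $null for BUILTIN and
            # other well-known SIDs such as NT AUTHORITY\SYSTEM (S-1-5-18).
            AccountDomain = $sid.AccountDomainSid.Value
            Resolved      = $true
        }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # The LSA (and, for domain names, the domain controller it asked) knows no such principal.
        [pscustomobject]@{
            Input = $Name; Sid = $null; CanonicalName = $null; AccountDomain = $null; Resolved = $false
        }
    }
}

# Constructed sample input: two well-known principals, the current user, and a bogus name.
@(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\$env:USERNAME",
    'NoSuchUser'
) | ForEach-Object { Resolve-Principal -Name $_ } | Format-Table -AutoSize
```

The AccountDomain column is the useful part for an investigator: BUILTIN\Administrators resolves to S-1-5-32-544 with no domain prefix, whereas the current user's SID carries the machine SID (local account) or the domain SID (domain account), which tells you which authority the LSA consulted.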

Security Support Provider Interface

The Security Support Provider Interface (SSPI) is the API that obtains integrated security services for authentication, message integrity, message privacy, and security quality-of-service for any distributed application protocol.

SSPI is the Windows implementation of the Generic Security Service API (GSSAPI). SSPI provides a mechanism by which a distributed application can call one of several security providers to obtain an authenticated connection without knowledge of the details of the security protocol.
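Both the earlier statement that applications "use the SSPI to abstract calls for authentication" and the SSPI description just given can be seen in a few lines of code. The following is an added example, not code from the Windows documentation: a client and a server on the loopback interface authenticate through .NET's NegotiateStream, which drives the SSPI Negotiate provider, and neither side contains any Kerberos- or NTLM-specific code. Once the handshake completes, the server reads back from SSPI which protocol Negotiate chose and whether the channel it obtained is signed and encrypted, the "message integrity" and "message privacy" services named above. The port number is an arbitrary assumption; no target SPN is supplied, so on any host Negotiate is expected to fall back from Kerberos to NTLM (Kerberos needs an SPN for a ticket request).

```powershell
# Added example (not from the Windows documentation): authenticate over loopback
# via SSPI's Negotiate provider with .NET NegotiateStream and report the result.
# Assumptions: Windows with PowerShell 5.1 or later; TCP port 5555 on 127.0.0.1 is free.
$port = 5555
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $port)
$listener.Start()
try {
    # Server side: accept asynchronously so the client can connect from this same thread.
    $acceptTask = $listener.AcceptTcpClientAsync()

    # Client side: ask SSPI for an authenticated, signed and encrypted channel using the
    # caller's default credentials. Empty target name => no Kerberos SPN => NTLM via Negotiate.
    $clientSocket = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $port)
    $client = [System.Net.Security.NegotiateStream]::new($clientSocket.GetStream(), $false)
    $clientAuth = $client.AuthenticateAsClientAsync(
        [System.Net.CredentialCache]::DefaultNetworkCredentials,
        [string]::Empty,
        [System.Net.Security.ProtectionLevel]::EncryptAndSign,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)

    # Server side: hand the accepted socket to SSPI and let it validate the client's tokens.
    $serverSocket = $acceptTask.Result
    $server = [System.Net.Security.NegotiateStream]::new($serverSocket.GetStream(), $false)
    $server.AuthenticateAsServer(
        [System.Net.CredentialCache]::DefaultNetworkCredentials,
        [System.Net.Security.ProtectionLevel]::EncryptAndSign,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)
    $clientAuth.Wait()

    # What the application learns from SSPI without having spoken any protocol itself.
    [pscustomobject]@{
        RemoteUser              = $server.RemoteIdentity.Name
        ProtocolChosenBySSPI    = $server.RemoteIdentity.AuthenticationType   # 'NTLM' or 'Kerberos'
        IsAuthenticated         = $server.IsAuthenticated
        IsMutuallyAuthenticated = $server.IsMutuallyAuthenticated            # $false for NTLM
        IsSigned                = $server.IsSigned
        IsEncrypted             = $server.IsEncrypted
    }
}
finally {
    foreach ($s in @($client, $server, $clientSocket, $serverSocket)) { if ($s) { $s.Close() } }
    $listener.Stop()
}
```

The point to take from the output is that the provider choice is made inside SSPI, not in the application: passing a registered SPN such as a host/ name for the target instead of an empty string would let Negotiate attempt Kerberos, and the same code would then report Kerberos with IsMutuallyAuthenticated set, which is the property a defender should require before trusting a server identity.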

See also