Windows Authentication Concepts

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference overview topic describes the concepts on which Windows authentication is based.

Authentication is a process for verifying the identity of an object or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that the person is not an impostor.

In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses either a key that only the user knows (as with public key cryptography) or a key shared between the user and the authenticating party. The server side of the authentication exchange verifies the signed data against the cryptographic key it holds for that identity to validate the authentication attempt.

Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. Active Directory is the recommended and default technology for storing identity information, which includes the cryptographic keys that serve as the user's credentials. Active Directory is required for the default domain implementations of NTLM and Kerberos.

Authentication techniques range from a simple logon to an operating system, or a sign-in to a service or application, that identifies users based on something only the user knows, such as a password, to stronger security mechanisms that use something the user has, such as tokens or public key certificates, or something the user is, such as pictures or biometric attributes. In a business environment, users might access multiple applications on many types of servers within a single location or across multiple locations. For these reasons, authentication must support environments for other platforms and for other Windows operating systems.

Authentication and authorization: A travel analogy

A travel analogy can help explain how authentication works. A few preparatory tasks are usually necessary to begin the journey. The traveler must prove their true identity to their host authorities. This proof can be in the form of proof of citizenship, birthplace, a personal voucher, photographs, or whatever is required by the law of the host country. The traveler's identity is validated by the issuance of a passport, which is analogous to a system account issued and administered by an organization: the security principal. The passport and the intended destination are based on a set of rules and regulations issued by the governmental authority.

The journey

When the traveler arrives at the international border, a border guard asks for credentials, and the traveler presents his or her passport. The process is two-fold:

  • The guard authenticates the passport by verifying that it was issued by a security authority that the local government trusts (trusts, at least, to issue passports) and by verifying that the passport has not been modified.

  • The guard authenticates the traveler by verifying that the face matches the face of the person pictured on the passport and that other required credentials are in good order.

If the passport proves to be valid and the traveler proves to be its owner, authentication is successful, and the traveler can be allowed access across the border.

Transitive trust between security authorities is the foundation of authentication; the type of authentication that takes place at an international border is based on trust. The local government does not know the traveler, but it trusts that the host government does. When the host government issued the passport, it did not know the traveler either. It trusted the agency that issued the birth certificate or other documentation. The agency that issued the birth certificate, in turn, trusted the physician who signed the certificate. The physician witnessed the traveler's birth and stamped the certificate with direct proof of identity, in this case the newborn's footprint. Trust that is transferred in this way, through trusted intermediaries, is transitive.

Transitive trust is the foundation for network security in the Windows client/server architecture. A trust relationship flows throughout a set of domains, such as a domain tree, and forms a relationship between a domain and all domains that trust that domain. For example, if domain A has a transitive trust with domain B, and domain B trusts domain C, then domain A trusts domain C.

There is a difference between authentication and authorization. With authentication, the system proves that you are who you say you are. With authorization, the system verifies that you have the rights to do what you want to do. To take the border analogy a step further, merely authenticating that the traveler is the proper owner of a valid passport does not necessarily authorize the traveler to enter a country. Residents of a particular country are allowed to enter another country by simply presenting a passport only where the country being entered grants unlimited permission for all citizens of that particular country to enter.

Similarly, you can grant all users from a certain domain permission to access a resource. Any user who belongs to that domain then has access to the resource, just as Canada lets U.S. citizens enter Canada. However, U.S. citizens attempting to enter Brazil or India find that they cannot enter those countries merely by presenting a passport, because both of those countries require visiting U.S. citizens to hold a valid visa. Thus, authentication does not guarantee access to resources or authorization to use them.

A passport and possibly associated visas are the accepted credentials for a traveler. However, those credentials might not let a traveler enter or access all resources within a country. For instance, additional credentials are required to attend a conference. In Windows, credentials can be managed so that account holders can access resources over the network without repeatedly having to supply their credentials. This type of access lets users be authenticated once by the system and then access all applications and data sources that they are authorized to use without entering another account identifier or password. The Windows platform capitalizes on the ability to use a single user identity (maintained by Active Directory) across the network by locally caching user credentials in the operating system's Local Security Authority (LSA). When a user logs on to the domain, Windows authentication packages transparently use those credentials to provide single sign-on when authenticating to network resources. For more information about credentials, see Credentials Processes in Windows Authentication.

A form of multi-factor authentication for the traveler might be the requirement to carry and present multiple documents to prove identity, such as a passport together with conference registration information. Windows implements this form of authentication through smart cards, virtual smart cards, and biometric technologies.

Security principals and accounts

In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller even when no human user is logged on. To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the local security authority on the domain controller authenticates the computer's identity and then defines the computer's security context, just as it would for a human security principal. This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group, or computer on a network. For example, it defines the resources, such as a file share or printer, that can be accessed and the actions, such as Read, Write, or Modify, that a user, service, or computer can perform on that resource. For more information, see Security Principals.

An account is a means to identify a claimant, the human user or service requesting access or resources. The traveler who holds the authentic passport possesses an account with the host country. Users, groups of users, objects, and services can all have individual accounts or share accounts. Accounts can be members of groups and can be assigned specific rights and permissions. Accounts can be restricted to the local computer, workgroup, or network, or be assigned membership in a domain.

Built-in accounts, and the security groups of which they are members, are defined on each version of Windows. By using security groups, you can assign the same security permissions to many users who are successfully authenticated, which simplifies access administration. Rules for issuing passports might similarly require that the traveler be assigned to certain groups, such as business, tourist, or government. This process ensures consistent security permissions across all members of a group. Using security groups to assign permissions means that access control for resources remains constant and easy to manage and audit. By adding users who require access to the appropriate security groups, and removing them when they no longer do, you minimize the frequency of changes to access control lists (ACLs).
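The following script is an added example, not code from the original page: it shows the security context Windows builds for the calling principal (the user SID plus the group SIDs from the access token) and then grants access to a folder through a group rather than an individual account, so that later membership changes do not require touching the ACL. It assumes Windows with PowerShell 5.1 or 7; the folder under $env:TEMP and the group BUILTIN\Users are illustrative choices, not taken from the page.

```powershell
# Added example (not from the original page): inspect the caller's security context and
# assign folder permissions to a group instead of a user.
# Assumptions: Windows, PowerShell 5.1 or 7; demo folder and group name are illustrative.

using namespace System.Security.Principal
using namespace System.Security.AccessControl

function Get-SecurityContextSummary {
    # The caller's access token: the user SID and the group SIDs resolved at logon.
    # Authorization compares exactly these SIDs against the ACEs on a resource.
    $id = [WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Name     = $id.Name
        Sid      = $id.User.Value
        AuthType = $id.AuthenticationType          # Kerberos, NTLM, Negotiate, ...
        Groups   = @($id.Groups | ForEach-Object {
            # Some SIDs (logon session SIDs, orphaned groups) have no name; keep the raw SID.
            try { $_.Translate([NTAccount]).Value } catch { $_.Value }
        })
    }
}

function Grant-GroupReadAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group    # e.g. 'BUILTIN\Users' or 'CORP\Share-Readers'
    )
    # Resolve the group to a SID first: a mistyped name fails here instead of
    # writing an unresolvable ACE into the ACL.
    $sid  = ([NTAccount]$Group).Translate([SecurityIdentifier])
    $rule = [FileSystemAccessRule]::new(
        $sid,
        [FileSystemRights]::ReadAndExecute,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the explicit (non-inherited) ACEs for the group so the change can be audited.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage: from here on, membership in $Group controls access; the ACL itself stays unchanged.
Get-SecurityContextSummary | Format-List
$demoDir = Join-Path $env:TEMP 'auth-concepts-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
Grant-GroupReadAccess -Path $demoDir -Group 'BUILTIN\Users' | Format-Table
```

The Groups list in the first output is what the text calls the security context: every ACE on the folder is matched against those SIDs, not against the user name. Granting to a group keeps the ACE stable while the group's membership, managed in Active Directory, does the day-to-day work.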

Standalone managed service accounts and virtual accounts were introduced in Windows Server 2008 R2 and Windows 7 to give applications that need it, such as Microsoft Exchange Server and Internet Information Services (IIS), the isolation of their own domain accounts, while eliminating the need for an administrator to manually maintain the service principal name (SPN) and credentials for these accounts. Group managed service accounts were introduced in Windows Server 2012; they provide the same functionality within the domain but also extend it across multiple servers. When a client connects to a service hosted on a server farm, such as one behind Network Load Balancing, the authentication protocols that support mutual authentication require that all instances of the service use the same principal.

For more information about accounts, see:

Delegated authentication

To continue the travel analogy, countries might grant the same access to all members of an official governmental delegation, as long as the delegates are known. Such a delegation lets one member act on the authority of another. In Windows, delegated authentication occurs when a network service accepts an authentication request from a user and assumes the identity of that user in order to initiate a new connection to a second network service. To support delegated authentication, you must establish front-end or first-tier servers, such as web servers, that are responsible for handling client authentication requests, and back-end or n-tier servers, such as large databases, that are responsible for storing information. You can delegate the right to set up delegated authentication to users in your organization to reduce the administrative load on your administrators.

By establishing a service or computer as trusted for delegation, you let that service or computer complete delegated authentication: it receives a ticket for the user who is making the request and then accesses information on behalf of that user. This model restricts data access on back-end servers to those users or services that present credentials carrying the correct access control tokens, and it allows access to those back-end resources to be audited. By requiring that all data be accessed by means of credentials that are delegated to the server for use on behalf of the client, you ensure that a compromised front-end server cannot by itself be used to reach sensitive information stored on other servers. Note that a server trusted for unconstrained delegation can impersonate any user who authenticates to it, to any service; constrained delegation, described later in this topic, limits that exposure. Delegated authentication is useful for multitier applications that are designed to use single sign-on capabilities across multiple computers.

Authentication in trust relationships between domains

Most organizations that have more than one domain have a legitimate need for users to access shared resources that are located in a different domain, just as the traveler is permitted to travel to different regions of the country. Controlling this access requires that users in one domain can also be authenticated and authorized to use resources in another domain. To provide authentication and authorization between clients and servers in different domains, there must be a trust between the two domains. Trusts are the underlying technology by which secured Active Directory communications occur, and they are an integral security component of the Windows Server network architecture.

When a trust exists between two domains, the authentication mechanisms of each domain trust the authentications coming from the other domain. Trusts help provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that let only validated authentication requests travel between domains.

How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other. Trusts are also either nontransitive, in which case trust exists only between the two partner domains, or transitive, in which case trust automatically extends to any other domains that either of the partners trusts.
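The following script is an added example, not code from the original page: it evaluates which account domains a resource domain will accept authentication requests from, given a set of trusts with their direction and transitivity, which is the rule the two paragraphs above describe. The trust table is constructed for the example and the domain names are invented; it runs offline in PowerShell 5.1 or 7. Note that it applies the transitivity rule strictly (every hop beyond the first must be transitive) and does not model selective authentication or SID filtering.

```powershell
# Added example (not from the original page): who can authenticate into a resource domain?
# Assumptions: constructed trust table with invented domain names; no AD module needed.

# One row per direction: TrustingDomain is the resource domain, TrustedDomain the
# account domain whose authentication requests it accepts.
function New-Trust([string]$Trusting, [string]$Trusted, [bool]$Transitive, [string]$Kind) {
    [pscustomobject]@{ TrustingDomain = $Trusting; TrustedDomain = $Trusted; Transitive = $Transitive; Kind = $Kind }
}

$trusts = @(
    # Parent-child trusts inside the corp.example forest: two-way, transitive.
    New-Trust 'corp.example'      'eu.corp.example'   $true  'ParentChild'
    New-Trust 'eu.corp.example'   'corp.example'      $true  'ParentChild'
    New-Trust 'corp.example'      'apac.corp.example' $true  'ParentChild'
    New-Trust 'apac.corp.example' 'corp.example'      $true  'ParentChild'
    # Forest trust with fabrikam.example: two-way, transitive, plus fabrikam's own child domain.
    New-Trust 'corp.example'           'fabrikam.example'       $true  'Forest'
    New-Trust 'fabrikam.example'       'corp.example'           $true  'Forest'
    New-Trust 'fabrikam.example'       'sales.fabrikam.example' $true  'ParentChild'
    New-Trust 'sales.fabrikam.example' 'fabrikam.example'       $true  'ParentChild'
    # External trust: one-way and nontransitive. corp.example accepts partner.example
    # users; partner.example accepts nobody from corp, and child domains of corp see nothing.
    New-Trust 'corp.example' 'partner.example' $false 'External'
)

function Get-TrustedAccountDomains {
    param(
        [Parameter(Mandatory)] [string]   $ResourceDomain,
        [Parameter(Mandatory)] [object[]] $Trusts
    )
    # Breadth-first walk from the resource domain. Any trust can be the first hop;
    # beyond that only transitive trusts carry the path further, so a nontransitive
    # external trust stops at the domain that created it.
    $reached  = [ordered]@{}
    $expanded = @{ $ResourceDomain = $true }
    $queue    = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Domain = $ResourceDomain; Path = @($ResourceDomain) })

    while ($queue.Count -gt 0) {
        $cur      = $queue.Dequeue()
        $firstHop = ($cur.Domain -eq $ResourceDomain)
        foreach ($t in $Trusts | Where-Object { $_.TrustingDomain -eq $cur.Domain }) {
            if (-not $firstHop -and -not $t.Transitive) { continue }
            $next = $t.TrustedDomain
            if ($next -eq $ResourceDomain) { continue }
            if (-not $reached.Contains($next)) {
                $reached[$next] = [pscustomobject]@{
                    AccountDomain = $next
                    Via           = ($cur.Path + $next) -join ' -> '
                    Transitive    = $t.Transitive
                }
            }
            # A domain is expanded at most once, and only when reached over a transitive trust.
            if ($t.Transitive -and -not $expanded.ContainsKey($next)) {
                $expanded[$next] = $true
                $queue.Enqueue(@{ Domain = $next; Path = $cur.Path + $next })
            }
        }
    }
    $reached.Values
}

# Usage
'Account domains accepted by eu.corp.example:'
Get-TrustedAccountDomains -ResourceDomain 'eu.corp.example' -Trusts $trusts | Format-Table
# corp.example, apac.corp.example, fabrikam.example, sales.fabrikam.example; partner.example is absent
'Account domains accepted by partner.example:'
@(Get-TrustedAccountDomains -ResourceDomain 'partner.example' -Trusts $trusts).Count   # 0: the external trust is one-way
```

For a live environment the same table can be built from Get-ADTrust -Filter * run in each domain: an Outbound or BiDirectional trust on source domain S with target T means S trusts T, so it becomes a row with TrustingDomain S and TrustedDomain T; treat the row as transitive unless the trust object's DisallowTransivity property (the cmdlet spells it that way) is set or the trust type is External. Cross-check the direction against the "Domains trusted by this domain (outgoing trusts)" list in Active Directory Domains and Trusts before relying on the output.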

For information about how a trust works, see How Domain and Forest Trusts Work.

Protocol transition

Protocol transition assists application designers by letting applications support different authentication mechanisms at the user authentication tier and then switch to the Kerberos protocol for security features, such as mutual authentication and constrained delegation, in the subsequent application tiers.

For more information about protocol transition, see Kerberos Protocol Transition and Constrained Delegation.

Constrained delegation

Constrained delegation gives administrators the ability to specify and enforce application trust boundaries by limiting the scope in which application services can act on behalf of a user. You can specify the particular services from which a computer that is trusted for delegation can request resources. The flexibility to constrain the authorization rights of services helps improve application security design by reducing the opportunities for compromise by untrusted services.
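The following script is an added example, not code from the original page: it classifies how accounts are configured for Kerberos delegation (none, constrained to listed services, constrained with protocol transition, or unconstrained) from the same directory attributes an audit would read, covering the delegation, protocol transition and constrained delegation sections above. The sample accounts are constructed and the host and account names are invented; the classification itself runs offline in PowerShell 5.1 or 7. The Get-ADObject and Set-ADComputer lines in the trailing comments need the ActiveDirectory module and appropriate rights in a real domain.

```powershell
# Added example (not from the original page): audit delegation settings and show the
# constrained configuration that replaces an unconstrained one.
# Assumptions: constructed sample objects; invented host/account names.

# userAccountControl flag bits (documented values).
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: can impersonate any user to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: may obtain a user ticket without having seen one
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account

function Get-DelegationMode {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        $uac     = [int]$Account.userAccountControl
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $isDC    = [bool]($uac -band $SERVER_TRUST_ACCOUNT)

        $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
                elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) { 'Constrained, any protocol (protocol transition)' }
                elseif ($targets.Count -gt 0) { 'Constrained, Kerberos only' }
                else { 'None' }

        # Domain controllers are unconstrained by design. Any other unconstrained host
        # receives a forwardable TGT from every user who authenticates to it, so flag it.
        $finding = if ($mode -eq 'Unconstrained' -and -not $isDC) { 'REVIEW: move to constrained delegation' }
                   elseif ($mode -like 'Constrained, any protocol*') { 'Confirm the front end really needs protocol transition' }
                   else { '' }

        [pscustomobject]@{
            Name    = $Account.sAMAccountName
            Mode    = $mode
            Targets = $targets -join ', '
            Finding = $finding
        }
    }
}

# Constructed sample: the shape an LDAP query for delegation-enabled objects returns.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'WEB01$';     userAccountControl = 0x81000;   'msDS-AllowedToDelegateTo' = $null }                                  # WORKSTATION_TRUST + TRUSTED_FOR_DELEGATION
    [pscustomobject]@{ sAMAccountName = 'WEB02$';     userAccountControl = 0x1000;    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.corp.example:1433') } # constrained, Kerberos only
    [pscustomobject]@{ sAMAccountName = 'svc-portal'; userAccountControl = 0x1000200; 'msDS-AllowedToDelegateTo' = @('HTTP/api01.corp.example') }          # NORMAL_ACCOUNT + protocol transition
    [pscustomobject]@{ sAMAccountName = 'DC01$';      userAccountControl = 0x82000;   'msDS-AllowedToDelegateTo' = $null }                                  # SERVER_TRUST + TRUSTED_FOR_DELEGATION
)
$sample | Get-DelegationMode | Format-Table -AutoSize

# Live equivalent (ActiveDirectory module): every object with either marker, piped into the classifier.
#   Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' `
#       -Properties sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo | Get-DelegationMode
# Remediating WEB01: clear the unconstrained bit and list the one service it may reach on users' behalf.
#   Set-ADComputer -Identity 'WEB01' -TrustedForDelegation $false
#   Set-ADComputer -Identity 'WEB01' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example:1433' }
```

In the sample output WEB01 is the case the constrained delegation section warns about: a web front end that can act as any user toward any service. WEB02 is the intended shape, where the trust boundary is the single SPN in msDS-AllowedToDelegateTo. svc-portal combines constrained delegation with protocol transition, which is what lets a front end that authenticated the user by some other mechanism still obtain a Kerberos ticket for the back end; it deserves a second look because the back end can no longer assume the user ever presented a Kerberos ticket to the front end.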

For more information about constrained delegation, see Kerberos Constrained Delegation Overview.

See also

Windows Logon and Authentication Technical Overview