Windows Authentication Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This navigation topic for the IT professional lists documentation resources for Windows authentication and logon technologies, including product evaluation, getting started guides, procedures, design and deployment guides, technical references, and command references.

Feature description

Authentication is a process for verifying the identity of an object, service, or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a service or person, the goal is to verify that the credentials presented are authentic.

In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses either a key only the user knows (as with public key cryptography) or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt.

Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. Active Directory Domain Services is the recommended and default technology for storing identity information, including the cryptographic keys that are the user's credentials. Active Directory is required for the default NTLM and Kerberos implementations.

Authentication techniques range from a simple logon, which identifies users based on something that only the user knows (such as a password), to more powerful security mechanisms that use something the user has (such as tokens, public key certificates, and biometrics). In a business environment, services or users might access multiple applications or resources on many types of servers within a single location or across multiple locations. For these reasons, authentication must support environments for other platforms and for other Windows operating systems.

The Windows operating system implements a default set of authentication protocols, including Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture. In addition, some protocols are combined into authentication packages such as Negotiate and the Credential Security Support Provider. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.

For more information about Windows Authentication, see the Windows Authentication Technical Overview.

Practical applications

Windows Authentication is used to verify that information comes from a trusted source, whether from a person or from a computer object, such as another computer. Windows provides many different methods to achieve this goal, as described below.

| To... | Feature | Description |
| --- | --- | --- |
| Authenticate within an Active Directory domain | Kerberos | The Microsoft Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services running on the domain controller. The KDC uses the domain's Active Directory directory service database as its security account database. Active Directory is required for default Kerberos implementations. For additional resources, see Kerberos Authentication Overview. |
| Secure authentication on the web | TLS/SSL as implemented in the Schannel Security Support Provider | The Transport Layer Security (TLS) protocol versions 1.0, 1.1, and 1.2, the Secure Sockets Layer (SSL) protocol versions 2.0 and 3.0, the Datagram Transport Layer Security (DTLS) protocol version 1.0, and the Private Communications Transport (PCT) protocol version 1.0 are based on public key cryptography. The Secure Channel (Schannel) provider authentication protocol suite provides these protocols. All Schannel protocols use a client and server model. For additional resources, see TLS - SSL (Schannel SSP) Overview. |
| Authenticate to a web service or application | Integrated Windows Authentication; Digest Authentication | For additional resources, see [Integrated Windows Authentication](http://technet.microsoft.com/library/cc758557(v=WS.10).aspx), Digest Authentication, and Advanced Digest Authentication. |
| Authenticate to legacy applications | NTLM | NTLM is a challenge-response style authentication protocol. In addition to authentication, the NTLM protocol optionally provides session security, specifically message integrity and confidentiality through the signing and sealing functions in NTLM. For additional resources, see NTLM Overview. |
| Leverage multifactor authentication | Smart card support; Biometric support | Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as client authentication, logging on to domains, code signing, and securing e-mail. Biometrics relies on measuring an unchanging physical characteristic of a person to uniquely identify that person. Fingerprints are one of the most frequently used biometric characteristics, with millions of fingerprint biometric devices embedded in personal computers and peripherals. For additional resources, see Smart Card Technical Reference. |
| Provide local management, storage, and reuse of credentials | Credentials management; Local Security Authority; Passwords | Credential management in Windows ensures that credentials are stored securely. Credentials are collected on the Secure Desktop (for local or domain access), through apps, or through websites so that the correct credentials are presented every time a resource is accessed. |
| Extend modern authentication protection to legacy systems | Extended Protection for Authentication | This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA). |

Software requirements

Windows Authentication is designed to be compatible with previous versions of the Windows operating system. However, improvements in each release are not necessarily applicable to previous versions. Refer to the documentation for specific features for more information.

Server Manager information

Many authentication features can be configured using Group Policy, which can be installed using Server Manager. The Windows Biometric Framework feature is installed using Server Manager. Other server roles that depend on authentication methods, such as Web Server (IIS) and Active Directory Domain Services, can also be installed using Server Manager.

| Authentication technologies | Resources |
| --- | --- |
| Windows authentication | Windows Authentication Technical Overview: includes topics addressing differences between versions, general authentication concepts, logon scenarios, architectures for supported versions, and applicable settings. |
| Kerberos | Kerberos Authentication Overview; Kerberos Constrained Delegation Overview; Kerberos Authentication Technical Reference (2003); Kerberos Survival Guide (TechNet Wiki) |
| TLS/SSL and DTLS (Schannel security support provider) | TLS - SSL (Schannel SSP) Overview; Schannel Security Support Provider Technical Reference |
| Digest authentication | Digest Authentication Technical Reference (2003) |
| NTLM | NTLM Overview: contains links to current and past resources. |
| PKU2U | Introducing PKU2U in Windows |
| Smart Card | Smart Card Technical Reference |
| Credentials | Credentials Protection and Management: contains links to current and past resources. Passwords Overview: contains links to current and past resources. |