Windows Logon Scenarios

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This reference topic for the IT professional summarizes common Windows logon and sign-in scenarios.

The Windows operating systems require all users to log on to the computer with a valid account to access local and network resources. Windows-based computers secure resources by implementing the logon process, in which users are authenticated. After a user is authenticated, authorization and access control technologies implement the second phase of protecting resources: determining whether the authenticated user is authorized to access a resource.

The contents of this topic apply to the versions of Windows designated in the Applies to list at the beginning of this topic.

In addition, applications and services can require users to sign in to access the resources that are offered by the application or service. The sign-in process is similar to the logon process, in that a valid account and correct credentials are required, but logon information is stored in the Security Account Manager (SAM) database on the local computer and in Active Directory where applicable. Sign-in account and credential information is managed by the application or service, and optionally can be stored locally in Credential Locker.

To understand how authentication works, see Windows Authentication Concepts.

This topic describes the following scenarios:

Interactive logon

The logon process begins either when a user enters credentials in the credentials entry dialog box, when the user inserts a smart card into the smart card reader, or when the user interacts with a biometric device. Users can perform an interactive logon by using a local user account or a domain account to log on to a computer.

The following diagram shows the interactive logon elements and logon process.

Diagram showing the interactive logon elements and logon process

Windows Client Authentication Architecture

Local and domain logon

Credentials that the user presents for a domain logon contain all the elements necessary for a local logon, such as account name and password or certificate, plus Active Directory domain information. The process confirms the user's identification to the security database on the user's local computer or to an Active Directory domain. This mandatory logon process cannot be turned off for users in a domain.

Users can perform an interactive logon to a computer in either of two ways:

  • Locally, when the user has direct physical access to the computer, or when the computer is part of a network of computers.

    A local logon grants a user permission to access Windows resources on the local computer. A local logon requires that the user has a user account in the Security Accounts Manager (SAM) on the local computer. The SAM protects and manages user and group information in the form of security accounts stored in the local computer registry. The computer can have network access, but it is not required. Local user account and group membership information is used to manage access to local resources.

    A network logon grants a user permission to access Windows resources on the local computer in addition to any resources on networked computers, as defined by the credential's access token. Both a local logon and a network logon require that the user has a user account in the Security Accounts Manager (SAM) on the local computer. Local user account and group membership information is used to manage access to local resources, and the access token for the user defines what resources can be accessed on networked computers.

    A local logon and a network logon are not sufficient to grant the user and computer permission to access and use domain resources.

  • Remotely, through Terminal Services or Remote Desktop Services (RDS), in which case the logon is further qualified as remote interactive.

After an interactive logon, Windows runs applications on behalf of the user, and the user can interact with those applications.

A local logon grants a user permission to access resources on the local computer or resources on networked computers. If the computer is joined to a domain, the Winlogon functionality attempts to log on to that domain.

A domain logon grants a user permission to access local and domain resources. A domain logon requires that the user has a user account in Active Directory. The computer must have an account in the Active Directory domain and be physically connected to the network. Users must also have the user rights to log on to a local computer or a domain. Domain user account information and group membership information are used to manage access to domain and local resources.

Remote logon

In Windows, accessing another computer through remote logon relies on the Remote Desktop Protocol (RDP). Because the user must already have successfully logged on to the client computer before attempting a remote connection, the interactive logon process has already finished.

RDP manages the credentials that the user enters by using the Remote Desktop Client. Those credentials are intended for the target computer, and the user must have an account on that target computer. In addition, the target computer must be configured to accept a remote connection. The credentials are sent to the target computer, which attempts to perform the authentication process. If authentication is successful, the user is connected to local and network resources that are accessible by using the supplied credentials.

Network logon

A network logon can only be used after user, service, or computer authentication has taken place. During network logon, the process does not use the credentials entry dialog boxes to collect data. Instead, previously established credentials or another method to collect credentials is used. This process confirms the user's identity to any network service that the user is attempting to access. This process is typically invisible to the user unless alternate credentials have to be provided.

To provide this type of authentication, the security system includes these authentication mechanisms:

  • Kerberos version 5 protocol

  • Public key certificates

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)

  • Digest

  • NTLM, for compatibility with Microsoft Windows NT 4.0-based systems

For information about the elements and processes, see the interactive logon diagram above.
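As an added example (not part of the original Microsoft topic), the following Python script maps the scenarios described in the local and domain logon and network logon sections above (interactive, remote interactive, network, and local versus domain accounts) onto the Logon Type field of Windows Security event 4624, which is where these scenarios become visible to a defender reading the audit log. The event records, the computer name WS01, and the account names are constructed for the example; the Logon Type numbers and field names are those documented for event 4624. Whether an account is local or domain is decided the way this page describes it: an account whose domain field is the computer itself lives in the SAM, otherwise it lives in Active Directory.

```python
"""Map Windows Security event 4624 (successful logon) records onto the
logon scenarios described on this page.  Added example with constructed
records; it is not Microsoft's code."""
from collections import Counter

# Logon Type values documented for event ID 4624.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample records; keys mirror the event's data field names.
COMPUTER_NAME = "WS01"  # host whose Security log we are reading (constructed)
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"TargetUserName": "localadmin", "TargetDomainName": "WS01",
     "LogonType": 2, "AuthenticationPackageName": "NTLM"},
    {"TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate"},
    {"TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"TargetUserName": "carol", "TargetDomainName": "CORP",
     "LogonType": 11, "AuthenticationPackageName": "Negotiate"},
]


def account_scope(event, computer_name=COMPUTER_NAME):
    """'local' when the account lives in this computer's SAM (domain field equals
    the computer name), otherwise 'domain' (account lives in Active Directory)."""
    return "local" if event["TargetDomainName"].upper() == computer_name.upper() else "domain"


def classify(event, computer_name=COMPUTER_NAME):
    """Return the scenario name used on this page for one 4624 record."""
    ltype = event["LogonType"]
    if ltype in (2, 11):        # at the console; 11 means cached domain credentials
        scenario = "interactive"
    elif ltype == 10:           # Remote Desktop Services / Terminal Services
        scenario = "remote interactive"
    elif ltype == 3:            # access to a share, service or other network resource
        scenario = "network"
    else:
        scenario = LOGON_TYPES.get(ltype, "unknown").lower()
    return {
        "account": f'{event["TargetDomainName"]}\\{event["TargetUserName"]}',
        "logon_type": LOGON_TYPES.get(ltype, "Unknown"),
        "scenario": scenario,
        "scope": account_scope(event, computer_name),
        "package": event["AuthenticationPackageName"],
    }


def summarize(events, computer_name=COMPUTER_NAME):
    """Count logons per (scenario, scope) pair."""
    return Counter((c["scenario"], c["scope"])
                   for c in (classify(e, computer_name) for e in events))


def legacy_ntlm_logons(events, computer_name=COMPUTER_NAME):
    """Domain accounts still authenticating with NTLM over the network; this page
    lists NTLM only for compatibility with Windows NT 4.0-based systems."""
    return [c["account"] for c in (classify(e, computer_name) for e in events)
            if c["scenario"] == "network" and c["scope"] == "domain" and c["package"] == "NTLM"]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e))
    print(summarize(SAMPLE_EVENTS))
    print("legacy NTLM network logons:", legacy_ntlm_logons(SAMPLE_EVENTS))
```

The `legacy_ntlm_logons` check follows from the mechanism list above: Kerberos is the primary protocol for domain accounts, so a domain account repeatedly performing network logons with NTLM is worth tracing back to the service or client that still depends on it.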

Smart card logon

Smart cards can be used to log on only to domain accounts, not local accounts. Smart card authentication requires the use of the Kerberos authentication protocol. Introduced in Windows 2000 Server, Windows-based operating systems implement a public key extension to the Kerberos protocol's initial authentication request. In contrast to shared secret key cryptography, public key cryptography is asymmetric, that is, two different keys are needed: one to encrypt, another to decrypt. Together, the keys that are required to perform both operations make up a private/public key pair.

To initiate a typical logon session, a user must prove his or her identity by providing information known only to the user and the underlying Kerberos protocol infrastructure. The secret information is a cryptographic shared key derived from the user's password. A shared secret key is symmetric, which means that the same key is used for both encryption and decryption.

The following diagram shows the elements and processes required for smart card logon.

Diagram showing the elements and processes required for smart card logon

Smart Card credential provider architecture

When a smart card is used instead of a password, a private/public key pair stored on the user's smart card is substituted for the shared secret key, which is derived from the user's password. The private key is stored only on the smart card. The public key can be made available to anyone with whom the owner wants to exchange confidential information.
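As an added illustration of the contrast drawn above (not code from Microsoft, Windows or any Kerberos implementation), the Python model below shows the two forms of proof side by side in the style of Kerberos initial authentication: a password-derived symmetric key that both the client and the KDC compute, and a smart card private/public key pair where only the card signs and the KDC verifies with the public key taken from the user's certificate. The realm, principal, password, timestamp and clock-skew window are constructed; the key derivation is simplified and the RSA key is built from small public Mersenne primes, so nothing here is secure or exact, only illustrative. It needs Python 3.8 or later for the modular inverse via `pow`.

```python
"""Model of the two Kerberos initial-authentication proofs this page contrasts:
a symmetric key derived from the user's password (client and KDC derive the
same key) and a smart card whose private key never leaves the card while the
KDC verifies with the public key.  Added example: simplified illustration, not
the Kerberos or Windows implementation; the RSA key is deliberately tiny."""
import hashlib
import hmac
import struct

MAX_CLOCK_SKEW = 300  # seconds; Kerberos rejects stale pre-authentication timestamps


# ---- Password path: shared secret key, symmetric ---------------------------------

def derive_shared_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the long-term key from the password.  Kerberos AES keys are derived
    with PBKDF2 salted by realm and principal; the hash and count here are
    illustrative, not the real string-to-key parameters."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def password_preauth(password: str, realm: str, principal: str, timestamp: int):
    """Client side: prove knowledge of the shared key by authenticating the time."""
    key = derive_shared_key(password, realm, principal)
    tag = hmac.new(key, struct.pack(">Q", timestamp), "sha256").digest()
    return timestamp, tag


def kdc_verify_password_preauth(stored_key: bytes, timestamp: int, tag: bytes, now: int) -> bool:
    """KDC side: the KDC holds the derived key (not the password) and recomputes
    the same proof; a stale timestamp is rejected before the key is used."""
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False
    expected = hmac.new(stored_key, struct.pack(">Q", timestamp), "sha256").digest()
    return hmac.compare_digest(expected, tag)


# ---- Smart card path: private/public key pair, asymmetric -------------------------

def toy_rsa_keypair():
    """Textbook RSA from two public Mersenne primes: illustration only, never secure."""
    p, q = 2**31 - 1, 2**61 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (n, e), (n, d)          # (public key, private key)


def _digest_int(n: int, timestamp: int) -> int:
    """Hash the timestamp and reduce it into the RSA modulus range."""
    h = hashlib.sha256(struct.pack(">Q", timestamp)).digest()
    return int.from_bytes(h, "big") % n


def smartcard_sign(private_key, timestamp: int) -> int:
    """Card side: the private key signs; the host never receives the key itself."""
    n, d = private_key
    return pow(_digest_int(n, timestamp), d, n)


def kdc_verify_smartcard_preauth(public_key, timestamp: int, signature: int, now: int) -> bool:
    """KDC side: verify with the public key from the user's certificate; the KDC
    never needs any secret shared with the user."""
    n, e = public_key
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False
    return pow(signature, e, n) == _digest_int(n, timestamp)


if __name__ == "__main__":
    now = 1_700_000_000            # constructed clock value
    realm, user = "CORP.EXAMPLE", "alice"
    kdc_key = derive_shared_key("correct horse", realm, user)   # what the KDC stores
    ts, tag = password_preauth("correct horse", realm, user, now)
    print("password proof accepted:", kdc_verify_password_preauth(kdc_key, ts, tag, now))
    pub, priv = toy_rsa_keypair()
    sig = smartcard_sign(priv, now)
    print("smart card proof accepted:", kdc_verify_smartcard_preauth(pub, now, sig, now))
```

The symmetric path makes the page's point concrete: the KDC must hold a key derived from every user's password, so the password-derived key is a shared secret on both sides. In the asymmetric path the card signs and the KDC only verifies, which is why the private key can stay on the card and the public key can be handed to anyone.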

For more information about the smart card logon process in Windows, see How smart card sign-in works in Windows.

Biometric logon

A device is used to capture and build a digital representation of a characteristic, such as a fingerprint. This digital representation is then compared to a stored sample of the same characteristic, and when the two match, authentication can occur. Computers running any of the operating systems designated in the Applies to list at the beginning of this topic can be configured to accept this form of logon. However, if biometric logon is only configured for local logon, the user needs to present domain credentials when accessing an Active Directory domain.

Additional resources

For information about how Windows manages credentials submitted during the logon process, see Credentials Management in Windows Authentication.

Windows Logon and Authentication Technical Overview