Windows Hello for Business: Hardware Keys and SSO Explained

  • Windows Hello for Business replaces passwords with cryptographic keys protected by hardware (TPM), unlocked with a PIN or biometrics and registered in Microsoft Entra ID and/or Active Directory.
  • The full process covers device registration, provisioning, key synchronization and, optionally, certificates, enabling strong passwordless authentication both in the cloud and on-premises.
  • The Primary Refresh Token (PRT) is the foundation of modern SSO: it lets users who authenticated with WHfB reach many applications without re-entering credentials, while still respecting Conditional Access policies.
  • In hybrid environments it is essential to configure the PKI, CRLs and domain controller certificates correctly, and to distribute the root CA to devices, so that WHfB authentication against Active Directory stays secure and stable.

Windows Hello for Business

Windows Hello for Business (WHfB) has become a key component of Microsoft's enterprise identity architecture: it leaves traditional passwords behind and introduces an authentication model built on cryptographic keys, biometrics, PINs and trusted devices. Combined with Microsoft Entra ID and single sign-on (SSO), it lets users reach cloud and on-premises resources with a single identity while keeping enterprise-grade security controls in place.

In this section we break down, in depth but plainly, how Windows Hello for Business authentication works when hardware keys, TPM-enabled devices and SSO scenarios come together. Comparing Microsoft Entra ID with Active Directory, we look at the internal components (device registration, provisioning, key synchronization, certificates and authentication), the role of the PRT in SSO, how it integrates with Kerberos in hybrid environments, and the infrastructure requirements for everything to run smoothly.

General architecture of Windows Hello for Business and its passwordless model

Windows Hello for Business is not simply a matter of "typing a PIN or showing your face". Behind the sign-in is a distributed system that combines the user identity, the device identity and cryptographic keys protected by hardware. Authentication rests on public/private key pairs or certificates, bound to the device (TPM) and unlocked by something the user knows (PIN) or something the user is (biometrics).

The big difference compared with classic passwords is that there is no longer a "shared secret" that travels over the network or is stored centrally: the server (Microsoft Entra ID or Active Directory) keeps only the public part of the key, while the private part never leaves the device. When the user needs to authenticate, Windows signs a "nonce" with the private key, and the identity provider verifies that signature with the registered public key.

This is what makes WHfB resistant to phishing: even if an attacker tricks the user into entering their username on a malicious site, they cannot replay the authentication without the private key bound to the device's TPM. The result is a two-factor system (key + PIN/biometrics) that meets strict MFA requirements, with a simpler user experience and stronger security.

WHfB integrates with both Microsoft Entra ID and Active Directory, which allows different deployment models: cloud-only, hybrid or fully on-premises. It can also coexist with smart cards and FIDO2 keys, and it can reuse an existing enterprise PKI if you choose a certificate-based model.

Hardware key and SSO architecture in Windows Hello for Business

Operational phases of Windows Hello for Business

To fully understand what happens "under the hood", the most practical approach is to split the Windows Hello for Business lifecycle into several linked phases: device registration, provisioning, key synchronization (in hybrid mode), certificate enrollment (if used) and, finally, authentication and SSO.

1. Device registration

Before a user can be issued WHfB credentials, the device must have an identity of its own. This process is called device registration and binds the device to the identity provider (IdP).

Depending on the deployment type, the IdP and the registration service differ:

  • Cloud or hybrid deployments: the IdP is Microsoft Entra ID. The device registers with the Entra ID device registration service and becomes a "Microsoft Entra joined" or "Microsoft Entra hybrid joined" device.
  • On-premises-only deployments: the IdP is AD FS, and the device registers with the Enterprise Device Registration Service exposed by AD FS.

As a result of registration, the IdP assigns the device its own identity, which is used in later exchanges on behalf of the user and when acquiring tokens. There are different "join types" or join states (Entra joined only, hybrid joined, classic domain-joined plus registered, and so on) that determine how the device behaves in each scenario.

2. Windows Hello for Business provisioning

The provisioning phase is where the Hello credentials are created for a specific user on the device. A key concept appears here: the Windows Hello container, a logical structure in which all the "cryptographic material" related to the user's identity on that computer is stored.

The typical provisioning flow consists of several linked steps:

  1. The user signs in with traditional credentials (usually username and password) and the system launches the WHfB setup experience, requesting multi-factor authentication from the IdP (Microsoft Entra ID or AD FS).
  2. After MFA completes successfully, the user is prompted to define a PIN and, if the hardware allows it, to enroll biometrics (fingerprint, face, iris).
  3. Once the PIN is confirmed, Windows creates the Windows Hello container.
  4. A public/private authentication key pair is generated, bound to the TPM (if present) or, failing that, protected in software.
  5. The private key is stored locally and sealed to the TPM; it cannot be exported.
  6. The public key is registered with the IdP and associated with the user account:
    1. In cloud or hybrid scenarios, the device registration service writes it to the user's object in Microsoft Entra ID.
    2. In on-premises scenarios with AD FS, it is stored in Active Directory.

Inside the container, each "protector" (PIN, biometric gesture, etc.) keeps its own encrypted copy of the authentication key. When a TPM is present, the PIN is used as entropy in the sealing operation; otherwise, a symmetric key is derived to encrypt the material. This lets the user unlock the same key with different gestures without weakening security.

Besides the primary authentication key, the container may include other elements, such as an administrative key for PIN-reset scenarios, blobs containing TPM certificates and, above all, various user identity keys used for other protocols (WebAuthn/FIDO2, Entra ID, user certificates for VPN or RDP, and so on).

Authentication keys and user identity

The Windows Hello authentication key is always an asymmetric (public/private) pair generated during enrollment. Each time it must be used, it has to be unlocked with the PIN or biometrics. If the user resets their PIN, a new authentication key pair is generated and everything protected by the previous pair is re-encrypted.

User identity keys can be symmetric or asymmetric, depending on the IdP and the scenario. In modern enterprise environments (Microsoft Entra ID, Active Directory, personal Microsoft accounts) they are usually asymmetric keys, generated and stored on the device, with the public part registered with the identity provider.

There are two main approaches to generating user identity keys in an organization:

  • Tie them to the enterprise PKI, so that the key is associated with a certificate issued by the corporate CA. This eases the transition from certificate-based infrastructure (VPN, RDP with user certificates, etc.) to WHfB.
  • Keep them purely key-based, with the IdP (Entra ID or AD FS) managing the key pair bound to the identity, which reduces PKI complexity when a PKI is not strictly necessary.

These keys prove possession by signing challenges or authentication tokens, both against domain controllers (Kerberos) and against web services that use WebAuthn (FIDO2). A single device can hold multiple FIDO credentials for different websites or applications, all managed inside the Windows Hello container.

Local protection of biometric data

A question that often worries users and auditors is what happens to their biometric traits. In Windows Hello for Business, biometric templates are stored only on the device, in a local database that Microsoft cannot access and that is never synchronized to the cloud.

Each biometric sensor keeps its own template database (for example, under C:\WINDOWS\System32\WinBioDatabase), encrypted with a random key unique to each database, protected with AES in CBC mode and SHA-256 hashing. Even if an attacker obtained this database, they could not reconstruct "raw" images of the face or fingerprint; the template data is not reversible.

Windows Hello for Business, TPM and SSO

3. Key synchronization in hybrid environments

In hybrid deployments, the public key registered in Microsoft Entra ID must also reach Active Directory, so that the user can authenticate without a password to both cloud services and on-premises resources.

This process is driven by Microsoft Entra Connect Sync, which synchronizes the user's public key from Entra ID to the msDS-KeyCredentialLink attribute of the user object in Active Directory. In this way, domain controllers can validate key-based authentication (the key trust scenario) or use the related information in Kerberos cloud trust models.
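A practical check after configuring the synchronization described above is to confirm that the key actually landed in Active Directory for the users expected to use key trust. The following is an added example, not code from the original article or from Microsoft: a read-only ActiveDirectory module query that reports, per user in an OU, how many entries msDS-KeyCredentialLink holds. The OU path and the function name are placeholders chosen for this example.

```powershell
# Added example (not from the original article or Microsoft): report which users
# already have a WHfB public key synchronized into msDS-KeyCredentialLink.
# Requires the RSAT ActiveDirectory module; run as a user allowed to read the attribute.
Import-Module ActiveDirectory

function Get-WhfbKeySyncStatus {
    param(
        [Parameter(Mandatory)][string]$SearchBase   # placeholder, e.g. 'OU=Users,DC=corp,DC=example'
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties 'msDS-KeyCredentialLink' |
        ForEach-Object {
            $u = $_
            # The attribute is multi-valued: one DN-with-binary entry per registered device key,
            # so a user who enrolled WHfB on two machines shows two entries.
            $links = @($u.'msDS-KeyCredentialLink' | Where-Object { $_ })
            [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                UserPrincipalName  = $u.UserPrincipalName
                KeyCredentialCount = $links.Count
                KeySynced          = ($links.Count -gt 0)
            }
        }
}

# Users who completed WHfB provisioning in Entra ID but still have no key in AD
# cannot use key trust yet: they are waiting for the next sync cycle or are out of sync scope.
Get-WhfbKeySyncStatus -SearchBase 'OU=Users,DC=corp,DC=example' |
    Where-Object { -not $_.KeySynced } |
    Format-Table SamAccountName, UserPrincipalName, KeyCredentialCount
```

Drop the final Where-Object filter to see the full population; a count higher than the number of devices a user actually owns is worth investigating, since each entry represents a key that a domain controller will accept for that account.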

4. Certificate enrollment (if you use a certificate-based model)

If your organization already has a PKI deployed and wants to use it with WHfB, you can optionally choose the certificate trust model. In this case, after registering the key with the IdP, the client creates a certificate request and sends it to a certificate registration authority (CRA), usually hosted on the AD FS server.

The CRA validates the request and forwards it to the enterprise CA, which issues the user certificate. That certificate is stored inside the Windows Hello container and is used to authenticate to on-premises resources that require client certificates (for example, Kerberos authentication with certificates or IPsec VPN).

5. Authentication phase: how the key is "released"

Once the previous phases are complete, the user's day-to-day experience is very simple: to sign in or unlock the device, they use their PIN or biometrics. Technically, that gesture "unlocks" access to the private part of their WHfB credentials stored in the TPM.

Neither the PIN nor the private key leaves the device or is sent to the IdP. The PIN acts as entropy for the private key's signing operations; in other words, it is a local secret that authorizes use of the key. When an application or the system itself must authenticate to the identity provider (IdP), Windows signs a block of data with the private key and sends the signature to the server, which validates it with the registered public key.

This process is the same both for direct Entra ID authentication (through web protocols and the Cloud AP provider) and for Kerberos authentication against Active Directory (whether through key trust, certificate trust or Kerberos cloud trust).

Primary Refresh Token (PRT) and single sign-on (SSO)

Modern SSO in Microsoft environments revolves around the Primary Refresh Token, or PRT. Just as in classic Kerberos the "master token" is the TGT, in Entra ID scenarios the PRT is a JWT that carries user and device information and allows access tokens for different applications to be obtained without the user having to authenticate explicitly again.

The PRT is normally issued at sign-in or device unlock, when the user authenticates with WHfB on a Microsoft Entra joined or Microsoft Entra hybrid joined computer. On devices that are only Entra registered, the PRT is obtained by adding a work or school account to Windows.

Without a PRT there is no real SSO for applications protected by Entra ID or AD FS. If for some reason the device has no valid PRT, users will see repeated credential prompts, and Conditional Access policies that require device information (for example, "compliant devices only") will fail.

In remote-access scenarios with VPN and SAML SSO, once the user has authenticated with WHfB to the operating system, the PRT lets Entra ID "remember" that phishing-resistant MFA has already been satisfied. So, when signing in to the VPN through SAML, Entra ID can mark the session as MFA-compliant without requiring a second factor again, something that often raises debate with insurers and auditors.

Authentication flow on a Microsoft Entra joined device: signing in to Entra ID

On an Entra joined device, the chain of events during a WHfB sign-in, in simplified terms, is as follows:

  • The user dismisses the lock screen and enters their PIN or biometrics in the WHfB credential provider.
  • Winlogon passes those credentials to LSASS, which forwards them to the Cloud authentication provider (Cloud AP).
  • Cloud AP requests a nonce from Microsoft Entra ID; Entra ID responds with that value.
  • The client signs the nonce with the user's private key and sends the result to Entra ID.
  • Entra ID validates the signature with the previously registered public key and, if everything is correct, generates a PRT, encrypted with the device's transport key.
  • Cloud AP decrypts the PRT session key using the device's transport key (protected by the TPM) and stores the PRT in a protected cache.
  • LSASS informs Winlogon that authentication succeeded and the user session is created.
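The steps above, and the "no shared secret" property explained earlier in the architecture section, are easiest to see with both sides of the exchange in code. The following is an added example, not code from the original article or from Microsoft: a software model of the nonce challenge/response in which the "IdP" stores only public keys and single-use nonces, and the "device" signs with a key that never leaves its process. The real key is sealed in the TPM and unlocked by the PIN; an in-memory RSA key stands in for it here (an assumption for illustration). The user name, nonce size and all function names are constructed for this example.

```powershell
# Added example (not from the original article or Microsoft): model of the WHfB
# nonce challenge/response. The in-memory RSA key stands in for the TPM-sealed key.
using namespace System.Security.Cryptography

function New-RsaKey {
    # RSA.Create(int) does not exist on .NET Framework (Windows PowerShell 5.1), so fall back to the CSP there.
    if ($PSVersionTable.PSEdition -eq 'Core') { return [RSA]::Create(2048) }
    return [RSACryptoServiceProvider]::new(2048)
}

# ---- IdP side (Entra ID / AD FS in the article): holds public keys and issued nonces, nothing secret ----
$script:Registry     = @{}   # user -> RSAParameters containing only the public key
$script:IssuedNonces = @{}   # base64(nonce) -> user; every nonce is single use

function Register-PublicKey {
    param([string]$User, [RSAParameters]$PublicKey)
    $script:Registry[$User] = $PublicKey        # provisioning step 6: only the public part is registered
}

function New-Nonce {
    param([string]$User)
    $nonce = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($nonce)
    $script:IssuedNonces[[Convert]::ToBase64String($nonce)] = $User
    return $nonce
}

function Test-SignedNonce {
    param([string]$User, [byte[]]$Nonce, [byte[]]$Signature)
    $id = [Convert]::ToBase64String($Nonce)
    if (-not $script:Registry.ContainsKey($User)) { return $false }   # unknown user
    if ($script:IssuedNonces[$id] -ne $User)     { return $false }   # nonce unknown, already used, or issued to someone else
    $script:IssuedNonces.Remove($id)                                 # consume it: a captured signature cannot be replayed
    $verifier = [RSA]::Create()
    $verifier.ImportParameters($script:Registry[$User])              # verification needs only the public key
    return $verifier.VerifyData($Nonce, $Signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# ---- Device side: the private key object never leaves this process ----
$user      = 'alice@corp.example'   # constructed
$deviceKey = New-RsaKey
Register-PublicKey -User $user -PublicKey $deviceKey.ExportParameters($false)   # $false = export public part only

# Sign-in (flow steps 3-5): obtain a nonce, sign it, let the IdP verify it with the registered public key.
$nonce = New-Nonce -User $user
$sig   = $deviceKey.SignData($nonce, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
"Valid sign-in:                  $(Test-SignedNonce $user $nonce $sig)"   # True
"Replay of the same signature:   $(Test-SignedNonce $user $nonce $sig)"   # False: nonce already consumed

# A site that learned the user name but holds no device-bound key cannot produce a valid response.
$otherKey = New-RsaKey
$nonce2   = New-Nonce -User $user
$forged   = $otherKey.SignData($nonce2, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
"Signature from a different key: $(Test-SignedNonce $user $nonce2 $forged)"   # False
```

Two design points carry over to the real flow: the verifier never needs anything it could leak (a database dump of the registry yields only public keys), and because each nonce is consumed on first use, a signature captured on the wire is worthless a moment later. What the model leaves out is the PRT itself and its encryption under the device transport key, which follow the successful verification.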

From that point on, the PRT is used to obtain access and refresh tokens for different applications (Microsoft 365, third-party SaaS, SAML applications, and so on) without the user having to type anything again, always subject to the configured Conditional Access policies.

Windows Hello for Business authentication against Active Directory

When the device is only "Entra joined" but needs to use on-premises resources, integration with Active Directory comes into play through one of several models: Kerberos cloud trust, key trust and certificate trust. All of them let WHfB credentials obtain Kerberos tickets without passwords.

Cloud Kerberos trust with Microsoft Entra

In the Cloud Kerberos Trust model, Microsoft Entra ID issues a partial TGT tied to the user's identity and signed by the Kerberos cloud service. When the device needs a full TGT from an on-premises domain controller, it presents that partial TGT to the local KDC, which validates it and issues the user's "real" TGT.

This approach greatly simplifies the infrastructure, because it delegates part of the trust logic to Entra ID, but it requires domain controllers to be correctly configured and updated so that they recognize and validate partial TGTs coming from the cloud.

Key trust model

In the key trust model, the domain controller directly validates the signature produced with the user's private key, whose public part is registered in Active Directory. The high-level flow is:

  • The Kerberos provider on the client signs the pre-authentication data with the private key and sends the signature together with the public key (in a self-signed certificate) to the KDC.
  • The KDC validates the self-signed certificate, obtains the public key from the user's msDS-KeyCredentialLink attribute and verifies the signature.
  • If everything matches (UPN, keys, signature), the KDC returns a TGT to the client.

Next, the client validates the KDC certificate (chain up to the trust root, KDC Authentication EKU, name matching the domain, secure algorithms such as SHA-256 and RSA 2048, and so on) before accepting that TGT and storing it for future service ticket requests.

Certificate trust

In the certificate-based model, the user presents the KDC with a client certificate issued by the organization's CA. Kerberos uses the certificate information (subject DN or UPN in the SAN) to locate the account in Active Directory.

The domain controller validates the certificate chain up to the trust root, checks that the certificate is within its validity period and has not been revoked, and uses the certificate's public key to verify the signed pre-authentication data. If everything is correct, it issues a TGT, which the client accepts after validating the KDC certificate.

Infrastructure requirements for secure hybrid environments

Ensuring that a Microsoft Entra joined device authenticates successfully to Active Directory means carefully reviewing the enterprise PKI configuration, the CRL distribution points and the trust in domain controller certificates.

CRL distribution points (CDP/CRL)

A common mistake is a CDP that is only reachable over LDAP inside the domain. Entra joined devices that are not domain members cannot read that LDAP path before authenticating, which creates a loop: they must validate the DC certificate in order to authenticate, but cannot read the CRL without authenticating.

The recommended solution is to publish the CRL at a location reachable over HTTP without authentication. This is usually an internal web site, and its URL is added as a CDP to the CA and domain controller certificates. The process includes:

  • Create a web server (IIS) with a virtual directory (for example, cdp) and enable directory browsing.
  • Configure NTFS and share permissions so that the CA can automatically publish CRL files to that directory.
  • Update the CA configuration to include the new HTTP URL as a CDP and as a publication location for the CRL and delta CRL.
  • Re-issue the domain controller certificates so that they include the new HTTP CDP.
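The four steps above, written out as PowerShell, follow. This is an added example, not code from the original article or from Microsoft; it uses the certutil and certreq command lines and the WebAdministration, SmbShare and PKI modules that ship with Windows Server. The host name, directory, share name and CA computer account are placeholders, and the three function names are chosen for this example. The first function runs on the IIS host, the second on the issuing CA, and the third on each domain controller.

```powershell
# Added example (not from the original article or Microsoft): publish the CRL over
# plain HTTP so Entra joined devices can check it before they can authenticate.
#Requires -RunAsAdministrator

$CdpHost   = 'cdp.corp.example'   # placeholder: DNS name reachable by Entra joined devices over HTTP
$CdpPath   = 'C:\inetpub\cdp'     # placeholder: physical directory on the web server
$CaAccount = 'CORP\CA01$'         # placeholder: computer account of the issuing CA (certsvc publishes as SYSTEM)

# ---- Web server: step 1 (virtual directory + directory browsing) and step 2 (permissions) ----
function Initialize-CdpSite {
    Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
    Import-Module WebAdministration
    New-Item -ItemType Directory -Path $CdpPath -Force | Out-Null
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'cdp' -PhysicalPath $CdpPath | Out-Null
    $vdir = 'IIS:\Sites\Default Web Site\cdp'
    Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true
    # Delta CRL file names contain '+', which IIS request filtering rejects unless double escaping is allowed.
    Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

    # Share and NTFS Modify rights for the CA computer account only; clients read anonymously over HTTP.
    New-SmbShare -Name 'cdp$' -Path $CdpPath -FullAccess $CaAccount | Out-Null
    $acl  = Get-Acl -Path $CdpPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $CaAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $CdpPath -AclObject $acl
}

# ---- Issuing CA: step 3 (publish CRL and delta CRL to the share, advertise the HTTP URL as CDP) ----
function Set-CaCrlPublication {
    # certutil flag bits: 1 = publish CRL here, 2 = include in the CDP extension of issued certificates,
    # 4 = include in CRLs so clients can locate delta CRLs, 64 = publish delta CRL here.
    $local = '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
    $share = "65:\\$CdpHost\cdp`$\%3%8%9.crl"
    $http  = "6:http://$CdpHost/cdp/%3%8%9.crl"
    certutil -setreg CA\CRLPublicationURLs "$local\n$share\n$http"   # certutil treats the literal \n as the entry separator
    Restart-Service certsvc
    certutil -crl                                                     # publish a fresh CRL and delta CRL right away
    # Sanity check from the CA: the listing must answer 200 without any credentials.
    (Invoke-WebRequest -UseBasicParsing -Uri "http://$CdpHost/cdp/").StatusCode
}

# ---- Each domain controller: step 4 (renew the KDC certificate so it carries the new CDP) ----
function Update-DcCertificate {
    $kdcEku = '1.3.6.1.5.2.3.5'   # KDC Authentication
    $current = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    certreq -enroll -machine -q -cert $current.SerialNumber renew
    # Confirm that the renewed certificate advertises the HTTP CDP.
    $renewed = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $cdpExt = $renewed.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpExt.Format($false) -match [regex]::Escape("http://$CdpHost/cdp/")   # expect True
}

# Initialize-CdpSite        # on the web server
# Set-CaCrlPublication      # on the issuing CA
# Update-DcCertificate      # on each domain controller
```

Order matters: the share and permissions must exist before the CA is told to publish there, and the DC certificates are only worth renewing after the CA configuration (and therefore the CDP extension of newly issued certificates) has changed. The final Update-DcCertificate check reads the CDP extension back from the renewed certificate, which is the same extension an Entra joined client follows when it validates the KDC.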

After these steps, Entra joined devices can validate the DC certificate without needing to authenticate first, which breaks the circular dependency and lets certificate-based or key-based authentication work correctly.

Domain controller certificate requirements

For Windows Hello for Business to pass "strong KDC validation" when authenticating from an Entra joined device, the domain controller certificates must meet several requirements:

  • The issuing root CA must be in the device's Trusted Root Certification Authorities store.
  • The certificate must be based on the Kerberos Authentication template or an equivalent one.
  • It must include the KDC Authentication EKU.
  • The Subject Alternative Name (SAN) must contain the DNS name matching the domain.
  • The signature algorithm must be SHA-256 and the public key must be RSA of at least 2048 bits.
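The list above can be checked mechanically against an exported DC certificate before anyone troubleshoots a failing sign-in. The following is an added example, not code from the original article or from Microsoft: a read-only function that loads a .cer file and reports each requirement separately, building the chain with the trust store of the machine it runs on, so running it from an Entra joined device tests exactly what that device will accept. The file path, the domain name and the function name are placeholders.

```powershell
# Added example (not from the original article or Microsoft): verify the five DC
# certificate requirements against an exported .cer file.
using namespace System.Security.Cryptography.X509Certificates

function Test-KdcCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,        # placeholder, e.g. 'C:\temp\dc01.cer'
        [Parameter(Mandatory)][string]$DomainDnsName    # placeholder, e.g. 'corp.example'
    )
    $cert   = [X509Certificate2]::new($CertPath)
    $result = [ordered]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter }

    # 1. Chains to a root in this machine's Trusted Root store; online revocation checking mirrors what a client does,
    #    so an unreachable CDP shows up here too.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $result.TrustedRoot = $chain.Build($cert)
    if (-not $result.TrustedRoot) {
        $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }

    # 2. Template information is informational only (V1 template name or V2 template OID extension).
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
    $result.TemplateInfo = if ($tmplExt) { ($tmplExt | ForEach-Object { $_.Format($false) }) -join '; ' } else { 'no template extension' }

    # 3. KDC Authentication EKU (OID 1.3.6.1.5.2.3.5) must be present in the Extended Key Usage extension.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = if ($ekuExt) { @(([X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $result.KdcAuthenticationEku = $ekus -contains '1.3.6.1.5.2.3.5'

    # 4. SAN must carry the domain DNS name as a whole entry, not just the DC host name.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $result.SanHasDomain = $san -match ("DNS Name=" + [regex]::Escape($DomainDnsName) + "(,|$)")

    # 5. sha256RSA signature (OID 1.2.840.113549.1.1.11) and an RSA key of at least 2048 bits.
    $result.Sha256Signature = $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11'
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    $result.Rsa2048 = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)

    $result.AllRequirementsMet = $result.TrustedRoot -and $result.KdcAuthenticationEku -and
                                 $result.SanHasDomain -and $result.Sha256Signature -and $result.Rsa2048
    [pscustomobject]$result
}

Test-KdcCertificate -CertPath 'C:\temp\dc01.cer' -DomainDnsName 'corp.example'
```

Export the certificate from a DC with the Kerberos Authentication EKU (for example from certlm.msc, without the private key), copy the .cer to the Entra joined device and run the check there; a TrustedRoot value of False together with a ChainStatus mentioning revocation is the CDP loop described in the previous section, not a bad certificate.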

If any of these requirements fails, Entra joined devices may reject the DC certificate and WHfB authentication to Active Directory will not work, even though everything appears to work fine with classic passwords.

Distributing the root CA certificate to Entra joined devices

To trust domain controller certificates, Microsoft Entra joined devices must have the enterprise CA root certificate installed. This certificate is usually exported from a domain controller and deployed to computers with Microsoft Intune using a "trusted certificate" policy.

That policy must target the computer certificate store (trusted root) and be assigned to the appropriate user or device groups. Once applied, the systems treat certificates issued by that CA, including the KDC certificate, as "trusted", and strong validation can complete successfully.

Deployment models, challenges and best practices

Windows Hello for Business supports cloud-only, hybrid or fully on-premises deployments, and each model has different implications in terms of complexity, compatibility and cost.

In cloud-first organizations with no on-premises Active Directory, the simplest answer is the cloud-only model, where all key provisioning and validation is handled by Microsoft Entra ID, with no need for a local PKI or AD FS. Users reach Microsoft 365 and SaaS applications through SSO, using WHfB as their passwordless authentication method.

In many medium and large companies the reality remains hybrid: critical resources stay on-premises, real Kerberos applications exist, and cloud services are used at the same time. This is where the choice between Kerberos cloud trust, key trust and certificate trust has to be made, compatibility with legacy applications has to be assessed and, often, password- or smart-card-based methods have to remain in use for a while.

In highly regulated sectors or those with very strict data sovereignty requirements (government, some financial or healthcare organizations), an on-premises model with AD FS and its own PKI may make sense, with WHfB used as a password replacement but without relying on the cloud. This, however, comes at the cost of considerably greater operational and configuration complexity.

In every case there are common challenges: compatible hardware, shared workstations, user resistance to change, and justifying to insurers and auditors that WHfB counts as MFA. The key is to combine WHfB with Conditional Access policies that require phishing-resistant authenticators, to enable re-authentication or additional MFA where appropriate (for example, for high-risk operations or critical VPN connections), and to document the threat model properly.

Accompanied by good training, clear PIN policies, sign-in monitoring and a gradual rollout supported by Intune or GPO, Windows Hello for Business lets organizations take a decisive step toward a passwordless approach, reducing the attack surface, improving regulatory compliance and giving users faster, more natural sign-in.
