Ovaj preglednik više nije podržan.
Prijeđite na Microsoft Edge, gdje vas čekaju najnovije značajke, sigurnosna ažuriranja i tehnička podrška.
Kerberos added support for domain-joined devices to sign-in using a certificate beginning with Windows Server 2012 and Windows 8. This change allows 3rd party vendors to create solutions to provision and initialize certificates for domain-joined devices to use for domain authentication.
Beginning with Windows 10 version 1507 and Windows Server 2016, domain-joined devices automatically provision a bound public key to a Windows Server 2016 domain controller (DC). Once a key is provisioned, then Windows can use public key authentication to the domain.
If the device is running Credential Guard, then a public/private key pair is created protected by Credential Guard.
If Credential Guard is not available and a TPM is, then a public/private key pair is created protected by the TPM.
If neither is available, then a key pair is not generated and the device can only authenticate using password.
When Windows starts up, it checks if a public key is provisioned for its computer account. If not, then it generates a bound public key and configures it for its account in AD using a Windows Server 2016 or higher DC. If all the DCs are down-level, then no key is provisioned.
If the Group Policy setting Support for device authentication using certificate is set to Force, then the device needs to find a DC that runs Windows Server 2016 or later to authenticate. The setting is under Administrative Templates > System > Kerberos.
If the Group Policy setting Support for device authentication using certificate is disabled, then password is always used. The setting is under Administrative Templates > System > Kerberos.
When Windows has a certificate for the domain-joined device, Kerberos first authenticates using the certificate and on failure retries with password. This allows the device to authenticate to down-level DCs.
Since the automatically provisioned public keys have a self-signed certificate, certificate validation fails on domain controllers that do not support Key Trust account mapping. By default, Windows retries authentication using the device's domain password.
Događaj
Sastanak na vrhu sustava Windows Server
29. tra 14 - 30. tra 19
Pridružite se vrhunskom virtualnom događaju sustava Windows Server od 29. do 30. travnja za detaljne tehničke sesije i pitanja i odgovore uživo s Microsoftovim inženjerima.
Odmah se registrirajteObuka
Modul
Manage device authentication - Training
In this module, you learn about device authentication and management in Microsoft Entra ID. MD-102
Certifikacija
Microsoft Certified: Windows Server Hybrid Administrator Associate - Certifications
As a Windows Server hybrid administrator, you integrate Windows Server environments with Azure services and manage Windows Server in on-premises networks.
Dokumentacija
Configuring Kerberos for IP Address
Kerberos support for IP-based SPNs
Kerberos Authentication Overview
Learn about Kerberos authentication in Windows Server 2012 and Windows 8.
Kerberos Constrained Delegation Overview
Learn about the new capabilities for Kerberos constrained delegation in Windows Server 2012 R2 and Windows Server 2012.