Configure Kerberos constrained delegation (KCD) in Azure Active Directory Domain Services

As you run applications, there may be a need for those applications to access resources in the context of a different user. Active Directory Domain Services (AD DS) supports a mechanism called Kerberos delegation that enables this use case. Kerberos constrained delegation (KCD) then builds on this mechanism to define the specific resources that can be accessed in the context of the user.

Azure Active Directory Domain Services (Azure AD DS) managed domains are more securely locked down than traditional on-premises AD DS environments, so use the more secure resource-based KCD.

This article shows you how to configure resource-based Kerberos constrained delegation in an Azure AD DS managed domain.

Prerequisites

To complete this article, you need the following resources:

Kerberos constrained delegation overview

Kerberos delegation lets one account impersonate another account to access resources. For example, a web application that accesses a back-end web component can present itself as a different user account when it makes the back-end connection. Unconstrained Kerberos delegation is insecure because it doesn't limit which resources the impersonating account can access.

Kerberos constrained delegation (KCD) restricts the services or resources that a specified server or application can connect to when impersonating another identity. Traditional KCD requires domain administrator privileges to configure a domain account for a service, and it restricts the account to operating within a single domain.

Traditional KCD also has a few issues. For example, in earlier operating systems, the service administrator had no useful way to know which front-end services delegated to the resource services they owned. Any front-end service that could delegate to a resource service was a potential attack point. If a server that hosted a front-end service configured to delegate to resource services was compromised, the resource services could also be compromised.

In a managed domain, you don't have domain administrator privileges. As a result, traditional account-based KCD can't be configured in a managed domain. Resource-based KCD can be used instead, and it is also more secure.

Resource-based KCD

Windows Server 2012 and later gives service administrators the ability to configure constrained delegation for their own service. This model is known as resource-based KCD. With this approach, the back-end service administrator can allow or deny specific front-end services from using KCD.

Resource-based KCD is configured using PowerShell. You use the Set-ADComputer or Set-ADUser cmdlet, depending on whether the impersonating account is a computer account or a user account / service account.
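Because resource-based KCD is stored on the back-end (resource) account, the service owner can enumerate every front end that is permitted to impersonate users to it, which is exactly the visibility the overview says traditional KCD lacked. The following audit script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module on a domain-joined management VM and a custom OU distinguished name that you replace with your own.

```powershell
# Added example (not from the original article): list which principals are
# allowed to delegate to each computer and service account in a custom OU.
# Assumes the ActiveDirectory RSAT module is installed on a domain-joined
# management VM; the OU below is an assumed placeholder, replace it with yours.
Import-Module ActiveDirectory

$CustomOu = 'OU=AADDC Custom,DC=aaddscontoso,DC=com'   # assumed OU, replace with your own

function Get-ResourceBasedKcdReport {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Resource-based KCD lives on the resource account in the
    # msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which the AD module
    # surfaces as PrincipalsAllowedToDelegateToAccount (a list of DNs).
    $accounts = @(Get-ADComputer -Filter * -SearchBase $SearchBase -Properties PrincipalsAllowedToDelegateToAccount) +
                @(Get-ADUser     -Filter * -SearchBase $SearchBase -Properties PrincipalsAllowedToDelegateToAccount)

    foreach ($acct in $accounts) {
        $allowed = @($acct.PrincipalsAllowedToDelegateToAccount)
        if ($allowed.Count -eq 0) { continue }   # nothing may delegate to this account

        foreach ($dn in $allowed) {
            # One row per (resource, allowed front end) pair so the output can be
            # filtered or exported and reviewed against what you expect to see.
            [pscustomobject]@{
                Resource        = $acct.SamAccountName
                ResourceClass   = $acct.ObjectClass
                AllowedFrontEnd = (Get-ADObject -Identity $dn).Name
                AllowedFrontEndDN = $dn
            }
        }
    }
}

Get-ResourceBasedKcdReport -SearchBase $CustomOu | Format-Table -AutoSize
```

Any front end in the output that you did not deliberately configure is worth investigating, since it can obtain service tickets to that resource on behalf of domain users.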

Configure resource-based KCD for a computer account

In this scenario, let's assume you have a web app that runs on the computer named contoso-webapp.aaddscontoso.com.

The web app needs to access a web API that runs on the computer named contoso-api.aaddscontoso.com in the context of domain users.

Complete the following steps to configure this scenario:

  1. Create a custom OU. You can delegate permissions to manage this custom OU to users within the managed domain.

  2. Domain-join the virtual machines, both the one that runs the web app and the one that runs the web API, to the managed domain. Create these computer accounts in the custom OU from the previous step.

    Note

    The computer accounts for the web app and the web API must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for a computer account in the built-in AAD DC Computers container.

  3. Finally, configure resource-based KCD using the Set-ADComputer PowerShell cmdlet.

    From your domain-joined management VM, logged in as a user account that's a member of the Azure AD DC administrators group, run the following cmdlets. Provide your own computer names as needed:

    $ImpersonatingAccount = Get-ADComputer -Identity contoso-webapp.aaddscontoso.com
    Set-ADComputer contoso-api.aaddscontoso.com -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount
    

Configure resource-based KCD for a user account

In this scenario, let's assume you have a web app that runs as a service account named appsvc. The web app needs to access a web API that runs as a service account named backendsvc, in the context of domain users. Complete the following steps to configure this scenario:

  1. Create a custom OU. You can delegate permissions to manage this custom OU to users within the managed domain.

  2. Domain-join the virtual machine that runs the back-end web API/resource to the managed domain. Create its computer account within the custom OU.

  3. Create the service account (for example, appsvc) used to run the web app within the custom OU.

    Note

    Again, the computer account for the web API VM and the service account for the web app must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for accounts in the built-in AAD DC Computers or AAD DC Users containers. This also means that you can't use user accounts synchronized from Azure AD to set up resource-based KCD. You must create and use service accounts created specifically in Azure AD DS.

  4. Finally, configure resource-based KCD using the Set-ADUser PowerShell cmdlet.

    From your domain-joined management VM, logged in as a user account that's a member of the Azure AD DC administrators group, run the following cmdlets. Provide your own service names as needed:

    $ImpersonatingAccount = Get-ADUser -Identity appsvc
    Set-ADUser backendsvc -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount
    
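The two cmdlet pairs above overwrite whatever PrincipalsAllowedToDelegateToAccount already holds on the resource account, and they fail in unhelpful ways when the resource sits in a built-in container. The following wrapper is an added example, not part of the original article; it covers both the computer-account and the service-account scenarios, checks the OU constraint from the notes before writing, merges with existing entries, and reads the attribute back for confirmation. It assumes the ActiveDirectory RSAT module and a custom OU distinguished name of your own.

```powershell
# Added example (not from the original article): apply resource-based KCD for
# the computer-account and the service-account scenarios and read the result
# back. Assumes the ActiveDirectory RSAT module on a domain-joined management
# VM; the OU below is an assumed placeholder, replace it with your own.
Import-Module ActiveDirectory

$CustomOu = 'OU=AADDC Custom,DC=aaddscontoso,DC=com'   # assumed OU, replace with your own

function Set-ResourceBasedKcd {
    param(
        [Parameter(Mandatory)][string]$Resource,    # back-end account that users are impersonated *to*
        [Parameter(Mandatory)][string]$FrontEnd,    # account permitted to impersonate users to the resource
        [Parameter(Mandatory)][string]$RequiredOu,  # custom OU the resource account must live in
        [switch]$Computer                           # both accounts are computer accounts; else user/service accounts
    )
    $get = if ($Computer) { 'Get-ADComputer' } else { 'Get-ADUser' }
    $set = if ($Computer) { 'Set-ADComputer' } else { 'Set-ADUser' }

    $resourceObj = & $get -Identity $Resource -Properties PrincipalsAllowedToDelegateToAccount
    $frontEndObj = & $get -Identity $FrontEnd

    # Guard for the notes in the article: the resource must be in a custom OU you
    # control, not in the built-in AAD DC Computers / AAD DC Users containers.
    if ($resourceObj.DistinguishedName -notlike "*,$RequiredOu") {
        throw "$Resource is at '$($resourceObj.DistinguishedName)', not under $RequiredOu; resource-based KCD cannot be configured there."
    }

    # Merge with existing entries so adding a second front end does not silently
    # drop the first one (the parameter replaces the whole list).
    $current = @($resourceObj.PrincipalsAllowedToDelegateToAccount)
    $wanted  = @($current + $frontEndObj.DistinguishedName | Select-Object -Unique)
    & $set -Identity $Resource -PrincipalsAllowedToDelegateToAccount $wanted

    # Read back and return the allowed front ends so the change can be confirmed.
    (& $get -Identity $Resource -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
}

# Scenario 1: computer accounts (contoso-webapp may impersonate users to contoso-api)
Set-ResourceBasedKcd -Computer -Resource 'contoso-api' -FrontEnd 'contoso-webapp' -RequiredOu $CustomOu

# Scenario 2: service accounts (appsvc may impersonate users to backendsvc)
Set-ResourceBasedKcd -Resource 'backendsvc' -FrontEnd 'appsvc' -RequiredOu $CustomOu
```

To revoke delegation entirely, run the same Set-ADComputer or Set-ADUser cmdlet with -PrincipalsAllowedToDelegateToAccount $null on the resource account.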

Next steps

To learn more about how delegation works in Active Directory Domain Services, see Kerberos Constrained Delegation Overview.