What is a Primary Refresh Token?

A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we provide details on how a PRT is issued, used, and protected on Windows 10 devices.

This article assumes that you already understand the different device states available in Azure AD and how single sign-on works in Windows 10. For more information about devices in Azure AD, see the article What is device management in Azure Active Directory?

Key terminology and components

The following Windows components play a key role in requesting and using a PRT:

  • Cloud Authentication Provider (CloudAP): CloudAP is the modern authentication provider for Windows sign-in that verifies users logging on to a Windows 10 device. CloudAP provides a plugin framework that identity providers can build on to enable authentication to Windows using that identity provider's credentials.
  • Web Account Manager (WAM): WAM is the default token broker on Windows 10 devices. WAM also provides a plugin framework that identity providers can build on to enable SSO to applications relying on that identity provider.
  • Azure AD CloudAP plugin: An Azure AD-specific plugin built on the CloudAP framework that verifies user credentials with Azure AD during Windows sign-in.
  • Azure AD WAM plugin: An Azure AD-specific plugin built on the WAM framework that enables SSO to applications that rely on Azure AD for authentication.
  • Dsreg: An Azure AD-specific component on Windows 10 that handles the device registration process for all device states.
  • Trusted Platform Module (TPM): A TPM is a hardware component built into a device that provides hardware-based security functions for user and device secrets. More details can be found in the article Trusted Platform Module Technology Overview.

What does the PRT contain?

A PRT contains the claims generally contained in any Azure AD refresh token. In addition, there are some device-specific claims included in the PRT. They are as follows:

  • Device ID: A PRT is issued to a user on a specific device. The device ID claim deviceID identifies the device the PRT was issued to the user on. This claim is later issued to tokens obtained via the PRT. The device ID claim is used to determine authorization for Conditional Access based on device state or compliance.
  • Session key: The session key is an encrypted symmetric key, generated by the Azure AD authentication service and issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications.

Can I see what's in a PRT?

A PRT is an opaque blob sent from Azure AD whose contents are not known to any client components. You cannot see what's inside a PRT.

How is a PRT issued?

Device registration is a prerequisite for device-based authentication in Azure AD. A PRT is issued to users only on registered devices. For more in-depth details on device registration, see the article Windows Hello for Business and Device Registration. During device registration, the dsreg component generates two sets of cryptographic key pairs:

  • Device key (dkpub/dkpriv)
  • Transport key (tkpub/tkpriv)

The private keys are bound to the device's TPM if the device has a valid and functioning TPM, while the public keys are sent to Azure AD during the device registration process. These keys are used to validate the device state during PRT requests.

The PRT is issued during user authentication on a Windows 10 device in two scenarios:

  • Azure AD joined or Hybrid Azure AD joined: A PRT is issued during Windows logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, the Azure AD CloudAP plugin is the primary authority for the PRT.
  • Azure AD registered device: A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways:
    • Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
    • Adding an account from Settings > Accounts > Access Work or School > Connect

In Azure AD registered device scenarios, the Azure AD WAM plugin is the primary authority for the PRT, since Windows logon is not happening with this Azure AD account.

Note

Third-party identity providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 devices. Without WS-Trust, a PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On ADFS, only the usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and must NOT be exposed as extranet-facing endpoints through the Web Application Proxy.

What is the lifetime of a PRT?

Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.

How is a PRT used?

A PRT is used by two key components in Windows:

  • Azure AD CloudAP plugin: During Windows sign-in, the Azure AD CloudAP plugin requests a PRT from Azure AD using the credentials provided by the user. It also caches the PRT to enable cached sign-in when the user does not have access to an internet connection.
  • Azure AD WAM plugin: When users try to access applications, the Azure AD WAM plugin uses the PRT to enable SSO on Windows 10. The Azure AD WAM plugin uses the PRT to request refresh and access tokens for applications that rely on WAM for token requests. It also enables SSO on browsers by injecting the PRT into browser requests. Browser SSO in Windows 10 is supported on Microsoft Edge (natively) and Chrome (via the Windows 10 Accounts or Office Online extensions).

How is a PRT renewed?

A PRT is renewed in two different ways:

  • Azure AD CloudAP plugin every 4 hours: The CloudAP plugin renews the PRT every 4 hours during Windows sign-in. If the user does not have an internet connection during that time, the CloudAP plugin will renew the PRT after the device is connected to the internet.
  • Azure AD WAM plugin during app token requests: The WAM plugin enables SSO on Windows 10 devices by enabling silent token requests for applications. The WAM plugin can renew the PRT during these token requests in two different ways:
    • An app requests an access token from WAM silently, but there is no refresh token available for that app. In this case, WAM uses the PRT to request a token for the app and gets back a new PRT in the response.
    • An app requests an access token from WAM, but the PRT is invalid or Azure AD requires additional authorization (for example, Azure AD Multi-Factor Authentication). In this scenario, WAM initiates an interactive logon requiring the user to reauthenticate or provide additional verification, and a new PRT is issued on successful authentication.

In an ADFS environment, direct line of sight to the domain controller isn't required to renew the PRT. PRT renewal requires only the /adfs/services/trust/2005/usernamemixed and /adfs/services/trust/13/usernamemixed endpoints to be enabled on the proxy, using the WS-Trust protocol.

Windows transport endpoints are required for password authentication only when a password is changed, not for PRT renewal.

Key considerations

  • A PRT is only issued and renewed during native app authentication. A PRT is not renewed or issued during a browser session.
  • In Azure AD joined and hybrid Azure AD joined devices, the CloudAP plugin is the primary authority for a PRT. If a PRT is renewed during a WAM-based token request, the PRT is sent back to the CloudAP plugin, which verifies the validity of the PRT with Azure AD before accepting it.

How is the PRT protected?

A PRT is protected by binding it to the device the user has signed in to. Azure AD and Windows 10 enable PRT protection through the following methods:

  • During first sign-in: During first sign-in, a PRT is issued by signing requests using the device key cryptographically generated during device registration. On a device with a valid and functioning TPM, the device key is secured by the TPM, preventing any malicious access. A PRT is not issued if the corresponding device key signature cannot be validated.
  • During token requests and renewal: When a PRT is issued, Azure AD also issues an encrypted session key to the device. It is encrypted with the public transport key (tkpub) generated and sent to Azure AD as part of device registration. This session key can only be decrypted by the private transport key (tkpriv) secured by the TPM. The session key is the Proof-of-Possession (PoP) key for any requests sent to Azure AD. The session key is also protected by the TPM, and no other OS component can access it. Token requests or PRT renewal requests are securely signed by this session key through the TPM and hence cannot be tampered with. Azure AD will invalidate any requests from the device that are not signed by the corresponding session key.

By securing these keys with the TPM, malicious actors cannot steal the keys nor replay the PRT elsewhere, as the TPM is inaccessible even if an attacker has physical possession of the device. Thus, using a TPM greatly enhances the security of Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices against credential theft. For performance and reliability, TPM 2.0 is the recommended version for all Azure AD device registration scenarios on Windows 10.

How are app tokens and browser cookies protected?

App tokens: When an app requests a token through WAM, Azure AD issues a refresh token and an access token. However, WAM only returns the access token to the app and secures the refresh token in its cache by encrypting it with the user's Data Protection Application Programming Interface (DPAPI) key. WAM securely uses the refresh token by signing requests with the session key to issue further access tokens. The DPAPI key is secured by an Azure AD-based symmetric key in Azure AD itself. When the device needs to decrypt the user profile with the DPAPI key, Azure AD provides the DPAPI key encrypted by the session key, which the CloudAP plugin requests the TPM to decrypt. This functionality ensures consistency in securing refresh tokens and avoids applications implementing their own protection mechanisms.

Browser cookies: In Windows 10, Azure AD supports browser SSO in Internet Explorer and Microsoft Edge natively, or in Google Chrome via the Windows 10 Accounts extension. The security is built not only to protect the cookies but also the endpoints to which the cookies are sent. Browser cookies are protected the same way a PRT is, by utilizing the session key to sign and protect the cookies.

When a user initiates a browser interaction, the browser (or extension) invokes a COM native client host. The native client host ensures that the page is from one of the allowed domains. The browser could send other parameters to the native client host, including a nonce; however, the native client host guarantees validation of the hostname. The native client host requests a PRT cookie from the CloudAP plugin, which creates and signs it with the TPM-protected session key. As the PRT cookie is signed by the session key, it cannot be tampered with. This PRT cookie is included in the request header for Azure AD to validate the device it is originating from. If using the Chrome browser, only the extension explicitly defined in the native client host's manifest can invoke it, preventing arbitrary extensions from making these requests. Once Azure AD validates the PRT cookie, it issues a session cookie to the browser. This session cookie also contains the same session key issued with a PRT. During subsequent requests, the session key is validated, effectively binding the cookie to the device and preventing replays from elsewhere.

When does a PRT get an MFA claim?

A PRT can get a multi-factor authentication (MFA) claim in specific scenarios. When an MFA-based PRT is used to request tokens for applications, the MFA claim is transferred to those app tokens. This functionality provides a seamless experience to users by preventing an MFA challenge for every app that requires it. A PRT can get an MFA claim in the following ways:

  • Sign in with Windows Hello for Business: Windows Hello for Business replaces passwords and uses cryptographic keys to provide strong two-factor authentication. Windows Hello for Business is specific to a user on a device, and itself requires MFA to provision. When a user logs in with Windows Hello for Business, the user's PRT gets an MFA claim. This scenario also applies to users logging in with smartcards if smartcard authentication produces an MFA claim from ADFS.
    • As Windows Hello for Business is considered multi-factor authentication, the MFA claim is updated when the PRT itself is refreshed, so the MFA duration will continually extend when users sign in with Windows Hello for Business.
  • MFA during WAM interactive sign-in: During a token request through WAM, if a user is required to do MFA to access the app, the PRT that is renewed during this interaction is imprinted with an MFA claim.
    • In this case, the MFA claim is not updated continuously, so the MFA duration is based on the lifetime set on the directory.
    • When a previously existing PRT and RT are used for access to an app, the PRT and RT are regarded as the first proof of authentication. A new AT will be required with a second proof and an imprinted MFA claim. This will also issue a new PRT and RT.
  • MFA during device registration: If an admin has configured their device settings in Azure AD to require MFA to register devices, the user needs to do MFA to complete the registration. During this process, the PRT that is issued to the user has the MFA claim obtained during the registration. This capability only applies to the user who did the join operation, not to other users who sign in to that device.
    • Similar to the WAM interactive sign-in, the MFA claim is not updated continuously, so the MFA duration is based on the lifetime set on the directory.

Windows 10 maintains a partitioned list of PRTs for each credential. So, there is a PRT for each of Windows Hello for Business, password, or smartcard. This partitioning ensures that MFA claims are isolated based on the credential used, and not mixed up during token requests.

How is a PRT invalidated?

A PRT is invalidated in the following scenarios:

  • Invalid user: If a user is deleted or disabled in Azure AD, their PRT is invalidated and cannot be used to obtain tokens for applications. If a deleted or disabled user already signed in to a device before, cached sign-in would log them in until CloudAP is aware of their invalid state. Once CloudAP determines that the user is invalid, it blocks subsequent logons. An invalid user is automatically blocked from signing in to new devices that don't have their credentials cached.
  • Invalid device: If a device is deleted or disabled in Azure AD, the PRT obtained on that device is invalidated and cannot be used to obtain tokens for other applications. If a user is already signed in to an invalid device, they can continue to do so. But all tokens on the device are invalidated, and the user does not have SSO to any resources from that device.
  • Password change: After a user changes their password, the PRT obtained with the previous password is invalidated by Azure AD. A password change results in the user getting a new PRT. This invalidation can happen in two different ways:
    • If the user signs in to Windows with their new password, CloudAP discards the old PRT and requests Azure AD to issue a new PRT with the new password. If the user does not have an internet connection, the new password cannot be validated, and Windows may require the user to enter their old password.
    • If a user has logged in with their old password or changed their password after signing in to Windows, the old PRT is used for any WAM-based token requests. In this scenario, the user is prompted to reauthenticate during the WAM token request, and a new PRT is issued.
  • TPM issues: Sometimes, a device's TPM can falter or fail, leading to inaccessibility of keys secured by the TPM. In this case, the device is incapable of getting a PRT or requesting tokens using an existing PRT, as it cannot prove possession of the cryptographic keys. As a result, any existing PRT is invalidated by Azure AD. When Windows 10 detects a failure, it initiates a recovery flow to re-register the device with new cryptographic keys. With Hybrid Azure AD join, just like the initial registration, the recovery happens silently without user input. For Azure AD joined or Azure AD registered devices, the recovery needs to be performed by a user who has administrator privileges on the device. In this scenario, the recovery flow is initiated by a Windows prompt that guides the user to successfully recover the device.

Detailed flows

The following diagrams illustrate the underlying details in issuing, renewing, and using a PRT to request an access token for an application. In addition, these steps also describe how the aforementioned security mechanisms are applied during these interactions.

PRT issuance during first sign-in

[Diagram: detailed flow of PRT issuance during first sign-in]

Note

In Azure AD joined devices, this exchange happens synchronously to issue a PRT before the user can log on to Windows. In hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. So, the user only waits until they can acquire a TGT to log in, while the PRT issuance happens asynchronously. This scenario does not apply to Azure AD registered devices, as logon does not use Azure AD credentials.

Step  Description
A  The user enters their password in the sign-in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turn passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin.
B  The CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If the user's tenant has a federation provider set up, Azure AD returns the federation provider's Metadata Exchange (MEX) endpoint. If not, Azure AD returns that the user is managed, indicating that the user can authenticate with Azure AD.
C  If the user is managed, CloudAP gets the nonce from Azure AD. If the user is federated, the CloudAP plugin requests a SAML token from the federation provider with the user's credentials. Once it receives the SAML token, it requests a nonce from Azure AD.
D  The CloudAP plugin constructs the authentication request with the user's credentials, nonce, and a broker scope, signs the request with the device key (dkpriv), and sends it to Azure AD. In a federated environment, the CloudAP plugin uses the SAML token returned by the federation provider instead of the user's credentials.
E  Azure AD validates the user credentials, the nonce, and the device signature, verifies that the device is valid in the tenant, and issues the encrypted PRT. Along with the PRT, Azure AD also issues a symmetric key, called the session key, encrypted by Azure AD using the transport key (tkpub). In addition, the session key is also embedded in the PRT. This session key acts as the Proof-of-Possession (PoP) key for subsequent requests with the PRT.
F  The CloudAP plugin passes the encrypted PRT and session key to CloudAP. CloudAP requests the TPM to decrypt the session key using the transport key (tkpriv) and re-encrypt it using the TPM's own key. CloudAP stores the encrypted session key in its cache along with the PRT.

PRT renewal in subsequent logons

[Diagram: PRT renewal in subsequent logons]

Step  Description
A  The user enters their password in the sign-in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turn passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin.
B  If the user has previously logged on to the device, Windows initiates cached sign-in and validates the credentials to log the user in. Every 4 hours, the CloudAP plugin initiates PRT renewal asynchronously.
C  The CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If the user's tenant has a federation provider set up, Azure AD returns the federation provider's Metadata Exchange (MEX) endpoint. If not, Azure AD returns that the user is managed, indicating that the user can authenticate with Azure AD.
D  If the user is federated, the CloudAP plugin requests a SAML token from the federation provider with the user's credentials. Once it receives the SAML token, it requests a nonce from Azure AD. If the user is managed, CloudAP directly gets the nonce from Azure AD.
E  The CloudAP plugin constructs the authentication request with the user's credentials, nonce, and the existing PRT, signs the request with the session key, and sends it to Azure AD. In a federated environment, the CloudAP plugin uses the SAML token returned by the federation provider instead of the user's credentials.
F  Azure AD validates the session key signature by comparing it against the session key embedded in the PRT, validates the nonce, verifies that the device is valid in the tenant, and issues a new PRT. As seen before, the PRT is again accompanied by the session key encrypted by the transport key (tkpub).
G  The CloudAP plugin passes the encrypted PRT and session key to CloudAP. CloudAP requests the TPM to decrypt the session key using the transport key (tkpriv) and re-encrypt it using the TPM's own key. CloudAP stores the encrypted session key in its cache along with the PRT.

Note

A PRT can be renewed externally, without the need for a VPN connection, when the usernamemixed endpoints are enabled externally.

PRT usage during app token requests

[Diagram: PRT usage during app token requests]

Step  Description
A  An application (for example, Outlook, OneNote, etc.) initiates a token request to WAM. WAM, in turn, asks the Azure AD WAM plugin to service the token request.
B  If a refresh token for the application is already available, the Azure AD WAM plugin uses it to request an access token. To provide proof of device binding, the WAM plugin signs the request with the session key. Azure AD validates the session key and issues an access token and a new refresh token for the app, encrypted by the session key. The WAM plugin requests the Cloud AP plugin to decrypt the tokens, which, in turn, requests the TPM to decrypt them using the session key, resulting in the WAM plugin getting both tokens. Next, the WAM plugin provides only the access token to the application, while it re-encrypts the refresh token with DPAPI and stores it in its own cache.
C  If a refresh token for the application is not available, the Azure AD WAM plugin uses the PRT to request an access token. To provide proof of possession, the WAM plugin signs the request containing the PRT with the session key. Azure AD validates the session key signature by comparing it against the session key embedded in the PRT, verifies that the device is valid, and issues an access token and a refresh token for the application. In addition, Azure AD can issue a new PRT (based on the refresh cycle), all of them encrypted by the session key.
D  The WAM plugin requests the Cloud AP plugin to decrypt the tokens, which, in turn, requests the TPM to decrypt them using the session key, resulting in the WAM plugin getting both tokens. Next, the WAM plugin provides only the access token to the application, while it re-encrypts the refresh token with DPAPI and stores it in its own cache. The WAM plugin will use the refresh token going forward for this application. The WAM plugin also gives the new PRT back to the Cloud AP plugin, which validates the PRT with Azure AD before updating it in its own cache. The Cloud AP plugin will use the new PRT going forward.
E  The WAM plugin provides the newly issued access token to WAM, which in turn provides it back to the calling application.

Browser SSO using PRT

(Figure: Browser SSO using PRT)

Step    Description
A    The user logs in to Windows with their credentials to get a PRT. Once the user opens the browser, the browser (or extension) loads the URLs from the registry.
B    When the user opens an Azure AD login URL, the browser or extension validates the URL against the ones obtained from the registry. If they match, the browser invokes the native client host to get a token.
C    The native client host validates that the URL belongs to the Microsoft identity providers (Microsoft account or Azure AD), extracts the nonce sent in the URL, and calls the CloudAP plugin to get a PRT cookie.
D    The CloudAP plugin creates the PRT cookie, signs it with the TPM-bound Session key, and sends it back to the native client host. Because the cookie is signed with the Session key, it cannot be tampered with.
E    The native client host returns this PRT cookie to the browser, which includes it in the request header called x-ms-RefreshTokenCredential and requests tokens from Azure AD.
F    Azure AD validates the Session key signature on the PRT cookie, validates the nonce, verifies that the device is valid in the tenant, and issues an ID token for the web page and an encrypted session cookie for the browser.

Note

The browser SSO flow described in the steps above does not apply to sessions in private modes such as InPrivate in Microsoft Edge or Incognito in Google Chrome (when using the Microsoft Accounts extension).
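The checks Azure AD performs in step F of both the PRT renewal flow and the browser SSO flow above (Session key signature, nonce, device validity) can be modelled as an added example; this is constructed teaching code, not Microsoft's implementation or the real PRT cookie format. It assumes an HS256 JWT, keeps the Session key in an issuer-side table instead of embedded in the PRT, and uses constructed device and PRT records.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed issuer state (assumption: real Azure AD embeds the Session key,
# encrypted, inside the PRT; here the PRT is an opaque handle looked up server-side).
TENANT_DEVICES = {"device-A": True, "device-B": False}   # False = disabled/deleted
ISSUED_PRTS = {
    "prt-1": {"device_id": "device-A", "session_key": secrets.token_bytes(32)},
    "prt-2": {"device_id": "device-B", "session_key": secrets.token_bytes(32)},
}
ISSUED_NONCES: set[str] = set()

def issue_nonce() -> str:
    """Issuer hands a fresh nonce to the client (step C extracts it from the URL)."""
    nonce = secrets.token_urlsafe(16)
    ISSUED_NONCES.add(nonce)
    return nonce

def make_prt_cookie(prt_id: str, session_key: bytes, nonce: str) -> str:
    """Client side (step D): HS256 JWT over the PRT and the nonce, keyed by the Session key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"refresh_token": prt_id, "is_primary": "true", "request_nonce": nonce}
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(session_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_prt_cookie(cookie: str) -> tuple[bool, str]:
    """Issuer side (step F): signature, then nonce, then device validity in the tenant."""
    try:
        header, body, sig = cookie.split(".")
        claims = json.loads(b64url_decode(body))
    except ValueError:            # covers bad base64 and bad JSON
        return False, "malformed cookie"
    prt = ISSUED_PRTS.get(claims.get("refresh_token"))
    if prt is None:
        return False, "unknown PRT"
    expected = hmac.new(prt["session_key"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad session key signature"
    nonce = claims.get("request_nonce")
    if nonce not in ISSUED_NONCES:
        return False, "nonce not issued or already used"
    ISSUED_NONCES.discard(nonce)  # single use: a replayed cookie fails here
    if not TENANT_DEVICES.get(prt["device_id"]):
        return False, "device not valid in tenant"
    return True, "ok"
```

The order matters for a defender: a cookie replayed after its nonce was consumed, or presented for a device that has since been disabled, is rejected even though its signature is genuine.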

Next steps

For more information on troubleshooting PRT-related issues, see the article Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices.