使用 Azure AD Connect 同步实现密码哈希同步Implement password hash synchronization with Azure AD Connect sync

本文提供将用户密码从本地 Active Directory 实例同步到基于云的 Azure Active Directory (Azure AD) 实例时所需的信息。This article provides information that you need to synchronize your user passwords from an on-premises Active Directory instance to a cloud-based Azure Active Directory (Azure AD) instance.

密码哈希同步的工作原理How password hash synchronization works

Active Directory 域服务以实际用户密码的哈希值表示形式存储密码。The Active Directory domain service stores passwords in the form of a hash value representation, of the actual user password. 哈希值是单向数学函数(哈希算法)的计算结果。A hash value is a result of a one-way mathematical function (the hashing algorithm). 没有任何方法可将单向函数的结果还原为纯文本版本的密码。There is no method to revert the result of a one-way function to the plain text version of a password. 无法使用密码哈希来登录本地网络。You cannot use a password hash to sign in to your on-premises network.

为了同步密码,Azure AD Connect 同步将从本地 Active Directory 实例提取密码哈希。To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory instance. 同步到 Azure Active Directory 身份验证服务之前,已对密码哈希应用其他安全处理。Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. 密码基于每个用户按时间顺序同步。Passwords are synchronized on a per-user basis and in chronological order.

密码哈希同步过程的实际数据流类似于用户数据的同步。The actual data flow of the password hash synchronization process is similar to the synchronization of user data. 但是,密码的同步频率高于其他属性的标准目录同步窗口。However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. 密码哈希同步过程每隔 2 分钟运行一次。The password hash synchronization process runs every 2 minutes. 无法修改此过程的运行频率。You cannot modify the frequency of this process. 同步某个密码时,该密码将覆盖现有的云密码。When you synchronize a password, it overwrites the existing cloud password.

首次启用密码哈希同步功能时,它将对范围内的所有用户执行初始密码同步。The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. 无法显式定义一部分要同步的用户密码。You cannot explicitly define a subset of user passwords that you want to synchronize.

更改本地密码时,更新后的密码会同步,此操作基本上在几分钟内就可完成。When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. 密码哈希同步功能会自动重试失败的同步尝试。The password hash synchronization feature automatically retries failed synchronization attempts. 如果尝试同步密码期间出现错误,该错误会被记录在事件查看器中。If an error occurs during an attempt to synchronize a password, an error is logged in your event viewer.

同步密码对当前登录的用户没有任何影响。The synchronization of a password has no impact on the user who is currently signed in. 当前的云服务会话不会立即受到已同步密码更改的影响,而是在登录云服务时才受到影响。Your current cloud service session is not immediately affected by a synchronized password change that occurs, while you are signed in, to a cloud service. 但是,当云服务要求再次身份验证时,就需要提供新的密码。However, when the cloud service requires you to authenticate again, you need to provide your new password.

无论用户是否已登录到其公司网络,都必须第二次输入其公司凭据,以便向 Azure AD 进行身份验证。A user must enter their corporate credentials a second time to authenticate to Azure AD, regardless of whether they're signed in to their corporate network. 但是,如果用户在登录时选中了“使我保持登录状态(KMSI)”复选框,则可以最大限度地避开这些模式。This pattern can be minimized, however, if the user selects the Keep me signed in (KMSI) check box at sign-in. 这样选择可设置会话 Cookie 以在 180 天内绕过身份验证。This selection sets a session cookie that bypasses authentication for 180 days. Azure AD 管理员可以启用或禁用 KMSI 行为。KMSI behavior can be enabled or disabled by the Azure AD administrator.

Note

只有 Active Directory 的对象类型用户才支持密码同步。Password sync is only supported for the object type user in Active Directory. 不支持 iNetOrgPerson 对象类型。It is not supported for the iNetOrgPerson object type.

密码哈希同步工作原理的详细说明Detailed description of how password hash synchronization works

以下部分将深入说明 Active Directory 与 Azure AD 之间的密码哈希同步工作原理。The following section describes, in-depth, how password hash synchronization works between Active Directory and Azure AD.

详细的密码流程

  1. 每隔两分钟,AD Connect 服务器上的密码哈希同步代理都会从 DC 请求存储的密码哈希(unicodePwd 属性)。Every two minutes, the password hash synchronization agent on the AD Connect server requests stored password hashes (the unicodePwd attribute) from a DC. 此请求通过用于同步 DC 之间数据的标准 MS-DRSR 复制协议进行。This request is via the standard MS-DRSR replication protocol used to synchronize data between DCs. 服务帐户必须具有“复制目录更改”和“复制所有目录更改”AD 权限(默认情况下,在安装时授予),才能获取密码哈希。The service account must have Replicate Directory Changes and Replicate Directory Changes All AD permissions (granted by default on installation) to obtain the password hashes.
  2. 在发送前,DC 将使用密钥(即 RPC 会话密钥的 MD5 哈希)和 salt 对 MD4 密码哈希进行加密。Before sending, the DC encrypts the MD4 password hash by using a key that is a MD5 hash of the RPC session key and a salt. 然后,它通过 RPC 将结果发送到密码哈希同步代理。It then sends the result to the password hash synchronization agent over RPC. DC 还使用 DC 复制协议将 salt 传递给同步代理,因此该代理能够解密信封。The DC also passes the salt to the synchronization agent by using the DC replication protocol, so the agent will be able to decrypt the envelope.
  3. 密码哈希同步代理获得加密的信封后,将使用 MD5CryptoServiceProvider和 salt 生成密钥,以便将收到的数据重新解密为其原始的 MD4 格式。After the password hash synchronization agent has the encrypted envelope, it uses MD5CryptoServiceProvider and the salt to generate a key to decrypt the received data back to its original MD4 format. 密码哈希同步代理永远无权访问明文密码。The password hash synchronization agent never has access to the clear text password. 密码哈希同步代理使用 MD5 完全是为了实现与 DC 的复制协议兼容性,并仅在本地的 DC 和密码哈希同步代理之间使用。The password hash synchronization agent’s use of MD5 is strictly for replication protocol compatibility with the DC, and it is only used on premises between the DC and the password hash synchronization agent.
  4. 密码哈希同步代理通过先将哈希转换为 32 字节的十六进制字符串,然后使用 UTF-16 编码重新将此字符串转换为二进制,来将 16 字节的二进制密码哈希扩展为 64 字节。The password hash synchronization agent expands the 16-byte binary password hash to 64 bytes by first converting the hash to a 32-byte hexadecimal string, then converting this string back into binary with UTF-16 encoding.
  5. 密码哈希同步代理通过将每个用户的 salt(包含 10 字节长度的 salt)添加到 64 字节的二进制字符串,来进一步保护原始哈希。The password hash synchronization agent adds a per user salt, consisting of a 10-byte length salt, to the 64-byte binary to further protect the original hash.
  6. 然后,密码哈希同步代理将 MD4 哈希与每个用户的 salt 组合在一起,并将其输入到 PBKDF2 函数。The password hash synchronization agent then combines the MD4 hash plus the per user salt, and inputs it into the PBKDF2 function. 使用 HMAC-SHA256 键控哈希算法的 1000 次迭代。1000 iterations of the HMAC-SHA256 keyed hashing algorithm are used.
  7. 密码哈希同步代理获取生成的 32 字节哈希,将每个用户的 salt 和 SHA256 迭代次数连接到它(以供 Azure AD 使用),然后通过 SSL 将该字符串从 Azure AD Connect 传输到 Azure AD。The password hash synchronization agent takes the resulting 32-byte hash, concatenates both the per user salt and the number of SHA256 iterations to it (for use by Azure AD), then transmits the string from Azure AD Connect to Azure AD over SSL.
  8. 当用户尝试登录到 Azure AD 并输入其密码时,会通过同一 MD4+salt+PBKDF2+HMAC-SHA256 过程运行密码。When a user attempts to sign in to Azure AD and enters their password, the password is run through the same MD4+salt+PBKDF2+HMAC-SHA256 process. 如果生成的哈希与 Azure AD 中存储的哈希匹配,则用户输入的密码正确并进行身份验证。If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.

Note

原始 MD4 哈希不会传送到 Azure AD。The original MD4 hash is not transmitted to Azure AD. 与之相反,传输的是原始 MD4 哈希的 SHA256 哈希。Instead, the SHA256 hash of the original MD4 hash is transmitted. 因此,如果获取了 Azure AD 中存储的哈希,则无法在本地“传递哈希”攻击中使用。As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash attack.

安全注意事项Security considerations

同步密码时,纯文本版本的密码既不能向密码哈希同步功能公开,也不能向 Azure AD 或任何相关联的服务公开。When synchronizing passwords, the plain-text version of your password is not exposed to the password hash synchronization feature, to Azure AD, or any of the associated services.

用户身份验证针对 Azure AD(而不是针对组织自己的 Active Directory 实例)进行。User authentication takes place against Azure AD rather than against the organization's own Active Directory instance. Azure AD 中存储的 SHA 256 密码数据(原始 MD4 哈希的哈希)比 Active Directory 中存储的数据更安全。The SHA256 password data stored in Azure AD--a hash of the original MD4 hash--is more secure than what is stored in Active Directory. 而且,由于此 SHA256 哈希无法解密,因此无法将其带回到组织的 Active Directory 环境,并且在“传递哈希”攻击中显示为有效的用户密码。Further, because this SHA256 hash cannot be decrypted, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack.

密码策略注意事项Password policy considerations

有两种类型的密码策略受启用密码哈希同步的影响:There are two types of password policies that are affected by enabling password hash synchronization:

  • 密码复杂性策略Password complexity policy
  • 密码过期策略Password expiration policy

密码复杂性策略Password complexity policy

启用密码哈希同步时,本地 Active Directory 实例中的密码复杂性策略会覆盖云中为同步的用户定义的复杂性策略。When password hash synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. 可以使用本地 Active Directory 实例的所有有效密码来访问 Azure AD 服务。You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services.

Note

直接在云中创建的用户的密码仍受到云中定义的密码策略的约束。Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.

密码过期策略Password expiration policy

如果用户属于密码哈希同步的范围,云帐户密码则设置为“永不过期”。If a user is in the scope of password hash synchronization, the cloud account password is set to Never Expire.

可以继续使用在本地环境中过期的同步密码来登录云服务。You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. 下次在本地环境中更改密码时,云密码会更新。Your cloud password is updated the next time you change the password in the on-premises environment.

帐户过期Account expiration

如果组织在用户帐户管理中使用了 accountExpires 属性,此属性不会同步到 Azure AD。If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. 因此,环境中为密码哈希同步配置的过期 Active Directory 帐户仍会在 Azure AD 中处于活动状态。As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. 我们建议,如果帐户已过期,工作流操作应触发一个 PowerShell 脚本以禁用用户的 Azure AD 帐户(使用 Set-AzureADUser cmdlet)。We recommend that if the account is expired, a workflow action should trigger a PowerShell script that disables the user's Azure AD account (use the Set-AzureADUser cmdlet). 相反,在启用帐户后,Azure AD 实例应该开启。Conversely, when the account is turned on, the Azure AD instance should be turned on.

覆盖已同步的密码Overwrite synchronized passwords

管理员可以使用 Windows PowerShell 手动重置密码。An administrator can manually reset your password by using Windows PowerShell.

在这种情况下,新密码会覆盖已同步密码,并且在云中定义的所有密码策略都会应用于新的密码。In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password.

如果再次更改本地密码,新密码则会同步到云,并会手动覆盖更新的密码。If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.

同步密码对登录的 Azure 用户没有任何影响。The synchronization of a password has no impact on the Azure user who is signed in. 当前的云服务会话不会立即受到已同步密码更改的影响,而是在登录云服务时才受到影响。Your current cloud service session is not immediately affected by a synchronized password change that occurs while you're signed in to a cloud service. KMSI 会延长此差异的持续时间。KMSI extends the duration of this difference. 当云服务要求再次身份验证时,需要提供新的密码。When the cloud service requires you to authenticate again, you need to provide your new password.

其他优点Additional advantages

  • 通常情况下,密码哈希同步比联合身份验证服务易于实现。Generally, password hash synchronization is simpler to implement than a federation service. 它不需要任何其他服务器,并且不依赖于高度可用的联合身份验证服务来对用户进行身份验证。It doesn't require any additional servers, and eliminates dependence on a highly available federation service to authenticate users.
  • 除了联合身份验证,还可以启用密码哈希同步。Password hash synchronization can also be enabled in addition to federation. 如果联合身份验证服务发生了中断,它可以用作回退。It may be used as a fallback if your federation service experiences an outage.

启用密码哈希同步Enable password hash synchronization

Important

如果要从 AD FS(或其他联合技术)迁移到密码哈希同步,我们强烈建议你按照此处发布的详细部署指南进行操作。If you are migrating from AD FS (or other federation technologies) to Password Hash Synchronization, we highly recommend that you follow our detailed deployment guide published here.

使用“快速设置”选项安装 Azure AD Connect 时,会自动启用密码哈希同步。When you install Azure AD Connect by using the Express Settings option, password hash synchronization is automatically enabled. 有关详细信息,请参阅通过快速设置开始使用 Azure AD ConnectFor more information, see Getting started with Azure AD Connect using express settings.

如果在安装 Azure AD Connect 时使用了自定义设置,则可在用户登录页上使用密码哈希同步。If you use custom settings when you install Azure AD Connect, password hash synchronization is available on the user sign-in page. 有关详细信息,请参阅 Azure AD Connect 的自定义安装For more information, see Custom installation of Azure AD Connect.

启用密码哈希同步

密码哈希同步和 FIPSPassword hash synchronization and FIPS

如果已经根据美国联邦信息处理标准 (FIPS) 锁定服务器,则会禁用 MD5。If your server has been locked down according to Federal Information Processing Standard (FIPS), then MD5 is disabled.

若要为密码哈希同步启用 MD5,请执行以下步骤:To enable MD5 for password hash synchronization, perform the following steps:

  1. 转到 %programfiles%\Azure AD Sync\Bin。Go to %programfiles%\Azure AD Sync\Bin.
  2. 打开 miiserver.exe.config。Open miiserver.exe.config.
  3. 转到文件末尾的 configuration/runtime 节点。Go to the configuration/runtime node at the end of the file.
  4. 添加以下节点:Add the following node: <enforceFIPSPolicy enabled="false"/>
  5. 保存所做更改。Save your changes.

下面显示了此代码片段的大致情况,供参考:For reference, this snippet is what it should look like:

    <configuration>
        <runtime>
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
    </configuration>

有关安全性与 FIPS 的信息,请参阅 Azure AD password hash sync, encryption, and FIPS compliance(Azure AD 密码哈希同步、加密和 FIPS 符合性)。For information about security and FIPS, see Azure AD password hash sync, encryption, and FIPS compliance.

排查密码哈希同步问题Troubleshoot password hash synchronization

如果遇到密码哈希同步问题,请参阅排查密码哈希同步问题If you have problems with password hash synchronization, see Troubleshoot password hash synchronization.

后续步骤Next steps