
Configuring Encryption Algorithm for WCF in Active Directory Domain

Scenario: A WCF Client/Server application running on an Active Directory domain using NetTcp, Transport Security, and Windows Authentication. I understand how this works behind the scenes with SSPI, and how it by default does transport layer encryption. It is also my understanding that the encryption parameters, such as what algorithm, are configured in the domain.

Question: How, in this scenario, would I configure my Active Directory domain to use different algorithms? I don't necessarily want my app to specify a specific algorithm; I'm happy with Windows Authentication doing the heavy lifting for me in this scenario. However, I need to be able to tell the customer how to configure their policies to use their selected algorithm, or at least look into their policies to determine what algorithm they're using today.

To be clear: I don't want to use Certificate Authentication. I really want to stay with Windows authentication.

Since Kerberos is the default authentication protocol used with Active Directory, I would focus on adjusting (if need be) the encryption methods used for Kerberos. Since Windows 2008 R2, AES256-SHA1 has been the default algorithm for Kerberos. Though with SSPI Windows authentication it is possible that NTLM might be the authentication protocol used, that is highly unlikely today in 2018.

To tell which authentication and encryption method you are using, if you are on Windows 10, type klist from a command prompt. The output will show the resource connected to and the encryption method used. If you connected via SSO to a network resource and you do not see a matching Kerberos ticket in the klist output, that means NTLM was used. Use a network capture tool like Wireshark to confirm this.

To configure the Kerberos policy to use a particular encryption algorithm, conduct the following:

  1. Open up the Group Policy Management Console (GPMC) and edit the Default Domain Policy (after making a backup copy of it first).
  2. Navigate to the following location: Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
  3. Click to select the Network security: Configure encryption types allowed for Kerberos option.
  4. Click to select Define these policy settings and select the desired check boxes for the encryption type(s).
  5. Click OK. Close out of the GPMC.

Reference: Network security: Configure encryption types allowed for Kerberos (Win7 only). Note: the article says Win7 only, but it applies to Windows 8 and Windows 10 as well.

Note: Since you said you are not using Certificate authentication, matters like TLS would not apply here.
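As an added example (not part of the original question or answer), the following PowerShell does from the command line what the GPMC steps and the klist check above do by hand: it decodes the SupportedEncryptionTypes policy value applied to the host, lists the encryption type of each cached Kerberos ticket, and can write the same setting into a GPO. The function names `Get-AllowedKerberosEncTypes`, `Get-KerberosTicketEncTypes` and `Set-AllowedKerberosEncTypesViaGpo` are my own; the registry path and bit values are the ones the "Network security: Configure encryption types allowed for Kerberos" policy writes, and `Set-GPRegistryValue` comes from the RSAT GroupPolicy module. It assumes an elevated prompt on an English-locale, domain-joined Windows host.

```powershell
# Added example, not part of the original answer.
# Assumptions: elevated PowerShell on a domain-joined, English-locale Windows host;
# the RSAT GroupPolicy module is only needed for Set-AllowedKerberosEncTypesViaGpo.

# Bit values of the SupportedEncryptionTypes DWORD that the policy
# "Network security: Configure encryption types allowed for Kerberos" writes to
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
$KerberosEncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
    'Future encryption types' = 0x7FFFFFE0
}
$KerberosPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-AllowedKerberosEncTypes {
    # Reads the policy value applied to this host. If the value is absent the policy
    # is "Not Defined" and the OS default set applies (no DES on Windows 7 / 2008 R2 and later).
    $item = Get-ItemProperty -Path $KerberosPolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning 'SupportedEncryptionTypes is not set: policy not defined, OS defaults apply.'
        return
    }
    $mask = $item.SupportedEncryptionTypes
    foreach ($name in $KerberosEncTypeBits.Keys) {
        [pscustomobject]@{
            EncryptionType = $name
            Allowed        = (($mask -band $KerberosEncTypeBits[$name]) -ne 0)
        }
    }
}

function Get-KerberosTicketEncTypes {
    # Parses klist output: each cached ticket has a "Server:" line followed by a
    # "KerbTicket Encryption Type:" line. A resource reached via SSO that has no
    # ticket here was authenticated with NTLM, as the answer above notes.
    $server = $null
    foreach ($line in (& klist.exe)) {
        if ($line -match '^\s*Server:\s*(.+)$') {
            $server = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            [pscustomobject]@{ Server = $server; TicketEncryptionType = $Matches[1].Trim() }
        }
    }
}

function Set-AllowedKerberosEncTypesViaGpo {
    # Writes the same registry-backed setting the GPMC steps produce into the named GPO.
    # Default mask selects AES128 + AES256 only (0x18). Caveat: dropping RC4 breaks
    # authentication for any account or trust that still has only RC4 keys, so run
    # Get-KerberosTicketEncTypes on representative hosts and audit before enforcing.
    param(
        [string]$GpoName = 'Default Domain Policy',
        [string[]]$EncTypes = @('AES128_CTS_HMAC_SHA1_96', 'AES256_CTS_HMAC_SHA1_96')
    )
    $mask = 0
    foreach ($t in $EncTypes) { $mask = $mask -bor $KerberosEncTypeBits[$t] }
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
        -ValueName 'SupportedEncryptionTypes' -Type DWord -Value $mask
}

Get-AllowedKerberosEncTypes | Format-Table -AutoSize
Get-KerberosTicketEncTypes  | Format-Table -AutoSize
# Set-AllowedKerberosEncTypesViaGpo -GpoName 'Default Domain Policy'   # uncomment to change the GPO
```

The audit functions are read-only; the GPO write is left commented out because it changes domain-wide behaviour, and the registry value it sets only takes effect on clients after the next policy refresh (gpupdate /force) and on tickets issued after that.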
