What's the difference between Anonymous, Authenticate, Impersonate and Delegate, and why does Delegate need Kerberos?


Question


When our customers install our software, they often opt for a "split install", where the services run on one box and the database is on another box. The services might talk to other services, or the database might contain stored procedures that need to talk to another database.


This leads us into the murky world of Kerberos and SetSPN.


I was about to send the support guys an email breaking down the difference between the various authentication levels supported by Windows, but I realised that my knowledge gets a bit vague about the difference between impersonate and delegate, and I'm really sketchy when it comes to Kerberos.

Can anyone enlighten me?

Answer


Authenticate (authn) means to identify a user. Authorize (authz) means to determine what rights an authenticated user has. An Anonymous user has not been authenticated but may have some rights on the system (a "guest"). Impersonate and delegate are two sides of the same coin. I impersonate you if I use your identity to do an action; you delegate me the right to impersonate you and take some action.


Kerberos (or "Kerb") is a token-based authentication scheme. That is, it's a way to let users log in and be properly identified (authn) and given rights (authz) in a system.


Per comments: You don't need Kerb for delegation, but it's built in to Server 2003. You can also use NTLM, SSL Certificate Mapping or Digest Authentication. But none of those is as robust and flexible as Kerb. You also have the option to do constrained delegation, which allows delegation only to certain services. The reason is that you need a trusted 3rd party to validate your token. Basically, the flow goes like this ...

  1. I authenticate to my domain.
  2. The domain issues me a certificate. That certificate proves who I am.
  3. I take that certificate and present it to the service I want to do something with.
  4. The service takes that certificate and validates it with the trusted certificate authority.
  5. The service grants or denies access based on its communication with the certificate authority.


It's a deep subject as you know. :) Here is a good article on some of the above options. Also, check out this web cast -- it's about ADFS, but it does a good job on the concepts that might help.
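The five-step flow and the authn/authz/anonymous/impersonate/delegate distinctions above can be made concrete with a small simulation. This is an added example, not code from the original answer: a `Domain` plays the trusted third party and mints tickets keyed with a secret it shares with each service (an HMAC stands in for the "certificate" in the answer's flow), a `Service` validates tickets and applies its own rights table, and delegation is only granted when the target is on the front-end service's allow-list (constrained delegation). All user names, passwords, service names and rights are constructed.

```python
"""Toy model of the ticket-based flow: authenticate to the domain, receive a
ticket for one service, have the service validate it, then either act as the
user (impersonation) or obtain a further ticket on the user's behalf (delegation).
Constructed example; names, passwords and rights tables are made up."""
import hashlib
import hmac
import json
import secrets
import time

GUEST_RIGHTS = {"read"}  # what an anonymous (unauthenticated) caller may do


class Domain:
    """Trusted third party: authenticates users and issues service tickets."""

    def __init__(self, users):
        self.users = users                # user -> password (constructed)
        self.service_keys = {}            # spn -> secret shared with that service
        self.allowed_delegation = {}      # spn -> targets it may delegate to

    def register_service(self, spn, delegate_to=()):
        key = secrets.token_bytes(32)
        self.service_keys[spn] = key
        self.allowed_delegation[spn] = set(delegate_to)
        return key                        # handed to the service out of band

    def authenticate(self, user, password):
        """Step 1: the user proves who they are to the domain."""
        if self.users.get(user) != password:
            raise PermissionError("authentication failed")
        return {"user": user}

    def issue_ticket(self, session, spn, ttl=300, via=None):
        """Step 2: issue a ticket bound to one service; 'via' records a delegating service."""
        body = {"user": session["user"], "spn": spn, "exp": time.time() + ttl, "via": via}
        raw = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self.service_keys[spn], raw, hashlib.sha256).hexdigest()
        return {"body": raw.decode(), "mac": mac}

    def delegate(self, front_spn, ticket, target_spn):
        """Constrained delegation: front_spn presents the user's ticket and asks for a
        ticket to target_spn on that user's behalf; only allow-listed targets succeed."""
        body = verify_ticket(ticket, self.service_keys[front_spn], front_spn)
        if target_spn not in self.allowed_delegation.get(front_spn, set()):
            raise PermissionError(f"{front_spn} may not delegate to {target_spn}")
        return self.issue_ticket({"user": body["user"]}, target_spn, via=front_spn)


def verify_ticket(ticket, key, expected_spn):
    """Step 4: check the ticket with the key the domain shared with this service."""
    mac = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, ticket["mac"]):
        raise PermissionError("ticket signature invalid")
    body = json.loads(ticket["body"])
    if body["spn"] != expected_spn:
        raise PermissionError("ticket issued for a different service")
    if body["exp"] < time.time():
        raise PermissionError("ticket expired")
    return body


class Service:
    """A service with its own rights table: authz is decided separately from authn."""

    def __init__(self, spn, key, rights):
        self.spn, self.key, self.rights = spn, key, rights  # rights: user -> actions

    def request(self, ticket, action):
        """Step 5: no ticket means anonymous/guest; otherwise act as the ticket's user."""
        if ticket is None:
            identity, allowed = "anonymous", GUEST_RIGHTS
        else:
            body = verify_ticket(ticket, self.key, self.spn)
            identity, allowed = body["user"], self.rights.get(body["user"], set())
        return {"identity": identity, "action": action, "granted": action in allowed}


def demo():
    """Run the whole flow and return the observable outcomes."""
    domain = Domain(users={"alice": "constructed-password"})
    web_key = domain.register_service("http/web", delegate_to=["mssql/db"])
    db_key = domain.register_service("mssql/db")
    domain.register_service("smtp/mail")          # registered, but web may not delegate to it
    web = Service("http/web", web_key, {"alice": {"read", "write"}})
    db = Service("mssql/db", db_key, {"alice": {"select"}})
    r = {}
    r["anon_read"] = web.request(None, "read")["granted"]       # guest right
    r["anon_write"] = web.request(None, "write")["granted"]     # denied: not authenticated
    session = domain.authenticate("alice", "constructed-password")
    t_web = domain.issue_ticket(session, "http/web")
    r["alice_write"] = web.request(t_web, "write")["granted"]
    t_db = domain.delegate("http/web", t_web, "mssql/db")       # web impersonates alice to db
    hit = db.request(t_db, "select")
    r["db_identity"], r["db_select"] = hit["identity"], hit["granted"]
    r["db_via"] = json.loads(t_db["body"])["via"]
    try:
        domain.delegate("http/web", t_web, "smtp/mail")
        r["mail_delegation"] = "allowed"
    except PermissionError:
        r["mail_delegation"] = "denied"                          # constrained delegation blocks it
    forged = {"body": t_web["body"].replace("alice", "admin"), "mac": t_web["mac"]}
    try:
        web.request(forged, "write")
        r["forged"] = "accepted"
    except PermissionError:
        r["forged"] = "rejected"                                 # MAC no longer matches
    return r


if __name__ == "__main__":
    print(demo())
```

The `via` field shows why auditing delegation matters on the database side: the database sees `alice` as the identity but can also see that the request arrived through `http/web`, which is the information a defender needs when reviewing which front-end services are allowed to act on users' behalf.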
