This is a machine-translated version of the English original. In case of any ambiguity or inconsistency, the English version prevails.
Enable Public Key Cryptography for Initial Authentication (PKINIT) for your AWS Managed Microsoft AD users
AWS Managed Microsoft AD directories use strong certificate binding by default, which requires an explicit mapping between a certificate and an AD object. The following mappings are considered strong for AWS Managed Microsoft AD:
- altSecurityIdentities Issuer and Serial Number
- altSecurityIdentities Subject Key Identifier
- altSecurityIdentities SHA1 Public Key Hash
These attributes enable strong certificate mapping, which improves the security of certificate-based authentication by requiring an explicit certificate-to-user relationship to be defined in Active Directory. This helps prevent certificate-based privilege escalation attacks.
You can use this procedure to configure strong certificate binding, which helps you prevent privilege escalation attacks while preserving certificate authentication.
For more information, see Microsoft KB5014754: Certificate-based authentication changes on Windows domain controllers.
Prerequisites
- An AWS Managed Microsoft AD directory with a certificate authority configured
- Administrative access to the Active Directory environment
- PowerShell with the Active Directory module installed
- The certificates that you want to map to AD objects
Map the AltSecurityIdentity attribute
- Choose one of the following AltSecurityIdentity mapping methods based on your certificate information:
  - SHA1 hash – uses the SHA1 hash of the certificate's public key
    For SHA1 hash mapping, extract the certificate hash and apply it to the user object:

        $Username = 'YourUsername'
        # certutil -dump prints the certificate details; the "Cert Hash(sha1):" line carries the hash
        $cert = certutil -dump "YourCertificate.cer"
        # Strip the label with a regex replace (TrimStart would also remove leading hex digits such as
        # 'a', 'e' or '1' that happen to be in the label's character set) and drop the spaces between bytes
        $CertHash = (($cert | Select-String -Pattern 'Cert Hash\(sha1\):' | Select-Object -First 1).Line -replace '^.*Cert Hash\(sha1\):\s*', '') -replace '\s', ''
        Set-ADUser -Identity $Username -Add @{'altSecurityIdentities'="X509:<SHA1-PUKEY>$CertHash"}

  - Issuer and serial number – uses the certificate's issuer name and serial number
    For issuer and serial number mapping, use the certificate's issuer and serial number:

        $Username = 'YourUsername'
        # As described in KB5014754, the issuer is written with its RDNs in reverse order
        # (for example DC=com,DC=contoso,CN=CONTOSO-CA) and the serial number in reversed byte order
        $IssuerName = 'YourCertificateIssuer'
        $SerialNumber = 'YourCertificateSerialNumber'
        Set-ADUser -Identity $Username -Add @{'altSecurityIdentities'="X509:<I>$IssuerName<SR>$SerialNumber"}

  - Subject Key Identifier – uses the certificate's Subject Key Identifier extension
    For Subject Key Identifier mapping, use the certificate's Subject Key Identifier:

        $Username = 'YourUsername'
        # Hex value of the Subject Key Identifier extension, without spaces
        $SubjectKeyIdentifier = 'YourSubjectKeyIdentifier'
        Set-ADUser -Identity $Username -Add @{'altSecurityIdentities'="X509:<SKI>$SubjectKeyIdentifier"}

- Verify that the mapping was applied successfully:

      Get-ADUser -Identity $Username -Properties altSecurityIdentities | Select-Object -ExpandProperty altSecurityIdentities

- Wait for Active Directory replication to complete (typically 15-30 seconds) before testing certificate authentication.
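As an added example (not part of the AWS documentation), the following PowerShell derives all three strong mapping strings from a certificate file, using the reversed issuer and serial-number order that KB5014754 expects, and then audits existing users for altSecurityIdentities values that are not one of the strong forms. The certificate path is a placeholder, and Find-WeakCertificateMappings assumes the Active Directory module is loaded.

```powershell
# Added example: derive strong altSecurityIdentities values and audit existing mappings.
function Get-StrongAltSecurityIdentities {
    param([Parameter(Mandatory)][string]$CertificatePath)   # placeholder path supplied by the caller
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # <I>: issuer RDNs in reverse order. Format($true) yields one RDN per line with escaping intact,
    # which is safer than splitting the single-line DN on commas.
    $rdns = @($cert.IssuerName.Format($true) -split "`r?`n" | Where-Object { $_ })
    [array]::Reverse($rdns)
    $issuerReversed = $rdns -join ','

    # <SR>: serial number in reversed byte order; GetSerialNumber() already returns little-endian bytes
    $serialReversed = -join ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('x2') })

    # <SKI>: Subject Key Identifier extension, only present on certificates that carry it
    $skiExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]
    }

    $result = [ordered]@{
        IssuerSerial  = "X509:<I>$issuerReversed<SR>$serialReversed"
        Sha1PublicKey = "X509:<SHA1-PUKEY>$($cert.Thumbprint)"   # SHA1 hash as used by the page's mapping
    }
    if ($skiExt) { $result.SubjectKeyIdentifier = "X509:<SKI>$($skiExt.SubjectKeyIdentifier)" }
    [pscustomobject]$result
}

function Test-StrongAltSecurityIdentity {
    param([Parameter(Mandatory)][string]$Value)
    # Strong forms per KB5014754; anything else (<S>, <I>..<S>, <RFC822>, ...) is weak
    ($Value -match '^X509:<I>.+<SR>[0-9A-Fa-f]+$') -or
    ($Value -match '^X509:<SKI>[0-9A-Fa-f]+$') -or
    ($Value -match '^X509:<SHA1-PUKEY>[0-9A-Fa-f]+$')
}

function Find-WeakCertificateMappings {
    # Report every user whose altSecurityIdentities contains a value that is not a strong mapping
    Get-ADUser -Filter 'altSecurityIdentities -like "*"' -Properties altSecurityIdentities |
        ForEach-Object {
            $weak = @($_.altSecurityIdentities | Where-Object { -not (Test-StrongAltSecurityIdentity $_) })
            if ($weak.Count -gt 0) {
                [pscustomobject]@{ SamAccountName = $_.SamAccountName; WeakMappings = $weak }
            }
        }
}

# Usage (the file name is a placeholder):
Get-StrongAltSecurityIdentities -CertificatePath 'YourCertificate.cer'
Find-WeakCertificateMappings
```

Values reported by Find-WeakCertificateMappings are the ones that strong certificate binding will not honour and that should be replaced with one of the three forms above.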
Example: mapping certificates to the AltSecurityIdentity attribute in bulk
The following example shows how to map the AltSecurityIdentity attribute for multiple user certificates issued by a certificate authority:

    $CertificateTemplateName = 'User'
    $Now = $((Get-Date).ToString($(Get-Culture).DateTimeFormat.ShortDatePattern))
    # Only issued (Disposition=20), unexpired certificates from the chosen template
    $Restrict = "Disposition=20,NotAfter>=$Now,Certificate Template=$CertificateTemplateName"
    $Out = "SerialNumber,Certificate Hash,User Principal Name,RequesterName,CommonName,CertificateTemplate,NotBefore,NotAfter"
    $Certs = certutil -view -restrict $Restrict -out $Out csv | ConvertFrom-Csv

    # Collect the certificate hashes per user before touching Active Directory
    $UserSha1HashMapping = @{}
    ForEach ($Cert in $Certs) {
        $UPN = $Cert.'User Principal Name'
        If (-not $UPN) { Continue }   # certificates without a UPN cannot be attributed to a user
        $Username, $Domain = $UPN.Split('@')
        $CertificateThumbprint = ($Cert.'Certificate Hash').Replace(' ', '')
        # SilentlyContinue keeps a missing account from raising an error and aborting the loop
        $AdUserObject = @(Get-ADUser -Identity $Username -ErrorAction SilentlyContinue)
        If ($AdUserObject.Count -gt 1) {
            Write-Output "Unable to map user: $Username, multiple user objects found"
            Continue
        }
        If ($AdUserObject.Count -eq 1) {
            If ($UserSha1HashMapping.Keys -Contains $Username) {
                $UserSha1HashMapping[$Username] += $CertificateThumbprint
            } Else {
                $UserSha1HashMapping[$Username] = @($CertificateThumbprint)
            }
        }
    }

    # Add each hash as a SHA1-PUKEY mapping, skipping values that are already present
    ForEach ($User in $UserSha1HashMapping.Keys) {
        Write-Output "Mapping altSecurityIdentity for $User"
        $UserObject = Get-ADUser -Identity $User -Properties 'altSecurityIdentities'
        $altSecurityIdentities = $UserObject.altSecurityIdentities
        ForEach ($thumbprint in $UserSha1HashMapping[$User]) {
            $SHA1PUKEY = "X509:<SHA1-PUKEY>$thumbprint"
            If ($altSecurityIdentities -Contains $SHA1PUKEY) {
                Write-Output "Skipping $thumbprint, already mapped."
                Continue
            }
            Write-Output "Adding $thumbprint to $User as altSecurityIdentity"
            Set-ADUser -Identity $User -Add @{'altSecurityIdentities' = $SHA1PUKEY}
        }
    }
Next steps
- Test certificate-based authentication with the mapped certificates
- Configure your applications to authenticate with the mapped certificates
- Monitor your AWS Managed Microsoft AD for authentication events