We are rolling out Active Directory Authentication Policies and Silos to restrict Domain Admins to domain controllers and Server Admins to servers. This works fine on all our servers from Hyper-V Server 2012 R2 up to Windows Server 2016 (after running klist -lh 0 -li 0x3e7 purge
to force a refresh of the computer account's Kerberos tickets without a reboot), except for our one Windows Server 2008 R2, which gives the error:
Your account is configured to prevent you from using this computer. Please try another computer.
When this happens, the following event is logged on the domain controller:
Log Name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 04/04/2019 09:25:50
Event ID: 105
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: <FQDN of DC #1>
Description:
A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Account Information:
Account Name: <username of server admin>
Supplied Realm Name:
User ID: <down-level username of server admin>
Authentication Policy Information:
Silo Name: Silo - Servers and Server Admins
Policy Name: Server admin
TGT Lifetime: 120
Device Information:
Device Name:
Service Information:
Service Name: krbtgt/<NetBIOS domain name>
Service ID: S-1-5-21-<SID of domain>-0
Network Information:
Client Address: ::ffff:<IP address of server>
Client Port: 50847
Additional Information:
Ticket Options: 0x7B
Result Code: 0xC
Ticket Encryption Type: 0x7
Pre-Authentication Type: 0
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 lists the result code as follows:
Code: 0xC
Code Name: KDC_ERR_POLICY
Description: Requested start time is later than end time
Possible causes: This error is usually the result of logon restrictions in place on a user's account. For example workstation restriction, smart card authentication requirement or logon time restriction.
So for some reason it thinks the user account is not allowed to access the server, even though the server's computer account and the server admin account have been added to and assigned to the correct silo, as shown here:
I have verified that the prerequisite policy Kerberos client support for claims, compound authentication, and Kerberos armoring is enabled and applied through Group Policy:
A reboot makes no difference.
The only thing I can think of is that Windows Server 2008 R2 does not support Authentication Policies and Silos, because the prerequisite policy Computer Configuration\Administrative Templates\System\Kerberos
|Kerberos client support for claims, compound authentication, and Kerberos armoring
does not exist locally:
However, I cannot find any documentation that states this explicitly. The closest I have found is https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx, which says:
Prerequisites:
[...]
• Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2 domain members must be configured to support DAC, including Kerberos compound claims (device claims)
Even so, what is the workaround? A separate set of admin accounts just for pre-2012 Windows servers?
Answer 1
Kerberos client support for claims, compound authentication, and Kerberos armoring requires at least Windows Server 2012, Windows 8 or Windows RT.
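An added diagnostic script for this situation (it is not code from the question or the answer above). It assumes the RSAT ActiveDirectory module, rights to read the silo and the DC event log, and WinRM access to the member servers; the silo name is the one shown in the event in the question, and the domain controller name is a hypothetical placeholder. It lists every silo member with its OS version and whether the silo is actually assigned (membership alone is not enough), checks the registry value written by the "Kerberos client support for claims, compound authentication, and Kerberos armoring" policy on members whose OS predates Windows Server 2012, and pulls the recent event 105 denials from the DC:

```powershell
# Added example, not part of the original post or answer.
# Assumes: RSAT ActiveDirectory module, read access to the silo, WinRM to members,
# and rights to read the DC's AuthenticationPolicyFailures log. $Dc is hypothetical.
Import-Module ActiveDirectory

$SiloName = 'Silo - Servers and Server Admins'   # silo name from the event in the question
$Dc       = 'dc1.example.com'                    # hypothetical DC name; replace with a real DC

# Device claims / compound authentication arrived with Windows 8 / Server 2012 (NT 6.2).
# An older client cannot present device claims, so the KDC cannot satisfy the silo's
# device restriction for it and denies the TGT (event 105, result code 0xC).
$MinimumSupportedVersion = [version]'6.2'

function Get-SiloMemberReport {
    param([string]$Silo)
    $siloObj = Get-ADAuthenticationPolicySilo -Identity $Silo
    foreach ($dn in $siloObj.Members) {
        $m = Get-ADObject -Identity $dn -Properties objectClass, operatingSystem,
                 operatingSystemVersion, 'msDS-AssignedAuthNPolicySilo'

        # Being listed in the silo's Members is only half of it: the object must also have
        # the silo assigned (msDS-AssignedAuthNPolicySilo) for the KDC to treat it as inside.
        $assigned = $m.'msDS-AssignedAuthNPolicySilo' -eq $siloObj.DistinguishedName

        $osOk = $null
        if ($m.objectClass -eq 'computer' -and $m.operatingSystemVersion) {
            # operatingSystemVersion looks like "6.1 (7601)"; keep the "major.minor" part
            $ver  = [version](($m.operatingSystemVersion -split ' ')[0])
            $osOk = $ver -ge $MinimumSupportedVersion
        }

        [pscustomobject]@{
            Name            = $m.Name
            Class           = $m.objectClass
            OperatingSystem = $m.operatingSystem
            SiloAssigned    = $assigned
            OsSupportsSilos = $osOk     # $null for users; $false flags a 2008 R2 style member
        }
    }
}

function Test-KerberosClaimsSupport {
    # Reads the registry value the "Kerberos client support for claims, compound
    # authentication and Kerberos armoring" GPO sets. 1 means the GPO applied; on a pre-6.2
    # OS the value can be present yet is ignored because the Kerberos client lacks the feature.
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kerberos\Parameters'
        $v = (Get-ItemProperty -Path $key -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            OSVersion          = [System.Environment]::OSVersion.Version.ToString()
            EnableCbacAndArmor = $v
            ClientSupported    = [System.Environment]::OSVersion.Version -ge [version]'6.2'
        }
    }
}

function Get-SiloDenials {
    # Recent TGT denials (event 105) from the DC log named in the question.
    param([string]$DomainController, [int]$Max = 20)
    Get-WinEvent -ComputerName $DomainController -MaxEvents $Max -FilterHashtable @{
        LogName = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'
        Id      = 105
    } | Select-Object TimeCreated, Message
}

# Usage
Get-SiloMemberReport -Silo $SiloName | Format-Table -AutoSize
Get-SiloMemberReport -Silo $SiloName |
    Where-Object { $_.OsSupportsSilos -eq $false } |
    ForEach-Object { Test-KerberosClaimsSupport -ComputerName $_.Name }
Get-SiloDenials -DomainController $Dc
```

A member that shows SiloAssigned = True but OsSupportsSilos = False is exactly the case in the question: the silo is configured correctly, the GPO may even have written EnableCbacAndArmor, but the client OS cannot send the device claims the silo policy requires, so the only options are to upgrade that server or to keep it out of the silo and reach it with a separate account.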