Windows Hello for Business, hardware keys, and SSO

Last updated: 02/12/2025
Author: Ishaku
  • Windows Hello for Business creates device- and user-bound credentials for strong authentication against Microsoft Entra ID and Active Directory.
  • It rests on a sequence of phases: device registration, provisioning, key synchronization, optional certificate enrollment, and authentication with SSO through the PRT and Kerberos.
  • The deployment model (cloud-only, hybrid, or on-premises) and the trust type (cloud Kerberos, key, or certificate) determine how much PKI is needed and how complex the rollout becomes.
  • WHfB is a real security gain over passwords, but it requires PKI planning, reachable CRLs, suitable OS versions, and a solid support and user-recovery strategy.

Security of Windows Hello for Business

If you manage identity in a Microsoft environment, you have surely heard of Windows Hello, Windows Hello for Business, hardware keys, and SSO. But it is easy to get lost among the many acronyms, trust types, and requirements. And in hybrid deployments with a legacy Active Directory, understanding what WHfB really provides compared to a simple PIN or biometric sign-in can be the difference between a smooth operation and a permanent headache.

In this article we explain in detail how Windows Hello for Business (WHfB) works, what role hardware keys play, how single sign-on (SSO) is achieved, and how it differs from the "regular" Windows Hello used by home users. We cover the internal phases (device registration, provisioning, key synchronization, certificates, and authentication), the deployment models (cloud-only, hybrid, and on-premises), the trust types, PKI requirements, licensing, practical rollout challenges, and how all of this fits with modern approaches such as FIDO2 and passwordless security.

Windows Hello vs Windows Hello for Business: what changes

Windows Hello (plain and simple) is the user experience for signing in with a PIN or biometrics on a Windows device, designed for home and prosumer environments. Windows Hello for Business (WHfB), on the other hand, is the enterprise evolution that adds strong identity capabilities integrated with Active Directory and Microsoft Entra ID.

With both you can use a PIN, fingerprint, or facial recognition backed by the TPM to sign in to the computer, and you can also authenticate against a traditional domain. The main difference is that WHfB creates and manages enterprise-grade credentials: key pairs or certificates bound to the user and the device, governed by policy, and used for SSO to on-premises and cloud resources.

Whereas "regular" Windows Hello is essentially limited to replacing the password with a convenience gesture on that one device, WHfB produces a strong credential that the identity provider (AD, Microsoft Entra ID, or AD FS) recognizes, stores, and uses to issue access tokens and enforce security: Conditional Access, strong KDC validation, the PRT, cloud Kerberos, and other advanced controls.

The obvious question is: if I already have domain-joined devices managed with Intune, with TPM and biometrics, and SSO to the cloud through password hash synchronization, what do I gain by adding WHfB? The answer lies in how the keys and the authentication flows are built, how the device is joined, and the ability to extend that security to the whole environment, not only to local sign-in.

Core architecture: the Windows Hello for Business phases

WHfB is a distributed system that depends on several components: the device, the TPM, the identity provider, the PKI, directory synchronization, and the SSO mechanisms. To understand it without getting lost, it helps to split its operation into five phases.

1. Device registration

The first piece of the puzzle is registering the device with the identity provider (IdP). This step binds the device to an identity in the directory and lets it authenticate automatically when the user signs in.

In cloud-only or hybrid environments, the IdP is Microsoft Entra ID and the device registers with the Device Registration Service (Microsoft Entra joined, hybrid joined, or Microsoft Entra registered). In on-premises-only scenarios, the IdP is usually AD FS with its Enterprise Device Registration Service.

After this registration, the IdP assigns the device a unique identity that is used to establish trust between the device and the directory in subsequent authentications. That record is classified by "join type", which determines whether the device is joined to an on-premises domain, to Entra ID, to both (hybrid), or simply registered as a personal device.

2. Provisioning: creating the Windows Hello container

Once the device is registered, provisioning of the Windows Hello for Business credential begins. This is where the so-called Windows Hello container is created, which logically groups all of the user's credentials on that computer.

A typical provisioning flow follows these main steps, always after an initial authentication with the weaker credential (username and password):

  • The user completes MFA at the IdP (Microsoft Entra MFA or another compatible method, or an MFA adapter in AD FS in on-premises environments).
  • After passing that second factor, the user is prompted to set a PIN and, if suitable hardware is present, a biometric gesture (fingerprint, face, iris).
  • Once the PIN is confirmed, Windows creates the Windows Hello container for that account on that computer.
  • Inside the container, an asymmetric key pair (public and private) is generated, bound to the TPM when one is available or, failing that, protected in software.
  • The private key remains on the device and is not exportable; it is protected by the TPM and by the PIN/biometric protectors.
  • The public key is registered with the IdP and associated with the user object: in Microsoft Entra ID it is written to the user, and in on-premises scenarios AD FS writes it to Active Directory.

The container also includes an administrative key, used for scenarios such as PIN reset; on devices with a TPM, a data block containing the TPM attestation information is stored as well. All of this material is only unlocked when the user performs the gesture (PIN or biometrics), and that initial MFA binding is what establishes the trust between user, device, and IdP.

3. Keys in the container: authentication and user identity keys

Inside the Windows Hello container we find several kinds of keys with different roles, all of them protected by the PIN- or biometric-based protector:

  • Authentication key: an asymmetric key pair generated during registration that must always be unlocked with the PIN or biometric gesture. It is the root under which the other material is re-protected when the PIN changes.
  • User identity keys: these can be symmetric or asymmetric depending on the identity provider (IdP) and the model (key or certificate). They are used to sign or encrypt requests and tokens sent to the identity provider. In enterprise environments they are normally created as asymmetric keys, with the public key registered at the IdP.

These user identity keys can be obtained in two ways: combined with the enterprise PKI to issue certificates (for example for VPN, RDP, or certificate-based Kerberos authentication), or generated directly for the IdP in scenarios without a PKI (the pure key model).

The same infrastructure lets Windows Hello act as a FIDO2/WebAuthn platform authenticator in compatible applications and websites. Sites can create a FIDO credential inside the Windows Hello container; on later visits, the user authenticates with the PIN or biometrics without ever exposing a password.

4. Key synchronization in hybrid environments

In hybrid architectures where Microsoft Entra ID and Active Directory coexist, registering the key only in the cloud is not enough for the key trust model. After provisioning, the WHfB public key must also be linked to the on-premises directory in order to enable authentication and SSO against on-premises resources.

In these scenarios, Microsoft Entra Connect Sync takes care of copying the public key into the msDS-KeyCredentialLink attribute of the user object in Active Directory. This synchronization is essential so that a domain controller can validate the signature the device produces with the private key stored in the TPM. (The cloud Kerberos trust model, described further below, does not depend on this writeback.)
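A practical check for this phase, added here as an example that is not part of the original article: after Entra Connect Sync has run, confirm which users actually have a WHfB public key in msDS-KeyCredentialLink, and audit who is allowed to write that attribute. The latter matters because any principal with write access to msDS-KeyCredentialLink can register a key of its own for that user. The OU path is an assumption; the schema GUID of the attribute is looked up from the schema rather than hard-coded. Requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module
# and read access to the target OU. The OU distinguished name is a placeholder.
Import-Module ActiveDirectory

function Get-WhfbKeyStatus {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. "OU=Users,DC=corp,DC=example"
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties 'msDS-KeyCredentialLink' |
        ForEach-Object {
            # DN-Binary values look like "B:<len>:<hex KEYCREDENTIALLINK_BLOB>:<DN>"
            $links = @($_.'msDS-KeyCredentialLink')
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                KeyCount       = $links.Count
                HasWhfbKey     = ($links.Count -gt 0)
            }
        }
}

function Get-KeyCredentialLinkWriters {
    param([Parameter(Mandatory)][string]$UserDn)
    # Resolve the attribute's schemaIDGUID dynamically so the check is forest-independent
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
    $guid = [guid]$attr.schemaIDGUID
    $acl = Get-Acl -Path "AD:\$UserDn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite') -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)   # attribute-specific or blanket write
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# 1) users in the OU whose key never synced: on-prem key-trust sign-in will fail for them
Get-WhfbKeyStatus -SearchBase 'OU=Users,DC=corp,DC=example' |
    Where-Object { -not $_.HasWhfbKey } | Format-Table -AutoSize

# 2) who can add keys to a given user (expect only the sync account and domain admins)
Get-KeyCredentialLinkWriters -UserDn 'CN=Jane Doe,OU=Users,DC=corp,DC=example' | Format-Table -AutoSize
```

Anything in the second list beyond the Entra Connect service account, SYSTEM, and your privileged admin groups deserves a ticket: an unexpected writer on this attribute is a path to impersonating the user with a key the user never enrolled.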

5. Certificate enrollment (only where required)

In some models (such as certificate trust), in addition to keys, the organization needs to issue certificates to users. In that case an extra phase is activated: certificate enrollment.

After the public key has been registered, the client generates a certificate request and sends it to a certificate registration authority (CRA), usually integrated into AD FS in federated deployments. The CRA validates the request against the enterprise PKI and issues a certificate that is stored in the Hello container, ready to be used for authentication to on-premises resources that still depend on certificates.

Authentication, private key, and SSO: how it all fits together

Once registration and provisioning are complete, the user's day-to-day experience comes down to something simple: a gesture (PIN or biometrics) that "releases" the device's private key. The interesting part is what happens behind the scenes.

When the user unlocks the computer, Windows uses the private part of the WHfB credential to sign the authentication request sent to the IdP, which verifies the signature with the public key stored on the user object. Because neither the PIN nor the private key ever leaves the device, the scheme is resistant to the classic forms of credential theft and replay.

In the Microsoft Entra ID scenario, completing this authentication produces a Primary Refresh Token (PRT), a JSON web token containing user and device information. It is the basis of SSO to cloud applications and, combined with Microsoft Entra Kerberos or key synchronization, also to on-premises resources.

Without a PRT, even if the user holds a valid WHfB credential, single sign-on is lost and the user is forced to re-authenticate in every app. This is why Conditional Access policies, whether device-based or risk-based, typically depend on the presence of that PRT.

For Active Directory, when using key trust or certificate trust, WHfB behaves like a virtual smart card: the user signs in without any additional prompt, the client performs Kerberos pre-authentication with the key or certificate, the domain controller validates it and issues a Kerberos TGT, and that TGT enables SSO to on-premises services integrated with Kerberos.
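To see whether the pieces described above (NGC key, PRT, on-premises and cloud TGTs) are actually present on a client, the following added example, which is not part of the original article, parses the output of `dsregcmd /status`. The field names it reads (AzureAdJoined, NgcSet, AzureAdPrt, OnPremTgt, CloudTgt) are those printed by current Windows builds and are treated here as an assumption; run it in the user's own (non-elevated) session, since the user-state section is per user.

```powershell
# Added example (not from the original article). Assumes the dsregcmd /status field
# names shown below; run as the signed-in user, not from an elevated admin shell.
function Get-WhfbSsoState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        # Each status line looks like "      AzureAdPrt : YES"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        NgcSet        = $state['NgcSet']               # WHfB key provisioned for this user
        AzureAdPrt    = $state['AzureAdPrt']           # PRT present -> cloud SSO and CA device checks work
        PrtUpdated    = $state['AzureAdPrtUpdateTime']
        OnPremTgt     = $state['OnPremTgt']            # AD TGT obtained (key trust / cloud Kerberos trust)
        CloudTgt      = $state['CloudTgt']             # Microsoft Entra Kerberos ticket
    }
}

$s = Get-WhfbSsoState
$s

if ($s.NgcSet -ne 'YES')     { Write-Warning 'No WHfB key: provisioning has not completed on this device for this user.' }
if ($s.AzureAdPrt -ne 'YES') { Write-Warning 'No PRT: expect repeated prompts in cloud apps and device-based Conditional Access to fail.' }
if ($s.DomainJoined -eq 'YES' -and $s.OnPremTgt -ne 'YES') {
    Write-Warning 'Hybrid device without an on-prem TGT: check key sync (msDS-KeyCredentialLink), DC certificates, or the cloud Kerberos trust setup.'
}
```

The three warnings map to the three failure modes discussed in this section: missing key (provisioning), missing PRT (cloud SSO), and a PRT without an on-premises TGT (the hybrid path to AD resources).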

Internal security: biometrics, TPM, and protection against attacks

One of the pillars of WHfB is that biometric data never leaves the device. The templates generated by the sensors are stored locally in an encrypted database (for example, under C:\Windows\System32\WinBioDatabase) using a unique key per database, protected with AES in CBC mode and SHA-256 as the hash function.

This means that even if an attacker gained access to those files, they could not reconstruct the user's face image or fingerprint, nor use them on another device. In addition, each sensor maintains its own storage, which reduces the chance of a single point of biometric template theft.

The Windows Hello for Business PIN is also better protected than a traditional password. It does not travel over the network, it is validated locally, and the TPM enforces anti-hammering: it locks out after too many failed attempts, which makes dictionary or brute-force attacks impractical. And if someone does steal the PIN, it only works on that specific device, because the credential is bound to the hardware.

Against modern threats (phishing, password reuse, credential stuffing), WHfB relies on device-bound public key cryptography, which by design avoids exposing shared secrets. This aligns with standards and recommendations such as NIST SP 800-63B and with modern trust models built on verified identity rather than shared secrets.

Deployment models: cloud, hybrid, and on-premises

WHfB is flexible in terms of topology, but that flexibility brings some complexity. Broadly speaking, there are three deployment models that combine Microsoft Entra ID, Active Directory, PKI, and federation in different ways.

Cloud-only model

For organizations living almost 100% in Microsoft 365 and other SaaS services, with no relevant on-premises components, the simplest model is cloud-only with devices joined to Microsoft Entra. In this scenario:

  • All users and devices live in Microsoft Entra ID.
  • Device and key registration happen directly in the cloud.
  • No enterprise PKI or domain controller certificates are required.
  • SSO relies on the PRT and Microsoft Entra tokens for applications.

It is the most direct option for cloud-first companies, with a small infrastructure footprint and a relatively simple rollout, ideal when there are few or no on-premises resources.

Hybrid model: the most common case

Most companies are somewhere in between: an on-premises Active Directory synchronized with Microsoft Entra ID. WHfB shines here, but it is also where configuration problems are most frequent if the rollout is not planned well.

In a hybrid environment, identities are synchronized with Microsoft Entra Connect Sync, and there are several possible combinations of deployment model (hybrid) and trust type (cloud Kerberos, key, or certificate). The goal is usually to offer:

  • SSO to cloud services (SharePoint Online, Teams, OIDC/SAML applications).
  • Transparent access to on-premises resources (shares, Kerberos apps, VPN, RDP).
  • A clear exit path from passwords, while keeping legacy applications working.

The main trust types in hybrid scenarios are:

  • Cloud Kerberos trust: Microsoft Entra Kerberos issues TGTs for Active Directory without requiring additional public key infrastructure (PKI). This is the most modern and simplest hybrid model, because it builds on the FIDO2 infrastructure and does not require synchronizing public keys back to Active Directory.
  • Key trust: users authenticate to Active Directory using the device-bound key; domain controllers need specific certificates. A PKI is required for the domain controllers, but not for user certificates.
  • Certificate trust: user certificates are issued and used to obtain Kerberos TGTs. This requires a full PKI, AD FS as the CRA, and a considerably more elaborate setup.

Choosing the right trust type matters: none of them is inherently "more secure"; they differ in cost, complexity, and infrastructure requirements. Cloud Kerberos trust is usually the best choice for new deployments, as long as the client and server Windows versions meet the minimum requirements.

Pure on-premises model

Organizations with strict regulatory constraints, or with little or no cloud footprint, can choose to deploy WHfB 100% on-premises, backed by Active Directory and AD FS. In this model:

  • Device registration is handled by AD FS.
  • Authentication can be key-based or certificate-based, but it is always backed by an enterprise PKI.
  • MFA options include adapters for AD FS or solutions such as Azure MFA Server (now deprecated) integrated on-premises.

This approach gives full control over authentication data. However, it demands considerable infrastructure effort (PKI, AD FS, publishing CRLs that non-domain computers can reach, and so on), something not every organization wants to carry in the long term.

Reachable PKI, domain controller certificates, and CRLs

In models that depend on certificates (whether for users, domain controllers, or both), the PKI becomes the heart of the trust. WHfB requires strong validation of the KDCs when a device joined to Microsoft Entra authenticates to an on-premises domain.

In practice, this means the domain controller certificate must meet certain technical conditions: issued by a root CA the device trusts, based on the Kerberos Authentication template, with the "KDC Authentication" EKU, the correct DNS name, RSA 2048 and SHA-256 as the signature algorithm, among other requirements.

It is also essential that the device can check certificate revocation. Here a typical CRL problem appears: a device joined only to Microsoft Entra cannot read LDAP paths in Active Directory before it has authenticated, so the CRL distribution point must be published at an HTTP URL that is reachable without authentication.

This involves preparing a web server (IIS, for example), creating a directory (cdp) and setting its NTFS and share permissions, disabling offline caching on the share, configuring the CA to publish the CRL to that share and expose it over HTTP. Once that is done, you need to renew the domain controller certificate so that it includes the new CDP, and make sure the enterprise root certificate is pushed to Entra-joined devices (for example, with Intune and a "Trusted certificate" profile).
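The following added example (not part of the original article) turns the requirements above into two checks you can run after renewing the DC certificate: one on the domain controller itself, verifying the KDC Authentication EKU, the DNS name, SHA-256, an RSA key of at least 2048 bits, and an http:// entry in the CDP extension; and one from any machine, fetching the CRL anonymously over HTTP the way an Entra-joined client would and reporting whether it is already stale. The CDP URL is a placeholder, and the date parsing of `certutil -dump` output assumes an English locale.

```powershell
# Added example (not from the original article). Assumptions: run on a DC for
# Test-KdcCertificate; the CDP URL is a placeholder; certutil output is in English.
$KdcAuthEku = '1.3.6.1.5.2.3.5'   # "KDC Authentication" EKU OID

function Test-KdcCertificate {
    param([string]$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower())
    $results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus -notcontains $KdcAuthEku) { continue }   # only candidate KDC certs
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $cdpText = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |   # CRL Distribution Points
                   ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Issuer         = $cert.Issuer
            DnsNameMatches = (@($cert.DnsNameList.Unicode | ForEach-Object { $_.ToLower() }) -contains $DcFqdn)
            Sha256Signed   = ($cert.SignatureAlgorithm.FriendlyName -match 'sha256')
            Rsa2048OrMore  = ($null -ne $rsa -and $rsa.KeySize -ge 2048)
            NotExpired     = ($cert.NotAfter -gt (Get-Date))
            HttpCdp        = [bool]($cdpText | Select-String -Pattern 'http://' -Quiet)   # required for Entra-joined clients
        }
    }
    if (-not $results) { Write-Warning "No certificate with the KDC Authentication EKU found on $DcFqdn" }
    $results
}

function Test-CrlOverHttp {
    param([Parameter(Mandatory)][string]$CdpUrl)
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    # No credentials are sent on purpose: this must work for a device that has not authenticated yet
    Invoke-WebRequest -Uri $CdpUrl -OutFile $tmp -UseBasicParsing
    $dump = certutil.exe -dump $tmp
    $m = $dump | Select-String -Pattern 'Next Update:\s*(.+)$' | Select-Object -First 1
    if (-not $m) { throw "Could not parse a CRL from $CdpUrl (is the URL serving the .crl, not an HTML page?)" }
    $next = [datetime]$m.Matches[0].Groups[1].Value
    [pscustomobject]@{ Url = $CdpUrl; NextUpdate = $next; Stale = ($next -lt (Get-Date)) }
}

Test-KdcCertificate | Format-List
Test-CrlOverHttp -CdpUrl 'http://crl.corp.example/cdp/corp-CA.crl'
```

A `Stale = True` result means the CA is publishing to the share but the copy the web server serves is old; that is exactly the situation in which Entra-joined devices start failing on-premises sign-in while domain-joined ones, which fall back to LDAP, keep working.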

Directory synchronization, MFA, and device configuration

The end-user experience with Windows Hello for Business depends heavily on how directory synchronization, MFA, and policy configuration fit together.

In hybrid deployments, Microsoft Entra Connect Sync does not only synchronize accounts; it can also synchronize key attributes such as msDS-KeyCredentialLink, which holds the WHfB public key needed to authenticate against AD. In environments that still use Azure MFA Server, synchronization is used to import users into the MFA server, which then calls the cloud service for verification.

Regarding multi-factor authentication, organizations have several options: Microsoft Entra MFA for cloud or hybrid scenarios, external integrations through external authentication methods in Entra ID or through federation, and third-party MFA adapters for AD FS in on-premises environments. The FederatedIdpMfaBehavior setting on federated domains determines whether Entra ID accepts, enforces, or rejects MFA performed by the federated IdP, which can be critical for WHfB provisioning to work correctly.

WHfB configuration on devices can be done with Group Policy (GPO) or the CSP through MDM (for example, Intune). In modern organizations it is common to enable automatic WHfB enrollment, require MFA at first sign-in, define PIN complexity policies, and control which biometric methods are accepted (approved sensors only, IR cameras, and so on).

In parallel, it is important to plan the recovery experience: self-service PIN reset, alternative methods such as FIDO2 keys, and BitLocker encryption to protect data at rest if the device is lost or stolen.
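As an added example (not code from the original article), the script below writes the same registry-backed policy values that the "Windows Hello for Business" GPO (Passport.admx) and the PassportForWork CSP set, so you can stage a configuration on a test machine before committing it to a GPO or an Intune profile: enable WHfB, require a hardware security device, opt into cloud Kerberos trust, and set a PIN complexity policy. The value names are taken from the ADMX template and should be verified against the template version you ship; a domain GPO or MDM policy will overwrite these local values on the next refresh.

```powershell
# Added example (not from the original article). Value names assumed from
# Passport.admx / the PassportForWork CSP; run elevated on a test machine.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Set-WhfbLocalPolicy {
    param(
        [int]$MinimumPinLength = 8,
        [switch]$RequireTpm,            # refuse software-only key protection
        [switch]$CloudKerberosTrust     # hybrid: no key writeback, no DC certificates for users
    )
    foreach ($path in $Base, "$Base\PINComplexity") {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    # "Use Windows Hello for Business" = Enabled
    Set-ItemProperty -Path $Base -Name Enabled -Type DWord -Value 1
    # "Use a hardware security device" (1 = keys must live in the TPM)
    Set-ItemProperty -Path $Base -Name RequireSecurityDevice -Type DWord -Value ([int]$RequireTpm.IsPresent)
    # "Use cloud Kerberos trust for on-premises authentication"
    Set-ItemProperty -Path $Base -Name UseCloudTrustForOnPremAuth -Type DWord -Value ([int]$CloudKerberosTrust.IsPresent)
    # PIN complexity; for Digits/letters the ADMX enum is 1 = required, 2 = not allowed, 0/absent = allowed
    Set-ItemProperty -Path "$Base\PINComplexity" -Name MinimumPINLength -Type DWord -Value $MinimumPinLength
    Set-ItemProperty -Path "$Base\PINComplexity" -Name Digits           -Type DWord -Value 1
    Set-ItemProperty -Path "$Base\PINComplexity" -Name LowercaseLetters -Type DWord -Value 1
}

function Get-WhfbLocalPolicy {
    $p = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue
    $c = Get-ItemProperty -Path "$Base\PINComplexity" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled                    = $p.Enabled
        RequireSecurityDevice      = $p.RequireSecurityDevice
        UseCloudTrustForOnPremAuth = $p.UseCloudTrustForOnPremAuth
        MinimumPINLength           = $c.MinimumPINLength
        DigitsRequired             = ($c.Digits -eq 1)
        LowercaseRequired          = ($c.LowercaseLetters -eq 1)
    }
}

Set-WhfbLocalPolicy -MinimumPinLength 8 -RequireTpm -CloudKerberosTrust
Get-WhfbLocalPolicy
# Then: gpupdate /force, sign out and back in; dsregcmd /status should show NgcSet : YES
# once the user completes provisioning (MFA prompt followed by PIN setup).
```

Requiring the hardware security device is the setting to watch on mixed fleets: on a machine without a usable TPM 2.0 it does not degrade to a software key, it blocks provisioning, which is the intended behaviour but needs to be matched against the hardware inventory before it goes into a broad GPO.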

Licensing, system requirements, and practical limits

A common myth is that you always need Microsoft Entra ID P1 or P2 to use WHfB. In reality, the core WHfB functionality is available with the free tier of Entra ID, and the multi-factor authentication required for provisioning can be enabled without premium licenses, although features such as automatic MDM enrollment, advanced Conditional Access, or device writeback do require higher tiers.

As for operating systems, practically all modern Windows client versions support WHfB, but cloud Kerberos trust needs higher minimum versions (for example, Windows 10 21H2 with certain updates, or specific Windows 11 versions). On the server side, any supported Windows Server version can generally act as a DC, although the cloud Kerberos component requires specific versions and updates on the domain controllers.

Beyond the technical aspects, there are very practical challenges: shared workstations, where WHfB, being per device and per user, is often a poor fit; hardware without TPM 2.0 or biometric sensors; or sites where the cost of replacing old fleets, deploying a PKI, and upgrading 2012 DCs makes full adoption of WHfB unattractive in the short term.

In such cases, the realistic path is to combine WHfB with other passwordless factors (FIDO2 keys, smart cards, phone-based authentication) to cover shared workstations, non-Windows platforms, or highly mobile users, leaving WHfB as the primary authenticator on corporate laptops that are Entra joined or hybrid joined.

Looking at the whole picture, Windows Hello for Business offers much more than a "nicer PIN": it brings hardware-bound asymmetric credentials, strong KDC validation, deep integration with Microsoft Entra ID and Active Directory, and a robust framework for secure SSO both in the cloud and on-premises. However, its real value compared to basic Windows Hello depends on your starting point: in modern cloud-first environments, or with up-to-date PKI and DCs, the gain in security and manageability clearly outweighs the effort; in older domains, with little ready hardware and no modern management, it may make more sense to invest first in hardware, PKI, and access control before embracing the full capabilities of WHfB.
