Automatic domain join for virtual machine instances

US 10,509,663 B1
Filed: 02/04/2015
Issued: 12/17/2019
Est. Priority Date: 02/04/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, at a computing resource service provider separate from a requesting device, a request from a user associated with the requesting device to launch a virtual machine instance to be joined to a directory, the directory including a directory domain controller;

processing, by the computing resource service provider, the request to determine configuration information associated with the directory;

storing, by the computing resource service provider, the configuration information;

obtaining, at the computing resource service provider, a temporary set of credentials generated by launching the virtual machine instance;

authenticating, by the directory domain controller, that the user is authorized to join the directory based on the temporary set of credentials;

transmitting, by the computing resource service provider, a command to the directory domain controller to create a computer account corresponding to the directory; and

causing, by the directory domain controller, the virtual machine instance to join the directory based at least in part on the configuration information and authentication of the temporary set of credentials generated by the virtual machine instances.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A customer submits a request to a virtual computer system service to launch a virtual machine instance and to join this instance to a managed directory. The service may obtain, from the customer, a domain name and Internet Protocol addresses for the selected directory, which is then stored within a systems management server. When launched, the instance may initiate an agent, which may communicate with the systems management server to obtain the configuration information. The agent may use this configuration information to establish a communications channel with the managed directory and create a temporary set of computer credentials that may be used to verify that the customer is authorized to join the virtual machine instance to the managed directory. If the credentials are valid, the managed directory may generate a computer account within the managed directory, which may be used to join the virtual machine instance to the managed directory.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, at a computing resource service provider separate from a requesting device, a request from a user associated with the requesting device to launch a virtual machine instance to be joined to a directory, the directory including a directory domain controller;
  
  processing, by the computing resource service provider, the request to determine configuration information associated with the directory;
  
  storing, by the computing resource service provider, the configuration information;
  
  obtaining, at the computing resource service provider, a temporary set of credentials generated by launching the virtual machine instance;
  
  authenticating, by the directory domain controller, that the user is authorized to join the directory based on the temporary set of credentials;
  
  transmitting, by the computing resource service provider, a command to the directory domain controller to create a computer account corresponding to the directory; and
  
  causing, by the directory domain controller, the virtual machine instance to join the directory based at least in part on the configuration information and authentication of the temporary set of credentials generated by the virtual machine instances.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein causing the virtual machine instance to join the directory based at least in part on the configuration information further comprises transmitting a second request to a managed directory service to establish a communications channel between the virtual machine instance and the directory domain controller of the directory.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving, at the computing resource service provider, a second request to access the virtual machine instance, the second request to access the virtual machine instance including a set of credentials for a user;
      
      determining the set of credentials for the user are valid;
      
      evaluating one or more policies to determine whether the user is authorized to access the directory; and
      
      as a result of a determination that the user is not authorized to access the directory, disabling functionality of the virtual machine instance to prevent the user from using the virtual machine instance to access the directory.
  - 4. The method of claim 1, wherein the computer-implemented method further comprises obtaining, by the computing resource service provider, a location of a file system associated with the directory, the location of the file system providing a set of computer resources used to operate the virtual machine instance joined to the directory.

5. A computer system, comprising:
- one or more processors; and
  
  memory storing therein instructions that, as a result of being executed by the one or more processors, cause the computer system to;
  
  receive, from a user of a computing device separate from the computer system, a request to launch and join a virtual machine instance to a directory, the directory managed by a directory domain controller;
  
  process, by the computer system, the request by at least obtaining configuration information associated with the directory;
  
  store the configuration information in association with the virtual machine instance;
  
  launch the virtual machine instance;
  
  obtain a temporary set of credentials generated by the virtual machine instance;
  
  authenticate, using the directory domain controller, that the user is authorized to join the directory based at least in part on the generated temporary set of credentials;
  
  cause an account for the virtual machine instance to be generated based on authenticating the temporary set of credentials generated by the virtual machine instance; and
  
  cause the account of the virtual machine instance to be associated with the directory based at least in part on the configuration information and authentication of the temporary set of credentials.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The computer system of claim 5, wherein the configuration information includes a fully qualified domain name for the directory and one or more domain name system Internet Protocol addresses for the directory, the fully qualified domain name and the domain name system Internet Protocol addresses usable by the virtual machine instance to establish a communications channel with the directory domain controller of the directory.
  - 7. The computer system of claim 5, wherein the computer system further comprises the virtual machine instance;
    - andexecution of the instructions causes the virtual machine instance to;
      
      receive a second request to access the virtual machine instance, the second request to access the virtual machine instance including the temporary set of credentials for the user;
      
      determine whether the temporary set of credentials for the user are valid;
      
      transmit, to an identity management service, a third request to determine whether the user is authorized to access the directory; and
      
      as a result of the user not being authorized to access the directory, cause the virtual machine instance to prevent the user from using the virtual machine instance to access the directory.
  - 8. The computer system of claim 5, wherein the memory further includes instructions that, as a result of being executed by one or more processors, cause the computer system to:
    - launch, by a virtual computer system service, the virtual machine instance; and
      
      store the configuration information within a database accessible by a server, such that the configuration information is associated with identification information for the virtual machine instance.
  - 9. The computer system of claim 5, wherein instructions that cause the computer system to cause the virtual machine instance to be associated with the directory further include instructions that, as a result of being executed by one or more processors, cause the computer system to cause the virtual machine instance to transmit a second request to a managed directory service to establish a communications channel with the virtual machine instance, through the managed directory service, to the directory domain controller of the directory.
  - 10. The computer system of claim 5, wherein:
    - the computer system further comprises the virtual machine instance; and
      
      execution of the instructions causes the virtual machine instance to;
      
      generate a set of computer credentials, the set of computer credentials used by the directory to verify that the user of the virtual machine instance is authorized to join the virtual machine instance to the directory and to generate a computer account to join the virtual machine instance to the directory;
      
      provide the set of computer credentials to the directory; and
      
      expose an application programming interface to an operating system of the virtual machine instance to allow the virtual machine instance to join the directory.
  - 11. The computer system of claim 5, wherein the virtual machine instance is hosted by a virtual computer system service on behalf of a customer of the virtual computer system service, the virtual computer system service being different than a managed directory service that maintains the directory.
  - 12. The computer system of claim 5, wherein the memory further includes instructions that, as a result of being executed by one or more processors, cause the computer system to:
    - obtain a location of a file system associated with the directory; and
      
      provide the virtual machine instance with the location such that the virtual machine instance can access the file system associated with the directory.

13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- receive, at a virtual computing system service of a computing resource service provider, a first request from a user to launch a virtual machine instance to be joined to a directory, the directory associated with a directory domain controller;
  
  transmit, to a server separate from the virtual computing system service, a second request to obtain configuration information associated with the directory;
  
  receive, from the server, the configuration information;
  
  launch, by the virtual computing system service, the virtual machine instance;
  
  transmit, to the server, a temporary set of credentials generated by an automated agent within the virtual machine instance;
  
  authenticate, using the directory domain controller, that the user is authorized to join the directory based at least in part on the temporary set of credentials;
  
  cause an account for the virtual machine instance to be generated as a result of authenticating the temporary set of credentials; and
  
  use the configuration information and the temporary set of credentials generated by the automated agent to join the virtual machine instance to the directory.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further include instructions that, as a result of being executed by one or more processors, cause the computer system to:
    - in response to the virtual machine instance having received a third request from the user to access the virtual machine instance, transmit, to an identity management service, a fourth request to determine whether the user is authorized to access the directory; and
      
      as a result of the user not being authorized to access the directory, prevent the user from using the virtual machine instance to access the directory.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further include instructions that, as a result of being executed by one or more processors, cause the computer system to transmit a third request to a managed directory service to establish a communications channel between the virtual machine instance and the directory domain controller.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the configuration information includes a fully qualified domain name for the directory and a domain name system Internet Protocol address for the directory, the fully qualified domain name and the domain name system Internet Protocol addresses used to establish a communications channel with the directory domain controller.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the virtual machine instance is hosted by the virtual computer system service on behalf of a customer of the virtual computer system service, the virtual computer system service being different than a managed directory service that maintains the directory.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the configuration information is stored within a database of the server, the configuration information being stored within the database in response to a previous request to launch the virtual machine instance and join the virtual machine instance to the directory.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further include instructions that, as a result of being executed by one or more processors, cause the computer system to cause the server to utilize a customer identifier associated with the request to determine one or more policies associated with the user utilizing the virtual machine instance specify that the user is authorized to join the virtual machine instance to the directory.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to join the virtual machine instance to the directory further instructions that, as a result of being executed by one or more processors, cause the computer system to cause an operating system of the virtual machine instance to join the virtual machine instance to the directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Unnikrishnan, Lekshmi, Sundaram, Manivannan, Mao, Martin Chen, Padisetty, Sivaprasad Venkata, Garg, Praerit, Palande, Sameer, Murphy, Bradley Scott, Ghosh, Manoj Krishna
Primary Examiner(s)
An, Meng Ai T
Assistant Examiner(s)
Huaracha, Willy W

Application Number

US14/614,230
Time in Patent Office

1,777 Days
Field of Search

718 1
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/4557   Distribution of virtual mac...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 9/45558   Hypervisor-specific managem...

Automatic domain join for virtual machine instances

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic domain join for virtual machine instances

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links