Methods and systems for controlling the scope of delegation of authentication credentials

US 20030018913A1
Filed: 06/20/2001
Published: 01/23/2003
Est. Priority Date: 06/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying a target service to which access is sought on behalf of a client;

causing a server operatively coupled to the client to request access to the target service on behalf of the client, from a trusted third-party, wherein the server provides the trusted third-party with a credential authenticating the server, information about the target service, and a service credential previously provided by the client to the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for controlling the scope of delegation of authentication credentials within a network environment. A server is configured to provide a trusted third-party with a ticket authenticating the server, information about a target service that a server seeks to access on behalf of the client, and a service ticket associated with the client. This service ticket may be provided by the client or may be a previously granted service ticket granted to the server for itself in the name of the client. The trusted third-party grants a new service ticket to access the target service to the server, in the client'"'"'s name, if such delegation is permitted according to delegation constraints associated with the client.

Citations

64 Claims

1. A method comprising:
- identifying a target service to which access is sought on behalf of a client;
  
  causing a server operatively coupled to the client to request access to the target service on behalf of the client, from a trusted third-party, wherein the server provides the trusted third-party with a credential authenticating the server, information about the target service, and a service credential previously provided by the client to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30)
- - 2. The method as recited in claim 1, wherein the trusted third-party includes at least one service selected from a group of services comprising a key distribution center (KDC) service, a certificate granting authority service, and a domain controller service.
  - 3. The method as recited in claim 2, wherein the trusted third-party provides the server with a new service credential granted in the name of the client rather than the server.
  - 4. The method as recited in claim 3, wherein the new service credential is configured for use by the server and the target service to which access is sought.
  - 5. The method as recited in claim 3, wherein the credential authenticating the server is a ticket that includes a ticket granting ticket associated with the server.
  - 6. The method as recited in claim 1, further comprising:
    - causing the trusted third-party to verify that the client has authorized delegation.
  - 7. The method as recited in claim 6, wherein:
    - the trusted third-party includes a key distribution center (KDC); and
      
      causing the trusted third-party to verify that the client has authorized delegation includes verifying the status of a restriction placed on the ticket originating from the client.
  - 8. The method as recited in claim 1, further comprising:
    - causing the trusted-third-party to selectively determine if the client is allowed to participate in delegation either based on information selected from a group comprising an identity of the client, a group affiliation associated with the client.
  - 9. The method as recited in claim 1, wherein the server is a front-end server with respect to a back-end server that is coupled to the front-end server, and wherein the back-end server is configured to provide the target service to which access is sought.
  - 10. The method as recited in claim 1, wherein:
    - the trusted third-party includes a key distribution center (KDC);
      
      the KDC provides a ticket-granting-ticket associated with the client to the client; and
      
      the client does not provide the ticket granting ticket to the server.
  - 11. The method as recited in claim 1, wherein:
    - the trusted third-party includes a key distribution center (KDC); and
      
      the server requests the new credential in a ticket granting service request message that includes a service ticket provided by the client to the server.
  - 13. The method as recited in claim 12, wherein the implementation-specific identity information includes information selected from a group comprising privilege attribute certificate (PAC) information, security identifier information, Unix identifier information, Passport identifier information, certificate information.
  - 14. The method as recited in claim 13, wherein the PAC information includes compound identity information.
  - 15. The method as recited in claim 13, wherein the PAC information includes access control restrictions for use as delegation constraints.
  - 17. The computer-readable medium as recited in claim 16, wherein the trusted third-party includes at least one service selected from a group of services comprising a key distribution center (KDC) service, a certificate granting authority service, and a domain controller service.
  - 18. The computer-readable medium as recited in claim 17, wherein the new service credential is granted in the name of the client rather than the server.
  - 19. The computer-readable medium as recited in claim 18, wherein the service credential is configured for use by the server and the target service.
  - 20. The computer-readable medium as recited in claim 18, wherein the credential authenticating the server includes a ticket granting ticket associated with the server.
  - 21. The computer-readable medium as recited in claim 16, further comprising:
    - causing the trusted third-party to verify that the client has authorized delegation.
  - 22. The computer-readable medium as recited in claim 21, wherein:
    - the trusted third-party includes a key distribution center (KDC); and
      
      causing the trusted third-party to verify that the client has authorized delegation includes verifying the status of a forwardable flag value as set by the client.
  - 23. The computer-readable medium as recited in claim 16, wherein the server is a front-end server with respect to a back-end server coupled to the front-end server, and wherein the back-end server is configured to provide the target service.
  - 24. The computer-readable medium as recited in claim 16, wherein:
    - the trusted third-party includes a key distribution center (KDC);
      
      the KDC provides a ticket-granting-ticket associated with the client to the client; and
      
      the client does not provide the ticket granting ticket to the server.
  - 25. The computer-readable medium as recited in claim 16, wherein:
    - the trusted third-party includes a key distribution center (KDC); and
      
      the requesting server requests the new service credential in a ticket granting service request message that includes a service ticket provided by the client to the server.
  - 27. The system as recited in claim 26, wherein the credential granting mechanism is provided by a trusted third party and includes at least one service selected from a group of services comprising a key distribution center (KDC) service, a certificate granting authority service, and a domain controller service.
  - 28. The system as recited in claim 27, wherein the new service credential is granted in the name of the client rather than the server.
  - 29. The system as recited in claim 28, wherein the service credential is configured for use by the server and the target service.
  - 30. The system as recited in claim 28, wherein the credential authenticating the server includes a ticket granting ticket associated with the server, and which was previously granted by the credential granting mechanism.

12. A method comprising:
- identifying a target service to which access is sought on behalf of a client; and
  
  causing a server operatively coupled to the client to request access to the target service on behalf of the client, from a trusted third party, wherein the server provides the trusted third party with a service credential authenticating the server, information about the target service, and a service credential previously provided by the client for the service, and wherein the client ticket includes implementation-specific identity information.

16. A computer-readable medium having computer-executable instructions for performing tasks comprising:
- in a server, determining a target service to which access is sought on behalf of a client coupled to the server;
  
  requesting a new service credential from a trusted third-party by providing the trusted third-party with a credential authenticating the server, information about the target service, and a service credential associated with the client and the requesting server.

26. A system comprising:
- a credential granting mechanism configured to receive a request for a new service credential from a server and in response generate the new service credential if delegation is allowable, and wherein the request includes ;
  
  a credential authenticating the requesting server, identifying information about a target service to which access is sought on behalf of a client coupled to the server, and a service credential that was previously granted to the client for use with the server.

31. A system comprising:
- a server configured to generate a request for a new service credential from a trusted third-party, the new service credential being associated with a client and a target service, the request comprising;
  
  a credential authenticating the server, information about the target service, and a service credential associated with the client and the server.
- View Dependent Claims (32, 33, 34, 35, 37, 39)
- - 32. The system as recited in claim 31, wherein the trusted third-party includes at least one service selected from a group of services comprising a key distribution center (KDC) service, a certificate granting authority service, and a domain controller service.
  - 33. The system as recited in claim 31, wherein the credential authenticating the server includes a ticket granting ticket associated with the server.
  - 34. The system as recited in claim 31, wherein the server is a front-end server with respect to the service.
  - 35. The system as recited in claim 31, wherein the server requests the new service credential in a ticket granting service request message that includes the service ticket associated with the client and the server.
  - 37. The computer-readable medium as recited in claim 36, wherein the credential authenticating the first server includes a ticket-granting-ticket (TGT) and the service credential includes a service ticket.
  - 39. The method as recited in claim 38, further comprising:
    - causing the server to request the new service ticket on behalf of the client by forwarding the server ticket granting ticket, information identifying the new service, and the service ticket to a trusted third party.

36. A computer-readable medium having stored thereon a data structure, comprising:
- a credential authenticating a first server, information identifying a second server, and a service credential associated with a client and the first server.

38. A method comprising:
- separately authenticating a server and a client;
  
  providing the server with a server ticket granting ticket;
  
  providing the client with a client ticket granting ticket and a service ticket for use with the server;
  
  providing the server with a new service ticket for use by the server for use with a new service without requiring the server to have access to the client ticket granting ticket.

40. A method comprising:
- identifying a target service to which access is sought on behalf of a client that has been authenticated using a first authentication method;
  
  causing a server that is operatively coupled to the target service and the client to request a service credential to itself from a second authentication method trusted third-party by identifying the client and the first authentication protocol; and
  
  causing the server to request a new service credential, for use by the server and the target service, from the second authentication method trusted third-party, wherein the server provides the trusted third-party with a credential authenticating the server, information about the target service, and the service credential to itself.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52, 53, 54, 55, 56, 57, 59, 60, 61, 62, 63, 64)
- - 41. The method as recited in claim 40, wherein the second authentication method trusted third-party includes at least one service selected from a group of services comprising a key distribution center (KDC) service, a certificate granting authority service, and a domain controller service.
  - 42. The method as recited in claim 41, wherein the new service credential is granted in an identity of the client rather than an identity of the server.
  - 43. The method as recited in claim 42, wherein the service credential is configured for use by the server and the target service to which access is sought.
  - 44. The method as recited in claim 42, wherein the credential authenticating the server includes a ticket granting ticket associated with the server.
  - 45. The method as recited in claim 40, further comprising:
    - upon receiving a request for the new service credential from the server, causing the second authentication method trusted third-party to verify that the client has authorized delegation.
  - 46. The method as recited in claim 40, wherein the server is a front-end server with respect to a back-end server that is coupled to the front-end server, and wherein the back-end server is configured to provide the target service.
  - 47. The method as recited in claim 40, wherein the first authentication method is selected from a group of authentication methods comprising Passport, SSL, NTLM, and Digest.
  - 48. The method as recited in claim 40, wherein the second authentication method includes a Kerberos authentication protocol.
  - 50. The computer-readable medium as recited in claim 49, wherein the second authentication method trusted third-party includes a key distribution center (KDC).
  - 51. The computer-readable medium as recited in claim 50, wherein the new service ticket includes a service ticket granted in an identity of the client rather than an identity of the server.
  - 52. The computer-readable medium as recited in claim 51, wherein the service ticket is configured for use by the server and the target service.
  - 53. The computer-readable medium as recited in claim 51, wherein the ticket authenticating the server includes a ticket granting ticket associated with the server.
  - 54. The computer-readable medium as recited in claim 49, further comprising:
    - upon receiving a request for the new service ticket from the server, causing the second authentication method trusted third-party to verify that the client has authorized delegation.
  - 55. The computer-readable medium as recited in claim 49, wherein the server is a front-end server with respect to a back-end server that is coupled to the front-end server, and wherein the back-end server is configured to provide the target service.
  - 56. The computer-readable medium as recited in claim 49, wherein the first authentication method is selected from a group of authentication methods comprising Passport, SSL, NTLM, and Digest.
  - 57. The computer-readable medium as recited in claim 49, wherein the second authentication method includes a Kerberos authentication protocol.
  - 59. The system as recited in claim 58, wherein the new service credential is granted in an identity of the client rather than the server.
  - 60. The system as recited in claim 59, wherein the new service credential is configured for use by the server and the target service.
  - 61. The system as recited in claim 59, wherein the credential authenticating the server includes a ticket granting ticket associated with the server.
  - 62. The system as recited in claim 57, wherein the server is a front-end server with respect to a back-end server that is coupled to the front-end server, and wherein the back-end server is configured to provide the target service.
  - 63. The system as recited in claim 57, wherein the first authentication method is selected from a group of authentication methods comprising Passport, SSL, NTLM, and Digest.
  - 64. The system as recited in claim 57, wherein the second authentication method uses a Kerberos authentication protocol.

49. A computer-readable medium having computer-executable instructions for performing tasks comprising:
- identifying a target service to which access is sought on behalf of a client that has been authenticated using a first authentication method;
  
  causing a server that is operatively coupled to the target service and the client to request a service ticket to itself from a second authentication method trusted third-party by identifying the client and the first authentication protocol; and
  
  causing the server to request a new service ticket, for use by the server and the identified service, from the second authentication method trusted third-party, wherein the server provides the trusted third-party with a ticket authenticating the server, information about the target service, and the service ticket to itself.

58. A system comprising:
- a server configurable to;
  
  identify a target service to which access is sought on behalf of a client that has been authenticated using a first authentication method, request a service credential to itself from a second authentication method trusted third-party by identifying the client and the first authentication method, and subsequently request a new service credential, for use by the server and the target service, from the second authentication method trusted third-party, wherein the server provides the second authentication method trusted third-party with a credential authenticating the server, information about the target service, and the service credential to itself.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brezak, John E., Ward, Richard B., Schmidt, Donald E.

Granted Patent

US 7,698,381 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 2221/2115   Third party

H04L 63/0807   using tickets, e.g. Kerbero...

Methods and systems for controlling the scope of delegation of authentication credentials

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for controlling the scope of delegation of authentication credentials

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links