Systems and Methods for Facilitating Distributed Authentication

US 20070107048A1
Filed: 10/06/2006
Published: 05/10/2007
Est. Priority Date: 10/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating distributed authentication, the method comprising the steps of:

(a) requesting, by a user of a client machine residing in a first domain, access to a resource residing in a second domain;

(b) authenticating, by the client machine, the user to an intermediate machine;

(c) impersonating, by the intermediate machine, the client machine;

(d) requesting, by the intermediate machine impersonating the client machine, access to the second domain from a domain controller residing in the second domain;

(e) authorizing, by the domain controller, the requested access to the second domain, responsive to a determination that the impersonated client machine is trusted for delegation;

(f) transmitting, by the domain controller, to an application server residing in the second domain, authentication data associated with the impersonated client machine;

(g) transmitting, by the application server, to the intermediate machine, a launch ticket uniquely identifying a logon token; and

(h) providing, by the client machine to the application server, the launch ticket to access the resource residing in the second domain.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for facilitating distributed authentication includes the step of requesting, by a user of a client machine residing in a first domain, access to a resource residing in a second domain. The client machine authenticates the user to an intermediate machine. The intermediate machine impersonates the client machine. The intermediate machine impersonating the client machine requests access to the second domain from a domain controller residing in the second domain. The domain controller authorizes the requested access, responsive to a determination that the impersonated client machine is trusted for delegation. The domain controller transmits to an application server residing in the second domain, authentication data associated with the impersonated client machine. The application server transmits, to the intermediate machine, a launch ticket uniquely identifying a logon token. The client machine provides, to the application server, the launch ticket to access the resource residing in the second domain.

Citations

33 Claims

1. A method for facilitating distributed authentication, the method comprising the steps of:
- (a) requesting, by a user of a client machine residing in a first domain, access to a resource residing in a second domain;
  
  (b) authenticating, by the client machine, the user to an intermediate machine;
  
  (c) impersonating, by the intermediate machine, the client machine;
  
  (d) requesting, by the intermediate machine impersonating the client machine, access to the second domain from a domain controller residing in the second domain;
  
  (e) authorizing, by the domain controller, the requested access to the second domain, responsive to a determination that the impersonated client machine is trusted for delegation;
  
  (f) transmitting, by the domain controller, to an application server residing in the second domain, authentication data associated with the impersonated client machine;
  
  (g) transmitting, by the application server, to the intermediate machine, a launch ticket uniquely identifying a logon token; and
  
  (h) providing, by the client machine to the application server, the launch ticket to access the resource residing in the second domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising the step of receiving, by the client machine, from the application server, output data generated by an execution of the resource.
  - 3. The method of claim 1, wherein step (a) further comprises requesting, by a user having an account in a third domain, via the client machine residing in the first domain, access to a resource residing in the second domain.
  - 4. The method of claim 1, wherein step (a) further comprises requesting, by the user of the client machine residing in the first domain, access to an application program executed by an application server residing in the second domain.
  - 5. The method of claim 1, wherein step (a) further comprises requesting, by the user of the client machine residing in the first domain, access to a WINDOWS application program executed by an application server residing in the second domain.
  - 6. The method of claim 1, wherein step (a) further comprises providing, by the user of the client machine, authentication credentials to the client machine, the authentication credentials associated with an account associated with the user in the first domain.
  - 7. The method of claim 1, wherein step (a) further comprises providing, by the user of the client machine, authentication credentials to the client machine, the authentication credentials associated with an account associated with the user in a third domain.
  - 8. The method of claim 1, wherein step (b) further comprises authenticating, by the client machine, the user to an intermediate machine using Active Directory Federation Services.
  - 9. The method of claim 1, wherein step (b) further comprises authenticating, by the client machine, the user to a web server using Active Directory Federation Services.
  - 10. The method of claim 1, wherein step (b) further comprises transmitting, by the client machine, authentication credentials associated with the user to the intermediate machine, via a plurality of intermediate machines.
  - 11. The method of claim 1, wherein step (b) further comprises transmitting, by the client machine, an Active Directory Federation Services claim associated with the user to the intermediate machine, via a plurality of intermediate machines.
  - 12. The method of claim 1, wherein step (b) further comprises authenticating, by the client machine, the user to an intermediate machine via an Integrated Authentication technique.
  - 13. The method of claim 1, wherein step (b) further comprises authenticating, by the client machine, the user to an intermediate machine by providing an Integrated Authentication credential.
  - 14. The method of claim 1, wherein step (c) further comprises using, by the intermediate machine, an Active Directory Federation Services component to impersonate the client machine.
  - 15. The method of claim 1, wherein step (f) further comprises transmitting, by the domain controller, to the application server, WINDOWS authentication credentials associated with the user.
  - 16. The method of claim 1, wherein step (g) further comprises transmitting, by the intermediate machine to the client machine, the launch ticket.

17. A system for facilitating distributed authentication comprising:
- a client machine, residing in a first domain, requesting access to a resource residing in a second domain;
  
  an intermediate machine receiving, from the client machine, authentication credentials associated with a user of the client machine, authenticating the user, and impersonating the client machine;
  
  a domain controller residing in the second domain, receiving a request for access to the second domain from the intermediate machine impersonating the client machine and determining that the impersonated client machine is trusted for delegation; and
  
  an application server receiving, from the domain controller, authentication data associated with the user of the impersonated client machine with a request for access to the resource on the second domain and transmitting, to the intermediate machine impersonating the client machine, a launch ticket uniquely identifying a logon token;
  
  wherein the client machine provides the launch ticket to the application server to access the resource residing in the second domain.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 18. The system of claim 17, wherein the application server further comprises a transmitter sending output data generated by an execution of the resource to the client machine.
  - 19. The system of claim 17, wherein the client machine further comprises a transmitter sending a request for access to a resource residing in the second domain, for a user having an account on the first domain.
  - 20. The system of claim 17, wherein the client machine further comprises a transmitter sending a request for access to a resource residing in the second domain, for a user having an account on a third domain.
  - 21. The system of claim 17, wherein the client machine further comprises a transmitter sending a request for access to an application program executed by an application server residing in the second domain.
  - 22. The system of claim 17, wherein the client machine further comprises a transmitter sending a request for access to a WINDOWS application program executed by an application server residing in the second domain.
  - 23. The system of claim 17, wherein the client machine further comprises a receiver receiving, from the user, authentication credentials associated with an account associated with the user on the first domain.
  - 24. The system of claim 17, wherein the client machine further comprises a receiver receiving, from the user, authentication credentials associated with an account associated with the user on a third domain.
  - 25. The system of claim 17, wherein the intermediate machine further comprises an authentication component for authenticating the user of the client machine using Active Directory Federation Services.
  - 26. The system of claim 17, wherein the intermediate machine further comprises a web server using Active Directory Federation Services to authenticate the user of the client machine.
  - 27. The system of claim 17, wherein the intermediate machine further comprises a receiver receiving, from the client machine, authentication credentials associated with the user, via a plurality of intermediate machines.
  - 28. The system of claim 17, wherein the intermediate machine further comprises a receiver receiving an Active Directory Federation Services claim associated with the user, via a plurality of intermediate machines.
  - 29. The system of claim 17, wherein the intermediate machine further comprises an authentication component authenticating the user of the client machine via an Integrated Authentication technique.
  - 30. The system of claim 17, wherein the intermediate machine further comprises an authentication component authenticating the user of the client machine responsive to a received Integrated Authentication credential.
  - 31. The system of claim 17, wherein the intermediate machine further comprises an Active Directory Federation Service component used to impersonate the client machine.
  - 32. The system of claim 17, wherein the domain controller further comprises a transmitter sending, to the application server, WINDOWS authentication credentials associated with the user.
  - 33. The system of claim 17, wherein intermediate machine further comprises a transmitter sending, to the client machine, the launch ticket.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Halls, David, Mayers, Chris

Granted Patent

US 8,112,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0218   Distributed architectures, ...

H04L 63/0407   wherein the identity of one...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

Systems and Methods for Facilitating Distributed Authentication

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Facilitating Distributed Authentication

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links