Policy driven, credential delegation for single sign on and secure access to network resources
First Claim
1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising:
request from a client for an application, service or resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;
initiating a handshake between the client and the server;
negotiating to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;
mutually authenticating the server and the client utilizing the selected authentication package as the authentication mechanism;
determining whether mutual authentication has occurred according to said mutually authenticating step, and if mutual authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;
prior to transmitting the credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user's credentials; and
if the server can be trusted, transmitting the user's credentials to the server to gain access to the requested application, service or resource of the server from the client.
Abstract
A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user's credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials, and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials, such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side has access to clear text credentials.
22 Claims
1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising the steps recited under First Claim above. Dependent claims: 2-16.

17. A client computing device, comprising:
a credential security support provider component for handling a request from the client computing device for an application, service or resource of a server in the networked computing environment, wherein the request implicates delegation of user credentials from the client computing device to the server; wherein the credential security support provider component initiates a handshake between the client and the server, negotiates the selection of a security support provider shared between the client and server to utilize as an authentication package for authenticating communications between the client and the server, performs steps to mutually authenticate the server and the client utilizing the authentication package, wherein, if mutual authentication has occurred, the credential security support provider component establishes a session between the client and server and a shared secret for encryption of messages communicated between the client and server according to the session, performs a policy check according to at least one pre-defined policy used to control and restrict the delegation of user credentials from the client computing device to the server, and transmits the user's credentials to the server to gain access to the requested application, service or resource of the server from the client only if the policy check is passed. Dependent claims: 18-21.

22. A method for delegating user credentials from a client to a server in a networked computing environment as part of a single sign to a server's resources, including:
receiving a user's credentials via a single sign of a user interface component of a client to access a set of resources of the server, and in response, initiating a handshake between the client and the server according to transport layer security (TLS) protocol;
negotiating to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;
mutually authenticating the server and the client utilizing the selected authentication package as the authentication mechanism;
if mutual authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server; and
securely delegating the user's credentials to the server to gain access to the set of resources.
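The client-side gate that claims 1, 17 and 22 describe (mutual authentication first, then a per-credential-type policy check, and only then release of the credential into the session), as an added Python model; this is not Microsoft's CredSSP code, and the credential-type names, SPN formats and the allow-list shape of the policy are assumptions.

```python
"""Model of the delegation gate in the claims (added example, not the patent's code).

Assumptions: credential types are named "default"/"fresh"/"saved", servers are
identified by SPN strings such as "TERMSRV/host", and a policy is an allow-list of
SPN patterns per credential type. Order of checks follows the claims: nothing is
handed to the transport until mutual authentication succeeded and policy passed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    server_spn: str               # target server name (constructed values in the demo)
    package: str                  # authentication package negotiated in the handshake
    mutually_authenticated: bool  # outcome of the mutual-authentication step
    shared_secret: bytes          # established only once mutual authentication passed


@dataclass
class DelegationPolicy:
    # credential type -> SPN patterns that type may be delegated to
    allowed_targets: Dict[str, List[str]] = field(default_factory=dict)


# Secure default: an empty allow-list delegates nothing to anyone.
DEFAULT_POLICY = DelegationPolicy()


def policy_check(session: Session, cred_type: str, policy: DelegationPolicy) -> Tuple[bool, str]:
    """Decide whether this server may receive this type of credential."""
    if not session.mutually_authenticated:
        return False, "mutual authentication did not complete"
    patterns = policy.allowed_targets.get(cred_type, [])
    if not any(fnmatchcase(session.server_spn.upper(), p.upper()) for p in patterns):
        return False, f"{session.server_spn} is not an allowed target for {cred_type} credentials"
    return True, "policy permits delegation"


def delegate_credentials(session: Session, cred_type: str, credential: str,
                         policy: DelegationPolicy,
                         send: Callable[[bytes, str], None]) -> Tuple[bool, str]:
    """Run the gate; `send` stands in for the channel keyed by the shared secret
    and is invoked only on a pass, so a refusal never touches credential material."""
    allowed, reason = policy_check(session, cred_type, policy)
    if allowed:
        send(session.shared_secret, credential)
    return allowed, reason


if __name__ == "__main__":
    rds = Session("TERMSRV/rds01.corp.example", "Kerberos", True, b"constructed-secret")
    pol = DelegationPolicy({"fresh": ["TERMSRV/*"]})
    print(delegate_credentials(rds, "fresh", "pw", pol, lambda k, c: None))      # (True, ...)
    print(delegate_credentials(rds, "default", "pw", pol, lambda k, c: None))    # (False, ...)
```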
Specification