Policy driven, credential delegation for single sign on and secure access to network resources

US 20070277231A1
Filed: 05/26/2006
Published: 11/29/2007
Est. Priority Date: 05/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising:

request from a client for an application, service or resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;

initiating a handshake between the client and the server;

negotiating to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;

mutually authenticating the server and the client utilizing the selected authentication package as the authentication mechanism;

determining whether mutual authentication has occurred according to said mutually authenticating step, and if mutual authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;

prior to transmitting the credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user'"'"'s credentials; and

if the server can be trusted, transmitting the user'"'"'s credentials to the server to gain access to the requested application, service or resource of the server from the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A credential security support provider (Cred SSP) is provided that enables any application to securely delegate a user'"'"'s credentials from the client, via client side Security Support Provider (SSP) software, to a target server, via server side SSP software in a networked computing environment. The Cred SSP of the invention provides a secure solution that is based in part upon a set of policies, including a default policy that is secure against a broad range of attacks, which are used to control and restrict the delegation of user credentials from a client to a server. The policies can be for any type of user credentials and the different policies are designed to mitigate a broad range of attacks so that appropriate delegation can occur for given delegation circumstances, network conditions, trust levels, etc. Additionally, only a trusted subsystem, e.g., a trusted subsystem of the Local Security Authority (LSA), has access to the clear text credentials such that neither the calling application of the Cred SSP APIs on the server side nor the calling application of the Cred SSP APIs on the client side have access to clear text credentials.

174 Citations

22 Claims

1. A method for delegating user credentials from a client to a server in a networked computing environment, comprising:
- request from a client for an application, service or resource of a server in the networked computing environment that implicates delegation of user credentials from the client to the server;
  
  initiating a handshake between the client and the server;
  
  negotiating to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;
  
  mutually authenticating the server and the client utilizing the selected authentication package as the authentication mechanism;
  
  determining whether mutual authentication has occurred according to said mutually authenticating step, and if mutual authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server;
  
  prior to transmitting the credentials for the request, performing a policy check according to at least one pre-defined policy defined for user credentials to determine whether the server can be trusted with the user'"'"'s credentials; and
  
  if the server can be trusted, transmitting the user'"'"'s credentials to the server to gain access to the requested application, service or resource of the server from the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the at least one pre-defined policy is a plurality of policies used to control and restrict the delegation of user credentials from a client to a server.
  - 3. The method of claim 2, wherein the plurality of policies address the mitigation of a broad range of attacks including at least one of Trojan or malware running on the client, default group policy settings and group policy values configurable by an administrator of the client, domain name service (DNS) poisoning to avoid resolution to a rogue server and denial of service attacks.
  - 4. The method of claim 2, wherein the plurality of policies include policies that at least one of allow or deny delegation based on a list of service principal names (SPNs) of the server.
  - 5. The method of claim 1, wherein the performing includes performing a policy check according to a relative strength of the authentication mechanism.
  - 6. The method of claim 1, wherein the performing includes performing a policy check according to at least one pre-defined policy defined based on the type of user credentials.
  - 7. The method of claim 6, wherein the performing includes performing a policy check according to at least one pre-defined policy defined based on whether the user credentials are fresh, saved or default credentials.
  - 8. The method of claim 1, wherein said transmitting of the user'"'"'s credentials includes transmitting the user'"'"'s credentials in a format that only a trusted subsystem of a local security system has access to the user'"'"'s credentials in clear text format.
  - 9. The method of claim 8, wherein the performing of the policy check is performed by a local security authority (LSA) and the trusted subsystem is a trusted subsystem of the LSA.
  - 10. The method of claim 1, further comprising:
    - after establishing the session between the client and server, authenticating the public key of the server.
  - 11. The method of claim 1, wherein said steps are performed via a credential security support provider component made available to the client making the request via a security support provider interface (SSPI).
  - 12. The method of claim 1, wherein the initial handshake is a handshake according to the secure sockets layer (SSL) or transport layer security (TLS) protocol.
  - 13. The method of claim 1, wherein the negotiating includes negotiating using Simple and Protected Generic Security Service Application Program Interface (GSSAPI) Negotiation Mechanism (SPNEGO) negotiation.
  - 14. The method of claim 1, wherein the selected authentication package is any one of Kerberos or NT Local Area Network (LAN) Manager (NTLM).
  - 15. The method of claim 1, wherein said shared secret is shared session key.
  - 16. An application programming interface comprising computer executable interface modules having computer executable instructions for performing the method of claim 1.

17. A client computing device, comprising:
- a credential security support provider component for handling a request from the client computing device for an application, service or resource of a server in the networked computing environment, wherein the request implicates delegation of user credentials from the client computing device to the server;
  
  wherein the credential security support provider component initiates a handshake between the client and the server, negotiates the selection of a security support provider shared between the client and server to utilize as an authentication package for authenticating communications between the client and the server, performs steps to mutually authenticate the server and the client utilizing the authentication package,wherein, if mutual authentication has occurred, the credential security support provider component establishes a session between the client and server and a shared secret for encryption of messages communicated between the client and server according to the session, performs a policy check according to at least one pre-defined policy used to control and restrict the delegation of user credentials from the client computing device to the server, and transmits the user'"'"'s credentials to the server to gain access to the requested application, service or resource of the server from the client only if the policy check is passed.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The client computing device of claim 17, wherein the credential security support provider component transmits the user'"'"'s credentials in a format that only a trusted subsystem of a local security authority (LSA) can decode to clear text format.
  - 19. The client computing device of claim 17, wherein the at least one pre-defined policy addresses the mitigation of any one or more of a broad range of attacks including Trojan or malware running on the client, default group policy settings and group policy values configurable by an administrator of the client, domain name service (DNS) poisoning to avoid resolution to a rogue server and denial of service attacks.
  - 20. The client computing device of claim 17, wherein the at least one pre-defined policy includes a delegation policy based on a relative strength of the authentication mechanism.
  - 21. The client computing device of claim 17, wherein the at least one pre-defined policy includes a delegation policy based on whether the user credentials are fresh, saved or default credentials.

22. A method for delegating user credentials from a client to a server in a networked computing environment as part of a single sign to a server'"'"'s resources, including:
- receiving a user'"'"'s credentials via a single sign of a user interface component of a client to access a set of resources of the server, and in response, initiating a handshake between the client and the server according to transport layer security (TLS) protocol;
  
  negotiating to select an authentication package shared between the client and server to utilize as an authentication mechanism for authenticating communications between the client and the server;
  
  mutually authenticating the server and the client utilizing the selected authentication package as the authentication mechanism;
  
  if mutual authentication has occurred, establishing a session between the client and server including establishing a shared secret for encryption of messages communicated between the client and server; and
  
  securely delegating the user'"'"'s credentials to the server to gain access to the set of resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Leach, Paul J., Parsons, John E., Hagiu, Costin, Medvinsky, Gennady, Ilac, Cristian, Fathalla, Mohamed Emad El Din, Kamel, Tarek Buhaa El-Din Mahmoud

Granted Patent

US 7,913,084 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

H04L 9/3273   for mutual authentication n...

Policy driven, credential delegation for single sign on and secure access to network resources

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Policy driven, credential delegation for single sign on and secure access to network resources

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others