SYSTEMS AND METHODS FOR USING EXTERNAL AUTHENTICATION SERVICE FOR KERBEROS PRE-AUTHENTICATION

US 20090110200A1
Filed: 01/18/2008
Published: 04/30/2009
Est. Priority Date: 10/25/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, from a principal of an authentication service, a request for authentication of the principal for the authentication service;

authenticating the principal in the authentication service; and

providing a key associated with the authenticated principal in the authentication service to a Kerberos Key Distribution Center (KDC).

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing Kerberos pre-authentication are presented. According to a method embodiment, a request for authentication is received from a principal of an authentication service. The principal in the authentication service is authenticated. A key associated with the authenticated principal in the authentication service is provided to a Kerberos Key Distribution Center (KDC).

Citations

24 Claims

1. A method, comprising:
- receiving, from a principal of an authentication service, a request for authentication of the principal for the authentication service;
  
  authenticating the principal in the authentication service; and
  
  providing a key associated with the authenticated principal in the authentication service to a Kerberos Key Distribution Center (KDC).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising authenticating for Kerberos the authenticated principal of the authentication service using the key provided to the KDC.
  - 3. The method of claim 2, further comprising:
    - receiving at the KDC a principal request to access a service; and
      
      providing a ticket with a random session key, using the KDC, to the principal for use to access the service.
  - 4. The method of claim 3, wherein the principal sends the ticket with the random session key to the service to authenticate itself to the service.
  - 5. The method of claim 1, wherein authenticating the principal in the authentication service includes using an authentication service that supports multiple authentication mechanisms to receive a sequence of authentication mechanisms from the principal.
  - 6. The method of claim 5, wherein the sequence of authentication mechanisms from the principal includes one or more of the following types of mechanisms:
    - password-based mechanisms, certificate-based mechanisms, or biometric-based mechanisms.
  - 7. The method of claim 5, wherein the sequence of authentication mechanisms from the principal includes logical AND and logical OR connections between mechanisms.
  - 8. The method of claim 5, wherein authenticating the principal in the authentication service includes authenticating the principal for a directory service, including authenticating the principal in a hierarchical, object oriented database that represent organizational assets in a logical tree.
  - 9. The method of claim 1, wherein providing the key associated with the authenticated principal to the KDC includes storing the received sequence for access by the KDC.
  - 10. The method of claim 1, wherein providing the key associated with the authenticated principal to the KDC includes generating a random password for the authenticated principal, generating a key derived from the random password, and sharing the key with the KDC using a table.
  - 11. The method of claim 1, wherein receiving a request for authentication of the principal for the authentication service includes supporting login methods that use smart cards, proximity cards, certificates, passwords, and challenge responses.

12. A method, comprising:
- receiving a key from a directory service, wherein the key is associated with an authenticated principal for the directory service;
  
  pre-authenticating the principal for Kerberos using the key;
  
  receiving a request from the principal to access a Kerberos-enabled service; and
  
  granting a ticket with a session key to the principal to enable the principal to communicate with the Kerberos-enabled service.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein pre-authenticating includes sending a random password generated by the directory service to the principal for use by the principal in creating a Key Distribution Center (KDC) request with PA-ENC-TIMESTAMP.
  - 14. The method of claim 12, further comprising receiving from the directory service a sequence of mechanisms used to authenticate the principal to the directory service, wherein pre-authenticating includes embedding the sequence in the TGT sent to the principal.

15. A system, comprising:
- a directory service, including an authentication service for the directory service;
  
  wherein the authentication service is to authenticate a principal of the directory service, generate a random key associated with the authenticated principal of the directory service, and provide a Kerberos Key Distribution Center (KDC) with the random key associated with the authenticated principal.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the authentication service includes an authentication service that supports multiple authentication mechanisms to receive a sequence of authentication mechanisms from the principal.
  - 17. The system of claim 16, wherein the directory service includes a hierarchical, object oriented database that represent organizational assets in a logical tree.
  - 18. The system of claim 16, wherein the authentication service supports a sequence of authentication mechanisms that includes logical AND and logical OR connections between mechanisms.
  - 19. The system of claim 16, wherein the sequence of multiple authentication mechanisms includes one or more mechanisms selected from a group of mechanisms consisting of:
    - password-based mechanisms, certificate-based mechanisms, and biometric-based mechanisms.
  - 20. The system of claim 16, further comprising a look-up table shared by the directory service and the KDC and used to share the random key.

21. A network, comprising:
- an authentication service;
  
  a Kerberos Key Distribution Center (KDC);
  
  a principal; and
  
  a Kerberos-enabled service,the authentication service is to authenticate the principal for both the directory service and the KDC, the KDC is to pre-authenticate the principal for Kerberos, receive a request from the principal to access the service, and grant a ticket with a session key to the principal to enable the principal to communicate with the Kerberos-enabled service.
- View Dependent Claims (22, 23, 24)
- - 22. The network of claim 21, wherein the authentication service includes an authentication service that supports multiple authentication mechanisms and is to receive a sequence of authentication mechanisms from the principal.
  - 23. The network of claim 21, wherein the authentication service includes a key cache shared by the directory service and the KDC, wherein the key cache includes a key for each authenticated principal.
  - 24. The network of claim 23, wherein the key expires after a time on the order of five minutes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Srinivas, Rahul

Granted Patent

US 8,516,566 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/083   involving central third par...

H04L 9/0869   involving random numbers or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

SYSTEMS AND METHODS FOR USING EXTERNAL AUTHENTICATION SERVICE FOR KERBEROS PRE-AUTHENTICATION

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR USING EXTERNAL AUTHENTICATION SERVICE FOR KERBEROS PRE-AUTHENTICATION

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links