Selective Cross-Realm Authentication

US 20090228969A1
Filed: 05/20/2009
Published: 09/10/2009
Est. Priority Date: 10/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from an entity authenticated in a first realm, a request to access a resource associated with a second realm;

determining whether entities authenticated by other than the second realm are allowed access to the resource according to a selective trust relationship between the second realm and other realms that include the first realm;

in an event that entities authenticated by other than the second realm are allowed access to the resource;

determining other realm access permissions to be assigned to entities authenticated by other than the second realm, based on the selective trust relationship, wherein the other realm access permissions are different from second realm access permissions that are to be assigned to entities authenticated by the second realm; and

granting the entity access to the resource according to the other realm access permissions; and

in an event that entities authenticated by other than the second realm are not allowed to access the resource, refusing to grant the entity access to the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.

82 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, from an entity authenticated in a first realm, a request to access a resource associated with a second realm;
  
  determining whether entities authenticated by other than the second realm are allowed access to the resource according to a selective trust relationship between the second realm and other realms that include the first realm;
  
  in an event that entities authenticated by other than the second realm are allowed access to the resource;
  
  determining other realm access permissions to be assigned to entities authenticated by other than the second realm, based on the selective trust relationship, wherein the other realm access permissions are different from second realm access permissions that are to be assigned to entities authenticated by the second realm; and
  
  granting the entity access to the resource according to the other realm access permissions; and
  
  in an event that entities authenticated by other than the second realm are not allowed to access the resource, refusing to grant the entity access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1 wherein determining whether entities authenticated by other than the second realm are allowed to access the resource comprises comparing a security identifier associated with the entity with an access control list associated with the resource, wherein the security identifier indicates that the entity was authenticated by other than the second realm.
  - 3. The method as recited in claim 1 wherein determining whether entities authenticated by other than the second realm are allowed to access the resource comprises comparing data associated with a security token to an access control list, wherein the data associated with the security token indicates that the entity was authenticated outside of the second realm.
  - 4. The method as recited in claim 3 wherein the security token comprises at least one of an SAML token and an XrML token.
  - 5. The method as recited in claim 1 wherein granting the entity access to the resource comprises completing an authentication request.
  - 6. The method as recited in claim 1 wherein granting the entity access to the resource comprises completing an NTLM authentication request.
  - 7. The method as recited in claim 1 wherein granting the entity access to the resource comprises serving a service ticket associated with the resource to the entity.
  - 8. A domain controller configured to perform the method as recited in claim 1.
  - 9. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to perform the method as recited in claim 1.

10. A method comprising:
- receiving, from a user authenticated in a first realm, a request to access a resource associated with a second realm; and
  
  associating with the user, an identifier that indicates the user was authenticated in a realm other than the second realm,wherein the second realm has a selective trust relationship with other realms, including the first realm, such that user access permissions to the resource associated with the second realm differ based on whether the user was authenticated in the second realm or whether the user was authenticated in one of the other realms.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method as recited in claim 10 wherein the user comprises an application.
  - 12. The method as recited in claim 10 wherein the user comprises a computer system.
  - 13. The method as recited in claim 10 wherein the identifier further indicates a type of authentication associated with the user.
  - 14. The method as recited in claim 10 wherein the associating comprises adding a security identifier to a privilege access certificate associated with the user.
  - 15. The method as recited in claim 10 wherein the associating comprises adding a security identifier to a privilege access certificate associated with the request.
  - 16. The method as recited in claim 10 wherein the associating comprises setting a flag associated with the user.
  - 17. The method as recited in claim 10 wherein the associating comprises setting a flag associated with the request.
  - 18. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computing system to perform the method as recited in claim 10.

19. A system comprising:
- a first domain controller implemented to maintain first user accounts and to authenticate users based on the first user accounts;
  
  a second domain controller implemented to maintain second user accounts and to authenticate users based on the second user accounts; and
  
  a cross-realm authenticator configured to associate, with a request from an entity authenticated by the first domain controller to access a resource associated with the second domain controller, an identifier that indicates that the request is from an entity authenticated by a domain controller other than the second domain controller.
- View Dependent Claims (20)
- - 20. The system as recited in claim 19 wherein the second domain controller is further configured to verify that an entity authenticated by a domain controller other than the second domain controller is allowed to access the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dyke, Cliff Van, Garg, Praerit, Jaganathan, Karthik, Schmidt, Donald E., Pustilnik, Mark

Granted Patent

US 8,510,818 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

Selective Cross-Realm Authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

82 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Selective Cross-Realm Authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links