Remote Access to Hosted Virtual Machines By Enterprise Users

US 20120096271A1
Filed: 10/15/2010
Published: 04/19/2012
Est. Priority Date: 10/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method for allowing a remote presentation session between a virtual machine hosted in a first domain and a client computer in a second domain, the method comprising:

establishing, at a server in the second domain, a communication session with the client computer;

receiving, by the server, a virtual machine identifier indicative of the virtual machine hosted in the first domain;

receiving from the virtualization manager in the second domain a cookie including a signed token and public key;

authenticating the token using the public key and verifying that the token maps to a user account in the first domain;

sending the virtual machine identifier to a virtualization system in the first domain;

receiving, from the virtualization system in the first domain, a confirmation that the identified virtual machine is valid and an identity of a target resource associated with the identified virtual machine;

sending to an intermediary listening service in the virtualization system the virtual machine identifier and received token; and

forwarding remote presentation session data to the intermediary listener service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An end user of an enterprise is enabled to receive secure remote presentation access to the assigned virtual machines in a hosted public cloud through the cloud provider'"'"'s virtualization hosts and remote presentation gateway. Thus an enterprise administrator may purchase computing capacity from the cloud provider and further sub-divide the purchased computing capacity among enterprise end users. The cloud provider need not create shadow accounts for each end user of the enterprise. The cloud provider AD and the enterprise AD do not need to trust each other. The cloud provider also need not expose host information to the tenants. Authorization may be provided by using a combination of a custom authorization plug-in at the terminal services gateway and an indirection listener component at the virtualization host. The host details may also be abstracted when the client connects to the remote presentation gateway so as to protect the fabric from attack and enabling the tenant virtual machines to freely move across the cloud provider'"'"'s virtualization hosts.

302 Citations

20 Claims

1. A method for allowing a remote presentation session between a virtual machine hosted in a first domain and a client computer in a second domain, the method comprising:
- establishing, at a server in the second domain, a communication session with the client computer;
  
  receiving, by the server, a virtual machine identifier indicative of the virtual machine hosted in the first domain;
  
  receiving from the virtualization manager in the second domain a cookie including a signed token and public key;
  
  authenticating the token using the public key and verifying that the token maps to a user account in the first domain;
  
  sending the virtual machine identifier to a virtualization system in the first domain;
  
  receiving, from the virtualization system in the first domain, a confirmation that the identified virtual machine is valid and an identity of a target resource associated with the identified virtual machine;
  
  sending to an intermediary listening service in the virtualization system the virtual machine identifier and received token; and
  
  forwarding remote presentation session data to the intermediary listener service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said establishing further comprises establishing a connection with the client computer over an HTTPS tunnel specifying a destination virtualization server and a destination port of the intermediary listening service.
  - 3. The method of claim 1, further comprising performing a host level authorization.
  - 4. The method of claim 1, further comprising querying, by an authorization plug-in executing on the server, the virtualization server to determine that the client computer is authorized to access the virtual machine based on the token.
  - 5. The method of claim 1, wherein said first domain is a cloud service provider.
  - 6. The method of claim 1, wherein said second domain is an enterprise providing its users access to virtual machines hosted by a cloud service provider.
  - 7. The method of claim 1, wherein the signed token includes a tenant ID, token ID, token expiration time, and authorized target virtual machine ID.

8. A system for allowing access to a virtual machine hosted in a first domain to a client computer in a second domain, comprising:
- a computing device comprising at least one processor;
  
  a memory communicatively coupled to said processor when said system is operational;
  
  said memory having stored therein computer instructions that upon execution by the at least one processor cause;
  
  receiving a first virtual machine identifier, signed token with public key, and a request for a virtual machine host associated with the virtual machine identifier;
  
  instantiating a remote presentation session with the client computer;
  
  receiving via the remote presentation session a target virtual machine identifier and correlating and authorizing the target virtual machine identifier with the first virtual machine identifier; and
  
  determining that the target and first virtual machine identifiers match and forwarding data received via the remote presentation session to the target virtual machine.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein said forwarding comprises forwarding the data via the remote presentation session at a single port listener in the first domain.
  - 10. The system of claim 8, wherein said correlating and authorizing further comprises determining that the first virtual machine has access to the target virtual machine based on user role policies in an authorization store XML.
  - 11. The system of claim 10, wherein said determining is performed using CredSSP.
  - 12. The system of claim 8, further comprising allowing console access to the target virtual machine.
  - 13. The system of claim 8, wherein said first domain is a cloud service provider.
  - 14. The system of claim 8, wherein the signed token includes a tenant ID, token ID, token expiration time, and authorized target virtual machine ID.

15. A computer readable storage medium storing thereon computer executable instructions for accessing a virtual machine hosted in a first domain by a client computer in a second domain, said instructions for:
- establishing a communication session with a virtualization host in the first domain;
  
  sending to a virtualization host in the first domain a virtual machine identifier and a claim requesting authorization for access to the identified virtual machine;
  
  receiving a signed token from the virtualization manager in the second domain;
  
  establishing a remote presentation session through the virtualization host in the first domain and sending an indication that a cookie-based authorization will be performed;
  
  sending to the virtualization host in the first domain a cookie including a signed token and public key; and
  
  establishing a remote presentation session with the requested virtual machine.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage medium of claim 15, wherein said establishing a communication session further comprises establishing a connection with the server in the second domain over an HTTPS tunnel specifying a virtualization server in the first domain and a destination port of an intermediary listening service.
  - 17. The computer readable storage medium of claim 15, wherein the signed token includes a tenant ID, token ID, token expiration time, and authorized target virtual machine ID.
  - 18. The computer readable storage medium of claim 15, wherein said second domain is an enterprise providing an end user with access to virtual machines hosted by a cloud service provider.
  - 19. The computer readable storage medium of claim 15, wherein said token is signed with a X.509 certificate.
  - 20. The computer readable storage medium of claim 15, wherein said token is a SAML token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ramarathinam, Aravind, Parthasarathy, Srivatsan, Michael, Michael

Granted Patent

US 8,607,054 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/172
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/168   above the transport layer

Remote Access to Hosted Virtual Machines By Enterprise Users

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

302 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Remote Access to Hosted Virtual Machines By Enterprise Users

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

302 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links