Authentication and authorization across autonomous network systems

US 7,185,359 B2
Filed: 12/21/2001
Issued: 02/27/2007
Est. Priority Date: 12/21/2001
Status: Expired due to Fees

First Claim

Patent Images

1. An enterprise network architecture, comprising:

a first network system including a plurality of first network system domains;

a second network system including a plurality of second network system domains, the second network system being autonomous from the first network system such that the first network system domains are administratively independent from the second network system domains; and

a trust link between a first network system root domain and a second network system root domain, the trust link configured to provide transitive resource access between the plurality of first network system domains and the plurality of second network system domains where the transitive resource access includes remote authentication such that an account managed by the second network system initiates a request for authentication via a first network system domain, and where it is determined from the trust link where to communicate the account request and to authenticate the request via the trust link.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.

147 Citations

62 Claims

1. An enterprise network architecture, comprising:
- a first network system including a plurality of first network system domains;
  
  a second network system including a plurality of second network system domains, the second network system being autonomous from the first network system such that the first network system domains are administratively independent from the second network system domains; and
  
  a trust link between a first network system root domain and a second network system root domain, the trust link configured to provide transitive resource access between the plurality of first network system domains and the plurality of second network system domains where the transitive resource access includes remote authentication such that an account managed by the second network system initiates a request for authentication via a first network system domain, and where it is determined from the trust link where to communicate the account request and to authenticate the request via the trust link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. An enterprise network architecture as recited in claim 1, wherein:
    - the first network system root domain is configured for communication with the plurality of first network system domains;
      
      the second network system root domain is configured for communication with the plurality of second network system domains; and
      
      the trust link is further configured to provide transitive security associations between the plurality of one or more first network system domains and the plurality of second network system domains.
  - 3. An enterprise network architecture as recited in claim 1, wherein the transitive resource access includes the remote authentication to access a resource managed in the second network system, such that the account managed by the second network system can initiate the request for authentication to access the resource via the first network system domain.
  - 4. An enterprise network architecture as recited in claim 1, wherein:
    - the first network system domain includes a first domain controller;
      
      a second network system domain includes a second domain controller; and
      
      a second network system domain includes a second domain controller; and
      
      the account managed by the second domain controller can initiate the request for remote network authentication via the first domain controller.
  - 5. An enterprise network architecture as recited in claim 1, wherein:
    - the first network system domain includes a first domain controller;
      
      a second network system domain includes a second domain controller; and
      
      the account managed by the second domain controller can initiate the request for authentication to access a resource managed in the second network system, the request for authentication communicated from the first domain controller to the second network system via the trust link.
  - 6. An enterprise network architecture as recited in claim 1, wherein:
    - the first network system root domain is configured for communication with the plurality of first network system domains, an individual first network system domain including a first domain controller;
      
      the second network system root domain is configured for communication with the second network system domains, an individual second network system domain including a second domain controller; and
      
      the account managed by the second domain controller can initiate the request for authentication to access a resource managed by the second domain controller, the request for authentication communicated from the first domain controller to the second domain controller via the first network system root domain, the trust link, and the second network system root domain.
  - 7. An enterprise network architecture as recited in claim 1, wherein the trust link is a one-way trust link initiated by an administrator of the first network system, and wherein the account in the second network system can access resources in the first network system.
  - 8. An enterprise network architecture as recited in claim 1, wherein the trust link is a one-way trust link initiated by an administrator of the first network system, the one-way trust link configured to provide transitive resource access from the second network system domains to the first network system domains.
  - 9. An enterprise network architecture as recited in claim 1, wherein the trust link is a two-way trust link initiated by a first network system administrator and by a second network system administrator, and wherein the transitive resource access is automatically configured when the trust link is established.
  - 10. An enterprise network architecture as recited in claim 1, wherein the first network system is configured to determine from the trust link where to communicate a request for a resource, the request received from the account managed in the first network system and the resource maintained by the second network system.
  - 11. An enterprise network architecture as recited in claim 1, wherein the first network system is configured to receive a request to logon to the second network system and determine from the trust link where to communicate the request, and wherein the second network system is configured to authenticate the request.
  - 12. An enterprise network architecture as recited in claim 1, wherein the trust link is a data structure configured to maintain namespaces corresponding to trusted network system domain components.
  - 13. An enterprise network architecture as recited in claim 1, wherein the trust link includes a first network system data structure and a second network system data structure, the first network system data structure configured to maintain trusted namespaces corresponding to the second network system, and the second network system data structure configured to maintain trusted namespaces corresponding to the first network system.
  - 14. An enterprise network architecture as recited in claim 1, wherein the trust link is a data structure configured to maintain namespaces corresponding to the second network system, and wherein the first network system is configured to:
    - maintain the data structure; and
      
      automatically designate which of the namespaces are trusted by the first network system.
  - 15. An enterprise network architecture as recited in claim 1, wherein the trust link is a data structure maintained by the first network system, the data structure configured to maintain namespaces corresponding to trusted second network system domain components, and the trusted second network system domain components being designated as trusted by a first network system administrator.
  - 16. An enterprise network architecture as recited in claim 1, wherein the trust link is a data structure maintained by the first network system, the data structure configured to maintain trusted namespaces corresponding to the second network system, and wherein the first network system is configured to receive a request to logon to the second network system and determine from the trusted namespaces where to communicate the request.
  - 17. An enterprise network architecture as recited in claim 1, wherein the first network system is configured to:
    - receive an account request to logon to the second network system; and
      
      provide a security identifier to the second network system, the security identifier corresponding to the account.
  - 18. An enterprise network architecture as recited in claim 1, wherein:
    - the first network system is configured to determine from the trust link where to communicate a service account request to access a resource maintained by the second network system;
      
      the first network system is further configured to provide a security identifier to the second network system, the security identifier corresponding to a user account maintained by the first network system; and
      
      the second network system is configured to determine from the trust link whether to trust the security identifier to authorize the service account request.
  - 19. An enterprise network architecture as recited in claim 1, wherein the trust link is a data structure maintained by the first network system, the data structure configured to maintain trusted namespaces corresponding to the second network system, and wherein the first network system is configured to:
    - determine from the trusted namespaces where to communicate a logon request received from the account managed in the second network system; and
      
      provide a security identifier to the second network system, the security identifier corresponding to the account.
  - 20. An enterprise network architecture as recited in claim 1, wherein the trust link is a data structure maintained by the first network system, the data structure configured to maintain trusted namespaces corresponding to the second network system, and wherein:
    - the first network system is configured to determine from the trusted namespaces where to communicate a service account request to access a resource maintained by the second network system;
      
      the first network system is further configured to provide a security identifier to the second network system, the security identifier corresponding to a user account maintained by the first network system; and
      
      the second network system is configured to determine from the trusted namespaces whether to trust the security identifier to authorize the service account request.

21. A network system domain, comprising:
- a root domain controller communicatively linked with a plurality of network system domains in a first network system; and
  
  a trusted domain component configured to define a trust link between the root domain controller and a second network system root domain controller, the second network system root domain controller communicatively linked with a plurality of second network system domains that are administratively independent from the first network system domains, and the trust link being configured to provide transitive resource access between the first network system domains and the second network system domains, the trusted domain component being further configured to provide remote network authentication such that an account managed by a second network system domain initiates a request for authentication via a first network system domain, and where it is determined from the trust link where to communicate the account request and to authenticate the request via the trust link.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 22. A network system domain as recited in claim 21, wherein the root domain controller is configured to create the trusted domain component when the trust link is initiated.
  - 23. A network system domain as recited in claim 21, wherein the root domain controller is configured to establish the transitive resource access between the first network system domains and the second network system domains when the trust link is initiated.
  - 24. A network system domain as recited in claim 21, wherein the trusted domain component defines a one-way trust link from the root domain controller to the second network system root domain controller.
  - 25. A network system domain as recited in claim 21, wherein the trusted domain component is further configured to provide the remote network authentication to access a resource managed by the second network system domain, such that the account managed by the first network system domain can initiate a request to access the resource, the request communicated from the root domain controller to the second network system root domain controller via the trust link.
  - 26. A network system domain as recited in claim 21, wherein the root domain controller is configured to determine from the trusted domain component where to communicate the request for authentication received from the account managed by the second network system domain.
  - 27. A network system domain as recited in claim 21, wherein the trusted domain component is configured to indicate where to communicate the request for authentication received from the account managed by the second network system domain.
  - 28. A network system domain as recited in claim 21, wherein the root domain controller is configured to determine from the trusted domain component where to communicate a request for a resource, the request received from the account managed by the second network system domain and the resource maintained by the second network system domain.
  - 29. A network system domain as recited in claim 21, wherein the root domain controller is configured to receive a request to logon to the second network system domain, and determine from the trusted domain component to communicate the request to the second network system root domain controller via the trust link.
  - 30. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure configured to maintain trusted namespaces corresponding to the second network system.
  - 31. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure configured to maintain namespaces corresponding to trusted second network system domain components.
  - 32. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure configured to maintain namespaces corresponding to the second network system, and wherein the root domain controller is configured to maintain the data structure and automatically designate which of the namespaces are trusted by the first network system.
  - 33. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure maintained by the root domain controller, the data structure configured to maintain namespaces corresponding to the second network system, and the namespaces being designated as trusted by a network system administrator.
  - 34. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure maintained by the root domain controller, the data structure configured to maintain trusted namespaces corresponding to the plurality of second network system domains, and wherein the root domain controller is configured to receive a request to logon to the second network system and determine from the trusted namespaces where to communicate the request.
  - 35. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure configured to maintain trusted namespaces corresponding to the second network system, and wherein the root domain controller is configured to determine from the trusted namespaces where to communicate a request for a resource, the request received from an account managed by the root domain controller and the resource maintained by a second network system domain.
  - 36. A network system domain as recited in claim 21, wherein:
    - the trusted domain component is a data structure configured to maintain trusted namespaces corresponding to the second network system;
      
      the root domain controller is configured to determine from the trusted namespaces where to communicate a request for a resource, the request received from an account managed by the root domain controller and the resource maintained by a second network system domain; and
      
      the second network system is configured to authorize the request for the resource.
  - 37. A network system domain as recited in claim 21, wherein the root domain controller is configured to:
    - receive an account request to logon to a second network system domain;
      
      determine from the trusted domain component where to communicate the account request; and
      
      provide a security identifier to the second network system domain controller, the security identifier corresponding to the account.
  - 38. A network system domain as recited in claim 21, wherein the trusted domain component is a data structure maintained by the domain controller, the data structure including trusted namespaces corresponding to the second network system, and wherein the root domain controller is configured to:
    - determine from the trusted namespaces where to communicate a logon request received from an account managed by a second network system; and
      
      provide a security identifier to the second network system domain controller, the security identifier corresponding to the account.

39. A first network system domain controller performing a method comprising:
- establishing a trust link with a second network system domain controller to provide transitive resource access between domains in a first network system and domains in a separate, autonomous second network system;
  
  receiving an authentication request from an account managed by a domain in the second network system; and
  
  determining from the trust link where to communicate the request and authenticating the request via the trust link.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47)
- - 40. The method as recited in claim 39, wherein establishing the trust link comprises:
    - receiving network system identifiers corresponding to the second network system;
      
      creating a data structure to maintain the network system identifiers; and
      
      designating which of the network system identifiers to trust.
  - 41. The method as recited in claim 39, wherein establishing the trust link comprises:
    - receiving namespaces corresponding to the second network system;
      
      creating a data structure to maintain the namespaces; and
      
      designating which of the namespaces to trust.
  - 42. The method as recited in claim 39, wherein establishing the trust link comprises:
    - receiving network system identifiers corresponding to the second network system;
      
      creating a data structure to maintain the network system identifiers;
      
      determining whether to trust an individual network system identifier; and
      
      designating in the data structure whether to trust the individual network system identifier.
  - 43. The method as recited in claim 39, wherein establishing the trust link comprises:
    - receiving namespaces corresponding to the second network system;
      
      creating a data structure to maintain the namespaces;
      
      determining whether to trust an individual namespace; and
      
      designating in the data structure whether to trust the individual namespace.
  - 44. The method as recited in claim 39, wherein establishing the trust link comprises:
    - receiving network system identifiers corresponding to the second network system;
      
      comparing a received network system identifier with existing network system identifiers to determine whether to accept the received network system identifier; and
      
      creating a data structure to maintain accepted network system identifiers.
  - 45. The method as recited in claim 39, wherein establishing the trust link comprises:
    - receiving namespaces corresponding to the second network system;
      
      comparing a received namespace with existing namespaces to determine whether to accept the received namespace; and
      
      creating a data structure to maintain accepted namespaces.
  - 46. The method as recited in claim 39, wherein establishing the trust link comprises receiving network system identifiers corresponding to the second network system and designating which of the network system identifiers to trust, and wherein determining comprises comparing a component of the request with the network system identifiers to determine that the account is managed in the second network system.
  - 47. The method as recited in claim 39, further comprising providing a security identifier corresponding to the account to the first network system domain controller, the first network system domain controller comparing the security identifier with stored network system identifiers to determine whether the security identifier is valid.

48. A first network system domain controller performing a method comprising:
- establishing a trust link with a second network system domain controller to provide transitive resource access between domains in a first network system and domains in a separate, autonomous second network system;
  
  receiving a resource request from an account managed by the first network system domain controller;
  
  determining from the trust link where to communicate the resource request; and
  
  communicating the resource request to the second network system domain controller via the trust link.
- View Dependent Claims (49, 50, 51, 52)
- - 49. The method as recited in claim 48, wherein establishing the trust link comprises:
    - receiving network system identifiers corresponding to the second network system;
      
      creating a data structure to maintain the network system identifiers; and
      
      designating which of the network system identifiers to trust.
  - 50. The method as recited in claim 48, wherein establishing the trust link comprises:
    - receiving namespaces corresponding to the second network system;
      
      creating a data structure to maintain the namespaces; and
      
      designating which of the namespaces to trust.
  - 51. The method as recited in claim 48, wherein establishing the trust link comprises receiving network system identifiers corresponding to the second network system and designating which of the network system identifiers to trust, and wherein determining comprises comparing a component of the request with the network system identifiers to determine that the resource is managed in the second network system.
  - 52. The method as recited in claim 48, further comprising providing a security identifier corresponding to the account to the first network system domain controller, the first network system domain controller comparing the security identifier with stored network system identifiers to determine whether the security identifier is valid.

53. One or more computer-readable media comprising computer-executable instructions that, when executed, direct a first network system domain controller to perform a method comprising:
- establishing a trust link with a second network system domain controller to provide transitive resource access between domains in a first network system and domains in a separate, autonomous second network system;
  
  receiving a resource request from an account managed by a domain controller in the second network system;
  
  determining from the trust link to communicate the resource request to the second network system; and
  
  communicating the resource request to the second network system domain controller via the trust link.
- View Dependent Claims (54)
- - 54. One or more computer-readable media as recited in claim 53, wherein establishing the trust link comprises:
    - receiving network system identifiers corresponding to the second network system;
      
      creating a data structure to maintain the network system identifiers; and
      
      designating which of the network system identifiers to trust.

55. One or more computer-readable media comprising computer-executable instructions that, when executed, direct a domain controller in a first network system to perform a method comprising:
- requesting network system identifiers corresponding to a second network system to create a trust link between the first network system and the second network system, the second network system being autonomous from the first network system;
  
  the trust link configured to provide transitive resource access between the plurality of first network system domains and the plurality of second network system domains;
  
  determining whether to accept the network system identifiers;
  
  designating accepted network system identifiers as trusted with trust indicators;
  
  creating a data structure to maintain the accepted network system identifiers and corresponding trust indicators;
  
  receiving a resource request from an account managed by the first network system domain controller;
  
  determining from the trust link where to communicate the resource request; and
  
  communicating the resource request via the trust link.
- View Dependent Claims (56, 57)
- - 56. One or more computer-readable media as recited in claim 55, wherein determining comprises comparing an individual network system identifier with existing network system identifiers and rejecting the individual network system identifier if it is a duplicate of an existing network system identifier.
  - 57. One or more computer-readable media as recited in claim 55, the method further comprising:
    - receiving an authentication request to logon to a domain in the second network system;
      
      comparing a component of the authentication request with the network system identifiers; and
      
      communicating the authentication request to the second network system if the component corresponds to a trusted network system identifier.

58. A domain controller in a first network system performing a method comprising:
- receiving a security identifier from a domain controller in a second network system via a trust link, the security identifier corresponding to an account managed by the second network system;
  
  the trust link configured to provide transitive resource access between the plurality of first network system domains and the plurality of second network system domains;
  
  determining whether the security identifier is valid;
  
  trusting the account corresponding to the security identifier if the security identifier is determined to be valid;
  
  receiving a resource request from an account managed by the first network system domain controller;
  
  determining from the trust link where to communicate the resource request; and
  
  communicating the resource request via the trust link.
- View Dependent Claims (59, 60, 61, 62)
- - 59. The A method as recited in claim 58, wherein determining comprises comparing the security identifier with network system identifiers and determining that the security identifier is valid if it matches a component of a network system identifier.
  - 60. The A method as recited in claim 58, wherein determining comprises comparing the security identifier with stored network system identifiers and determining that the security identifier is valid if it matches a component of a network system identifier, the network system identifiers received from the second network system and designated as being trusted when the trust link is initiated.
  - 61. The A method as recited in claim 58, wherein the security identifier corresponds to a security principal managed by the domain controller in the second network system.
  - 62. One or more computer-readable media comprising computer-executable instructions that, when executed, direct a computing system to perform the method of claim 58.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garg, Praerit, Leach, Paul J., Van Dyke, Clifford P., Schmidt, Donald E., Satagopan, Murli D.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Poltorak; Piotr

Application Number

US10/029,426
Publication Number

US 20030120948A1
Time in Patent Office

1,894 Days
Field of Search

726 1- 2, 726/8, 713/155, 713/170, 709/223, 709/238
US Class Current

726/2
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/083 using passwords cryptograph...

Authentication and authorization across autonomous network systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and authorization across autonomous network systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links