Persistent authorization context based on external authentication

US 7,401,235 B2
Filed: 05/10/2002
Issued: 07/15/2008
Est. Priority Date: 05/10/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing a first user with controlled access to a local computing resource without requiring that the first user have a unique user account associated with the local computing resource, the method comprising:

receiving an identifier of the first user from a second user that has a unique user account associated with the local computing resource;

associating a security identifier (SID) of the first user with the local computing resource based on the identifier received from the second user;

when the first user attempts to access to the local computing resource, receiving a pair wise unique identifier (PUID) associated with the first user that is to be provided access to said local computing resource, said PUID being associated with an external computing resource that has authenticated the first user based on an electronic mail (e-mail) address associated with the first user;

translating said PUID into a corresponding security identifier (SID) by providing said PUID to an application programming interface (API) and in return receiving the corresponding SID from said API;

determining when the corresponding SID matches the associated SID using an access control mechanism associated with said local computing resource; and

providing the first user controlled access to the local computing resource based on the determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided to allow users that are authenticated by a trusted external service to gain controlled levels of access to selected local computing resources without requiring the user to also have conventional access control capabilities for the resources.

319 Citations

31 Claims

1. A method for providing a first user with controlled access to a local computing resource without requiring that the first user have a unique user account associated with the local computing resource, the method comprising:
- receiving an identifier of the first user from a second user that has a unique user account associated with the local computing resource;
  
  associating a security identifier (SID) of the first user with the local computing resource based on the identifier received from the second user;
  
  when the first user attempts to access to the local computing resource, receiving a pair wise unique identifier (PUID) associated with the first user that is to be provided access to said local computing resource, said PUID being associated with an external computing resource that has authenticated the first user based on an electronic mail (e-mail) address associated with the first user;
  
  translating said PUID into a corresponding security identifier (SID) by providing said PUID to an application programming interface (API) and in return receiving the corresponding SID from said API;
  
  determining when the corresponding SID matches the associated SID using an access control mechanism associated with said local computing resource; and
  
  providing the first user controlled access to the local computing resource based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein said PUID is associated with a Passport service.
  - 3. The method as recited in claim 1, wherein translating said PUID into said corresponding SID further includes:
    - separating said PUID into at least one sub authority identifier portion and at least one member identifier portion.
  - 4. The method as recited in claim 1, wherein receiving said PUID further includes:
    - receiving said PUID within a Kerberos-based message.
  - 5. The method as recited in claim 4, wherein said PUID is provided in a PAC within said Kerberos-based message.
  - 6. The method as recited in claim 4, wherein said Kerberos-based message is associated with an S4U2self process.
  - 7. The method as recited in claim 4, wherein said Kerberos-based message is associated with an S4U2proxy process.
  - 8. The method as recited in claim 1, wherein:
    - the associated SID is stored within an access control list (ACL) associated with said at least one computing resource; and
      
      determining when the corresponding SID matches the associated SID further includes comparing the corresponding SID to the ACL.
  - 9. The method as recited in claim 1, wherein providing the first user controlled access to the local computing resource further includes:
    - providing a default account for the first user to access said at least one computing resource.

10. A computer-readable medium having computer-executable instructions for performing acts comprising:
- associating a security identifier (SID) of a first user with a local computing resource based on an electronic mail (e-mail) address associated with the first user that is provided by a second user having a user account to access the local computing resource;
  
  accepting a pair wise unique identifier (PUID) associated with the first user that is to be provided controlled access to the local computing resource, said PUID being associated with an external computing resource that has authenticated the first user based on the first user providing the electronic mail (e-mail) address associated with the user to the external computing resource;
  
  converting said PUID into a corresponding security identifier (SID) by outputting said PUID to an application programming interface (API) and, in return, receiving the corresponding SID from said API;
  
  verifying that the corresponding SID matches the associated using an access control mechanism associated with said local computing resource; and
  
  allowing controlled access to the local computing resource responsive to the act of verifying and without requiring that the first user have a unique user account associated with the local computing resource.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable medium as recited in claim 10, wherein said PUID is associated with a Passport service.
  - 12. The computer-readable medium as recited in claim 10, wherein converting further includes:
    - subdividing said PUID into at least one sub authority identifier portion and at least one member identifier portion.
  - 13. The computer-readable medium as recited in claim 10, wherein receiving said PUID further includes:
    - receiving said PUID within a Kerberos-based message.
  - 14. The computer-readable medium as recited in claim 13, wherein said PUID is provided in a PAC within said Kerberos-based message.
  - 15. The computer-readable medium as recited in claim 13, wherein said Kerberos-based message is associated with an S4U2self process.
  - 16. The computer-readable medium as recited in claim 13, wherein said Kerberos-based message is associated with an S4U2proxy process.
  - 17. The computer-readable medium as recited in claim 10, wherein verifying further includes:
    - comparing the corresponding SID to an access control list (ACL) associated with said local computing resource the ACL including the associated SID.
  - 18. The computer-readable medium as recited in claim 10, wherein accepting said PUID associated with the first user that is to be provided controlled access to said local computing resource further includes:
    - providing a default account for the first user that is to be provided access to said local computing resource.

19. A computer-readable medium having computer-executable instructions for performing acts comprising:
- associating a security identifier (SID) of a first user with a local computing resource based on an electronic mail (e-mail) address associated with the first user that is input by a second user having a user account to access the local computing resource;
  
  receiving a pair wise unique identifier (PUID) associated with an authentication context of the first user with an external resource;
  
  translating said PUID into a corresponding security identifier (SID) associated with the authentication context by subdividing said PUID into at least one sub authority identifier portion and at least one member identifier portion, and arranging said at least one sub authority identifier portion and said at least one member identifier portion as said SID; and
  
  selectively providing the first user controlled access to the local computing resource based on a comparison of the corresponding SID to the SID associated with the local computing resource.
- View Dependent Claims (20, 21)
- - 20. The computer-readable medium as recited in claim 19, wherein arranging said at least one sub authority identifier portion and said at least one member identifier portion as said SID further includes arranging said SID to have said sub authority identifier, a HIWORD(MemberIDHigh), a LOWORD(MemberIDHigh), and a MemberIDLow.
  - 21. The computer-readable medium as recited in claim 19, further comprising outputting said SID.

22. A system for controlling access to at least one computing resource, the system comprising:
- memory; and
  
  logic operatively coupled to said memory and configurable to;
  
  associate a security identifier (SID) of a first user with said at least one computing resource based on an electronic mail (e-mail) address associated with the first user that is input by a second user having access to said at least one computing resource, the first user to be provided controlled access to said at least one computing resource by the second user;
  
  receive a unique identifier associated with the first user through an electronic mail (e-mail) address for the first user, said unique identifier being associated with another computing resource that has authenticated the first user based on the e-mail address for the first user, said logic being further operatively configured to translate said unique identifier into a corresponding security identifier (SID), and allowing said first user to access said at least one computing resource if said corresponding SID matches said SID associated with said at least one computing resource that is stored in said memory and without requiring that the first user have a unique user account associated with said at least one computing resource.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The system as recited in claim 22, wherein said unique identifier includes a pair wise unique identifier (PUID).
  - 24. The system as recited in claim 23, wherein said PUID is associated with a Passport service.
  - 25. The system as recited in claim 24, wherein said logic is further configured to separate said Passport unique identifier into at least one sub authority identifier portion and at least one member identifier portion.
  - 26. The system as recited in claim 22, wherein said logic is configurable to receive said unique identifier within a Kerberos-based message.
  - 27. The system as recited in claim 26, wherein said unique identifier is provided in a PAC within said Kerberos-based message.
  - 28. The system as recited in claim 26, wherein said Kerberos-based message is associated with an S4U2self process.
  - 29. The system as recited in claim 27, wherein said Kerberos-based message is associated with an S4U2proxy process.
  - 30. The system as recited in claim 22, wherein said SID associated with said at least one computing resource that is stored in said memory is part of an access control list (ACL) associated with said at least one computing resource.
  - 31. The system as recited in claim 22, wherein said logic is further configurable to provide an anonymous account capability to the first user that is to be provided access control to said at least one computing resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brezak, John E., Ward, Richard B., Mowers, David R., Viswanathan, Ram, Leban, Roy, Doubrovkine, Daniel, Schmidt, Donald E.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Okoronkwo; Chinwendu C

Application Number

US10/144,059
Publication Number

US 20030212806A1
Time in Patent Office

2,258 Days
Field of Search

726/2, 726/10, 709/200, 709/203
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 2221/2141   Access rights, e.g. capabil...

Persistent authorization context based on external authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

319 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Persistent authorization context based on external authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

319 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links