Kerberos ticket virtualization for network load balancers

US 8,132,246 B2
Filed: 02/27/2008
Issued: 03/06/2012
Est. Priority Date: 02/27/2008
Status: Active Grant

First Claim

Patent Images

1. Computer-readable storage media including instructions executable by one or more processors to perform acts comprising:

transmitting a client key with a ticket granting service request to a key distribution center, the ticket granting service request specifying a name of a group; and

receiving a group ticket for a Kerberos protocol from the key distribution center, the group ticket comprising;

the name of the group;

a service ticket encrypted with a dynamic group key; and

a plurality of enveloped pairs wherein each enveloped pair comprises a name associated with a member of the group and an encrypted dynamic group key for decryption by a key possessed by the member of the group whereby decryption of a particular encrypted dynamic group key allows for decryption of the service ticket.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary group ticket for a Kerberos protocol includes a service ticket encrypted with a dynamic group key and a plurality of enveloped pairs where each pair includes a name associated with a member of a group and an encrypted the dynamic group key for decryption by a key possessed by the member of the group where decryption of an encrypted dynamic group key allows for decryption of the service ticket. Other exemplary methods, systems, etc., are also disclosed.

13 Citations

View as Search Results

18 Claims

1. Computer-readable storage media including instructions executable by one or more processors to perform acts comprising:
- transmitting a client key with a ticket granting service request to a key distribution center, the ticket granting service request specifying a name of a group; and
  
  receiving a group ticket for a Kerberos protocol from the key distribution center, the group ticket comprising;
  
  the name of the group;
  
  a service ticket encrypted with a dynamic group key; and
  
  a plurality of enveloped pairs wherein each enveloped pair comprises a name associated with a member of the group and an encrypted dynamic group key for decryption by a key possessed by the member of the group whereby decryption of a particular encrypted dynamic group key allows for decryption of the service ticket.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable media of claim 1 wherein the group ticket further comprises a temporary session key.
  - 3. The computer-readable media of claim 1 wherein the name of the group comprises a server principle name associated with a network load balancer.
  - 4. The computer-readable media of claim 3 wherein the server principle name comprises a name associated with a virtual network load balancer.
  - 5. The computer-readable media of claim 4 wherein the virtual network load balancer comprises a virtual IP address.
  - 6. The computer-readable media of claim 1 wherein the name of the group comprises a server principle name corresponding to a network load balancing server.
  - 7. The computer-readable media of claim 1 wherein the group ticket further comprises one or more restrictions associated with a number of different member names for transactions.

8. A method comprising:
- under control of one or more processors configured with executable instructions;
  
  receiving, at a network load balancer, an application request and a group ticket that comprises a name for a group associated with the network load balancer and a service ticket including enveloped pairs, each enveloped pair comprising a key and a member name;
  
  routing the request and the group ticket to members of the group named in the enveloped pairs, wherein the members of the group named in the enveloped pairs each comprises a member key;
  
  decrypting a dynamic group key in one of the enveloped pairs using the member key of the member of the group named in the one of the enveloped pairs; and
  
  decrypting the service ticket using the dynamic group key.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8 wherein the routing comprises load balancing among the members of the group.
  - 10. The method of claim 8 wherein the group name comprises a server principle name of the network load balancer.
  - 11. The method of claim 8 wherein the group ticket comprises an enveloped key pair for each member of the group.
  - 12. The method of claim 8 further comprising creating a virtual server and performing the routing using the virtual server.
  - 13. The method of claim 8 further comprising routing the request and the group ticket to more than one member of the group wherein each of the members of the group comprises a member key capable of decrypting the dynamic group key.
  - 14. The method of claim 8 wherein the routing to more than one member occurs for a single group ticket.
  - 15. The method of claim 8 wherein the group ticket allows for routing to more than one member of the group wherein each of the members comprises a member key capable of decrypting the dynamic group key.

16. A system comprising:
- a key distribution center including one or more processors and memory storing instructions that, when executed, configure the one or more processors to perform acts comprising;
  
  receiving a group name and member names of members of the group from a group registrant, wherein the group name comprises a server principle name associated with a network load balancer;
  
  storing the member names;
  
  receiving a ticket granting request from a client wherein the request comprises the group name; and
  
  generating a group ticket that comprises an encrypted service ticket and enveloped pairs for each of the member names, each enveloped pair comprising an encrypted dynamic group key and the member name whereby decryption of an encrypted dynamic group key allows for decryption of the encrypted service ticket.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16 wherein the network load balancer comprises a network load balancing server.
  - 18. The system of claim 17 wherein the network load balancing server comprises a virtual server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ilac, Cristian, Leach, Paul J., Kamel, Tarek B., Zhu, Liqiang
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US12/038,736
Publication Number

US 20090217029A1
Time in Patent Office

1,469 Days
Field of Search

726/10
US Class Current

726/10
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/0833   involving conference or gro...

H04L 9/3213   using tickets or tokens, e....

Kerberos ticket virtualization for network load balancers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Kerberos ticket virtualization for network load balancers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others