Systems and methods for using external authentication service for Kerberos pre-authentication
Abstract
Systems and methods for providing Kerberos pre-authentication are presented. According to a method embodiment, a request for authentication is received from a principal of an authentication service. The principal in the authentication service is authenticated. A key associated with the authenticated principal in the authentication service is provided to a Kerberos Key Distribution Center (KDC).
21 Claims
1. A method, comprising:
receiving, from a principal of a directory service, a request for pre-authentication of the principal for Kerberos, the directory service configured for managing access to resources within a network system and comprising an authentication service;
authenticating the principal for the directory service by the authentication service in response to receiving the request;
identifying, by the authentication service, a key associated with the authenticated principal, wherein identifying the key comprises generating a random password for the authenticated principal and deriving the key from the random password;
providing, by the authentication service, the key to a Kerberos Key Distribution Center (KDC) by storing the key in a data structure in the directory service that is accessible by the KDC; and
sending, by the authentication service, the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method, comprising:
receiving, by a Kerberos Key Distribution Center (KDC), a Kerberos authentication request from a principal pre-authenticated for Kerberos by an authentication service operating within a directory service that is configured to manage access to resources within a network system, the Kerberos authentication request containing pre-authentication information comprising a random password generated by the authentication service for the pre-authenticated principal;
obtaining, by the KDC, a key corresponding to the random password for the pre-authenticated principal from a data structure on the directory service that is accessible by the KDC wherein the key is derived from the random password by the authentication service; and
authenticating, by the KDC, the pre-authenticated principal for Kerberos using the key.
Dependent claims: 10, 11.
12. A system, comprising processing circuitry configured to operate on instructions stored in a computer-accessible media to provide a directory service configured to manage access to resources within a network system and comprising an authentication service for the directory service, wherein the instructions cause the authentication service to:
receive, from a principal of the directory service, a request to pre-authenticate the principal for Kerberos;
authenticate the principal for the directory service in response to receiving the request;
generate a random password for the authenticated principal;
derive a key associated with the authenticated principal from the random password;
provide a Kerberos Key Distribution Center (KDC) with the key by storing the key in a data structure on the directory service that is accessible by the KDC; and
send the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.
Dependent claims: 13, 14, 15, 16, 17.
18. A network system, comprising processing circuitry configured to operate on instructions to provide a directory service, a Kerberos Key Distribution Center (KDC), a principal, and a Kerberos-enabled service, the directory service configured to manage access to resources within the network system and comprising an authentication service for the directory service, wherein the instructions cause the authentication service to:
receive, from a principal of the directory service, a request to pre-authenticate the principal for Kerberos;
authenticate the principal for the directory service in response to receiving the request;
generate a random password for the authenticated principal;
derive a key associated with the authentication principal from the random password;
provide the KDC with the key by storing the key in a directory structure on the directory service that is accessible by the KDC; and
send the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.
Dependent claims: 19, 20, 21.
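
Added example, not part of the patent text: a simplified Python model of the flow in claims 1 and 9, covering the authentication service, the principal and the KDC. PBKDF2-HMAC-SHA1 stands in for the Kerberos string-to-key function and an HMAC over a timestamp stands in for encrypted-timestamp pre-authentication; the realm, the class and function names, the skew window and the login secrets are constructed assumptions.

```python
import hashlib, hmac, secrets, time

REALM = "EXAMPLE.COM"   # constructed realm name
MAX_SKEW = 300          # assumed clock-skew window, in seconds

def derive_key(password, principal):
    # Stand-in for Kerberos string-to-key: PBKDF2-HMAC-SHA1 salted with
    # realm + principal name. Not the full Kerberos derivation.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def make_proof(key, ts):
    # Stand-in for an encrypted timestamp: HMAC-SHA256 over the timestamp.
    return hmac.new(key, str(ts).encode(), hashlib.sha256).digest()

class Directory:
    """Directory service with its authentication service (hypothetical model)."""
    def __init__(self, login_secrets):
        self._login = dict(login_secrets)  # constructed directory credentials
        self.krb_keys = {}                 # data structure readable by the KDC

    def pre_authenticate(self, principal, login_secret):
        # Authenticate the principal for the directory service first.
        expected = self._login.get(principal)
        if expected is None or not hmac.compare_digest(
                expected.encode(), login_secret.encode()):
            return None
        password = secrets.token_urlsafe(32)                 # random password
        self.krb_keys[principal] = derive_key(password, principal)
        return password   # sent to the principal; only the key is stored

def build_as_request(principal, password, now=None):
    # Principal side: derive the same key and prove knowledge of it.
    ts = int(time.time() if now is None else now)
    proof = make_proof(derive_key(password, principal), ts)
    return {"principal": principal, "ts": ts, "proof": proof}

def kdc_verify(directory, request, now=None):
    # KDC side: fetch the stored key and check the proof and its freshness.
    key = directory.krb_keys.get(request["principal"])
    if key is None:
        return False
    now = time.time() if now is None else now
    if abs(now - request["ts"]) > MAX_SKEW:
        return False
    return hmac.compare_digest(make_proof(key, request["ts"]), request["proof"])
```

In this model the KDC never sees the principal's directory credentials, and the directory stores only the derived key, so the random password exists only in transit to the principal and on the principal's side.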