Systems and methods for using external authentication service for Kerberos pre-authentication

US 8,516,566 B2
Filed: 01/18/2008
Issued: 08/20/2013
Est. Priority Date: 10/25/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, from a principal of a directory service, a request for pre-authentication of the principal for Kerberos, the directory service configured for managing access to resources within a network system and comprising an authentication service;

authenticating the principal for the directory service by the authentication service in response to receiving the request;

identifying, by the authentication service, a key associated with the authenticated principle, wherein identifying the key comprises generating a random password for the authenticated principal and deriving the key from the random password;

providing, by the authentication service, the key to a Kerberos Key Distribution Center (KDC) by storing the key in a data structure in the directory service that is accessible by the KDC; and

sending, by the authentication service, the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing Kerberos pre-authentication are presented. According to a method embodiment, a request for authentication is received from a principal of an authentication service. The principal in the authentication service is authenticated. A key associated with the authenticated principal in the authentication service is provided to a Kerberos Key Distribution Center (KDC).

63 Citations

View as Search Results

21 Claims

1. A method, comprising:
- receiving, from a principal of a directory service, a request for pre-authentication of the principal for Kerberos, the directory service configured for managing access to resources within a network system and comprising an authentication service;
  
  authenticating the principal for the directory service by the authentication service in response to receiving the request;
  
  identifying, by the authentication service, a key associated with the authenticated principle, wherein identifying the key comprises generating a random password for the authenticated principal and deriving the key from the random password;
  
  providing, by the authentication service, the key to a Kerberos Key Distribution Center (KDC) by storing the key in a data structure in the directory service that is accessible by the KDC; and
  
  sending, by the authentication service, the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising authenticating, by the KDC, the authenticated principal using the random password in the authentication request and the corresponding key in the data structure.
  - 3. The method of claim 1, wherein the authentication service supports multiple authentication mechanisms to receive a sequence of authentication mechanisms from the principal.
  - 4. The method of claim 3, wherein the sequence of authentication mechanisms includes one or more of the following types of mechanisms:
    - password-based mechanisms, certificate-based mechanisms, or biometric-based mechanisms.
  - 5. The method of claim 3, wherein the sequence of authentication mechanisms includes logical AND and logical OR connections between mechanisms.
  - 6. The method of claim 3, wherein the directory service further comprises a hierarchical, object oriented database that represents organizational assets in a logical tree and is used to authenticate the principal.
  - 7. The method of claim 3, wherein identifying the key further comprises storing the received sequence in the data structure for access by the KDC.
  - 8. The method of claim 1, wherein the authentication service supports login methods that use smart cards, proximity cards, certificates, passwords, and challenge responses.

9. A method, comprising:
- receiving, by a Kerberos Key Distribution Center (KDC), a Kerberos authentication request from a principal pre-authenticated for Kerberos by an authentication service operating within a directory service that is configured to manage access to resources within a network system, the Kerberos authentication request containing pre-authentication information comprising a random password generated by the authentication service for the pre-authenticated principal;
  
  obtaining, by the KDC, a key corresponding to the random password for the pre-authenticated principal from a data structure on the directory service that is accessible by the KDC wherein the key is derived from the random password by the authentication service; and
  
  authenticating, by the KDC, the pre-authenticated principal for Kerberos using the key.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein the Kerberos authentication request includes the random password stored in a PA-ENC-TIMESTAMP field.
  - 11. The method of claim 9, wherein the data structure further comprises a sequence of mechanisms used to authenticate the principal to the directory service, and wherein pre-authenticating includes embedding the sequence of mechanisms in a ticket granting ticket (TGT) sent to the principal by the KDC.

12. A system, comprising processing circuitry configured to operate on instructions stored in a computer-accessible media to provide a directory service configured to manage access to resources within a network system and comprising an authentication service for the directory service, wherein the instructions cause the authentication service to:
- receive, from a principal of the directory service, a request to pre-authenticate the principal for Kerberos;
  
  authenticate the principal for the directory service in response to receiving the request;
  
  generate a random password for the authenticated principal;
  
  derive a key associated with the authenticated principal from the random password;
  
  provide a Kerberos Key Distribution Center (KDC) with the key by storing the key in a data structure on the directory service that is accessible by the KDC; and
  
  send the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the authentication service supports multiple authentication mechanisms to receive a sequence of authentication mechanisms from the principal.
  - 14. The system of claim 13, wherein the directory service further comprises a hierarchical, object oriented database that represents organizational assets in a logical tree and is used to authenticate the principal.
  - 15. The system of claim 13, wherein the authentication service supports a sequence of authentication mechanisms that includes logical AND and logical OR connections between mechanisms.
  - 16. The system of claim 13, wherein the sequence of multiple authentication mechanisms includes one or more mechanisms selected from a group of mechanisms consisting of:
    - password-based mechanisms, certificate-based mechanisms, and biometric-based mechanisms.
  - 17. The system of claim 12, wherein the data structure is a look-up table containing a key for each authenticated principal that is pre-authenticated for Kerberos.

18. A network system, comprising processing circuitry configured to operate on instructions to provide a directory service, a Kerberos Key Distribution Center (KDC), a principal, and a Kerberos-enabled service, the directory service configured to manage access to resources within the network system and comprising an authentication service for the directory service, wherein the instructions cause the authentication service to:
- receive, from a principal of the directory service, a request to pre-authenticate the principal for Kerberos;
  
  authenticate the principal for the directory service in response to receiving the request;
  
  generate a random password for the authenticated principal;
  
  derive a key associated with the authentication principal from the random password;
  
  provide the KDC with the key by storing the key in a directory structure on the directory service that is accessible by the KDC; and
  
  send the random password to the authenticated principal for use as pre-authentication information in a Kerberos authentication request subsequently sent by the authenticated principal to the KDC.
- View Dependent Claims (19, 20, 21)
- - 19. The network of claim 18, wherein the authentication service supports multiple authentication mechanisms and is to receive a sequence of authentication mechanisms from the principal.
  - 20. The network of claim 18, wherein the data structure is a key cache containing a key for each authenticated principal that is pre-authenticated for Kerberos.
  - 21. The network of claim 18 wherein the key expires after a time on the order of five minutes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Srinivas, Rahul
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/016,363
Publication Number

US 20090110200A1
Time in Patent Office

2,041 Days
Field of Search

726/10
US Class Current

726/10
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/083   involving central third par...

H04L 9/0869   involving random numbers or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Systems and methods for using external authentication service for Kerberos pre-authentication

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for using external authentication service for Kerberos pre-authentication

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links