Enabling two-factor authentication for terminal services

US 8,756,660 B2
Filed: 04/17/2008
Issued: 06/17/2014
Est. Priority Date: 04/17/2008
Status: Active Grant

First Claim

Patent Images

1. A method executed at a client device for authenticating a request for a remote presentation comprising:

Receiving an authentication token using a first process running on the client device, the authentication token being received from an authentication server;

writing data from the authentication token to a file on the client device using the first process, the file being accessible to a second process running on the client device, the second process being separate from the first process and being configured to enable a remote presentation between the client device and a terminal services device;

passing authentication data from the file to a communications module using the second process, the communications module being configured to communicate data from the client device to the terminal services device and to the authentication server based on a protocol associated with the remote presentation;

sending the authentication data in a format associated with the protocol to the terminal services device using the communications module;

sending native authentication information to the terminal services device in the format associated with the protocol using the communications module; and

receiving an indication that the terminal services device verified the authentication data with the server and that the terminal services device verified the native authentication information, the indication being received using the communications module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for enabling two-factor authentication for terminal services are described. A client receives an authentication token from an authentication server. The authentication token is used as a factor for authenticating the client to a terminal services device. Native authentication of the client is also performed.

Citations

19 Claims

1. A method executed at a client device for authenticating a request for a remote presentation comprising:
- Receiving an authentication token using a first process running on the client device, the authentication token being received from an authentication server;
  
  writing data from the authentication token to a file on the client device using the first process, the file being accessible to a second process running on the client device, the second process being separate from the first process and being configured to enable a remote presentation between the client device and a terminal services device;
  
  passing authentication data from the file to a communications module using the second process, the communications module being configured to communicate data from the client device to the terminal services device and to the authentication server based on a protocol associated with the remote presentation;
  
  sending the authentication data in a format associated with the protocol to the terminal services device using the communications module;
  
  sending native authentication information to the terminal services device in the format associated with the protocol using the communications module; and
  
  receiving an indication that the terminal services device verified the authentication data with the server and that the terminal services device verified the native authentication information, the indication being received using the communications module.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the authentication token is a one-time password.
  - 3. The method of claim 1, wherein the first process is a browser, the second process is a terminal service client process, the authentication token is formatted as a browser cookie, wherein writing data to a file comprises encrypting data in the browser cookie and storing the encrypted data in the file, wherein passing authentication data from the file to a communications module comprises decrypting the data and sending the decrypted data to the communications module, and wherein sending the authentication data in a format associated with the protocol comprises the communications module transforming the decrypted data to a remote procedure call and wrapping the remote procedure call in a hypertext transfer protocol format.
  - 4. The method of claim 1, wherein the native authentication information comprises a user identification and a user password.
  - 5. The method of claim 1, wherein the remote presentation comprises a remote desktop protocol communications session.
  - 6. The method of claim 1, wherein receiving an authentication token using the first process comprises:
    - requesting, using an Internet browser interface, an authentication token from the authentication server; and
      
      receiving the authentication token formatted as a browser cookie.
  - 7. The method of claim 1, wherein sending the authentication data in a format associated with the protocol comprises sending HTTP data comprising a remote procedure call, wherein the remote procedure call comprises information associated with the authentication data.

8. A computer-readable storage device having stored therein instructions to authenticate a request for a remote presentation that upon execution on a first device at least cause the first device to:
- receive of an authentication token using a first process running on the first device, the authentication token being received from an authentication computing device;
  
  write data from the authentication token to a file on the first device using the first process, the file being accessible to a second process running on the first device, the second process being separate from the first process and being configured to enable a remote presentation between the first device and a terminal services device;
  
  pass authentication data from the file to a communications module using the second process, the communications module being configured to communicate data from the first device to the terminal services device and to the authentication computing device based on a protocol associated with the remote presentation;
  
  send the authentication data in a format associated with the protocol to the terminal services device using the communications module;
  
  send native authentication information to the terminal services device in the format associated with the protocol using the communications module; and
  
  receive an indication that the terminal services device verified the authentication data with the server and that the terminal services device verified the native authentication information, the indication being received using the communications module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage device as recited in claim 8, wherein the authentication token is a one-time password.
  - 10. The computer-readable storage device as recited in claim 8, wherein the first process is a browser, the second process is a terminal service client process, the authentication token is formatted as a browser cookie, wherein the instruction that at least cause the first device to write data to a file comprises encrypting data in the browser cookie and storing the encrypted data in the file, wherein the instruction that at least cause the first device to pass authentication data from the file to a communications module comprises decrypting the data and sending the decrypted data to the communications module, and wherein the instruction that at least cause the first device to send the authentication data in a format associated with the protocol comprises the communications module transforming the decrypted data to a remote procedure call and wrapping the remote procedure call in a hypertext transfer protocol format.
  - 11. The computer-readable storage device as recited in claim 8, wherein the native authentication information comprises a user identification and a user password.
  - 12. The computer-readable storage device as recited in claim 8, wherein the remote presentation comprises a remote desktop protocol communications session.
  - 13. The computer-readable storage device as recited in claim 8, wherein the instruction that at least cause the first device to receive an authentication token using the first process comprises instructions that cause the first device to:
    - request, using an Internet browser interface, an authentication token from the authentication server; and
      
      receive the authentication token formatted as a browser cookie.
  - 14. The computer-readable storage device as recited in claim 8, wherein the instruction that at least cause the first device to send the authentication data in a format associated with the protocol comprises instructions that cause the first device to send HTTP data comprising a remote procedure call, wherein the remote procedure call comprises information associated with the authentication data.

15. A system for authenticating a request for a remote presentation, comprising:
- a processor; and
  
  memory coupled to the processor having stored thereon instructions that upon execution on the processor cause the system to;
  
  receive of an authentication token using a first process running on the system, the authentication token being received from an authentication computing device;
  
  write data from the authentication token to a file on the system using the first process, the file being accessible to a second process running on the system, the second process being separate from the first process and being configured to enable a remote presentation between system and a terminal services device;
  
  pass authentication data from the file to a communications module using the second process, the communications module being configured to communicate data from the system to the terminal services device and to the authentication computing device based on a protocol associated with the remote presentation;
  
  send the authentication data in a format associated with the protocol to the terminal services device using the communications module;
  
  send native authentication information to the terminal services device in the format associated with the protocol using the communications module; and
  
  receive an indication that the terminal services device verified the authentication data with the server and that the terminal services device verified the native authentication information, the indication being received using the communications module.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system as recited in claim 15, wherein the authentication token is a one-time password.
  - 17. The system as recited in claim 15, wherein the first process is a browser, the second process is a terminal service client process, the authentication token is formatted as a browser cookie, wherein the instruction that at least cause the system to write data to a file comprises encrypting data in the browser cookie and storing the encrypted data in the file, wherein the instruction that at least cause the system to pass authentication data from the file to a communications module comprises decrypting the data and sending the decrypted data to the communications module, and wherein the instruction that at least cause the system to send the authentication data in a format associated with the protocol comprises the communications module transforming the decrypted data to a remote procedure call and wrapping the remote procedure call in a hypertext transfer protocol format.
  - 18. The system as recited in claim 15, wherein the native authentication information comprises a user identification and a user password.
  - 19. The system as recited in claim 15, wherein the remote presentation comprises a remote desktop protocol communications session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Malakapalli, Meher, Ding, Lisen, Ben-Shachar, Ido, Palekar, Ashwin
Primary Examiner(s)
Simitoski, Michael
Assistant Examiner(s)
LAVELLE, GARY E

Application Number

US12/105,247
Publication Number

US 20090328182A1
Time in Patent Office

2,252 Days
Field of Search

380/44, 380/54, 726/4, 726/6, 713/168, 713/182
US Class Current

726/4
CPC Class Codes

H04L 63/0838 using one-time-passwords

H04L 63/105 Multiple levels of security

Enabling two-factor authentication for terminal services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling two-factor authentication for terminal services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links