Systems and methods for accessing a virtual desktop

US 8,782,768 B2
Filed: 06/15/2012
Issued: 07/15/2014
Est. Priority Date: 06/15/2012
Status: Active Grant

First Claim

Patent Images

1. An authentication system comprising:

a plurality of access-protected network resources, each of the access-protected network resources having respective access permissions;

a first computing device comprising a first processor configured to;

receive an access request and access credentials from a first user;

determine that the access credentials are valid; and

in response to determining that the access credentials are valid, authenticate the first user and generate an authentication token for the first user; and

a second computing device comprising a second processor configured to;

receive a request from the first user to access a first access-protected network resource of the plurality of access-protected network resources;

receive one of the authentication token for the first user or a reference to the authentication token;

determine that the first user has permission to access the first access-protected network resource;

generate smartcard credentials for the first user, wherein the smartcard credentials comprise a private key and a digital certificate with a public key for the first user;

store the smartcard credentials in a virtual smartcard;

associate the virtual smartcard with the first access-protected network resource to allow the first user to access the first access-protected network resource using the smartcard credentials without entering additional access credentials;

receive a request from the first user to access a second access-protected network resource of the plurality of access-protected network resources, the second access-protected network resource having different access permissions from the first access-protected network resource;

determine that the first user has permission to access the second access-protected network resource from one of the authentication token or a reference to the authentication token; and

associate the virtual smartcard with the second access-protected network resource to allow the first user to access the second access-protected network resource using the smartcard credentials without entering additional access credentials, wherein;

the plurality of access-protected network resources, the first computing device, and the second computing device are included within a domain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, computer-readable storage medium, and systems described herein facilitate enabling access to a virtual desktop of a host computing device. An authentication system receives one of an authentication token and a reference to the authentication token, wherein the authentication token is indicative of whether a user successfully logged in to an authentication portal using a client computing device. The authentication system generates a private key, a digital certificate, and a personal identification number (PIN) for the user in response to receiving the one of the authentication token and the reference to the authentication token. The private key, the digital certificate, and the PIN are stored in a virtual smartcard, and the client computing device is authorized to log into a virtual desktop using the virtual smartcard.

17 Citations

View as Search Results

19 Claims

1. An authentication system comprising:
- a plurality of access-protected network resources, each of the access-protected network resources having respective access permissions;
  
  a first computing device comprising a first processor configured to;
  
  receive an access request and access credentials from a first user;
  
  determine that the access credentials are valid; and
  
  in response to determining that the access credentials are valid, authenticate the first user and generate an authentication token for the first user; and
  
  a second computing device comprising a second processor configured to;
  
  receive a request from the first user to access a first access-protected network resource of the plurality of access-protected network resources;
  
  receive one of the authentication token for the first user or a reference to the authentication token;
  
  determine that the first user has permission to access the first access-protected network resource;
  
  generate smartcard credentials for the first user, wherein the smartcard credentials comprise a private key and a digital certificate with a public key for the first user;
  
  store the smartcard credentials in a virtual smartcard;
  
  associate the virtual smartcard with the first access-protected network resource to allow the first user to access the first access-protected network resource using the smartcard credentials without entering additional access credentials;
  
  receive a request from the first user to access a second access-protected network resource of the plurality of access-protected network resources, the second access-protected network resource having different access permissions from the first access-protected network resource;
  
  determine that the first user has permission to access the second access-protected network resource from one of the authentication token or a reference to the authentication token; and
  
  associate the virtual smartcard with the second access-protected network resource to allow the first user to access the second access-protected network resource using the smartcard credentials without entering additional access credentials, wherein;
  
  the plurality of access-protected network resources, the first computing device, and the second computing device are included within a domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The authentication system of claim 1, wherein the authentication token includes a security assertion markup language (SAML) assertion that the first user was authenticated.
  - 3. The authentication system of claim 1, further comprising a directory service, wherein determining that the first user has permission to access the first access-protected network resource comprises transmitting a request to the directory service to validate whether the first user has permission to access the access-protected network resource.
  - 4. The authentication system of claim 1, wherein the first processor is further configured to transmit, to the second computing device, the authentication token or the reference to the authentication token.
  - 5. The authentication system of claim 1, wherein the second processor is further configured to validate the authentication token with an authentication portal.
  - 6. The authentication system of claim 1, wherein the system further comprises a directory service included within the domain.
  - 7. The authentication system of claim 6, wherein the second computing device is further configured to log the first user into the directory service using the virtual smartcard.

8. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by one or more computing devices, cause the computing devices to perform operations comprising:
- receiving a request from a first user to access a first access-protected virtual desktop of a plurality of access-protected virtual desktops;
  
  receiving one of an authentication token or a reference to the authentication token, wherein the authentication token indicates that the first user successfully logged in to an authentication portal by submitting access credentials to the authentication portal;
  
  determining that the first user has permission to access the first access-protected virtual desktop;
  
  generating smartcard credentials for the first user, wherein the smartcard credentials comprise a private key, a digital certificate, and a personal identification number (PIN) for the first user;
  
  storing the smartcard credentials in a virtual smartcard;
  
  authorizing the client computing device to log into the first access-protected virtual desktop using the smartcard credentials stored in the virtual smartcard, without entering additional access credentials;
  
  receive a request from the first user to access a second access-protected network resource of the plurality of access-protected network resources, the second access-protected network resource having different access permissions from the first access-protected network resource;
  
  determine that the first user has permission to access the second access-protected network resource from one of the authentication token or a reference to the authentication token; and
  
  associate the virtual smartcard with the second access-protected network resource to allow the first user to access the second access-protected network resource using the smartcard credentials without entering additional access credentials, wherein;
  
  the plurality of access-protected network resources and the one or more devices are included within a domain.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer-readable storage medium of claim 8, wherein the computer-executable instructions further cause the at least one processor to transmit a request to a directory service to determine whether the first user has permission to access the first access-protected virtual desktop.
  - 10. The computer-readable storage medium of claim 9, wherein the computer-executable instructions further cause the at least one processor to log the first user into the directory service using the virtual smartcard.
  - 11. The computer-readable storage medium of claim 8, wherein the computer-executable instructions further cause the at least one processor to transmit a login request to the authentication portal, wherein the login request includes the access credentials associated with the user.
  - 12. The computer-readable storage medium of claim 11, wherein the computer-executable instructions further cause the at least one processor to receive the authentication token or the reference to the authentication token from the authentication portal in response to the login request.

13. A method of authorizing a first user to access access-protected virtual desktops, the method comprising:
- receiving, by a first computing device, a request from the first user to access a first access-protected virtual desktop of a plurality of access-protected virtual desktops;
  
  receiving, by the first computing device, one of an authentication token or a reference to the authentication token, wherein the authentication token indicates that the first user successfully logged in to an authentication portal by submitting access credentials to the authentication portal;
  
  determining that the first user has permission to access the first access-protected virtual desktop;
  
  generating smartcard credentials for the first user, wherein the smartcard credentials comprise a private key, a digital certificate, and a personal identification number (PIN) for the first user;
  
  storing the smartcard credentials in a virtual smartcard; and
  
  associating the virtual smartcard with the first access-protected virtual desktop to allow the first user to log in to the first access-protected virtual desktop using the smartcard credentials without entering additional access credentials;
  
  receiving a request from the first user to access a second access-protected network resource of the plurality of access-protected network resources, the second access-protected network resource having different access permissions from the first access-protected network resource;
  
  determining that the first user has permission to access the second access-protected network resource from one of the authentication token or a reference to the authentication token; and
  
  associating the virtual smartcard with the second access-protected network resource to allow the first user to access the second access-protected network resource using the smartcard credentials without entering additional access credentials, wherein;
  
  the plurality of access-protected network resources and the first computing device are included within a domain.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein determining that the first user has permission to access the first access-protected virtual desktop further comprises transmitting a request to a directory service to validate whether the user has permission to access the first access-protected virtual desktop.
  - 15. The method of claim 13, further comprising transmitting, by a second computing device, the access credentials to the authentication portal.
  - 16. The method of claim 15, further comprising receiving, by the second computing device, the authentication token or the reference to the authentication token from the authentication portal.
  - 17. The method of claim 16, further comprising transmitting, from the second computing device to the first computing device, the authentication token and the reference to the authentication token.
  - 18. The method of claim 13, further comprising logging the first user into a directory service using the virtual smartcard.
  - 19. The method of claim 18, further comprising logging the user into the domain such that the first user is enabled to log into the plurality of access-protected virtual desktops within the domain using the smartcard credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Larsson, Per Olov
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US13/524,412
Publication Number

US 20130340063A1
Time in Patent Office

760 Days
Field of Search

726/2, 726/4, 726/15, 726 8- 10, 726 19- 30, 713/155, 713/156, 713/168, 713/172, 713/185, 713/186
US Class Current

726/9
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

G06F 21/42   using separate channels for...

G06F 21/44   Program or device authentic...

H04L 63/0272   Virtual private networks

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/3247   involving digital signatures

Systems and methods for accessing a virtual desktop

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for accessing a virtual desktop

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others