Method and system for enterprise network single-sign-on by a manageability engine
First Claim
1. A method for using an out-of-band (OOB) manageability engine (ME) having an OOB processor separate from a main processor of a computer platform to securely access an Enterprise server comprising:
receiving, with the OOB processor of the ME, user authentication credentials from a pre-boot authentication module (PBAM) executed by a BIOS of the computer platform;
requesting, with the OOB processor of the ME, via a dedicated OOB interface, independent of the main processor, between the ME and a network controller of the computer platform, a key encryption key (KEK) from a key distribution center (KDC);
receiving, with the OOB processor of the ME and independent of the main processor, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;
securely storing the KEK using the OOB processor of the ME;
enabling, with the OOB processor of the ME, the BIOS to proceed with booting of an operating system (OS);
wrapping an OS credential manager with a shim, wherein the OS credential manager is configured to authenticate a user to the OS;
intercepting an OS login process by the shim wrapping the OS credential manager;
receiving, with the OOB processor of the ME, a request for the KEK from the shim used to intercept the OS login process;
retrieving, with the OOB processor of the ME, the KEK from secure storage; and
sending, with the OOB processor of the ME, the KEK to the OS, wherein the shim, upon receipt of the KEK, suppresses an OS login prompt and completes booting of the OS;
wherein when the OS requires access to the Enterprise server, the ME uses the KEK to obtain a ticket specific to the Enterprise server, and the OS retrieves the ticket specific to the Enterprise server from the ME.
Abstract
A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.
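As an added illustration (not code from the patent or from any vendor's manageability engine), the following Python model walks through the flow in the abstract and claim 1: PBAM credentials go to the ME, the ME obtains a KEK from the KDC over its own channel, the shim suppresses the OS login prompt only when the ME holds a KEK, and the OS later fetches a server-specific ticket through the ME. The class names, the HMAC-based ticket format and the user directory are assumptions made for the example.

```python
import hashlib, hmac, secrets

USERS = {"alice": "correct horse"}   # constructed directory for the mock KDC (assumption)

class MockKdc:
    """Key distribution center: checks credentials, issues a KEK, then tickets bound to it."""
    def __init__(self, users):
        self.users = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self.keks = {}                       # user -> KEK issued after pre-boot authentication

    def request_kek(self, user, password):
        if self.users.get(user) != hashlib.sha256(password.encode()).digest():
            return None                      # authentication failed: no KEK for this session
        self.keks[user] = secrets.token_bytes(32)
        return self.keks[user]

    def request_ticket(self, user, service, proof):
        kek = self.keks.get(user)            # only a holder of the KEK can produce the proof
        if kek is None or not hmac.compare_digest(proof, hmac.new(kek, service.encode(), "sha256").digest()):
            return None
        return {"user": user, "service": service,
                "mac": hmac.new(kek, f"{user}|{service}".encode(), "sha256").hexdigest()}

class ManageabilityEngine:
    """OOB co-processor: keeps the KEK in its own storage and answers the shim and the OS."""
    def __init__(self, kdc):
        self.kdc, self.secure_storage, self.user = kdc, None, None

    def pre_boot_auth(self, user, password):  # credentials forwarded by the PBAM in the BIOS
        self.user = user
        self.secure_storage = self.kdc.request_kek(user, password)  # via the dedicated OOB interface
        return self.secure_storage is not None   # BIOS is released to boot the OS either way

    def get_kek(self):                        # request from the shim wrapping the credential manager
        return self.secure_storage

    def get_ticket(self, service):            # OS needs an Enterprise server: ME uses the KEK
        if self.secure_storage is None:
            return None
        proof = hmac.new(self.secure_storage, service.encode(), "sha256").digest()
        return self.kdc.request_ticket(self.user, service, proof)

def shim_login(me):
    """Shim around the OS credential manager: a KEK suppresses the prompt, otherwise it is shown."""
    return "prompt_suppressed" if me.get_kek() is not None else "login_prompt"

def sso_boot(user, password, service):
    # One boot: returns the shim's decision and the ticket the OS retrieves from the ME
    me = ManageabilityEngine(MockKdc(USERS))
    me.pre_boot_auth(user, password)
    return shim_login(me), me.get_ticket(service)
```

A failed pre-boot authentication leaves the ME without a KEK, so the shim falls back to the normal login prompt and no ticket can be obtained.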
28 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 10 depend on it.
11. An article comprising:
a non-transitory storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by an out-of-band (OOB) co-processor separate from a main processor of a computer platform, the instructions provide for:
receiving, with the OOB co-processor, user authentication credentials from a pre-boot authentication module (PBAM) executed by a BIOS of the computer platform;
requesting, with the OOB co-processor, via a dedicated OOB interface, independent of the main processor, between the OOB co-processor and a network controller of the computer platform, a key encryption key (KEK) from a key distribution center (KDC);
receiving, with the OOB co-processor and independent of the main processor, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;
securely storing the KEK using the OOB co-processor;
enabling, with the OOB co-processor, the BIOS to proceed with booting of an operating system (OS);
wrapping an OS credential manager with a shim, wherein the OS credential manager is configured to authenticate a user to the OS;
intercepting an OS login process by the shim wrapping the OS credential manager;
receiving, with the OOB co-processor, a request for the KEK from the shim used to intercept the OS login process;
retrieving, with the OOB co-processor, the KEK from secure storage; and
sending, with the OOB co-processor, the KEK to the OS, wherein the shim, upon receipt of the KEK, suppresses an OS login prompt and completes booting of the OS;
wherein when the OS requires access to the Enterprise server, the ME uses the KEK to obtain a ticket specific to the Enterprise server, and the OS retrieves the ticket specific to the Enterprise server from the ME.
Claims 12 to 20 depend on claim 11.
21. A computer platform to securely access an Enterprise server, the computer platform comprising:
a main processor to execute a BIOS including a pre-boot authentication module (PBAM);
an out-of-band (OOB) manageability engine (ME) having an OOB processor separate from the main processor; and
a network controller having a dedicated OOB interface to the OOB processor, independent of the main processor;
wherein the OOB processor of the ME is to:
receive user authentication credentials from the PBAM, wherein a user authenticates to the PBAM through the BIOS;
request, via the dedicated OOB interface, a key encryption key (KEK) from a key distribution center (KDC);
receive, via the dedicated OOB interface, the KEK from the KDC if the user authentication credentials are authenticated by the KDC;
securely store the KEK;
enable the BIOS to proceed with booting of an operating system (OS);
receive a request for the KEK from a shim that wraps an OS credential manager and is used to intercept an OS login process, wherein the OS credential manager is configured to authenticate a user to the OS;
retrieve the KEK from secure storage; and
send the KEK to the OS;
wherein the main processor is to wrap the OS credential manager with the shim and intercept the OS login process by the shim that wraps the OS credential manager, and wherein the shim, upon receipt of the KEK, is to suppress an OS login prompt and complete booting of the OS; and
wherein when the OS requires access to the Enterprise server, the ME is to use the KEK to obtain a ticket specific to the Enterprise server, and the OS is to retrieve the ticket specific to the Enterprise server from the ME.
Claims 22 to 28 depend on claim 21.