Resource protection on un-trusted devices

US 9,584,501 B2
Filed: 07/17/2015
Issued: 02/28/2017
Est. Priority Date: 01/02/2013
Status: Active Grant

First Claim

Patent Images

1. A client device, comprising:

one or more hardware processors; and

one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors, and that configure the client device to authenticate to an enterprise network, including computer-executable instructions that configure the client device to perform at least the following;

obtain a secondary credential, the secondary credential being associated with a primary credential that is usable from within the enterprise network to directly gain access to a service of the enterprise network, the secondary credential having been generated within the enterprise network as being usable by a particular set of client devices that includes the client device to indirectly gain access to the service through the primary credential and as being unusable by any other client devices not included in the particular set of client devices to gain access to the service;

while outside of the enterprise network, request access to the service, including sending the secondary credential to an enterprise gateway of the enterprise network; and

based at least on sending the secondary credential to the enterprise gateway, receive a resource from the service, the resource being received from the service based at least on the enterprise gateway having forwarded the primary credential to the service after verifying that the secondary credential is valid and that the client device is in the particular set of client devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticating a client device to a service to allow the client device to access a resource provided by the service. A client device obtains a secondary credential that is associated with a primary credential and that is generated as being usable by a particular set of devices including the client device to indirectly gain access to the service through the primary credential. While outside of an enterprise network, the client device requests access to the service, including sending the secondary credential to an enterprise gateway. Based at least on sending the secondary credential to the enterprise gateway, the client device receives a resource from the service. The resource is received based at least on the enterprise gateway having forwarded the primary credential to the service after verifying that the secondary credential is valid and that the client device is in the particular set of client devices.

Citations

20 Claims

1. A client device, comprising:
- one or more hardware processors; and
  
  one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors, and that configure the client device to authenticate to an enterprise network, including computer-executable instructions that configure the client device to perform at least the following;
  
  obtain a secondary credential, the secondary credential being associated with a primary credential that is usable from within the enterprise network to directly gain access to a service of the enterprise network, the secondary credential having been generated within the enterprise network as being usable by a particular set of client devices that includes the client device to indirectly gain access to the service through the primary credential and as being unusable by any other client devices not included in the particular set of client devices to gain access to the service;
  
  while outside of the enterprise network, request access to the service, including sending the secondary credential to an enterprise gateway of the enterprise network; and
  
  based at least on sending the secondary credential to the enterprise gateway, receive a resource from the service, the resource being received from the service based at least on the enterprise gateway having forwarded the primary credential to the service after verifying that the secondary credential is valid and that the client device is in the particular set of client devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The client device as recited in claim 1, the secondary credential having been generated within the enterprise network as being usable to indirectly gain access to the service through the primary credential only when the secondary credential is received over a particular set of communication channels.
  - 3. The client device as recited in claim 2, the resource being received from the service based at least on the enterprise gateway also having verified that the secondary credential was received over a communication channel in the particular set of communication channels.
  - 4. The client device as recited in claim 1, also including computer-executable instructions that configure the client device to send only traffic intended for the service to the enterprise gateway.
  - 5. The client device as recited in claim 1, also including computer-executable instructions that configure the client device to obtain the secondary credential from a user.
  - 6. The client device as recited in claim 1, also including computer-executable instructions that configure the client device to obtain the secondary credential from a management system in the enterprise network.
  - 7. The client device as recited in claim 1, the secondary credential having been generated by a management system within the enterprise network using a secret at the management system in combination with the primary credential.
  - 8. The client device as recited in claim 1, wherein the secondary credential is valid for a shorter period of time than the primary credential.
  - 9. The client device as recited in claim 1, wherein the secondary credential grants limited access to services of the enterprise network as compared to the primary credential.

10. A system, comprising:
- an enterprise gateway of an enterprise network, which includes one or more first hardware processors and one or more first computer-readable media storing first computer-executable instructions that configure the enterprise gateway to perform at least the following;
  
  receive a secondary credential from a client device that is outside of the enterprise network, the secondary credential being associated with a primary credential that is usable from within the enterprise network to directly gain access to a service of the enterprise network, the secondary credential having been generated within the enterprise network as being usable by a particular set of client devices that includes the client device to indirectly gain access to the service through the primary credential and as being unusable by any other client devices not included in the particular set of client devices to gain access to the service;
  
  verify that the secondary credential is valid;
  
  verify that the client device is in the particular set of client devices; and
  
  when the secondary credential is valid and when the client device is in the particular set of client devices, forward the primary credential to the service; and
  
  the client device, which includes one or more second processors and one or more second computer-readable media storing second computer-executable instructions that configure the client device to perform at least the following;
  
  obtain the secondary credential;
  
  while outside of the enterprise network, request access to the service, including sending the secondary credential to the enterprise gateway; and
  
  based at least on sending the secondary credential to the enterprise gateway, receive a resource from the service.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system as recited in claim 10, the secondary credential having been generated within the enterprise network as being usable to indirectly gain access to the service through the primary credential only when the secondary credential is received over a particular set of communication channels.
  - 12. The system as recited in claim 11, wherein the first computer-executable instructions also configure the enterprise gateway to verify that the secondary credential was received over a communication channel in the particular set of communication channels prior to forwarding the primary credential to the service.
  - 13. The system as recited in claim 10, wherein the second computer-executable instructions also configure the client device to send only traffic intended for the service to the enterprise gateway.
  - 14. The system as recited in claim 10, wherein the second computer-executable instructions also configure the client device to obtain the secondary credential from a user.
  - 15. The system as recited in claim 10, wherein the second computer-executable instructions also configure the client device to obtain the secondary credential from a management system in the enterprise network.
  - 16. The system as recited in claim 10, wherein the secondary credential is generated by a management system within the enterprise network using a secret at the management system in combination with the primary credential.
  - 17. The system as recited in claim 10, wherein the secondary credential is valid for a shorter period of time than the primary credential.
  - 18. The system as recited in claim 10, wherein the secondary credential grants limited access to services of the enterprise network as compared to the primary credential.

19. A method, implemented at a client device that includes one or more processors, for authenticating to an enterprise network, the method comprising:
- obtaining a secondary credential, wherein the secondary credential is associated with a primary credential that is usable from within the enterprise network to directly gain access to a service of the enterprise network, and wherein the secondary credential was been generated within the enterprise network as being usable by a particular set of client devices that includes the client device to indirectly gain access to the service through the primary credential and as being unusable by any other client devices not included in the particular set of client devices to gain access to the service;
  
  while outside of the enterprise network, requesting access to the service, including sending the secondary credential to an enterprise gateway of the enterprise network; and
  
  based at least on sending the secondary credential to the enterprise gateway, receiving a resource from the service, wherein the resource is received from the service based at least on the enterprise gateway having forwarded the primary credential to the service after verifying that the secondary credential is valid and that the client device is in the particular set of client devices.
- View Dependent Claims (20)
- - 20. The method as recited in claim 19, wherein the secondary credential was generated within the enterprise network as being usable to indirectly gain access to the service through the primary credential only when the secondary credential is received over a particular set of communication channels, and wherein the resource is received from the service based at least on the enterprise gateway also having verified that the secondary credential was received over a communication channel in the particular set of communication channels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Mendelovich, Meir, Matchoro, Ron
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Song, Hee

Application Number

US14/802,562
Publication Number

US 20150326552A1
Time in Patent Office

592 Days
Field of Search

726/6, 726/9, 726 26- 29, 380200-203, 380/227
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/44   Program or device authentic...

H04L 63/08   for authentication of entit...

Resource protection on un-trusted devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Resource protection on un-trusted devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links