Pluggable authentication and authorization

US 9,935,788 B2
Filed: 06/17/2015
Issued: 04/03/2018
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising, by a client device:

forwarding a predetermined local port to a gateway port of a gateway to create a secure shell tunnel to the gateway;

establishing a first connection to a ticket server coupled to the gateway, wherein the ticket server comprises a pluggable authentication and authorization (PAA) ticket server, wherein the gateway couples the client device to a first computing device, wherein the first connection is the secure shell'"'"' tunnel to the gateway, wherein the ticket server preserves state information, and wherein the state information comprises the state information for operation between the client device and one or more computing devices or an event;

confirming one or more credentials for the client device to access the first computing device base at least on a request from the client device to access the first computing device via the secure shell tunnel and an access of the client device to the gateway;

retrieving a permission vector from the ticket server through the first connection, wherein the retrieved permission vector contains at least one or more tickets to authenticate and authorize the client device access to at least the gateway and the first computing device and client-side redirection information;

storing the at least one or more tickets in a persistent storage;

establishing a second connection to the first computing device based at least on the retrieved tickets and information associated with the first connection such that additional information is not required to establish the second connection, wherein the first and second connections comprise one or more remote desktop protocol (RDP) connections, and wherein establishing the second connection to the first computing device based at least on the retrieved tickets comprises by the first computing device;

determining, with the ticket server, whether the retrieved tickets are valid; and

accepting the establishment of the second connection based, at least in part, on the determination of whether the retrieved tickets are valid; and

accessing on one more services provided by the gateway via the first connection.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, a client device may established a first connection to a ticket server of a gateway, wherein the gateway couples the client device to a first computing device, retrieve a permission vector from the ticket server though the first connection, wherein the retrieved permission vector contains at least one or more tickets to authenticate and authorize the client device access to at least the gateway and the first computing device, and establish a second connection to the first computing device based at least on the retrieved tickets

Citations

16 Claims

1. A method comprising, by a client device:
- forwarding a predetermined local port to a gateway port of a gateway to create a secure shell tunnel to the gateway;
  
  establishing a first connection to a ticket server coupled to the gateway, wherein the ticket server comprises a pluggable authentication and authorization (PAA) ticket server, wherein the gateway couples the client device to a first computing device, wherein the first connection is the secure shell'"'"' tunnel to the gateway, wherein the ticket server preserves state information, and wherein the state information comprises the state information for operation between the client device and one or more computing devices or an event;
  
  confirming one or more credentials for the client device to access the first computing device base at least on a request from the client device to access the first computing device via the secure shell tunnel and an access of the client device to the gateway;
  
  retrieving a permission vector from the ticket server through the first connection, wherein the retrieved permission vector contains at least one or more tickets to authenticate and authorize the client device access to at least the gateway and the first computing device and client-side redirection information;
  
  storing the at least one or more tickets in a persistent storage;
  
  establishing a second connection to the first computing device based at least on the retrieved tickets and information associated with the first connection such that additional information is not required to establish the second connection, wherein the first and second connections comprise one or more remote desktop protocol (RDP) connections, and wherein establishing the second connection to the first computing device based at least on the retrieved tickets comprises by the first computing device;
  
  determining, with the ticket server, whether the retrieved tickets are valid; and
  
  accepting the establishment of the second connection based, at least in part, on the determination of whether the retrieved tickets are valid; and
  
  accessing on one more services provided by the gateway via the first connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the ticket server is coupled with a database server, wherein the database server stores the one or more tickets.
  - 3. The method of claim 1, further comprising the step of storing at least part of the state information in the permission vector.
  - 4. The method of claim 1, further comprising an application in communication with the ticket server, wherein the application and the ticket server exchange a set of information.
  - 5. The method of claim 4, where the set of information comprises at least the permission vector and an updated state information.
  - 6. The method of claim 5, wherein the application further comprises:
    - receiving, from the ticket server, the set of information;
      
      executing tasks based on the set of information, andsending, to the ticket server, the results of the executed tasks.
  - 7. The method of claim 6, wherein the executed tasks are executed by an application of a proxy.
  - 8. The method of claim 1, wherein the ticket server comprises a third-party PAA ticket server.
  - 9. The method of claim 1, wherein the tickets comprise one or more encrypted credentials, the encrypted credentials authenticating and authorizing the client device access to the first computing device.
  - 10. The method of claim 9, wherein the encrypted credentials are provided by a structured query language (SQL) server, the SQL server being coupled to the ticket server of the gateway.
  - 11. The method of claim 9, wherein the encrypted credentials comprise one or more credentials of a user of the client device, the encrypted user credentials authenticating and authorizing the user access to the first computing device.
  - 12. The method of claim 9, wherein one or more of the encrypted credentials are retrieved from a remote device of the client device through a virtual interface of the remote device, the virtual interface comprising one or more virtual channels of the first connection between the client device and the ticket server.

13. One or more computer-readable non-transitory storage media embodying logic that is operable when executed to:
- by a first computing device;
  
  receiving a request from a client device to access the first computing device via a first connection comprising a secure shell tunnel, the client device being coupled to the first computing device, wherein a predetermined local port of the client device is forwarded to a port of a gateway to create the secure shell tunnel;
  
  confirming one or more credentials for the client device to access the first computing device based at least on the received request and an access of the client device to a gateway, the gateway being coupled to the client device and the first computing device, wherein the first computing device is a ticket server, wherein the ticket server comprises a pluggable authentication and authorization ticket server, wherein the ticket server preserves state information, and wherein the state information comprises the state information for operation between the client device and one or more computing devices or an event, and wherein the client device receives one or more tickets and client-side redirection information from the ticket server;
  
  retrieving a permission vector from the ticket server through the secure shell tunnel, wherein the retrieved permission vector contains at least one or more tickets to authenticate and authorize the client device access to at least the first connection and the first computing device and client-side redirection information;
  
  storing the at least one or more tickets in a persistent storage;
  
  establishing a second connection to the first computing device based at least on the one or more tickets and information associated with the first connection such that additional information is not required to establish the second connection, wherein the first and second connections comprise one or more remote desktop protocol (RDP) connections, and wherein establishing the second connection to the first computing device based at least on the retrieved tickets comprises by the first computing device;
  
  determining, with the ticket server, whether the retrieved tickets are valid;
  
  accepting the establishment of the second connection based, at least in part, on the determination of whether the retrieved tickets are valid; and
  
  providing access to one or more services provided by the gateway via the secure shell tunnel.
- View Dependent Claims (14, 15)
- - 14. The media of claim 13, wherein the client device being coupled to the first computing device comprises a remote desktop protocol connection between the client device and the first computing device.
  - 15. The media of claim 13, wherein the ticket server is coupled with a database server, wherein the database server stores the one or more tickets.

16. An information handling system comprising:
- one or more processors; and
  
  a memory coupled to the processors comprising instructions executable by the processors, the processors being operable when executing the instructions to;
  
  by a first computing device;
  
  receiving a request from a client device to access the first computing device via a secure shell tunnel, the client device being coupled to the first computing device, wherein a predetermined local port of the client device is forwarded to a port of a gateway to create the secure shell tunnel;
  
  confirming one or more credentials for the client device to access the first computing device based at least on the received request and an access of the client device to a gateway, the gateway being coupled to the client device and the first computing device, wherein the first computing device is a ticket server, wherein the ticket server comprises a pluggable authentication and authorization ticket server, wherein the ticket server preserves state information, and wherein the state information comprises the state information for operation between the client device and one or more computing devices or an event, and wherein the client device receives one or more tickets and client-side redirection information from the ticket server;
  
  retrieving a permission vector from the ticket server through the secure shell tunnel, wherein the retrieved permission vector contains at least one or more tickets to authenticate and authorize the client device access to at least the gateway and the first computing device and client-side redirection information;
  
  storing the at least one or more tickets in a persistent storage;
  
  establishing a second connection to the first computing device based at least on the one or more tickets and information associated with the first connection such that additional information is not required to establish the second connection, wherein the first and second connections comprise one or more remote desktop protocol (RDP) connections, and wherein establishing the second connection to the first computing device based at least on the retrieved tickets comprises by the first computing device;
  
  determining, with the ticket server, whether the retrieved tickets are valid;
  
  accepting the establishment of the second connection based, at least in part, on the determination of whether the retrieved tickets are valid; and
  
  providing access to one or more services provided by the gateway via the secure shell tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Fausak, Andrew T., Rombakh, Oleg
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US14/742,124
Publication Number

US 20160234195A1
Time in Patent Office

1,021 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4679   Arrangements for the regist...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/01   Protocols

H04L 67/025   for remote control or remot...

H04L 67/08   specially adapted for termi...

H04L 67/1001   for accessing one among a p...

H04L 67/131   Protocols for games, networ...

H04L 67/141   Setup of application sessio...

H04L 67/142   Managing session states for...

H04L 67/148   Migration or transfer of se...

H04L 67/563   Data redirection of data ne...

H04L 69/04   Protocols for data compress...

H04L 69/14   Multichannel or multilink p...

H04L 9/3213   using tickets or tokens, e....

Y02D 30/50   in wire-line communication ...

Pluggable authentication and authorization

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Pluggable authentication and authorization

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links