Methods for dynamically constructing a service principal name and devices thereof

US 10,230,566 B1
Filed: 12/31/2012
Issued: 03/12/2019
Est. Priority Date: 02/17/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing access to services implemented by a network traffic management system comprising one or more network traffic management devices, client devices, backend server devices, or domain controller server devices, the method comprising:

selecting one of a plurality of backend servers to provide a service to a client, and identifying an Internet protocol (IP) address of the selected server, in response to a received request from the client to access the service;

performing a reverse domain name system (DNS) lookup with a DNS server using the identified IP address to determine a hostname of the selected server;

dynamically generating a service principal name (SPN) of the selected server based on the hostname determined via the reverse DNS lookup;

sending a ticket granting service (TGS) request to a domain controller server, wherein the TGS request is generated using the dynamically generated SPN and a previously obtained ticket granting ticket (TGT);

andproviding access to the selected server to the client using a service ticket obtained in response to the TGS request and comprising the SPN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, medium and method for dynamically constructing a service principal name is disclosed. A client request from a user to access a service is received at a network traffic management device which identifies an internet protocol (IP) address of a selected backend server to provide the requested service to the client. The network traffic management device identifies a hostname of the selected backend server based at least on the identified IP address and dynamically generates a service principal name (SPN) of the selected backend server based on the determined host name. The network traffic management device obtains a service ticket from a domain controller server using at least the generated SPN of the selected backend server. The network traffic management device uses the obtained service ticket along with the client request to provide the user access to the selected backend server for the client request.

798 Citations

16 Claims

1. A method for managing access to services implemented by a network traffic management system comprising one or more network traffic management devices, client devices, backend server devices, or domain controller server devices, the method comprising:
- selecting one of a plurality of backend servers to provide a service to a client, and identifying an Internet protocol (IP) address of the selected server, in response to a received request from the client to access the service;
  
  performing a reverse domain name system (DNS) lookup with a DNS server using the identified IP address to determine a hostname of the selected server;
  
  dynamically generating a service principal name (SPN) of the selected server based on the hostname determined via the reverse DNS lookup;
  
  sending a ticket granting service (TGS) request to a domain controller server, wherein the TGS request is generated using the dynamically generated SPN and a previously obtained ticket granting ticket (TGT);
  
  andproviding access to the selected server to the client using a service ticket obtained in response to the TGS request and comprising the SPN.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising:
    - performing a load balancing technique for the request; and
      
      selecting the server to handle the request based on the load balancing technique.
  - 3. The method of claim 1 wherein the generating the SPN further comprises modifying a preconfigured pattern by replacing one or more format sequences in the preconfigured pattern and applying the preconfigured pattern to the determined hostname of the selected server to convert one or more portions of the hostname to the SPN.
  - 4. The method of claim 1 further comprising:
    - modifying the received client request by attaching the obtained service ticket in a header of the request; and
      
      forwarding the modified request to the selected server to facilitate decrypting the modified request to confirm an identity associated with the client and providing access to the selected server to the client.

5. A non-transitory computer readable medium having stored thereon instructions for managing access to services comprising executable code which when executed by at least one processor, causes the processor to:
- select one of a plurality of servers to provide a service to a client, and identify an Internet protocol (IP) address of the selected server, in response to a received request from the client to access the service;
  
  perform a reverse domain name system (DNS) lookup with a DNS server using the identified IP address to determine a hostname of the selected server;
  
  dynamically generate a service principal name (SPN) of the selected server based on the hostname determined via the reverse DNS lookup;
  
  send a ticket granting service (TGS) request to a domain controller server, wherein the TGS request is generated using the dynamically generated SPN and a previously obtained ticket granting ticket (TGT);
  
  andprovide access to the selected server to the client using a service ticket obtained in response to the TGS request and comprising the SPN.
- View Dependent Claims (6, 7, 8)
- - 6. The non-transitory computer readable medium of claim 5, wherein the executable code when executed by the processor further causes the processor to:
    - perform a load balancing technique for the request; and
      
      select the server to handle the request based on the load balancing technique.
  - 7. The non-transitory computer readable medium of claim 5, wherein the executable code when executed by the processor further causes the processor to modify a preconfigured pattern by replacing one or more format sequences in the preconfigured pattern and apply the preconfigured pattern to the determined hostname of the selected server to convert one or more portions of the hostname to the SPN.
  - 8. The non-transitory computer readable medium of claim 5, wherein the executable code when executed by the processor further causes the processor to:
    - modify the received request by attaching the obtained service ticket in a header of the request; and
      
      forward the modified client request to the selected server to facilitate decrypting the modified request to confirm an identity associated with the client and providing access to the selected server to the client.

9. A network traffic management device comprising a memory comprising programmed instructions stored thereon and at least one processor configured to be capable of executing the stored programmed instructions to:
- select one of a plurality of backend servers to provide a service to a client, and identify an Internet protocol (IP) address of the selected server, in response to a received request from the client to access the service;
  
  perform a reverse domain name system (DNS) lookup with a DNS server using the identified IP address to determine a hostname of the selected server;
  
  dynamically generate a service principal name (SPN) of the selected server based on the hostname determined via the reverse DNS lookup;
  
  send a ticket granting service (TGS) request to a domain controller server, wherein the TGS request is generated using the dynamically generated SPN and a previously obtained ticket granting ticket (TGT);
  
  andprovide access to the selected server to the client using a service ticket obtained in response to the TGS request and comprising the SPN.
- View Dependent Claims (10, 11, 12)
- - 10. The network traffic management device of claim 9, wherein the processor is further configured to be capable of executing the stored programmed instructions to:
    - perform a load balancing technique for the request; and
      
      select the server to handle the request based on the load balancing technique.
  - 11. The network traffic management device of claim 9, wherein the processor is further configured to be capable of executing the stored programmed instructions to modify preconfigured pattern by replacing one or more format sequences in the preconfigured pattern and apply the preconfigured pattern to the determined hostname of the selected server to convert one or more portions of the hostname to the SPN.
  - 12. The network traffic management device of claim 9, wherein the processor is further configured to be capable of executing the stored programmed instructions to:
    - modify the received request by attaching the obtained service ticket in a header of the request; and
      
      forward the modified request to the selected server to facilitate decrypting the modified request to confirm an identity associated with the client and providing access to the selected server to the client.

13. A network traffic management system, comprising one or more traffic management devices, client devices, server devices, or domain controller server devices, the network traffic management system comprising memory comprising programmed instructions stored thereon and at least one processor configured to be capable of executing the stored programmed instructions to:
- select one of a plurality of backend servers to provide a service to a client, and identify an Internet protocol (IP) address of the selected server, in response to a received request from the client to access the service;
  
  perform a reverse domain name system (DNS) lookup with a DNS server using the identified IP address to determine a hostname of the selected server;
  
  dynamically generate a service principal name (SPN) of the selected server based on the hostname determined via the reverse DNS lookup;
  
  send a ticket granting service (TGS) request to a domain controller server, wherein the TGS request is generated using the dynamically generated SPN and a previously obtained ticket granting ticket (TGT);
  
  andprovide access to the selected server to the client using a service ticket obtained in response to the TGS request and comprising the SPN.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, wherein the processor is further configured to be capable of executing the stored programmed instructions to:
    - perform a load balancing technique for the request; and
      
      select the backend server to handle the request based on the load balancing technique.
  - 15. The system of claim 13, wherein the processor is further configured to be capable of executing the stored programmed instructions to modify a preconfigured pattern by replacing one or more format sequences in the preconfigured pattern and apply the preconfigured pattern to the determined hostname of the selected server to convert one or more portions of the hostname to the SPN.
  - 16. The system of claim 13, wherein the processor is further configured to be capable of executing the stored programmed instructions to:
    - modify the received client request by attaching the obtained service ticket in a header of the request; and
      
      forward the modified client request to the selected server to facilitate decrypting the modified request to confirm an identity associated with the client and providing access to the selected server to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Jain, Amit, Martynenko, Konstantin, Costlow, Jeff, Holmes, David
Primary Examiner(s)
Lazaro, David R
Assistant Examiner(s)
Henry, Mariegeorges A

Application Number

US13/731,119
Time in Patent Office

2,262 Days
Field of Search

709224, 726 10, 713168
US Class Current
CPC Class Codes

H04L 2101/30   Types of network names

H04L 41/00   Arrangements for maintenanc...

H04L 61/4511   using domain name system [DNS]

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 67/1001   for accessing one among a p...

H04L 9/3213   using tickets or tokens, e....

Methods for dynamically constructing a service principal name and devices thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

798 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for dynamically constructing a service principal name and devices thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

798 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links