METHOD AND APPARATUS FOR PROVIDING SECURE INTERNAL DIRECTORY SERVICE FOR HOSTED SERVICES

    Publication (announcement) number: US20210029090A1

    Publication (announcement) date: 2021-01-28

    Application number: US17036286

    Filing date: 2020-09-29

    Abstract: A system and method for providing secure access to an organization's internal directory service from external hosted services. The system includes a remote directory service configured to accept directory service queries from an application running on hosted services. The remote directory service passes the queries to a directory service proxy server inside a firewall of the organization via a secure connection service. The directory service proxy server passes the queries to the internal directory service inside said firewall. Request responses from the internal directory service pass through the directory service proxy server to the remote directory service through said firewall via the secure connection service. The remote directory service returns the response to the requesting application.

    2. Method and apparatus for creating switchable desktops with separate authorizations
    Type: Granted patent    Status: In force

    Publication (announcement) number: US09378391B2

    Publication (announcement) date: 2016-06-28

    Application number: US14052591

    Filing date: 2013-10-11

    Inventor: Hon Wai Kwok

    IPC classification: G06F21/62

    Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by the roles. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority (LSA) module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions in a newly created virtual desktop.

    Method and apparatus for providing secure internal directory service for hosted services

    Publication (announcement) number: US10798057B2

    Publication (announcement) date: 2020-10-06

    Application number: US13765616

    Filing date: 2013-02-12

    IPC classification: H04L29/06 H04L29/12

    Abstract: A system and method for providing secure access to an organization's internal directory service from external hosted services. The system includes a remote directory service configured to accept directory service queries from an application running on hosted services. The remote directory service passes the queries to a directory service proxy server inside a firewall of the organization via a secure rendezvous service. The directory service proxy server passes the queries to the internal directory service inside said firewall. Request responses from the internal directory service pass through the directory service proxy server to the remote directory service through said firewall via the secure rendezvous service. The remote directory service returns the response to the requesting application.

    4. METHOD AND APPARATUS FOR TRANSMITTING ADDITIONAL AUTHORIZATION DATA VIA GSSAPI
    Type: Patent application    Status: In force

    Publication (announcement) number: US20150106906A1

    Publication (announcement) date: 2015-04-16

    Application number: US14052600

    Filing date: 2013-10-11

    Inventor: Hon Wai Kwok

    IPC classification: H04L29/06

    CPC classification: H04L63/08 H04L63/0807

    Abstract: A system and method for using a GSSAPI security token to transport additional non-GSSAPI data that includes authorization data used by third-party software. The system includes a hook that intercepts a client process's interactions with the GSSAPI. When a client process requests a security context from the GSSAPI, the hook intercepts the security token the GSSAPI provides for the client process. The hook checks to see if there is additional authorization data to transport, adds the additional data to the security token, then gives the token to the client process. The client process sends the security token to the server process, which submits the token to the GSSAPI for evaluation. A hook on the server's computer intercepts the security token, removes the additional data added earlier, gives the added authorization data to a version of the third-party authorization software, then passes the now-unaltered security token to the server process, which uses the security token to finish establishing a security context with the client process.

    5. Method and apparatus for maintaining multiple sets of identity data
    Type: Granted patent    Status: In force

    Publication (announcement) number: US08024360B2

    Publication (announcement) date: 2011-09-20

    Application number: US11009921

    Filing date: 2004-12-10

    Applicant: Paul Moore

    Inventor: Paul Moore

    IPC classification: G06F7/00 G06F17/30

    Abstract: A method of assigning the UNIX computers in a network to one of a plurality of groups called zones, of creating independent sets of UNIX identity information for each network entity (user or group) for separate zones, and of associating an entity's sets of UNIX entity information with a single global entity record for the entity in the network's identity resolver. A further method of allowing a UNIX computer to request entity information from the identity resolver, and of the identity resolver returning resolved entity information appropriate for the requesting computer's zone. A further method of managing sets of zone-specific UNIX identity information in the identity resolver to ensure that entity names and entity identification numbers are not duplicated within a zone and to allow the same names and numbers to be duplicated across zones. Other embodiments are also described.

    6. Maintaining multiple sets of identity data
    Type: Granted patent    Status: In force

    Publication (announcement) number: US09015103B2

    Publication (announcement) date: 2015-04-21

    Application number: US13218353

    Filing date: 2011-08-25

    Applicant: Paul Moore

    Inventor: Paul Moore

    IPC classification: G06F21/31 H04L29/12 H04L29/06

    Abstract: A method of assigning the UNIX computers in a network to one of a plurality of groups called zones, of creating independent sets of UNIX identity information for each network entity (user or group) for separate zones, and of associating an entity's sets of UNIX entity information with a single global entity record for the entity in the network's identity resolver. A further method of allowing a UNIX computer to request entity information from the identity resolver, and of the identity resolver returning resolved entity information appropriate for the requesting computer's zone. A further method of managing sets of zone-specific UNIX identity information in the identity resolver to ensure that entity names and entity identification numbers are not duplicated within a zone and to allow the same names and numbers to be duplicated across zones. Other embodiments are also described.

    7. Method and apparatus for dynamically and incrementally modifying NIS maps
    Type: Granted patent    Status: In force

    Publication (announcement) number: US08321523B1

    Publication (announcement) date: 2012-11-27

    Application number: US11410543

    Filing date: 2006-04-24

    IPC classification: G06F15/16

    Abstract: A method of maintaining Network Information Service (NIS) maps where modifying information about any of the network entities described by the NIS maps requires only an incremental update of the NIS maps instead of full NIS map regeneration. A further method of detecting when network entity records on a network directory server change so that NIS map updates are necessary.

    8. Method and apparatus for user log-in name mapping
    Type: Granted patent    Status: Invalid

    Publication (announcement) number: US07591005B1

    Publication (announcement) date: 2009-09-15

    Application number: US11262000

    Filing date: 2005-10-27

    Applicant: Paul Moore

    Inventor: Paul Moore

    IPC classification: H04L9/32

    CPC classification: H04L63/08

    Abstract: A method of detecting when a user logs into a UNIX computer, of determining whether the user's local log-in name should be replaced by a network log-in name for network authentication, of replacing the local log-in name if so determined, and of sending the log-in name with any other required authentication information to an authenticator so the user may be authenticated and allowed to log in to the computer. Other embodiments are also described.

    10. Method and apparatus for creating RFC-2307-compliant zone records in an LDAP directory without schema extensions
    Type: Granted patent    Status: In force

    Publication (announcement) number: US09442962B1

    Publication (announcement) date: 2016-09-13

    Application number: US11657165

    Filing date: 2007-01-23

    Applicant: Paul Moore

    Inventor: Paul Moore

    IPC classification: G06F17/30

    Abstract: A global user record that can be found in a search for posixAccount-type records is created in a database, then a zone user record of a type that cannot be found in a search for posixAccount-type records is associated with it. Finally, the zone user record is augmented so that it, too, will be found in a search for posixAccount-type records. Global and zone-specific group records are created similarly.
