Scheme for sub-realms within an authentication protocol

    Publication No.: US20060224891A1

    Publication date: 2006-10-05

    Application No.: US11096829

    Filing date: 2005-04-01

    IPC class: H04L9/00

    CPC class: H04L9/3213 H04L9/0833

    Abstract: Branch domain controllers (DCs) contain read-only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to, so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_ where is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.
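    The kvno-based key selection described in the abstract, as an added example written for this page (it is not the patent's or Windows' own code): a hub KDC holding several branches' krbtgt_<branch> keys selects the key named by a ticket's kvno, refuses a ticket whose kvno names no key it knows, and refuses one whose kvno has been rewritten to point at a different branch's key. The abstract says only that the branch identifier is carried in the kvno field; the 16-bit/16-bit split of the kvno, the use of AES-GCM in place of a Kerberos enctype, the key bytes and the principal name are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed kvno layout (the page says only that the branch identifier travels in
// the kvno field): branch ID in the upper 16 bits, key version in the lower 16.
func packKvno(branchID, version uint16) uint32 { return uint32(branchID)<<16 | uint32(version) }
func unpackKvno(kvno uint32) (branchID, version uint16) { return uint16(kvno >> 16), uint16(kvno) }

// TGT is a toy ticket-granting ticket: the kvno travels in the clear next to a
// body sealed under the issuing branch's krbtgt_<branch> key (AES-GCM stands in for a Kerberos enctype).
type TGT struct {
	Kvno          uint32
	Nonce, Sealed []byte
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// kvnoAD binds the kvno to the ciphertext as associated data: a kvno rewritten
// to name another branch's key fails verification instead of being decrypted.
func kvnoAD(kvno uint32) []byte {
	ad := make([]byte, 4)
	binary.BigEndian.PutUint32(ad, kvno)
	return ad
}

// BranchKDC holds only its own krbtgt_<branch> key, never the hub's or another branch's.
type BranchKDC struct {
	BranchID, Version uint16
	Key               []byte
}

func (b *BranchKDC) IssueTGT(principal string) TGT {
	aead := newAEAD(b.Key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	kvno := packKvno(b.BranchID, b.Version)
	return TGT{Kvno: kvno, Nonce: nonce, Sealed: aead.Seal(nil, nonce, []byte(principal), kvnoAD(kvno))}
}

// HubKDC knows every branch's krbtgt_<branch> key, indexed by the full kvno.
type HubKDC struct {
	Keys map[uint32][]byte
}

// OpenTGT uses the ticket's kvno to select the key that sealed it.
func (h *HubKDC) OpenTGT(t TGT) (string, error) {
	key, ok := h.Keys[t.Kvno]
	if !ok {
		branch, ver := unpackKvno(t.Kvno)
		return "", fmt.Errorf("no krbtgt key for branch %d, version %d", branch, ver)
	}
	body, err := newAEAD(key).Open(nil, t.Nonce, t.Sealed, kvnoAD(t.Kvno))
	if err != nil {
		return "", errors.New("TGT failed integrity check: wrong key or tampered ticket")
	}
	return string(body), nil
}

// RunDemo returns the hub's result for a genuine branch-7 TGT, for the same ticket
// with its kvno rewritten to branch 9, and for a kvno naming an unknown branch. Keys are constructed sample values.
func RunDemo() (principal string, swappedErr, unknownErr error) {
	branch7 := &BranchKDC{BranchID: 7, Version: 1, Key: []byte("branch-7-krbtgt-key-0123456789ab")}
	branch9 := &BranchKDC{BranchID: 9, Version: 1, Key: []byte("branch-9-krbtgt-key-0123456789ab")}
	hub := &HubKDC{Keys: map[uint32][]byte{packKvno(7, 1): branch7.Key, packKvno(9, 1): branch9.Key}}
	tgt := branch7.IssueTGT("alice@CORP.EXAMPLE") // constructed sample principal
	var err error
	if principal, err = hub.OpenTGT(tgt); err != nil {
		panic(err)
	}
	swapped := tgt
	swapped.Kvno = packKvno(9, 1) // attacker points the ticket at branch 9's key
	_, swappedErr = hub.OpenTGT(swapped)
	unknown := tgt
	unknown.Kvno = packKvno(42, 1) // no such branch registered at the hub
	_, unknownErr = hub.OpenTGT(unknown)
	return principal, swappedErr, unknownErr
}

func main() {
	p, s, u := RunDemo()
	fmt.Printf("principal=%q\nswapped kvno: %v\nunknown kvno: %v\n", p, s, u)
}
```

    In Kerberos the kvno travels outside the encrypted part of the ticket and only tells the KDC which key to try; a ticket that fails the integrity check under the selected key is rejected, which is what binding the kvno as associated data reproduces here. The practical asymmetry for a branch deployment is that the branch KDC can issue tickets only under its own krbtgt_<branch> key, while the hub must hold every branch key to accept them.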

    2. CLOUD SCALE DIRECTORY SERVICES (invention application, in force)

    Publication No.: US20110145526A1

    Publication date: 2011-06-16

    Application No.: US12635028

    Filing date: 2009-12-10

    IPC class: G06F12/16

    Abstract: Embodiments described herein are directed to providing scalability to software applications. A computer system partitions a portion of data stored in a directory services system into multiple different data partitions. Each data partition includes a primary writable copy and at least one secondary read-only copy of the data. The computer system receives a client request for a portion of the data that is stored in the directory services system and accesses various stored partition mappings to determine which of the different data partitions includes the requested data. The computer system also accesses a dynamic copy locator to determine which of the read-only copies of the indicated partition to access, and provides the accessed primary writable copy of the indicated partition and the determined read-only copy to the client in a virtualized manner, so that the client is not aware of the data partitions.
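    The partition mapping and dynamic copy locator described above, as an added example written for this page (not the patent's code): each partition has one primary writable copy and two read-only copies; writes go to the primary and reach the read-only copies only by replication, reads rotate over the healthy read-only copies, and the client sees nothing but the Directory. Hashing an entry's naming context to pick a partition, the copy names, the two-partition topology and the sample DN are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"hash/fnv"
	"strings"
)

// Copy is one replica of a partition's data; Healthy feeds the copy locator.
type Copy struct {
	Name    string
	Healthy bool
	Data    map[string]string
}

// Partition has one primary writable copy and at least one read-only copy.
type Partition struct {
	Primary  *Copy
	ReadOnly []*Copy
	cursor   int // round-robin position for the copy locator
}

// locateReadCopy is the dynamic copy locator: rotate over the read-only copies and skip the ones that are down.
func (p *Partition) locateReadCopy() (*Copy, error) {
	n := len(p.ReadOnly)
	for i := 0; i < n; i++ {
		if c := p.ReadOnly[(p.cursor+i)%n]; c.Healthy {
			p.cursor = (p.cursor + i + 1) % n
			return c, nil
		}
	}
	return nil, errors.New("no read-only copy of this partition is available")
}

// Directory is the virtualized view: clients never learn which partition or copy served them.
type Directory struct {
	Partitions []*Partition
}

// namingContext is the assumed partition key: the DN minus its first RDN, so one container maps to one partition.
func namingContext(dn string) string {
	if i := strings.Index(dn, ","); i >= 0 {
		dn = dn[i+1:]
	}
	return strings.ToLower(dn)
}

// locatePartition is the stored partition mapping, modelled as a hash of the naming context.
func (d *Directory) locatePartition(dn string) *Partition {
	h := fnv.New32a()
	h.Write([]byte(namingContext(dn)))
	return d.Partitions[int(h.Sum32()%uint32(len(d.Partitions)))]
}

// Write goes to the primary only; read-only copies receive the value by replication, never by a client write.
func (d *Directory) Write(dn, value string) {
	p := d.locatePartition(dn)
	p.Primary.Data[dn] = value
	for _, c := range p.ReadOnly {
		c.Data[dn] = value
	}
}

// Read returns the value and the copy that served it (the name is exposed only to show the locator's choices).
func (d *Directory) Read(dn string) (string, string, error) {
	c, err := d.locatePartition(dn).locateReadCopy()
	if err != nil {
		return "", "", err
	}
	return c.Data[dn], c.Name, nil
}

func newCopy(name string) *Copy {
	return &Copy{Name: name, Healthy: true, Data: map[string]string{}}
}

// NewDemoDirectory builds a constructed topology: two partitions, each with a primary and two read-only copies.
func NewDemoDirectory() *Directory {
	d := &Directory{}
	for i := 0; i < 2; i++ {
		p := &Partition{Primary: newCopy(fmt.Sprintf("p%d-primary", i))}
		for _, s := range []string{"a", "b"} {
			p.ReadOnly = append(p.ReadOnly, newCopy(fmt.Sprintf("p%d-ro-%s", i, s)))
		}
		d.Partitions = append(d.Partitions, p)
	}
	return d
}

func main() {
	d := NewDemoDirectory()
	dn := "cn=alice,ou=sales,dc=corp,dc=example" // constructed sample entry
	d.Write(dn, "Alice")
	for i := 0; i < 3; i++ {
		fmt.Println(d.Read(dn))
	}
}
```

    The health check in the locator is what makes the read-only copies more than load spreading: a copy marked down is routed around with no change on the client side, and because Write never touches a read-only copy the single-writer invariant the abstract relies on holds by construction.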

    4. Method and system for identity exchange and recognition (invention application, in force)

    Publication No.: US20050091495A1

    Publication date: 2005-04-28

    Application No.: US10693172

    Filing date: 2003-10-23

    Abstract: In accordance with various aspects, the present invention relates to methods and systems for sending an identity information document, comprising selecting identity information from a self-identity information store for inclusion in the identity information document. The selected identity information is read from the self-identity information store. The identity information document is generated to include the selected identity information and one or more keys, and is signed using a key associated with one of the keys included in the identity information document. The identity information document is then sent to a recipient. Receiving an identity information document comprises receiving a signed identity information document from an originator. A determination is made as to whether the identity information in the identity information document is reliable. The identity information is saved in a recognized identity information store if it is determined to be reliable. If the identity information is determined to be unreliable, an identity recognition number retrieved from the sender is compared to an identity recognition number generated by the recipient based on information in the received identity information document. If the identity recognition number is verified, the identity information is saved in the recognized identity information store.
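    The send and receive sides of the exchange above, as an added example written for this page (not the patent's code): the sender selects claims from a self-identity store, embeds its public key and signs; the recipient verifies the signature against the embedded key, treats a document from an already recognized key as reliable, and otherwise requires the identity recognition number it computes from the received bytes to match the one the sender supplied out of band. Ed25519 for the signature, JSON as the document encoding, SHA-256 truncated to six digits as the recognition number, and the sample claims are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// IdentityDocument carries the identity information selected from the sender's
// self-identity store plus one or more public keys; it is signed with the private key
// matching Keys[0]. encoding/json sorts map keys, giving a stable byte string to sign (assumed canonicalization).
type IdentityDocument struct {
	Claims map[string]string `json:"claims"`
	Keys   [][]byte          `json:"keys"`
}

type SignedDocument struct {
	Body, Signature []byte
}

// Send selects only the named fields from the self-identity store and signs the result.
func Send(priv ed25519.PrivateKey, selfStore map[string]string, fields ...string) SignedDocument {
	doc := IdentityDocument{Claims: map[string]string{}, Keys: [][]byte{priv.Public().(ed25519.PublicKey)}}
	for _, f := range fields {
		if v, ok := selfStore[f]; ok {
			doc.Claims[f] = v
		}
	}
	body, err := json.Marshal(doc)
	if err != nil {
		panic(err)
	}
	return SignedDocument{Body: body, Signature: ed25519.Sign(priv, body)}
}

// RecognitionNumber is the short number both sides derive from the document bytes; the
// sender reads it to the recipient over a channel the attacker does not control. Six digits is an assumed format.
func RecognitionNumber(body []byte) uint32 {
	sum := sha256.Sum256(body)
	return binary.BigEndian.Uint32(sum[:4]) % 1_000_000
}

// Recipient keeps the recognized identity store, keyed by the raw public key that signed each document.
type Recipient struct {
	Recognized map[string]IdentityDocument
}

func NewRecipient() *Recipient {
	return &Recipient{Recognized: map[string]IdentityDocument{}}
}

// Receive verifies the signature, then decides reliability. A valid signature proves only
// that whoever holds the key embedded in the document produced it, so an unknown key is
// unreliable until the out-of-band recognition number matches.
func (r *Recipient) Receive(sd SignedDocument, outOfBand *uint32) (string, error) {
	var doc IdentityDocument
	if err := json.Unmarshal(sd.Body, &doc); err != nil {
		return "", err
	}
	if len(doc.Keys) == 0 || len(doc.Keys[0]) != ed25519.PublicKeySize {
		return "", errors.New("document carries no usable signing key")
	}
	pub := string(doc.Keys[0])
	if !ed25519.Verify(ed25519.PublicKey(doc.Keys[0]), sd.Body, sd.Signature) {
		return "", errors.New("signature does not verify against the embedded key")
	}
	if _, known := r.Recognized[pub]; known {
		r.Recognized[pub] = doc // refreshed identity information from a recognized key
		return "reliable", nil
	}
	if outOfBand == nil {
		return "", errors.New("unreliable identity: recognition number required")
	}
	if *outOfBand != RecognitionNumber(sd.Body) {
		return "", errors.New("recognition number mismatch: document not saved")
	}
	r.Recognized[pub] = doc
	return "verified", nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	// constructed sample self-identity store; "ssn" is deliberately never selected
	self := map[string]string{"email": "alice@example.com", "name": "Alice", "ssn": "do-not-share"}
	sd := Send(priv, self, "email", "name")
	r := NewRecipient()
	_, err := r.Receive(sd, nil)
	fmt.Println("first contact without a number:", err)
	n := RecognitionNumber(sd.Body) // Alice reads this out over the phone
	fmt.Println(r.Receive(sd, &n))
	fmt.Println(r.Receive(sd, nil))
}
```

    The order of checks is the point: a signature that verifies under a key the document itself carries says nothing about who holds that key, which is why an unknown key stays unreliable until the number confirmed over a second channel matches. Six digits is only an illustration; in a real deployment the number must be long enough that an attacker cannot find a document of their own that hashes to the same value.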

    5. Coexistence tools for synchronizing properties between on-premises customer locations and remote hosting services (granted invention patent, in force)

    Publication No.: US09063993B2

    Publication date: 2015-06-23

    Application No.: US12024088

    Filing date: 2008-01-31

    Abstract: Coexistence tools are described for synchronizing properties between on-premises customer locations and remote hosting services. These tools may provide methods that send the tools for installation onto on-premises infrastructure located at customer sites, execute the tools to manage the customer infrastructure remotely via a hosted service, and synchronize properties at the customer site with the hosted service. Other methods may include receiving the tools from the hosted service, communicating configuration parameters related to operating the tools, and executing the tools in response to the configuration parameters. The tools may also provide systems that include on-premises servers associated with the customer infrastructure, with the on-premises servers including on-premises coexistence components for maintaining the properties at the customer site. These systems may also include administrative servers associated with the hosted service. The administrative servers may include hosted-side coexistence components for maintaining and synchronizing counterparts of the on-premises properties.

    6. System and method for name resolution (granted invention patent, in force)

    Publication No.: US08473634B2

    Publication date: 2013-06-25

    Application No.: US10693516

    Filing date: 2003-10-23

    IPC class: H04L29/12066

    Abstract: In accordance with various aspects, the present invention relates to accessing and publishing documents between two computer systems or nodes that are connected together in a network environment. The system and method for name resolution stores an identity information document containing a user-friendly handle signifying identity, such as an email address, and a machine location, such as an IP address, for the publishing computer system where the documents are stored. Next, the system and method intercepts an initial request for access to documents when the initial request includes a user-friendly handle, and replaces the user-friendly handle with the machine location, so that network users may easily access these documents through knowledge only of the user-friendly handle.

    7. Application programming interface for centralized storage of principal data (granted invention patent, in force)

    Publication No.: US07200608B2

    Publication date: 2007-04-03

    Application No.: US10693097

    Filing date: 2003-10-23

    IPC class: G06F17/00 G06F15/173

    Abstract: In the present invention, data relating to principals known to a computer system is centrally stored, and objects having a standardized principal application programming interface (API) for finding, managing and accessing that data are provided to applications in lieu of having the applications independently store the principal data. The present invention eliminates the need for each application to create duplicate principal data. It also ensures that principal data are consistent throughout the applications on the computer system. In addition, the present invention allows any application with objects having the principal API to manage and change the principal data, making such principal data easy to update. The principal API includes methods to find principals based on an identity reference to a principal or an identity claim that uniquely identifies the principal on the computer system.

    8. Authentication and Authorization Across Autonomous Network Systems (invention application, in force)

    Publication No.: US20060184646A1

    Publication date: 2006-08-17

    Application No.: US11379998

    Filing date: 2006-04-24

    IPC class: G06F15/16

    CPC class: H04L63/0815 H04L63/083

    Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system, and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.
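    The trust-link routing decision above, as an added example written for this page (not the patent's code): a system resolves a principal's namespace suffix against its own domains first, then against the namespaces recorded on its trust links, taking the longest match; a namespace the administrator marked untrusted is refused even though its parent is trusted, and a namespace no link claims is refused. The forest names, the per-suffix trust flags and the sample principals are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TrustLink is the first system's record of a link to another autonomous network
// system: the peer's namespaces and, per namespace, whether this system's
// administrator chose to trust it.
type TrustLink struct {
	Peer       string
	Namespaces map[string]bool // namespace suffix -> trusted
}

// NetworkSystem is one autonomous system (one forest, in AD terms) with its own
// domains and its outbound trust links.
type NetworkSystem struct {
	Name    string
	Domains []string
	Links   []TrustLink
}

// Route decides where an authentication or authorization request for a principal
// goes: handled locally, forwarded over a trust link to the peer that owns the
// namespace, or refused. The longest matching namespace wins, so a more specific
// suffix can be excluded while its parent stays trusted.
func (s *NetworkSystem) Route(principal string) (string, error) {
	at := strings.LastIndex(principal, "@")
	if at < 0 {
		return "", errors.New("principal name has no namespace suffix")
	}
	suffix := strings.ToLower(principal[at+1:])
	for _, d := range s.Domains {
		if suffix == strings.ToLower(d) {
			return s.Name, nil
		}
	}
	var best TrustLink
	bestLen, bestTrusted := -1, false
	for _, l := range s.Links {
		for ns, trusted := range l.Namespaces {
			ns = strings.ToLower(ns)
			if (suffix == ns || strings.HasSuffix(suffix, "."+ns)) && len(ns) > bestLen {
				best, bestLen, bestTrusted = l, len(ns), trusted
			}
		}
	}
	switch {
	case bestLen < 0:
		return "", fmt.Errorf("no trust link claims namespace %q", suffix)
	case !bestTrusted:
		return "", fmt.Errorf("namespace %q is excluded on the link to %s", suffix, best.Peer)
	}
	return best.Peer, nil
}

// NewDemoSystem is a constructed two-forest topology: corp trusts partner's
// namespace, but the administrator excluded partner's lab sub-namespace.
func NewDemoSystem() *NetworkSystem {
	return &NetworkSystem{
		Name:    "corp.example",
		Domains: []string{"corp.example", "eu.corp.example"},
		Links: []TrustLink{{
			Peer: "partner.example",
			Namespaces: map[string]bool{
				"partner.example":     true,
				"lab.partner.example": false,
			},
		}},
	}
}

func main() {
	s := NewDemoSystem()
	for _, p := range []string{"alice@eu.corp.example", "bob@partner.example", "eve@lab.partner.example", "mallory@unknown.example"} {
		target, err := s.Route(p)
		fmt.Printf("%-26s -> %q %v\n", p, target, err)
	}
}
```

    Longest-suffix matching is what lets an administrator exclude lab.partner.example while still trusting partner.example; with first-match semantics the outcome would depend on iteration order. The same function serves the authorization path in the abstract, since a group-membership or ACL lookup for a foreign principal needs the same answer to the question of which system owns the name.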

    9. System and method for name resolution (invention application, in force)

    Publication No.: US20050091402A1

    Publication date: 2005-04-28

    Application No.: US10693516

    Filing date: 2003-10-23

    Abstract: In accordance with various aspects, the present invention relates to accessing and publishing documents between two computer systems or nodes that are connected together in a network environment. The system and method for name resolution stores an identity information document containing a user-friendly handle signifying identity, such as an email address, and a machine location, such as an IP address, for the publishing computer system where the documents are stored. Next, the system and method intercepts an initial request for access to documents when the initial request includes a user-friendly handle, and replaces the user-friendly handle with the machine location, so that network users may easily access these documents through knowledge only of the user-friendly handle.

    10. Moving principals across security boundaries without service interruption (granted invention patent, in force)

    Publication No.: US07814312B2

    Publication date: 2010-10-12

    Application No.: US12058968

    Filing date: 2008-03-31

    IPC class: H04L9/00

    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
