公开(公告)号：US20060224891A1

公开(公告)日：2006-10-05

申请号：US11096829

申请日：2005-04-01

申请人： Cristian Ilac ,  Karthik Jaganathan ,  Murli Satagopan ,  Tarek Bahna Mahmoud Kamel ,  Todd Stecher

发明人： Cristian Ilac ,  Karthik Jaganathan ,  Murli Satagopan ,  Tarek Bahna Mahmoud Kamel ,  Todd Stecher

IPC分类号： H04L9/00

CPC分类号： H04L9/3213 ,  H04L9/0833

摘要： Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_ where is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.