    1. Scheme for sub-realms within an authentication protocol
    Granted invention (in force)

    Publication No.: US07571311B2

    Publication date: 2009-08-04

    Application No.: US11096829

    Filing date: 2005-04-01

    IPC classification: H04L9/32

    CPC classification: H04L9/3213 H04L9/0833

    Abstract: Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_ where is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.


    2. System and method for protecting domain data against unauthorized modification
    Granted invention (in force)

    Publication No.: US07200869B1

    Publication date: 2007-04-03

    Application No.: US09663811

    Filing date: 2000-09-15

    Abstract: Described is an invention for safeguarding against the modification of certain data associated with one domain of a distributed network by an entity (such as an administrator) within another domain of the distributed network, while still allowing the entity to modify other data associated with the one domain. More particularly, security safeguards are applied by a directory replication service that operates to replicate the shared data to each domain in a domain “forest.” Those security safeguards allow a user to indicate that certain modifications of specified shared data may only be made within the domain in which the shared data was created. In that way, a shared data namespace may still be implemented in which trust relationships exist so that, for example, an administrator in one domain may alter a configuration of another domain within the forest. However, certain data may be restricted by these safeguards such that certain modifications of that data (e.g., taking ownership of the data) may only be done from the domain which currently owns the data.


    3. Authentication and authorization across autonomous network systems
    Granted invention (in force)

    Publication No.: US07617522B2

    Publication date: 2009-11-10

    Application No.: US11379998

    Filing date: 2006-04-24

    IPC classification: G06F17/00 H04K1/00

    CPC classification: H04L63/0815 H04L63/083

    Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system, and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.


    4. Authentication and authorization across autonomous network systems
    Granted invention (in force)

    Publication No.: US07185359B2

    Publication date: 2007-02-27

    Application No.: US10029426

    Filing date: 2001-12-21

    IPC classification: G06F7/04 G06F17/30 H04L9/32

    CPC classification: H04L63/0815 H04L63/083

    Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system, and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.


    5. Method and system for replication in a hybrid network
    Granted invention (in force)

    Publication No.: US06751674B1

    Publication date: 2004-06-15

    Application No.: US09360498

    Filing date: 1999-07-26

    IPC classification: G06F1516

    Abstract: A method and system for networking multiple-master servers, including multiple-master servers, with single-master servers are described. A checkpoint flag is used to identify a state in which the same changes are present in the change-log of a first multiple-master server, which is emulating a primary server for the single-master servers in the network, and in the change-log of a second multiple-master server in the network. This is done by identifying a replication cycle in which no changes are made to either the first multiple-master server or the second multiple-master server. The change-log of the first multiple-master server is adopted by the second multiple-master server, thus ensuring that the multiple-master servers in the network have their change-logs converge to reflect the order in the change-log of the multiple-master server emulating a primary server. Thus any of the multiple-master servers can take over the task of the primary server in the event such a promotion is required, without inconveniencing the single-master servers in the network. This strategy helps in the realization of hybrid networks that retain both single-master and multiple-master functionality and, moreover, facilitates a smooth and economical switch from a single-master-server-based network to a multiple-master-server-based network.


    7. Multi-master unique identifier allocation
    Granted invention (in force)

    Publication No.: US06457053B1

    Publication date: 2002-09-24

    Application No.: US09157772

    Filing date: 1998-09-21

    IPC classification: G06F1516

    Abstract: A system for multi-master unique identifier allocation comprises a server for allocating pools of identifiers to requesting servers and at least one server for requesting pools of identifiers and allocating individual identifiers as necessary. A single master server allocates “pools” of unique identifiers to network servers upon request. The network servers in turn allocate unique identifiers from their pool as necessary when the server generates new system objects. When a network server's pool of unique identifiers is nearly depleted, the network server requests an additional pool of identifiers from the master server.
