Title: Resource protection on un-trusted devices
Abstract: Authenticating a user to a first service to allow the user to access a resource provided by the first service. The resource is a protected resource requiring a general purpose credential (e.g. a user name and/or password) to access the resource. The method includes receiving at a second service, from the device, an ad-hoc credential. The ad-hoc credential is a credential that is particular to the device. The ad-hoc credential can be used to authenticate both the user and the device, but cannot be directly used as authentication at the first service for the user to access the resource. The method further includes, at the second service, substituting the general purpose credential for the ad-hoc credential and forwarding the general purpose credential to the first service. As such, the first service can provide the resource to the user at the device.
Publication number: US9106634(B2) Publication date: 2015.08.11
Application number: US201313732526 Filing date: 2013.01.02
Applicant: Microsoft Technology Licensing, LLC Inventors: Mendelovich Meir;Matchoro Ron
Classification: H04L29/06;G06F21/33 Main classification: H04L29/06
Agency: (not listed) Agents: Churna Timothy;Fashokun Sade;Minhas Micky
Principal claim: 1. In a computing environment comprising one or more hardware processors, a method of authenticating an untrusted device to an enterprise service, the method comprising: at an enterprise gateway service of an enterprise network, receiving from an untrusted device that is outside of the enterprise network a secondary user credential for access to a plurality of services within the enterprise network, wherein the secondary user credential is associated with the untrusted device and with a primary user credential and is indirectly usable for access to one or more of the plurality of services by the untrusted device, the primary user credential being directly usable for access to the plurality of services by trusted devices that are within the enterprise network, wherein the enterprise gateway service is configured to enforce one or more restrictions that allow the secondary user credential to be used with a particular set of untrusted devices that includes the untrusted device, while excluding use of the secondary user credential with one or more devices not in the particular set of untrusted devices, and wherein the enterprise gateway service is configured to enforce a policy that limits access that the untrusted device is granted to the plurality of services based on the secondary user credential having been used, as compared to access that the trusted devices would be granted to the plurality of services when using the primary user credential; at the enterprise gateway service, verifying that the secondary user credential was received from the untrusted device that is associated with the secondary user credential; at the enterprise gateway service, verifying that the secondary user credential is valid; and at the enterprise gateway service, based on the secondary user credential having been received from the untrusted device that is associated with the secondary user credential and based on the secondary user credential being valid, substituting the primary user credential for the secondary user credential, and forwarding the primary user credential to a first service of the plurality of services for granting the untrusted device access to the first service based on use of the secondary user credential, while enforcing the policy by refraining from forwarding the primary user credential to a second service of the plurality of services that would otherwise be accessible by a trusted device using the primary user credential.
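The gateway logic the claim describes, as an added illustration that is not code from the patent or from Microsoft: a device-bound secondary credential (here an HMAC-tagged token, an assumed construction) is checked for validity and device binding, the primary credential is substituted only for services the per-device policy allows, and forwarding is refused for a service a trusted device could otherwise reach. All names, secrets and the policy table are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data (not from the patent): the gateway's signing key, the
# user's primary credential (never sent to the untrusted device), and the set of
# services each permitted untrusted device may reach.
GATEWAY_KEY = b"constructed-gateway-secret"
PRIMARY_CREDENTIALS = {"alice": ("alice", "primary-password-constructed")}
ALL_SERVICES = {"mail", "hr-payroll"}          # reachable with the primary credential
DEVICE_POLICY = {"phone-1234": {"mail"}}        # reduced access for untrusted devices

def issue_secondary_credential(user, device_id, ttl=3600, now=None):
    """Mint a secondary credential bound to one user and one device (assumed format)."""
    now = time.time() if now is None else now
    claims = {"u": user, "d": device_id, "exp": int(now + ttl)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def gateway_forward(secondary, presenting_device, service, now=None):
    """Return (service, primary_credential) the gateway would forward, or None if denied."""
    now = time.time() if now is None else now
    try:
        b64, tag = secondary.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:                           # malformed token
        return None
    # Validity: the tag must verify (constant-time compare) and the token must be unexpired.
    expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    # Device binding: honour the credential only from the device it was issued to,
    # and only if that device is in the permitted set of untrusted devices.
    if claims["d"] != presenting_device or presenting_device not in DEVICE_POLICY:
        return None
    # Reduced policy: refuse services the primary credential alone would reach.
    if service not in ALL_SERVICES or service not in DEVICE_POLICY[presenting_device]:
        return None
    # Substitute the primary credential and forward it to the first service.
    return service, PRIMARY_CREDENTIALS[claims["u"]]
```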
Address: Redmond WA US