CN100512107C - Security identification method - Google Patents

Security identification method

Info

Publication number: CN100512107C
Authority: CN (China)
Prior art keywords: user, authentication, windows, domain controller, certificate server
Legal status: Active
Application number: CNB2005100027594A
Other languages: Chinese (zh)
Other versions: CN1725687A (en)
Inventors: 陈有琨, 杜凤山
Current Assignee: New H3C Information Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CNB2005100027594A; publication of CN1725687A; application granted; publication of CN100512107C; legal status active; anticipated expiration.

Abstract

A security authentication method in which the client terminal issues a Windows domain logon request; the 802.1x client obtains the user identification data from that request and issues an 802.1x access authentication request to the authentication server; the server grants the client terminal the right to access the network; the 802.1x client then controls the client terminal to carry out Windows domain authentication; and the client terminal continues the domain logon procedure to obtain access rights to application resources.

Description

A security authentication method
Technical field
The present invention relates to security authentication methods, and more particularly to a method for unifying 802.1x authentication and Windows domain authentication in a network.
Background technology
Enterprise IT adoption continues to deepen, enterprise broadband is deployed ever more widely, and enterprise networks provide more and more network resources. Many enterprises and institutions have set up management systems based on a Windows domain and manage the permissions of all users centrally through that domain. The server that manages the domain is called the domain controller (or Windows domain controller). As with an ordinary PC startup, such Windows-domain information management systems perform security authentication by username-and-password logon: the user enters a username and password to sign in to the domain, after which no password has to be entered again when accessing any resource managed by that domain. However, the permission control of this authentication method reaches only the application layer of the Windows information management system; it cannot control the user's physical access rights, such as the right to connect to the network, which leaves many hidden risks for the network and application security of the enterprise network.
To control and manage network resources more effectively and improve the security of network access, the industry additionally identifies connecting users and controls their access rights through 802.1x authentication as part of security authentication. The specific implementation is as follows:
The user is given a separate 802.1x client, and to get online the user must pass 802.1x authentication before accessing the network. In practice the user must first enter the Windows desktop, then open the 802.1x client and perform 802.1x authentication; only after authentication passes can the user access the network. When the user needs to access resources restricted by the Windows domain controller, the domain username and password are entered once more to perform Windows domain authentication.
From the above, the prior art has the following shortcomings:
The Windows domain and the 802.1x authentication server each hold their own dedicated user identity and permission control information, so the user needs two sets of usernames and passwords, one to access the network and one to log on to the Windows domain. The user's identity is not unified, the user must remember two sets of credentials, and operation is cumbersome. For example, if users are required to pass 802.1x authentication before they may go online, a user must first enter the Windows desktop, then open the 802.1x client to get online, and when accessing domain-controlled resources enter the domain username and password yet again; the whole procedure is very tedious.
Summary of the invention
The technical problem solved by the present invention is to provide a user-friendly security authentication method that unifies the 802.1x and Windows domain authentication flows and further strengthens the security of the Windows domain.
To solve the above problem, a security authentication method of the present invention is used to realize unified 802.1x and Windows domain authentication in a network. The network includes an authenticating device, an authentication server for 802.1x access authentication, an 802.1x client installed on a user terminal computer in the Windows domain, and a Windows domain controller. The method comprises the following steps:
a. The Windows operating system on the user terminal computer initiates a Windows domain logon request according to the user identification information;
b. The 802.1x client intercepts the logon request and obtains the user identification information;
c. The 802.1x client initiates, via the authenticating device, an authentication request containing the user identification information to the authentication server, and 802.1x access authentication is carried out;
d. The authentication server forwards the user authentication request to the Windows domain controller, which verifies whether the user is a valid user; if the user is valid, 802.1x access authentication passes;
e. After 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then controls the user terminal to carry out Windows domain authentication;
f. The Windows operating system on the user terminal computer continues the domain logon process and obtains access rights to application resources.
The method further comprises:
In step d, if the domain controller determines that the user is not a valid user, authentication fails and the authentication process ends.
Verifying whether the user is a valid user through the domain controller comprises:
The Windows domain controller determines, according to the user identification information, whether the user is a valid user, and notifies the authentication server of the result.
The Windows domain controller determining whether the user is a valid user comprises: the Windows domain controller compares the user identification information of the authentication request against all pre-stored authorized user identification information to determine whether the user requesting logon is a valid user.
The user identification information comprises a username and a password.
The authentication server is an authentication, authorization and accounting (AAA) server.
In addition, another security authentication method of the present invention is used to realize unified 802.1x and Windows domain authentication in a network that includes an authentication server for 802.1x access authentication and an 802.1x client installed on a user terminal computer in the Windows domain. The method comprises the following steps:
a. The Windows operating system on the user terminal computer initiates a Windows domain logon request;
b. The 802.1x client intercepts the logon request and initiates 802.1x access authentication to the authentication server;
c. The authentication server carries out 802.1x access authentication through the Windows domain controller;
d. After 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then controls the user terminal to carry out Windows domain authentication.
The network further includes an authenticating device, the logon request contains user identification information, and step b specifically comprises:
b1. The 802.1x client intercepts the logon request and obtains the user identification information;
b2. The 802.1x client initiates 802.1x access authentication to the authentication server via the authenticating device according to the user identification information.
Step b2 specifically comprises:
The 802.1x client sends an authentication request containing the user identification information to the authentication server via the authenticating device.
The network includes a Windows domain controller, which may be integrated with or separate from the authentication server as actual circumstances require, and step c specifically comprises:
The authentication server forwards the authentication request to the Windows domain controller;
The Windows domain controller determines, according to the user identification information, whether the user is a valid user, and notifies the authentication server of the result;
According to this result, the authentication server determines whether the user is a valid user and grants the corresponding access rights.
The Windows domain controller compares the user identification information of the authentication request against all pre-stored authorized user identification information to determine whether the user requesting logon is a valid user.
Compared with the prior art, the present invention has the following beneficial effects:
First, the present invention needs only one set of username and password and a single authentication operation to achieve unified Windows domain and 802.1x authentication. Operation is convenient, the user no longer has to remember two sets of usernames and passwords, and the unified authentication flow is transparent and fully consistent with the ordinary domain authentication process, so no additional user training is needed;
Second, in the present invention the user must pass 802.1x authentication before being able to access and log on to the Windows domain, which improves the security of application resources in the domain;
In addition, the present invention allows usernames and passwords to be maintained uniformly and centrally by the domain controller, which improves the security of user password protection and makes it convenient for users to change their passwords.
Description of drawings
Fig. 1 is a structural schematic of an 802.1X authentication network system in a prior-art LAN system;
Fig. 2 is a flow chart of a specific implementation of the security authentication method of the present invention.
Embodiment
Referring to Fig. 1, which is a structural schematic of an 802.1X authentication network system in a prior-art LAN system, the operating principle of each entity in the figure is as follows:
When client 1 has an authentication request, it first passes its own identity information, via authenticating device 2 and network 3, to authentication server 4. Authentication server 4 performs the authentication operation on the client's identity information. If authentication passes, authentication server 4 returns an authentication success message to authenticating device 2, which, on receiving the success message, allows client 1 to access network resources. If authentication does not pass, authentication server 4 returns an authentication failure message to authenticating device 2, which, on receiving the failure message, refuses client 1 access to network resources.
In the present invention, the management system based on the Windows domain comprises the user terminal computers in the domain and the domain controller. To realize unified 802.1X authentication and domain authentication, the above 802.1x client software can be installed on the user terminal computers in the domain, running Windows 2000 or a later operating system, to perform 802.1x authentication.
The authentication process of the present invention is described below with a specific embodiment.
Referring to Fig. 2, which is a flow chart of a specific implementation of the authentication method of the present invention:
In this embodiment the client is a domain user terminal computer with the above 802.1x client software installed; as the authentication requester it initiates requests to the authenticating device (Authenticator), which tests the legitimacy of its identity;
The authenticating device is a switch, which responds to the client's authentication requests;
The authentication server is an authentication, authorization and accounting (AAA) server, which checks the identity sent by the client and judges whether this requester is entitled to use the network service provided by the authenticating device (the switch).
The detailed security authentication process is as follows; it can be divided into an 802.1x authentication phase and a domain authentication phase:
802.1x authentication phase:
After a user terminal equipped with the 802.1x client starts up, it enters the ordinary Windows domain logon interface;
In step 11, the Windows operating system of the user terminal computer initiates a Windows logon request according to the user identification information and domain name entered by the user in this interface; in this embodiment the user identification information specifically comprises a username and a password;
In step 12, the 802.1x client intercepts the Windows domain logon request, obtains the user identification information (the username and password) that the user entered in the Windows domain logon interface, and initiates 802.1x authentication before the user continues with Windows domain authentication;
In step 13, the 802.1x client initiates, via the authenticating device (the switch in this embodiment), an authentication request containing the user identification information to the authentication server (the AAA server in this embodiment);
In step 14, the authentication server determines whether the user is a valid user; if so, step 15 is executed; otherwise step 16 is executed: authentication fails and the authentication process ends;
In step 15, access authentication passes and the user is authorized to access the network.
It should be noted that when the authentication server determines whether the user is a valid user, the user identity information is maintained uniformly by the domain controller, and the user is authenticated through the following steps:
First, the AAA server forwards the user authentication request to the Windows domain controller, which performs username and password verification; this is not domain authentication, but the domain controller verifying whether the user is a valid user;
After verification by the domain controller, the domain controller returns the identity verification result to the AAA server; if verification succeeded, the AAA server grants this user terminal network access rights. At this point the 802.1x authentication process has ended and the user has obtained the right to access the network; but the authentication process as a whole is not finished, as domain authentication follows;
Domain authentication phase:
On the precondition that the user has passed 802.1x authentication, in step 17 the 802.1x client controls the user terminal to continue with Windows domain authentication: the Windows operating system on the user terminal computer hosting the 802.1x client completes the ordinary domain logon process and obtains access rights to application resources. Since the domain authentication process is well known in the art, it is not described in detail here.
Thus, through the above unified authentication flow, 802.1x access authentication and Windows domain logon authentication can be completed together, achieving the purpose of unified authentication and single sign-on.
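The four-party exchange of Fig. 1 (client, authenticating switch, authentication server) and the unified flow of steps 11 to 17 above, written out as an added in-process Python simulation; this is example code, not code from the patent or from any H3C product. The class names, the salted PBKDF2 storage of passwords on the domain controller, and the constructed sample account "alice" are assumptions of the example (the patent only says the identity information is "pre-stored"); the domain logon of step 17 is represented by a trace event only, because the patent leaves the domain authentication process itself undescribed.

```python
"""In-process simulation of the unified 802.1x + Windows-domain logon flow."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:
    username: str   # user identification information entered at the logon screen
    password: str
    domain: str


class DomainController:
    """Keeps the authorized identity records centrally (hash storage is an assumption)."""

    def __init__(self):
        self._users = {}  # username -> (salt, PBKDF2 hash of the password)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def verify_identity(self, creds):
        """Step d / step 14: compare the submitted identity against the stored
        authorized records and return a judgement; this is not a domain logon."""
        entry = self._users.get(creds.username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(salt, creds.password))


class AAAServer:
    """802.1x authentication server: no user database of its own, forwards to the DC."""

    def __init__(self, dc):
        self.dc = dc

    def authenticate(self, creds):
        return self.dc.verify_identity(creds)


class Authenticator:
    """Access switch of Fig. 1: the port stays unauthorized until the server says success."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.port_authorized = False

    def handle_request(self, creds):
        self.port_authorized = self.aaa.authenticate(creds)
        return self.port_authorized


class Dot1xClient:
    """802.1x client on the domain member: intercepts the logon request (step 12)
    and runs 802.1x before the domain logon is allowed to continue."""

    def __init__(self, authenticator):
        self.authenticator = authenticator

    def intercept_logon(self, creds):
        if self.authenticator.handle_request(creds):           # step 13
            return "802.1x passed: network access granted"     # step 15
        return "authentication ended: not a valid user"        # step 16


class Workstation:
    """Windows OS side: raises the logon request (step 11) and, only once the port
    is authorized, continues the ordinary domain logon (step 17, not modelled)."""

    def __init__(self, dot1x):
        self.dot1x = dot1x
        self.events = []

    def domain_logon(self, creds):
        self.events.append("domain logon request")
        self.events.append(self.dot1x.intercept_logon(creds))
        if not self.dot1x.authenticator.port_authorized:
            return False                                       # no network, no domain logon
        self.events.append("domain logon completed: application resources granted")
        return True


def run_unified_logon(username, password, domain="CORP"):
    """One logon attempt against a freshly wired lab; returns
    (logon succeeded, port authorized, event trace)."""
    dc = DomainController()
    dc.add_user("alice", "correct horse battery")   # constructed sample account
    ws = Workstation(Dot1xClient(Authenticator(AAAServer(dc))))
    ok = ws.domain_logon(Credentials(username, password, domain))
    return ok, ws.dot1x.authenticator.port_authorized, ws.events
```

Running run_unified_logon with a wrong password or an unknown username exercises the step 16 path: the switch port never becomes authorized and the trace ends before any domain logon event, which is the ordering the patent relies on when it says the user must pass 802.1x before reaching the domain. Because the AAA server holds no credentials of its own, there is only one identity database to maintain and to protect, the point made under "beneficial effects".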
It should be noted that the above is only a preferred embodiment of the present invention. In a specific implementation, those skilled in the art may also adapt the authentication server and the domain controller to actual conditions; for example, to reduce hardware cost, the authentication server and the domain controller may be integrated into one physical device that performs both functions. This is not repeated here.
The above is only a preferred implementation of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (11)

1. A security authentication method for realizing unified 802.1x and Windows domain authentication in a network, the network including an authenticating device, an authentication server for 802.1x access authentication, an 802.1x client installed on a user terminal computer in the Windows domain, and a Windows domain controller, characterized in that the method comprises the steps:
a. The Windows operating system on the user terminal computer initiates a Windows domain logon request according to user identification information;
b. The 802.1x client intercepts the logon request and obtains the user identification information;
c. The 802.1x client initiates, via the authenticating device, an authentication request containing the user identification information to the authentication server, and 802.1x access authentication is carried out;
d. The authentication server forwards the user authentication request to the Windows domain controller, which verifies whether the user is a valid user; if the user is valid, 802.1x access authentication passes;
e. After 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then controls the user terminal to carry out Windows domain authentication;
f. The Windows operating system on the user terminal computer continues the domain logon process and obtains access rights to application resources.
2. The security authentication method according to claim 1, characterized in that the method further comprises:
In step d, if the domain controller determines that the user is not a valid user, authentication fails and the authentication process ends.
3. The security authentication method according to claim 1, characterized in that verifying whether the user is a valid user through the domain controller comprises:
The Windows domain controller determines, according to the user identification information, whether the user is a valid user, and notifies the authentication server of the result.
4. The security authentication method according to claim 3, characterized in that the Windows domain controller determining, according to the user identification information, whether the user is a valid user comprises:
The Windows domain controller compares the user identification information of the authentication request against all pre-stored authorized user identification information to determine whether the user requesting logon is a valid user.
5. The security authentication method according to any one of claims 1, 2, 3 or 4, characterized in that the user identification information comprises a username and a password.
6. The security authentication method according to claim 5, characterized in that the authentication server is an authentication, authorization and accounting server.
7. A security authentication method for realizing unified 802.1x and Windows domain authentication in a network, the network including an authentication server for 802.1x access authentication and an 802.1x client installed on a user terminal computer in the Windows domain, characterized in that the method comprises the steps:
a. The Windows operating system on the user terminal computer initiates a Windows domain logon request;
b. The 802.1x client intercepts the logon request and initiates 802.1x access authentication to the authentication server;
c. The authentication server carries out 802.1x access authentication through the Windows domain controller;
d. After 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then controls the user terminal to carry out Windows domain authentication.
8. The security authentication method according to claim 7, characterized in that the network further includes an authenticating device, the logon request contains user identification information, and step b specifically comprises:
b1. The 802.1x client intercepts the logon request and obtains the user identification information;
b2. The 802.1x client initiates 802.1x access authentication to the authentication server via the authenticating device according to the user identification information.
9. The security authentication method according to claim 8, characterized in that step b2 specifically comprises:
The 802.1x client sends an authentication request containing the user identification information to the authentication server via the authenticating device.
10. The security authentication method according to claim 9, characterized in that the network includes a Windows domain controller, which may be integrated with or separate from the authentication server as actual circumstances require, and step c specifically comprises:
The authentication server forwards the authentication request to the Windows domain controller;
The Windows domain controller determines, according to the user identification information, whether the user is a valid user, and notifies the authentication server of the result;
According to this result, the authentication server determines whether the user is a valid user and grants the corresponding access rights.
11. The security authentication method according to claim 10, characterized in that the Windows domain controller determining, according to the user identification information, whether the user is a valid user comprises:
The Windows domain controller compares the user identification information of the authentication request against all pre-stored authorized user identification information to determine whether the user requesting logon is a valid user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100027594A CN100512107C (en) 2005-01-26 2005-01-26 Security identification method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100027594A CN100512107C (en) 2005-01-26 2005-01-26 Security identification method

Publications (2)

Publication Number Publication Date
CN1725687A CN1725687A (en) 2006-01-25
CN100512107C true CN100512107C (en) 2009-07-08

Family

ID=35924941

Family Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100027594A Active CN100512107C (en) 2005-01-26 2005-01-26 Security identification method

Country Status (1)

Country Link
CN (1) CN100512107C (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101064604B (en) * 2006-04-29 2012-04-18 西门子公司 Remote access process, system and equipment
CN101166173B (en) * 2006-10-20 2012-03-28 北京直真节点技术开发有限公司 A single-node login system, device and method
WO2009155812A1 (en) * 2008-06-23 2009-12-30 华为技术有限公司 Terminal access method, access management method, network equipment and communication system
CN103281185A (en) * 2013-05-08 2013-09-04 深圳创维数字技术股份有限公司 Method and system for controlling resource access of terminal
CN103259795B (en) * 2013-05-14 2016-12-28 百度在线网络技术(北京)有限公司 Perform registration logs in automatically method, mobile terminal and server
US10108965B2 (en) * 2015-07-14 2018-10-23 Ujet, Inc. Customer communication system including service pipeline
US10063560B2 (en) * 2016-04-29 2018-08-28 Microsoft Technology Licensing, Llc Gaze-based authentication
CN109558433B (en) * 2017-09-27 2022-04-12 北京京东尚科信息技术有限公司 Method and device for requesting access to HDFS
CN107623701B (en) * 2017-10-31 2020-07-14 江苏神州信源系统工程有限公司 Fast safety authentication method and device based on 802.1X
CN109829284A (en) * 2018-12-29 2019-05-31 曙光信息产业(北京)有限公司 A method of integrating Linux and Windows operating system unifying user authentication

Also Published As

Publication number Publication date
CN1725687A (en) 2006-01-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230625

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.