CN1725687A - Security identification method

Info

Publication number: CN1725687A
Authority: CN (China)
Prior art keywords: user, authentication, authentication server, Windows, client
Legal status: Granted (active)
Application number: CN 200510002759 (CNB2005100027594A)
Other languages: Chinese (zh)
Other versions: CN100512107C (en)
Inventors: 陈有琨, 杜凤山
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: Hangzhou Huawei 3Com Technology Co Ltd (application filed by Hangzhou Huawei 3Com Technology Co Ltd)
Priority date: 2005-01-26
Filing date: 2005-01-26
Publication date: 2006-01-25 (CN1725687A); granted 2009-07-08 as CN100512107C

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
Abstract

A security authentication method in which the client terminal issues a Windows domain logon request; the 802.1x client obtains the user identity information from that request and initiates 802.1x access authentication with the authentication server; the authentication server grants the client terminal the right to access the network; the 802.1x client then lets the client terminal carry out Windows domain authentication, and the client terminal continues the domain logon procedure to obtain access rights to application resources.

Description

Security authentication method
Technical field
The present invention relates to security authentication methods, and more particularly to a method for realizing unified 802.1x and Windows domain authentication in a network.
Background
Enterprise IT adoption continues to deepen, enterprise broadband is deployed ever more widely, and the network resources an enterprise network provides keep growing. Many enterprises and institutions have built management systems based on a Windows domain and manage the permissions of all users centrally through that domain. The server that manages the domain is called the domain controller (or Windows domain controller). As with an ordinary PC start-up, such a Windows-domain-based information management system performs security authentication by username and password logon: the user enters a username and password to sign in to the domain and afterwards need not re-enter the password each time a resource managed by that domain is accessed. However, the permission control of this authentication scheme reaches only the application layer of the Windows information management system; it cannot control the user's physical access rights, for example network access rights, which leaves many hidden risks for the network and application security of the enterprise network.
To control and manage network resources more effectively and improve the security of network access, the industry additionally identifies access users and controls their permissions through 802.1x authentication at the time of security authentication. The concrete implementation is as follows:
The user is given a separate 802.1x client. To go online, the user must pass 802.1x authentication before accessing the network. In practice the user first has to enter the Windows desktop, then open the 802.1x client and perform 802.1x authentication; only after that authentication passes can the user access the network. When the user then needs to access resources restricted by the Windows domain controller, the user enters the domain username and password and performs Windows domain authentication a second time.
From the above, the prior art has the following shortcomings:
The Windows domain and the 802.1x authentication server each hold their own dedicated user identification and permission control information, so a user needs two sets of usernames and passwords to access the network and to log on to the Windows domain. The user's identity is not unified, the user must remember two sets of credentials, and operation is cumbersome. For example, if the user is required to pass 802.1x authentication before going online, the user must first enter the Windows desktop, then open the 802.1x client to get online, and when accessing domain-controlled resources must enter the domain username and password once again; the procedure is very tedious.
Summary of the invention
The technical problem solved by the present invention is to provide a user-friendly security authentication method that unifies the 802.1x and Windows domain authentication flows and further strengthens the security of the Windows domain.
To solve the above problem, a security authentication method of the present invention is used to realize unified 802.1x and Windows domain authentication in a network. The network includes an authenticator device, an authentication server used for 802.1x access authentication, an 802.1x client installed on a user terminal computer in the Windows domain, and a Windows domain controller. The method comprises the following steps:
a. the Windows operating system on the user terminal computer initiates a Windows domain logon request according to the user identity information;
b. the 802.1x client intercepts the logon request and obtains the user identity information;
c. the 802.1x client initiates 802.1x access authentication with the authentication server, via the authenticator device, according to the user identity information;
d. after the 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then lets the user terminal carry out Windows domain authentication;
e. the Windows operating system on the user terminal computer continues the domain logon process and obtains access rights to application resources.
Step c comprises:
c1. the 802.1x client sends an authentication request containing the user identity information to the authentication server via the authenticator device;
c2. the authentication server determines whether the user is a legitimate user; if so, step c3 is executed, otherwise step c4;
c3. access authentication passes, and the authentication server authorizes the user to access the network;
c4. authentication fails, and the authentication ends.
Determining in step c2 whether the user is a legitimate user comprises:
c21. the authentication server forwards the authentication request to the Windows domain controller;
c22. the Windows domain controller determines from the user identity information whether the user is a legitimate user and notifies the authentication server of the result;
c23. from that result the authentication server determines whether the user is a legitimate user.
The Windows domain controller in step c22 pre-stores the identity information of all authorized users and verifies whether the user requesting logon is legitimate by comparing the identity information in the authentication request with the pre-stored identity information.
The user identity information comprises a username and password.
The authentication server is an authentication, authorization and accounting (AAA) server.
In addition, another security authentication method of the present invention is used to realize unified 802.1x and Windows domain authentication in a network that includes an authentication server used for 802.1x access authentication and an 802.1x client installed on a user terminal computer in the Windows domain. The method comprises the following steps:
a. the Windows operating system on the user terminal computer initiates a Windows domain logon request;
b. the 802.1x client intercepts the logon request and initiates 802.1x access authentication with the authentication server;
c. after the 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then lets the user terminal carry out Windows domain authentication.
The network further includes an authenticator device, the logon request contains user identity information, and step b specifically comprises:
b1. when the 802.1x client intercepts the logon request, it obtains the user identity information;
b2. the 802.1x client initiates 802.1x access authentication with the authentication server, via the authenticator device, according to the user identity information.
Step b2 specifically comprises:
the 802.1x client sends an authentication request containing the user identity information to the authentication server via the authenticator device;
the authentication server determines whether the user is a legitimate user; if so, step c1 is executed, otherwise step c2;
c1. access authentication passes, and the authentication server authorizes the user to access the network;
c2. authentication fails, and the authentication ends.
The network includes a Windows domain controller, which may, depending on actual circumstances, be integrated with the authentication server or deployed separately from it, and the step in which the authentication server determines whether the user is a legitimate user comprises:
the authentication server forwards the authentication request to the Windows domain controller;
the Windows domain controller determines from the user identity information whether the user is a legitimate user and notifies the authentication server of the result;
from that result the authentication server determines whether the user is a legitimate user and grants the corresponding access rights.
Compared with the prior art, the present invention has the following beneficial effects:
First, the present invention needs only one set of username and password and one authentication operation to achieve unified Windows domain and 802.1x authentication. This is convenient for the user and removes the burden of remembering two sets of usernames and passwords; the unified authentication flow is transparent and identical to the ordinary domain authentication process, so no additional user training is needed.
Second, in the present invention the user must first pass 802.1x authentication before being able to access and log on to the Windows domain, which improves the security of the application resources in the domain.
In addition, the present invention allows usernames and passwords to be maintained uniformly and centrally by the domain controller, improving the protection of user passwords and making it convenient for users to change their passwords.
Brief description of the drawings
Fig. 1 is a structural schematic of an 802.1X authentication network system in a prior-art LAN;
Fig. 2 is a flow chart of a specific implementation of the security authentication method of the present invention.
Detailed description
Referring to Fig. 1, a structural schematic of an 802.1X authentication network system in a prior-art LAN, the entities in the figure work as follows:
When client 1 has an authentication request, it first passes its own identity information via authenticator device 2 over network 3 to authentication server 4. Authentication server 4 authenticates the client's identity information. If authentication passes, authentication server 4 returns an authentication success message to authenticator device 2, and on receiving it authenticator device 2 allows client 1 to access network resources. If authentication fails, authentication server 4 returns an authentication failure message to authenticator device 2, and on receiving it authenticator device 2 refuses client 1 access to network resources.
In the present invention the Windows-domain-based management system comprises the user terminal computers in the domain and the domain controller. To realize unified 802.1X authentication and domain authentication, the above 802.1x client software is installed on the user terminal computers in the domain, running Windows 2000 or a later operating system, to perform 802.1x authentication.
The authentication process of the present invention is described below with a specific embodiment.
Referring to Fig. 2, a flow chart of a specific implementation of the authentication method of the present invention:
In this embodiment the client is a domain user terminal computer with the above 802.1x client software installed; acting as the authentication supplicant, it initiates a request to the authenticator device (Authenticator) so that the legitimacy of its identity can be verified;
The authenticator device is a switch that responds to the client's authentication request;
The authentication server is an authentication, authorization and accounting (AAA) server which, by checking the identity submitted by the client, judges whether the requester is entitled to use the network service provided by the authenticator device (the switch).
The detailed security authentication process is described as follows; it can be divided into an 802.1x authentication phase and a domain authentication phase:
802.1x authentication phase:
After the user terminal with the 802.1x client installed starts up, it enters the ordinary Windows domain logon screen;
In step 11, the Windows operating system of the user terminal computer initiates a Windows logon request according to the user identity information and domain name entered on this screen; in this embodiment the user identity information specifically comprises a username and password;
In step 12, the 802.1x client intercepts the Windows domain logon request and obtains the user identity information (the username and password) entered on the Windows domain logon screen; before the user proceeds to Windows domain authentication, it first initiates 802.1x authentication;
In step 13, the 802.1x client sends an authentication request containing the user identity information to the authentication server (the AAA server in this embodiment) via the authenticator device (the switch in this embodiment);
In step 14, the authentication server determines whether the user is a legitimate user; if so, step 15 is executed; otherwise step 16 is executed, authentication fails and the authentication ends;
In step 15, access authentication passes and the user is authorized to access the network.
Note that when the authentication server determines whether the user is legitimate, the user identity information is maintained uniformly by the domain controller, and the user is authenticated by the following steps:
First, the AAA server forwards the user authentication request to the Windows domain controller, which verifies the username and password; this is not a domain authentication, but a check by the domain controller of whether the user is a legitimate user;
After the domain controller's check, it returns the identity authentication result to the AAA server; if authentication succeeded, the AAA server grants the user terminal network access rights. At this point the 802.1x authentication is over and the user has obtained the right to access the network, but the authentication process is not finished: domain authentication follows;
Domain authentication phase:
On the precondition that the user has passed 802.1x authentication, in step 17 the 802.1x client lets the user terminal proceed with Windows domain authentication: the Windows operating system on the user terminal computer where the 802.1x client resides continues and completes the ordinary domain logon process and obtains access rights to application resources. Because the domain authentication process is well known in the art, it is not described in detail here.
Thus, through the above unified authentication flow, 802.1x access authentication and Windows domain logon authentication are completed together, achieving unified authentication and single logon.
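The two-phase flow above (summary steps a to e with sub-steps c1 to c23, and embodiment steps 11 to 17, including the authenticator behaviour of Fig. 1) can be made concrete as a small simulation. The code below is an added example and is not part of the patent or of any H3C product: the four roles (802.1x client, authenticator switch, AAA server, domain controller) are plain Python objects, the messages are method calls, the user table is constructed, the Access-Accept/Access-Reject names are borrowed from RADIUS as a labelling assumption, and the domain controller is assumed to store salted PBKDF2 hashes rather than plaintext (the patent only says the identity data is pre-stored). The point it adds to the text is the ordering invariant: the switch port starts Unauthorized, the domain logon is gated on the port becoming authorized, and a rejected 802.1x attempt leaves no path to the domain logon. One caveat the patent leaves open: the 802.1x client forwards the domain password itself through the switch to the AAA server, and the page does not say which EAP method carries it; the simulation passes it as a plain argument, so a real deployment must use a method that protects the password on the wire.

```python
"""Constructed simulation of the unified 802.1x + Windows domain logon flow.
The four roles are plain Python objects and the messages are method calls;
no real EAP, RADIUS or Windows logon API is involved."""
from __future__ import annotations

import hashlib
import hmac


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the DC's pre-stored table never holds plaintext passwords
    # (an assumption; the patent only says the identity data is pre-stored).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class DomainController:
    """Pre-stored authorised identity data (step c22); verifies a username/password pair."""

    def __init__(self, users: dict[str, str]):
        self._table: dict[str, tuple[bytes, bytes]] = {}
        for name, password in users.items():
            salt = hashlib.sha256(b"salt:" + name.encode()).digest()[:16]  # constructed, deterministic
            self._table[name] = (salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._table.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _derive(password, salt))


class AAAServer:
    """Authentication server: forwards the check to the DC (c21-c23) and answers accept/reject."""

    def __init__(self, dc: DomainController):
        self.dc = dc
        self.decisions: list[tuple[str, str]] = []

    def access_request(self, username: str, password: str) -> bool:
        accepted = self.dc.verify(username, password)
        # RADIUS-style names used as labels only; the patent says "success/failure message".
        self.decisions.append(("Access-Accept" if accepted else "Access-Reject", username))
        return accepted


class Authenticator:
    """Switch port in the 802.1x sense: Unauthorized until the AAA server accepts."""

    def __init__(self, aaa: AAAServer):
        self.aaa = aaa
        self.port_authorized = False

    def relay(self, username: str, password: str) -> bool:
        self.port_authorized = self.aaa.access_request(username, password)
        return self.port_authorized


class Supplicant:
    """802.1x client that sits in front of the OS domain logon (steps 12-17)."""

    def __init__(self, authenticator: Authenticator, dc: DomainController):
        self.authenticator = authenticator
        self.dc = dc
        self.trace: list[str] = []

    def unified_logon(self, username: str, password: str) -> dict:
        # Steps 11-12: the OS logon request is intercepted and the identity
        # information (username, password) is taken from it.
        self.trace.append("logon request intercepted")
        # Steps 13-16: 802.1x access authentication through the authenticator.
        if not self.authenticator.relay(username, password):
            self.trace.append("802.1x rejected; authentication ends")
            return {"network": False, "domain": False}
        self.trace.append("802.1x accepted; port authorized")
        # Step 17: only now is the ordinary domain logon allowed to continue.
        return {"network": True, "domain": self._domain_logon(username, password)}

    def _domain_logon(self, username: str, password: str) -> bool:
        # Stand-in for the unchanged Windows domain logon; it cannot run before
        # the port is open because the switch would drop the traffic.
        assert self.authenticator.port_authorized, "domain logon before 802.1x"
        self.trace.append("domain logon proceeds")
        return self.dc.verify(username, password)


def run_flow(username: str, password: str) -> dict:
    """Build one network with a constructed user table and run the flow end to end."""
    dc = DomainController({"alice": "correct horse battery staple"})  # constructed account
    authenticator = Authenticator(AAAServer(dc))
    supplicant = Supplicant(authenticator, dc)
    result = supplicant.unified_logon(username, password)
    result["trace"] = supplicant.trace
    result["port_authorized"] = authenticator.port_authorized
    result["aaa_decision"] = authenticator.aaa.decisions[-1][0]
    return result


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery staple"))
    print(run_flow("alice", "wrong password"))
```

The same DomainController.verify is called twice on the success path: once by the AAA server on behalf of 802.1x (the patent stresses this is a legitimacy check, not a domain logon) and once by the stand-in domain logon. In a real deployment the second check is the normal Windows domain logon and is not repeated by the 802.1x client.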
Note that the above is only a preferred embodiment of the present invention. In concrete implementation, those skilled in the art may also adapt the authentication server and domain controller to actual conditions; for example, to reduce hardware cost, the authentication server and the domain controller may be integrated into one physical device that implements both functions, which is not repeated here.
The above is only a preferred implementation of the present invention. It should be noted that those skilled in the art may make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. A security authentication method for realizing unified 802.1x and Windows domain authentication in a network, the network including an authenticator device, an authentication server used for 802.1x access authentication, an 802.1x client installed on a user terminal computer in the Windows domain, and a Windows domain controller, characterized in that the method comprises the following steps:
a. the Windows operating system on the user terminal computer initiates a Windows domain logon request according to the user identity information;
b. the 802.1x client intercepts the logon request and obtains the user identity information;
c. the 802.1x client initiates 802.1x access authentication with the authentication server, via the authenticator device, according to the user identity information;
d. after the 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then lets the user terminal carry out Windows domain authentication;
e. the Windows operating system on the user terminal computer continues the domain logon process and obtains access rights to application resources.
2. The security authentication method according to claim 1, characterized in that step c comprises:
c1. the 802.1x client sends an authentication request containing the user identity information to the authentication server via the authenticator device;
c2. the authentication server determines whether the user is a legitimate user; if so, step c3 is executed, otherwise step c4;
c3. access authentication passes, and the authentication server authorizes the user to access the network;
c4. authentication fails, and the authentication ends.
3. The security authentication method according to claim 2, characterized in that determining in step c2 whether the user is a legitimate user comprises:
c21. the authentication server forwards the authentication request to the Windows domain controller;
c22. the Windows domain controller determines from the user identity information whether the user is a legitimate user and notifies the authentication server of the result;
c23. from that result the authentication server determines whether the user is a legitimate user.
4. The security authentication method according to claim 3, characterized in that the Windows domain controller in step c22 pre-stores the identity information of all authorized users and verifies whether the user requesting logon is legitimate by comparing the identity information in the authentication request with the pre-stored identity information.
5. The security authentication method according to any one of claims 1 to 4, characterized in that the user identity information comprises a username and password.
6. The security authentication method according to claim 5, characterized in that the authentication server is an authentication, authorization and accounting server.
7. A security authentication method for realizing unified 802.1x and Windows domain authentication in a network, the network including an authentication server used for 802.1x access authentication and an 802.1x client installed on a user terminal computer in the Windows domain, characterized in that the method comprises the following steps:
a. the Windows operating system on the user terminal computer initiates a Windows domain logon request;
b. the 802.1x client intercepts the logon request and initiates 802.1x access authentication with the authentication server;
c. after the 802.1x access authentication passes, the authentication server grants the user terminal the right to access the network, and the 802.1x client then lets the user terminal carry out Windows domain authentication.
8. The security authentication method according to claim 7, characterized in that the network further includes an authenticator device, the logon request contains user identity information, and step b specifically comprises:
b1. when the 802.1x client intercepts the logon request, it obtains the user identity information;
b2. the 802.1x client initiates 802.1x access authentication with the authentication server, via the authenticator device, according to the user identity information.
9. The security authentication method according to claim 8, characterized in that step b2 specifically comprises:
the 802.1x client sends an authentication request containing the user identity information to the authentication server via the authenticator device;
the authentication server determines whether the user is a legitimate user; if so, step c1 is executed, otherwise step c2;
c1. access authentication passes, and the authentication server authorizes the user to access the network;
c2. authentication fails, and the authentication ends.
10. The security authentication method according to claim 9, characterized in that the network includes a Windows domain controller, which may, depending on actual circumstances, be integrated with the authentication server or deployed separately from it, and the step in which the authentication server determines whether the user is a legitimate user comprises:
the authentication server forwards the authentication request to the Windows domain controller;
the Windows domain controller determines from the user identity information whether the user is a legitimate user and notifies the authentication server of the result;
from that result the authentication server determines whether the user is a legitimate user and grants the corresponding access rights.
Application CNB2005100027594A, priority date 2005-01-26, filing date 2005-01-26, title "Security identification method", status active, granted as CN100512107C (en).


Publications (2)

Publication number: CN1725687A, published 2006-01-25 (application publication)
Publication number: CN100512107C, published 2009-07-08 (granted patent)

Family ID: 35924941


Cited By (17)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title:
CN101064604B (en) * 2006-04-29 2012-04-18 西门子公司 Remote access process, system and equipment
CN101166173B (en) * 2006-10-20 2012-03-28 北京直真节点技术开发有限公司 A single-node login system, device and method
WO2009155812A1 (en) * 2008-06-23 2009-12-30 华为技术有限公司 Terminal access method, access management method, network equipment and communication system
CN103281185A (en) * 2013-05-08 2013-09-04 深圳创维数字技术股份有限公司 Method and system for controlling resource access of terminal
CN103259795A (en) * 2013-05-14 2013-08-21 百度在线网络技术(北京)有限公司 Method for executing automatic registration and login, mobile terminal and server
CN103259795B (en) * 2013-05-14 2016-12-28 百度在线网络技术(北京)有限公司 Method for executing automatic registration and login, mobile terminal and server
CN108027851B (en) * 2015-07-14 2023-08-08 优捷达公司 Customer communication system including service pipeline
CN108027851A (en) * 2015-07-14 2018-05-11 优捷达公司 Customer communication system including service pipeline
CN109074441A (en) * 2016-04-29 2018-12-21 微软技术许可有限责任公司 Gaze-based authentication
CN109074441B (en) * 2016-04-29 2021-06-04 微软技术许可有限责任公司 Gaze-based authentication
CN109558433A (en) * 2017-09-27 2019-04-02 北京京东尚科信息技术有限公司 Method and device for requesting access to HDFS
CN109558433B (en) * 2017-09-27 2022-04-12 北京京东尚科信息技术有限公司 Method and device for requesting access to HDFS
CN107623701B (en) * 2017-10-31 2020-07-14 江苏神州信源系统工程有限公司 Fast and secure authentication method and device based on 802.1X
CN107623701A (en) * 2017-10-31 2018-01-23 江苏神州信源系统工程有限公司 Fast and secure authentication method and device based on 802.1X
CN109829284A (en) * 2018-12-29 2019-05-31 曙光信息产业(北京)有限公司 A method for integrating unified user authentication across Linux and Windows operating systems
CN115001808A (en) * 2022-05-31 2022-09-02 中国银行股份有限公司 Domain user login method, device, equipment and medium
CN115001808B (en) * 2022-05-31 2024-05-28 中国银行股份有限公司 Domain user login method, device, equipment and medium



Legal Events

Code, title, description:
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
  Address after: 310052 No. 466 Changhe Road, Binjiang District, Zhejiang, China
  Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.
  Address before: 310053 Hangzhou Hi-Tech Industrial Development Zone, Zhejiang Province Science and Technology Industrial Park, No. 310, No. 6 Road, HUAWEI Hangzhou production base
  Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.
TR01 Transfer of patent right
  Effective date of registration: 2023-06-25
  Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province
  Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.
  Address before: 310052 No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province
  Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.