WO2015090116A1 - Login method and desktop management device - Google Patents



Publication number
WO2015090116A1
Authority
WO
WIPO (PCT)
Prior art keywords
login
account
password
virtual machine
registered
Application number
PCT/CN2014/089858
Other languages
French (fr)
Chinese (zh)
Inventor
张冠男
林国仁
Original Assignee
华为技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/451 Execution arrangements for user interfaces
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a login method and a desktop management device.
  • The desktop cloud is defined as access, through a thin client or any other network-connected device, to cross-platform applications and to the entire customer desktop.
  • The desktop cloud system requires a terminal to connect through the network, so that users get the same experience as with traditional desktop systems and applications, and this experience is not limited to specific operating systems and applications. That is, the user needs only a thin client device, or any other device that can connect to the network, and through a dedicated program or browser can access the personal desktop and the various applications residing on the server side, with a user experience exactly the same as that of a traditional personal computer.
  • The authentication methods are various: for example, single sign-on with a domain account password, single sign-on and non-single sign-on with a smart card, or a domain account password combined with a dynamic password. In terms of cost and ease of use, the cheapest and most widely used access authentication method is still single sign-on based on a domain account password.
  • An AD domain control server is used for user management and authentication.
  • An AD domain control server may carry a series of security risks such as data leakage, while with other, non-AD management authentication servers two sets of accounts and passwords are required, one to log in to the desktop management device and one to log in to the virtual machine, which is more complicated.
  • The technical problem to be solved by the embodiments of the present invention is to provide a login method and a desktop management device that improve the security of the desktop cloud system while ensuring the convenience of single sign-on.
  • A first aspect of the embodiments of the present invention provides a login method, which may include:
  • The desktop management device receives the login request of the cloud terminal and performs identity authentication on the non-AD management authentication server.
  • If the authentication is passed, the login account and the login password for single sign-on are saved; the virtual machine selected message sent by the cloud terminal is received; a login ticket is generated according to the login account and the login password; and the login ticket is sent to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine, where the login account is located in a local account group of the virtual machine.
  • The login account is a registered account registered by the cloud terminal in the non-AD management authentication server, and the login password is the registration password that the cloud terminal registered with that registered account in the non-AD management authentication server.
  • The login account is a registered account registered by the cloud terminal in the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the registered account.
  • The login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device according to the administrator account.
  • The login account is an associated account of the registered account that the cloud terminal registered in the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the associated account.
  • When the desktop management device saves the login account and the login password, an encrypted storage method is used.
  • The desktop management device configures an expiration date for the login account, the login password, and the login ticket.
  • The login account is sent by the desktop management device to the local account group of the virtual machine.
  • A second aspect of the embodiments of the present invention provides a desktop management device, which may include:
  • a receiving unit configured to receive a login request of the cloud terminal and perform identity authentication on the non-AD management authentication server;
  • a generating unit configured to save a login account and a login password for single sign-on, receive a virtual machine selected message sent by the cloud terminal, generate a login ticket according to the login account and the login password, and send the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine, where the login account is located in a local account group of the virtual machine;
  • a sending unit configured to send the login account and the login password to the virtual machine, or to send only the login password to the virtual machine, so that the virtual machine updates the password of the login account in its local account group to the login password;
  • an authentication unit configured to receive a login ticket authentication request sent by the virtual machine and, if the authentication is passed, return the login account and the login password to the virtual machine, so that the virtual machine automatically completes the local login using the login account and the login password.
  • The login account is a registered account registered by the cloud terminal in the non-AD management authentication server, and the login password is the registration password that the cloud terminal registered with that registered account in the non-AD management authentication server.
  • The login account is a registered account registered by the cloud terminal in the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the registered account.
  • The login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device according to the administrator account.
  • The login account is an associated account of the registered account that the cloud terminal registered in the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the associated account.
  • The generating unit is further configured to use an encrypted storage method when saving the login account and the login password.
  • The generating unit is further configured to configure an expiration date for the login account, the login password, and the login ticket.
  • The login account is sent by the sending unit to the local account group of the virtual machine.
  • The device saves the login account, which is in the local account group of the VM, and updates the password of that account to the login password before logging in to the VM, so the user does not need to enter another account and password to log in again on the VM; this ensures the convenience of single sign-on in the desktop cloud system.
  • FIG. 1 is a schematic flow chart of a first embodiment of a login method of the present invention.
  • FIG. 2 is a schematic flow chart of a second embodiment of the login method of the present invention.
  • FIG. 3 is a schematic flow chart of a third embodiment of the login method of the present invention.
  • FIG. 4 is a schematic flow chart of a fourth embodiment of the login method of the present invention.
  • FIG. 5 is a schematic flowchart diagram of a fifth embodiment of the login method of the present invention.
  • FIG. 6 is a schematic structural diagram of a first embodiment of a desktop management device of the present invention.
  • FIG. 7 is a schematic diagram showing the composition of a second embodiment of the desktop management device of the present invention.
  • The cloud terminal registers with the AD domain control server and logs in to the desktop management device using the registered account and password.
  • Once the account and password have been authenticated by the AD domain control server, the desktop management device finally uses that registered account and password to automatically log in to the virtual machine selected by the cloud terminal, and the virtual machine uses the same account and password to authenticate to the AD domain control server, thereby implementing single sign-on of the desktop cloud system.
  • The entire process requires only one set of account and password.
  • The AD domain controller server is used as the user management and authentication server: both logging in to the desktop management device and logging in to the VM require authentication to the AD domain controller. This may be a concern for some applications with high security requirements.
  • FIG. 1 is a schematic flowchart of a first embodiment of a login method according to the present invention.
  • The method includes the following steps:
  • The desktop management device receives the login request of the cloud terminal and performs identity authentication on the non-AD management authentication server.
  • The account and password used when the cloud terminal logs in are the registered account registered with the non-AD management authentication server and the corresponding registration password.
  • The non-AD management authentication server may be a Lightweight Directory Access Protocol (LDAP) server or a database server. It only needs to complete the login authentication of the desktop management device; the login to the virtual machine can be completed locally without authenticating to the non-AD management authentication server, which improves the security of the desktop cloud system.
  • When the non-AD management authentication server is an LDAP server, the interface through which the desktop management device interacts with it is adapted according to the interface of the LDAP server; when the non-AD management authentication server is a database server, that interface is adapted according to the interface of the database server.
  • If the authentication is passed, the desktop management device saves the login account and the login password for single sign-on, receives the virtual machine selected message sent by the cloud terminal, generates a login ticket according to the login account and the login password, and transmits the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine.
  • The login account is located in a local account group of the virtual machine.
  • The desktop management device may adopt an encrypted save mode when saving the login account and the login password, thereby improving the security of the login. The desktop management device also configures an expiration date for the login account, the login password, and the login ticket; when the expiration date is reached, the login account, the login password, and the login ticket are invalidated, which further improves the security of the login.
  • The login account in the local account group of the virtual machine may be sent to the local account group in advance by the desktop management device, or may already be present locally in the virtual machine.
  • The login account may be a registered account registered by the cloud terminal in the non-AD management authentication server, and the login password may be the registration password registered by the cloud terminal with that registered account in the non-AD management authentication server.
  • The login account may be a registered account registered by the cloud terminal in the non-AD management authentication server, and the login password may be a random password generated by the desktop management device according to the registered account; the login password may also be the registration password registered by the cloud terminal with that registered account in the non-AD management authentication server.
  • The login account may be the unique administrator account in the local account group of the virtual machine, and the login password may be a random password generated by the desktop management device according to the administrator account; the login password may also be the registration password registered by the cloud terminal with the registered account in the non-AD management authentication server.
  • The login account may be an associated account of the registered account registered by the cloud terminal in the non-AD management authentication server, and the login password may be a random password generated by the desktop management device according to the associated account; the login password may also be the registration password registered by the cloud terminal with the registered account in the non-AD management authentication server.
  • The login account may be sent by the desktop management device to the local account group of the virtual machine.
  • When the login password is a random password, the security of the desktop cloud system is further improved: because the user cannot know the specific composition of the password, the virtual machine cannot be logged in to directly by other means such as remote access, and the user must first log in to the desktop management device before the virtual machine can obtain the generated random password and log in with it.
  • The desktop management device sends the login account and the login password to the virtual machine, or sends only the login password to the virtual machine, so that the virtual machine updates the password of the login account in its local account group to the login password.
  • When the registration password on the non-AD management authentication server is changed, the password on the virtual machine side can still be updated accordingly, and single sign-on is achieved by matching the login password with the login account.
  • The desktop management device receives a login ticket authentication request sent by the virtual machine and, if the verification is passed, returns the login account and the login password to the virtual machine, so that the virtual machine automatically completes the local login using the login account and the login password.
  • The user can thus log in to the virtual machine locally without authenticating to the non-AD management authentication server, which improves the security of the desktop cloud system. Because the desktop management device saves the login account, which is in the local account group of the virtual machine, and updates the password of that account to the login password before logging in to the VM, the user does not need to enter another account and password to log in again on the VM, which ensures the convenience of single sign-on in the desktop cloud system.
  • FIG. 2 is a schematic flowchart of a second embodiment of a login method according to the present invention.
  • The method includes the following steps:
  • The desktop management device adds the registered account registered in the non-AD management authentication server to the local account group of the virtual machine.
  • The cloud terminal sends the login request to the desktop management device using the registration account and the registration password registered with the non-AD management authentication server.
  • The desktop management device performs identity authentication on the non-AD management authentication server.
  • The desktop management device sends the virtual machine list to the cloud terminal.
  • The cloud terminal sends a virtual machine selected message to the desktop management device.
  • The desktop management device generates a login ticket according to the registered account and the registration password, and sends the login ticket to the cloud terminal.
  • S208: The desktop management device sends the registration account and the registration password to the virtual machine.
  • The virtual machine updates the password of the registered account in its local account group to the registration password.
  • The cloud terminal sends the login ticket to the virtual machine.
  • The virtual machine sends a login ticket authentication request to the desktop management device.
  • The virtual machine automatically completes the local login using the registered account and the registration password.
  • The registration account and the registration password registered with the non-AD management authentication server are used to complete the login to the virtual machine and the single sign-on of the desktop cloud system, without introducing other accounts and passwords; the changes are small and easy to implement, and they bring no other burden or impact on the system.
  • FIG. 3 is a schematic flowchart of a third embodiment of a login method according to the present invention.
  • The method includes the following steps:
  • The desktop management device adds the registered account registered in the non-AD management authentication server to the local account group of the virtual machine.
  • The cloud terminal sends a login request using the registration account and the registration password registered with the non-AD management authentication server.
  • The desktop management device performs identity authentication on the non-AD management authentication server.
  • S304: The authentication is passed, and the desktop management device saves the registered account and the generated random password.
  • The desktop management device sends the virtual machine list to the cloud terminal.
  • The cloud terminal sends a virtual machine selected message to the desktop management device.
  • The desktop management device generates a login ticket according to the registered account and the random password, and sends the login ticket to the cloud terminal.
  • The desktop management device sends the registered account and the random password to the virtual machine.
  • The virtual machine updates the password of the registered account in its local account group to the random password.
  • The cloud terminal sends the login ticket to the virtual machine.
  • S311: The virtual machine sends a login ticket authentication request to the desktop management device.
  • S313: The virtual machine automatically completes the local login using the registered account and the random password.
  • Matching the generated random password with the registered account ensures that the user cannot log in to the virtual machine by other means, which further improves the security of the login; and when the password on the non-AD authentication server is changed, a user who has successfully logged in to the desktop management device can still log in locally to the virtual machine.
  • FIG. 4 is a schematic flowchart of a fourth embodiment of a login method according to the present invention.
  • The method includes the following steps:
  • The cloud terminal sends a login request using the registered account and the registration password registered with the non-AD management authentication server.
  • The desktop management device performs identity authentication on the non-AD management authentication server.
  • After the authentication is passed, the desktop management device saves the unique administrator account of the virtual machine and the generated random password.
  • The desktop management device sends the virtual machine list to the cloud terminal.
  • The cloud terminal sends a virtual machine selected message to the desktop management device.
  • The desktop management device generates a login ticket according to the administrator account and the random password, and sends the login ticket to the cloud terminal.
  • The desktop management device sends the random password to the virtual machine.
  • The virtual machine updates the password of the administrator account to the random password.
  • The cloud terminal sends the login ticket to the virtual machine.
  • The virtual machine sends a login ticket authentication request to the desktop management device.
  • The virtual machine automatically completes the local login using the administrator account and the random password.
  • The administrator account in the virtual machine is used directly as the login account, so the login account does not need to be sent to the local account group of the virtual machine, which simplifies the process and improves efficiency.
  • FIG. 5 is a schematic flowchart of a fifth embodiment of a login method according to the present invention.
  • The method includes the following steps:
  • The desktop management device adds the associated account of the registered account registered with the non-AD management authentication server to the local account group of the virtual machine.
  • The cloud terminal sends a login request using the registration account and the registration password registered with the non-AD management authentication server.
  • The desktop management device performs identity authentication on the non-AD management authentication server.
  • S504: The authentication is passed, and the desktop management device saves the associated account and the generated random password.
  • The desktop management device sends the virtual machine list to the cloud terminal.
  • The cloud terminal sends a virtual machine selected message to the desktop management device.
  • The desktop management device generates a login ticket according to the associated account and the random password, and sends the login ticket to the cloud terminal.
  • The desktop management device sends the associated account and the random password to the virtual machine.
  • S509: The virtual machine updates the password of the associated account in its local account group to the random password.
  • S510: The cloud terminal sends the login ticket to the virtual machine.
  • The virtual machine sends a login ticket authentication request to the desktop management device.
  • The virtual machine automatically completes the local login using the associated account and the random password.
  • Local login to the virtual machine is implemented using the associated account of the registered account together with a random password, so neither the login account nor the login password is available to the general user, which further improves the security and privacy of the login.
  • the desktop management device includes:
  • the receiving unit 100 is configured to receive a login request of the cloud terminal, and perform identity authentication on the non-AD management authentication server.
  • the generating unit 200 is configured to: if the authentication is passed, save the login account and the login password for the single sign-on, receive the virtual machine selected message sent by the cloud terminal, generate the login ticket according to the login account and the login password, and Sending the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine, where the login account is located in a local account group of the virtual machine;
  • the sending unit 300 is configured to send the login account and the login password to the virtual machine or send the login password to the virtual machine, so that the virtual machine sets a password of the login account in the local account group. Updated to the login password;
  • the authentication unit 400 is configured to receive a login ticket authentication request sent by the virtual machine, and if the authentication is passed, return the login account and the login password to the virtual machine, so that the virtual machine automatically uses the login account and Login password to complete local login.
  • the login account is a registered account registered by the cloud terminal with the non-AD management authentication server.
  • the login password is the registration password that the cloud terminal registered with the non-AD management authentication server and that matches the registered account.
  • the login account is a registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the registered account.
  • the login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device according to the administrator account.
  • the login account is an associated account of the registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the associated account.
  • the generating unit 200 is further configured to save the login account and the login password in encrypted form.
  • the generating unit 200 is further configured to configure a validity period for the login account, the login password, and the login ticket.
  • the login account is the registered account or the associated account of the registered account.
  • the login account is sent by the sending unit 300 to the local account group of the virtual machine.
  • the desktop management device may be configured with a virtual desktop management system for saving the account and password, generating and sending the virtual machine list, and generating and sending the login ticket, and may additionally be configured with an operation and maintenance management system used to manage the account and password and to add the account to be used to the local account group of the virtual machine.
  • the foregoing generating unit may be formed by a storage subunit and a generating subunit, or may exist independently; the generating unit and/or the authentication unit in the foregoing desktop management device embodiment may be set separately from the processor of the desktop management device in hardware form, for example as a microprocessor, may be embedded in the processor of the desktop management device in hardware form, or may be stored in the memory of the desktop management device in software form, so that the processor of the desktop management device can invoke the operations corresponding to the generating unit or the authentication unit.
  • the generating unit 200 and/or the authentication unit 400 may be a processor of the desktop management device, and the functionality of the receiving unit 100 and the sending unit 300 can be embedded in the processor.
  • the receiving unit 100 and the sending unit 300 may be integrated or set independently.
  • the receiving unit 100 and the sending unit 300 may be used as an interface circuit of the desktop management device, or may be integrated with the generating unit 200 or the authentication unit 400, or may be independently configured.
  • the embodiment of the invention does not impose any limitation.
  • the above processor may be a central processing unit (CPU), a microprocessor, a single chip microcomputer, or the like.
  • the desktop management device includes an interface circuit 500, a memory 600, and a processor 700 connected to the interface circuit 500 and the memory 600. The memory 600 is used to store a set of program codes, and the processor 700 is configured to call the program code stored in the memory 600 to perform the operations described in any one of the first to fifth embodiments of the login method of the present invention.
  • the present invention has the following advantages:
  • the desktop management device saves the login account that is located in the local account group of the virtual machine and updates the password of that account to the login password before the virtual machine is logged in, so the user does not need to enter another account and password again on the virtual machine, which ensures the convenience of single sign-on in the desktop cloud system.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Abstract

Disclosed is a login method, comprising: receiving, by a desktop management device, a login request of a cloud terminal, and performing identity authentication with a non-AD management authentication server; saving a login account and a login password, generating a login ticket according to the login account and the login password, and sending the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to a virtual machine, wherein the login account is located in a local account group of the virtual machine; sending the login account and the login password to the virtual machine, or sending the login password to the virtual machine, so that the virtual machine updates the password of the login account in the local account group to the login password; and receiving a login ticket authentication request sent by the virtual machine, and returning the login account and the login password to the virtual machine, so that the virtual machine automatically completes local login. Also disclosed is a desktop management device. By means of the present invention, the security of a desktop cloud system can be improved, and the convenience of single sign-on can be ensured.

Description

Login method and desktop management device
The present application claims priority to Chinese Patent Application No. 201310690626.5, entitled "Login method and desktop management device", filed with the Chinese Patent Office on December 17, 2013, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications technologies, and in particular to a login method and a desktop management device.
Background
In the International Business Machines Corporation (IBM) Smart Business Desktop Cloud (SBDC), the desktop cloud is defined as follows: cross-platform applications, as well as the entire client desktop, can be accessed through a thin client or any other device connected to the network. It can be seen from this definition that a desktop cloud system requires a terminal connected through the network, giving the user the same user experience as a traditional desktop system and its applications, and that this user experience is not limited to a specific operating system or application. In other words, the user needs only a thin client device, or any other device that can connect to the network, and can access the personal desktop and the various applications residing on the server side through a dedicated program or a browser, with a user experience identical to that of an ordinary personal computer. When a user logs in to the desktop cloud system for authentication, various authentication methods may be used, for example single sign-on with a domain account and password, single sign-on with a smart card, non-single sign-on, or login with a domain account and password combined with a dynamic password. Among these, for reasons of cost and ease of use, the cheapest and most widely used access authentication method remains single sign-on based on a domain account and password.
In the prior art, most desktop cloud vendors only support user management and authentication based on a Microsoft Active Directory (AD) domain controller server. However, for application sites with high security requirements, such as non-US military, government or research institutes, using an AD domain controller server may carry a series of security risks such as data leakage, whereas using another, non-AD management authentication server requires two sets of accounts and passwords, one for logging in to the desktop management device and one for logging in to the virtual machine, which is cumbersome.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a login method and a desktop management device, so as to improve the security of the desktop cloud system and ensure the convenience of single sign-on.
A first aspect of the embodiments of the present invention provides a login method, which may include:
a desktop management device receives a login request of a cloud terminal and performs identity authentication with a non-AD management authentication server;
if the authentication passes, the desktop management device saves a login account and a login password used for single sign-on, receives a virtual machine selection message sent by the cloud terminal, generates a login ticket according to the login account and the login password, and sends the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine, where the login account is located in a local account group of the virtual machine;
the desktop management device sends the login account and the login password to the virtual machine, or sends the login password to the virtual machine, so that the virtual machine updates the password of the login account in the local account group to the login password;
the desktop management device receives a login ticket authentication request sent by the virtual machine and, if the authentication passes, returns the login account and the login password to the virtual machine, so that the virtual machine automatically completes local login using the login account and the login password.
In a first possible implementation of the first aspect, the login account is a registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is the registration password registered by the cloud terminal with the non-AD management authentication server that matches the registered account.
In a second possible implementation of the first aspect, the login account is a registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the registered account.
In a third possible implementation of the first aspect, the login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device according to the administrator account.
In a fourth possible implementation of the first aspect, the login account is an associated account of the registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the associated account.
With reference to the first aspect or to the first, second, third or fourth possible implementation of the first aspect, in a fifth possible implementation, the desktop management device saves the login account and the login password in encrypted form.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation, the desktop management device configures a validity period for the login account, the login password and the login ticket.
With reference to the first, second or fourth possible implementation of the first aspect, in a seventh possible implementation, the login account is sent by the desktop management device to the local account group of the virtual machine.
A second aspect of the embodiments of the present invention provides a desktop management device, which may include:
a receiving unit, configured to receive a login request of a cloud terminal and perform identity authentication with a non-AD management authentication server;
a generating unit, configured to: if the authentication passes, save a login account and a login password used for single sign-on, receive a virtual machine selection message sent by the cloud terminal, generate a login ticket according to the login account and the login password, and send the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine, where the login account is located in a local account group of the virtual machine;
a sending unit, configured to send the login account and the login password to the virtual machine, or send the login password to the virtual machine, so that the virtual machine updates the password of the login account in the local account group to the login password;
an authentication unit, configured to receive a login ticket authentication request sent by the virtual machine and, if the authentication passes, return the login account and the login password to the virtual machine, so that the virtual machine automatically completes local login using the login account and the login password.
In a first possible implementation of the second aspect, the login account is a registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is the registration password registered by the cloud terminal with the non-AD management authentication server that matches the registered account.
In a second possible implementation of the second aspect, the login account is a registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the registered account.
In a third possible implementation of the second aspect, the login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device according to the administrator account.
In a fourth possible implementation of the second aspect, the login account is an associated account of the registered account registered by the cloud terminal with the non-AD management authentication server, and the login password is a random password generated by the desktop management device according to the associated account.
With reference to the second aspect or to the first, second, third or fourth possible implementation of the second aspect, in a fifth possible implementation, the generating unit is further configured to save the login account and the login password in encrypted form.
With reference to the fifth possible implementation of the second aspect, in a sixth possible implementation, the generating unit is further configured to configure a validity period for the login account, the login password and the login ticket.
With reference to the first, second or fourth possible implementation of the second aspect, in a seventh possible implementation, the login account is sent by the sending unit to the local account group of the virtual machine.
Implementing the embodiments of the present invention has the following beneficial effects:
By using a non-AD management authentication server in place of the AD domain controller server, a user logging in to a virtual machine can log in locally without needing to authenticate again with the non-AD management authentication server, which improves the security of the desktop cloud system; and because the desktop management device saves the login account that is located in the local account group of the virtual machine and updates the password of that account to the login password before the virtual machine is logged in, the user does not need to enter another account and password again on the virtual machine, which ensures the convenience of single sign-on in the desktop cloud system.
Brief description of the drawings
In order to describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
FIG. 1 is a schematic flowchart of a first embodiment of the login method of the present invention;
FIG. 2 is a schematic flowchart of a second embodiment of the login method of the present invention;
FIG. 3 is a schematic flowchart of a third embodiment of the login method of the present invention;
FIG. 4 is a schematic flowchart of a fourth embodiment of the login method of the present invention;
FIG. 5 is a schematic flowchart of a fifth embodiment of the login method of the present invention;
FIG. 6 is a schematic structural diagram of a first embodiment of the desktop management device of the present invention;
FIG. 7 is a schematic structural diagram of a second embodiment of the desktop management device of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the prior art, the cloud terminal registers with the AD domain controller server and logs in to the desktop management device using the registered account and password; once the account and password pass authentication by the AD domain controller server, the desktop management device finally uses the registered account and password to automatically log in to the virtual machine selected by the cloud terminal, and the virtual machine in turn authenticates with the AD domain controller server using that account and password, thereby implementing single sign-on in the desktop cloud system with only one set of account and password for the entire process. However, with a Microsoft AD domain controller server acting as the user management and authentication server, both logging in to the desktop management device and logging in to the virtual machine require authentication with the AD domain controller server, which may carry a series of security risks such as data leakage for application sites with high security requirements. If another, non-AD management authentication server is used instead, and the virtual machine login no longer authenticates with the non-AD management authentication server, the local account and password must be entered manually on the virtual machine side to complete local authentication of the virtual machine, so that two sets of accounts and passwords are needed to log in to the desktop management device and to the virtual machine, which is cumbersome. To solve the security problem and implement single sign-on, in the following embodiments the AD domain controller server is replaced with a non-AD management authentication server. The details are as follows:
Referring to FIG. 1, which is a schematic flowchart of a first embodiment of the login method of the present invention, in this embodiment the method includes the following steps:
S101. The desktop management device receives a login request of the cloud terminal and performs identity authentication with the non-AD management authentication server.
Specifically, the account and password used by the cloud terminal to log in are the registered account registered with the non-AD management authentication server and the corresponding registration password. The non-AD management authentication server may be a Lightweight Directory Access Protocol (LDAP) server or a database server. It only needs to complete the login authentication of the desktop management device; the login on the virtual machine side can be a local login without authenticating again with the non-AD management authentication server, which improves the security of the desktop cloud system. When the non-AD management authentication server is an LDAP server, the interface through which the desktop management device interacts with the non-AD management authentication server is adapted to the interface of the LDAP server; when the non-AD management authentication server is a database server, that interface is adapted to the interface of the database server.
S102. If the authentication by the non-AD management authentication server passes, the desktop management device saves the login account and the login password used for single sign-on, receives the virtual machine selection message sent by the cloud terminal, generates a login ticket according to the login account and the login password, and sends the login ticket to the cloud terminal, so that the cloud terminal sends the login ticket to the selected virtual machine.
The login account is located in the local account group of the virtual machine.
When saving the login account and the login password, the desktop management device may save them in encrypted form, which improves the security of the login. The desktop management device also configures a validity period for the login account, the login password and the login ticket; when the validity period expires, the login account, the login password and the login ticket all become invalid, which further improves the security of the login.
Specifically, the login account located in the local account group of the virtual machine may have been sent in advance by the desktop management device to the local account group of the virtual machine, or may be a local account that already exists in the local account group of the virtual machine.
Preferably, the login account may be the registered account registered by the cloud terminal with the non-AD management authentication server, and the login password may be the registration password registered by the cloud terminal with the non-AD management authentication server that matches the registered account.
Alternatively, the login account may be the registered account registered by the cloud terminal with the non-AD management authentication server, and the login password may be a random password generated by the desktop management device according to the registered account. Of course, the login password may also be the registration password registered by the cloud terminal with the non-AD management authentication server that matches the registered account.
Alternatively, the login account may be the unique administrator account in the local account group of the virtual machine, and the login password may be a random password generated by the desktop management device according to the administrator account. Of course, the login password may also be the registration password registered by the cloud terminal with the non-AD management authentication server that matches the registered account.
Alternatively, the login account may be an associated account of the registered account registered by the cloud terminal with the non-AD management authentication server, and the login password may be a random password generated by the desktop management device according to the associated account. Of course, the login password may also be the registration password registered by the cloud terminal with the non-AD management authentication server that matches the registered account.
When the login account is the registered account or the associated account, it may be sent by the desktop management device to the local account group of the virtual machine.
When a random password is used, the security of the desktop cloud system can be further improved, because the login password is then a random password whose composition the user cannot know; the user therefore cannot log in to the virtual machine directly by other means such as remote access or a direct connection to the virtual machine, but must first log in to the desktop management device, and only then can the virtual machine obtain the generated random password and log in with it.
S103. The desktop management device sends the login account and the login password to the virtual machine, or sends the login password to the virtual machine, so that the virtual machine updates the password of the login account in the local account group to the login password.
Because the virtual machine updates the password of the login account in the local account group, even if the registration password on the non-AD management authentication server is changed after the cloud terminal has logged in to the desktop management device, the updated login password still matches the login account on the virtual machine side, so that single sign-on is still achieved.
S104. The desktop management device receives a login ticket authentication request sent by the virtual machine and, if the authentication by the desktop management device passes, returns the login account and the login password to the virtual machine, so that the virtual machine automatically completes local login using the login account and the login password.
In this embodiment, by using a non-AD management authentication server in place of the AD domain controller server, a user logging in to a virtual machine can log in locally without needing to authenticate again with the non-AD management authentication server, which improves the security of the desktop cloud system; and because the desktop management device saves the login account that is located in the local account group of the virtual machine and updates the password of that account to the login password before the virtual machine is logged in, the user does not need to enter another account and password again on the virtual machine, which ensures the convenience of single sign-on in the desktop cloud system.
下面结合图2至图5说明使用各种登录账号和登录密码实现桌面云系统的单点登录。The single sign-on of the desktop cloud system using various login accounts and login passwords will be described below with reference to FIGS. 2 to 5.
FIG. 2 is a schematic flowchart of a second embodiment of the login method of the present invention. In this embodiment, the method includes the following steps:
S201. The desktop management device adds the registered account that was registered with the non-AD management authentication server to the virtual machine's local account group.
S202. Using the registered account and registered password registered with the non-AD management authentication server, the cloud terminal sends a login request to the desktop management device.
S203. The desktop management device performs identity authentication with the non-AD management authentication server.
S204. Authentication passes; the desktop management device saves the registered account and the registered password.
S205. The desktop management device sends the virtual machine list to the cloud terminal.
S206. The cloud terminal sends a virtual machine selection message to the desktop management device.
S207. The desktop management device generates a login ticket according to the registered account and the registered password and sends it to the cloud terminal.
S208. The desktop management device sends the registered account and the registered password to the virtual machine.
S209. The virtual machine updates the password of the registered account in its local account group to the registered password.
S210. The cloud terminal sends the login ticket to the virtual machine.
S211. The virtual machine sends a login ticket authentication request to the desktop management device.
S212. Authentication passes; the desktop management device returns the registered account and the registered password to the virtual machine.
S213. The virtual machine automatically completes local login with the registered account and the registered password.
In this embodiment, the registered account and registered password that the cloud terminal holds with the non-AD management authentication server are used directly for both the local login to the virtual machine and single sign-on to the desktop cloud system. No additional account or password is introduced, the change is small and easy to implement, and it places no further burden on the system.
FIG. 3 is a schematic flowchart of a third embodiment of the login method of the present invention. In this embodiment, the method includes the following steps:
S301. The desktop management device adds the registered account that was registered with the non-AD management authentication server to the virtual machine's local account group.
S302. Using the registered account and registered password registered with the non-AD management authentication server, the cloud terminal sends a login request.
S303. The desktop management device performs identity authentication with the non-AD management authentication server.
S304. Authentication passes; the desktop management device saves the registered account and a generated random password.
S305. The desktop management device sends the virtual machine list to the cloud terminal.
S306. The cloud terminal sends a virtual machine selection message to the desktop management device.
S307. The desktop management device generates a login ticket according to the registered account and the random password and sends it to the cloud terminal.
S308. The desktop management device sends the registered account and the random password to the virtual machine.
S309. The virtual machine updates the password of the registered account in its local account group to the random password.
S310. The cloud terminal sends the login ticket to the virtual machine.
S311. The virtual machine sends a login ticket authentication request to the desktop management device.
S312. Authentication passes; the desktop management device returns the registered account and the random password to the virtual machine.
S313. The virtual machine automatically completes local login with the registered account and the random password.
In this embodiment, the registered account is paired with a generated random password, which ensures that the user cannot log in to the virtual machine by any other route and further improves login security. In addition, when the password on the non-AD authentication server changes, local login on the virtual machine still works as long as the user has successfully logged in to the desktop management device.
FIG. 4 is a schematic flowchart of a fourth embodiment of the login method of the present invention. In this embodiment, the method includes the following steps:
S401. Using the registered account and registered password registered with the non-AD management authentication server, the cloud terminal sends a login request.
S402. The desktop management device performs identity authentication with the non-AD management authentication server.
S403. Authentication passes; the desktop management device saves the virtual machine's unique administrator account and a generated random password.
S404. The desktop management device sends the virtual machine list to the cloud terminal.
S405. The cloud terminal sends a virtual machine selection message to the desktop management device.
S406. The desktop management device generates a login ticket according to the administrator account and the random password and sends it to the cloud terminal.
S407. The desktop management device sends the random password to the virtual machine.
S408. The virtual machine updates the password of the administrator account to the random password.
S409. The cloud terminal sends the login ticket to the virtual machine.
S410. The virtual machine sends a login ticket authentication request to the desktop management device.
S411. Authentication passes; the desktop management device returns the random password to the virtual machine.
S412. The virtual machine automatically completes local login with the administrator account and the random password.
In this embodiment, the administrator account of the virtual machine is used directly as the login account, so no login account has to be sent to the virtual machine's local account group; this simplifies the flow and improves efficiency.
FIG. 5 is a schematic flowchart of a fifth embodiment of the login method of the present invention. In this embodiment, the method includes the following steps:
S501. The desktop management device adds an associated account of the registered account that was registered with the non-AD management authentication server to the virtual machine's local account group.
S502. Using the registered account and registered password registered with the non-AD management authentication server, the cloud terminal sends a login request.
S503. The desktop management device performs identity authentication with the non-AD management authentication server.
S504. Authentication passes; the desktop management device saves the associated account and a generated random password.
S505. The desktop management device sends the virtual machine list to the cloud terminal.
S506. The cloud terminal sends a virtual machine selection message to the desktop management device.
S507. The desktop management device generates a login ticket according to the associated account and the random password and sends it to the cloud terminal.
S508. The desktop management device sends the associated account and the random password to the virtual machine.
S509. The virtual machine updates the password of the associated account in its local account group to the random password.
S510. The cloud terminal sends the login ticket to the virtual machine.
S511. The virtual machine sends a login ticket authentication request to the desktop management device.
S512. Authentication passes; the desktop management device returns the associated account and the random password to the virtual machine.
S513. The virtual machine automatically completes local login with the associated account and the random password.
In this embodiment, an associated account of the registered account, together with a random password, is used for the local login to the virtual machine. Ordinary users can neither view nor learn the login account or the login password, which further improves the security and secrecy of the login.
FIG. 6 is a schematic diagram of the composition of a first embodiment of the desktop management device of the present invention. In this embodiment, the desktop management device includes:
a receiving unit 100, configured to receive a login request from a cloud terminal and perform identity authentication with the non-AD management authentication server;
a generating unit 200, configured to, if the authentication passes, save a login account and a login password for single sign-on, receive the virtual machine selection message sent by the cloud terminal, generate a login ticket according to the login account and the login password, and send the login ticket to the cloud terminal so that the cloud terminal sends it to the selected virtual machine, where the login account is in the local account group of the virtual machine;
a sending unit 300, configured to send the login account and the login password, or only the login password, to the virtual machine, so that the virtual machine updates the password of the login account in its local account group to the login password; and
an authentication unit 400, configured to receive the login ticket authentication request sent by the virtual machine and, if the authentication passes, return the login account and the login password to the virtual machine so that the virtual machine automatically completes local login with them.
The login account is the registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is the registered password, matching that registered account, that the cloud terminal registered with the non-AD management authentication server.
Alternatively, the login account is the registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is a random password generated by the desktop management device for that registered account.
Alternatively, the login account is the unique administrator account in the virtual machine's local account group, and the login password is a random password generated by the desktop management device for that administrator account.
Alternatively, the login account is an associated account of the registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is a random password generated by the desktop management device for that associated account.
The generating unit 200 is further configured to store the login account and the login password in encrypted form.
The generating unit 200 is further configured to configure a validity period for the login account, the login password and the login ticket.
When the login account is the registered account or an associated account of the registered account, the sending unit 300 sends the login account to the local account group of the virtual machine.
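The message exchange of the second to fifth embodiments (FIG. 2 to FIG. 5), together with the four login account/login password alternatives and the ticket validity period described just above, as an added Python simulation that is not part of the patent or of any Huawei product. All three parties run in one process; the non-AD management authentication server is a constructed dictionary of one registered user ("alice"), the virtual machine is a constructed object with a local account group ("vm-01"), and the names NonADAuthServer, VirtualMachine, DesktopManager, build_scenario and run_sso are this example's own. Two points are assumptions rather than the patent's text: the ticket is an opaque random value looked up on the desktop management device (the patent only says it is generated according to the login account and login password), and it is bound to the selected virtual machine and consumed on first use. The encrypted storage of the saved credentials is not modelled.

```python
import secrets
import time

MODES = ("registered", "random", "admin", "associated")  # embodiments of FIGS. 2, 3, 4 and 5


class NonADAuthServer:
    """Constructed stand-in for the non-AD management authentication server (LDAP or database)."""

    def __init__(self, users):
        self._users = dict(users)  # registered account -> registered password

    def authenticate(self, account, password):
        return self._users.get(account) == password


class VirtualMachine:
    """Constructed stand-in for a VM that keeps a local account group."""

    def __init__(self, vm_id, admin_account="Administrator"):
        self.vm_id, self.admin_account, self.logged_in_as = vm_id, admin_account, None
        self.local_accounts = {admin_account: secrets.token_urlsafe(16)}  # account -> password

    def add_local_account(self, account):  # S201 / S301 / S501, done by the O&M system
        self.local_accounts.setdefault(account, secrets.token_urlsafe(16))

    def update_password(self, account, password):  # S209 / S309 / S408 / S509
        if account not in self.local_accounts:
            raise KeyError(f"{account} is not in the local account group of {self.vm_id}")
        self.local_accounts[account] = password

    def receive_ticket(self, manager, ticket):  # S210-S213 and the matching steps of FIGS. 3-5
        creds = manager.authenticate_ticket(self.vm_id, ticket)  # S211-S212
        if creds is None or self.local_accounts.get(creds[0]) != creds[1]:
            return False
        self.logged_in_as = creds[0]  # S213: automatic local login with the returned pair
        return True


class DesktopManager:
    """The desktop management device: authenticates, keeps the SSO pair, issues and checks tickets."""

    def __init__(self, auth_server, vms, mode, ticket_ttl=60.0, associated=None, now=time.time):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.auth, self.mode, self.ttl, self.now = auth_server, mode, ticket_ttl, now
        self.vms = {vm.vm_id: vm for vm in vms}
        self.associated = associated or {}  # registered account -> associated account (FIG. 5)
        self._sessions = {}  # registered account -> (login account, login password)
        self._tickets = {}   # ticket value -> (login account, login password, vm_id, expiry)

    def login(self, reg_account, reg_password):
        """S202-S205: authenticate, save the login pair, return the VM list (None on failure)."""
        if not self.auth.authenticate(reg_account, reg_password):
            return None
        if self.mode == "registered":   # FIG. 2: reuse the registered account and password
            pair = (reg_account, reg_password)
        elif self.mode == "random":     # FIG. 3: registered account, fresh random password
            pair = (reg_account, secrets.token_urlsafe(24))
        elif self.mode == "admin":      # FIG. 4: the VM's own administrator account
            pair = (None, secrets.token_urlsafe(24))
        else:                           # FIG. 5: associated account, fresh random password
            pair = (self.associated[reg_account], secrets.token_urlsafe(24))
        self._sessions[reg_account] = pair
        return sorted(self.vms)

    def select_vm(self, reg_account, vm_id):
        """S206-S209: push the pair to the VM (which updates its local password), issue a ticket."""
        login_account, login_password = self._sessions[reg_account]
        vm = self.vms[vm_id]
        if login_account is None:  # FIG. 4: only the password is sent (S407)
            login_account = vm.admin_account
        vm.update_password(login_account, login_password)
        value = secrets.token_urlsafe(32)
        self._tickets[value] = (login_account, login_password, vm_id, self.now() + self.ttl)
        return value

    def authenticate_ticket(self, vm_id, value):
        """S211-S212: validate the forwarded ticket and return the credential pair.
        Expiry follows the patent; single use and binding to the VM are added assumptions."""
        ticket = self._tickets.pop(value, None)
        if ticket is None or ticket[2] != vm_id or self.now() > ticket[3]:
            return None
        return ticket[0], ticket[1]


def build_scenario(mode, now=time.time):
    """Constructed sample deployment: one registered user 'alice', one VM 'vm-01'."""
    auth = NonADAuthServer({"alice": "alice-registered-pw"})
    vm = VirtualMachine("vm-01")
    if mode in ("registered", "random"):
        vm.add_local_account("alice")
    elif mode == "associated":
        vm.add_local_account("alice_vdi")
    return DesktopManager(auth, [vm], mode, associated={"alice": "alice_vdi"}, now=now), vm


def run_sso(manager, vm, reg_account, reg_password):
    """The cloud terminal's side: log in, select the VM, forward the ticket to it."""
    vm_list = manager.login(reg_account, reg_password)
    if vm_list is None or vm.vm_id not in vm_list:
        return False
    return vm.receive_ticket(manager, manager.select_vm(reg_account, vm.vm_id))
```

Running `run_sso(*build_scenario(mode), "alice", "alice-registered-pw")` for each mode ends with `vm.logged_in_as` equal to "alice", "alice", "Administrator" and "alice_vdi" respectively, and in the random-password modes the VM's local password is no longer the registered password, which is the property the third embodiment relies on. Note that in every embodiment the login password reaches the virtual machine in steps S208/S308/S407/S508 from the desktop management device, not from the cloud terminal; the patent does not specify how that path is protected, so a deployment has to secure it separately.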
In a specific implementation, the desktop management device may be equipped with a virtual desktop management system that stores account credentials, generates and sends the virtual machine list, and generates and sends login tickets, together with a separate operation and maintenance (O&M) management system that manages account credentials and adds the accounts to be used to the virtual machines' local account groups.
It should be noted that the generating unit above may be assembled from a storage sub-unit and a generating sub-unit or may exist on its own, and that the generating unit and/or the authentication unit in the desktop management device embodiments above may be implemented as hardware separate from the desktop management device's processor, for example as a microprocessor; embedded in hardware form in the processor of the desktop management device; or stored as software in the memory of the desktop management device so that its processor can invoke and execute the operations of the generating unit or the authentication unit.
For example, in the first embodiment of the desktop management device of the present invention (the embodiment of FIG. 6), the generating unit 200 and/or the authentication unit 400 may be the processor of the desktop management device, and the functions of the receiving unit 100 and the sending unit 300 may be embedded in that processor. The receiving unit 100 and the sending unit 300 may of course be integrated or separate; they may serve as the interface circuit of the desktop management device, be integrated with the generating unit 200 or the authentication unit 400, or be set up independently. The embodiments of the present invention impose no limitation on this. The processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.
FIG. 7 is a schematic diagram of the composition of a second embodiment of the desktop management device of the present invention. In this embodiment, the desktop management device includes an interface circuit 500, a memory 600, and a processor 700 connected to the interface circuit 500 and the memory 600. The memory 600 stores a set of program code, and the processor 700 invokes the program code stored in the memory 600 to perform the operations described in any one of the first to fifth embodiments of the login method of the present invention.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another. Because the device embodiments are essentially similar to the method embodiments, their description is comparatively brief; for the relevant details refer to the description of the method embodiments.
From the description of the above embodiments, the present invention has the following advantages:
Because a non-AD management authentication server is used in place of an AD domain controller, the user's login to the virtual machine is a local login and the virtual machine no longer needs to authenticate to the non-AD management authentication server, which improves the security of the desktop cloud system. Because the desktop management device stores a login account that belongs to the virtual machine's local account group and updates that account's password to the login password before the virtual machine is logged in to, the user does not have to enter a second set of credentials on the virtual machine, which preserves the convenience of single sign-on in the desktop cloud system.
A person of ordinary skill in the art will understand that all or part of the flow of the above method embodiments can be carried out by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
What is disclosed above is merely a preferred embodiment of the present invention and of course does not limit the scope of its rights; equivalent changes made in accordance with the claims of the present invention therefore remain within the scope covered by the present invention.

Claims (16)

  1. A login method, comprising:
    a desktop management device receiving a login request from a cloud terminal and performing identity authentication with a non-Active-Directory management authentication server;
    if the non-Active-Directory management authentication server passes the authentication, the desktop management device saving a login account and a login password for single sign-on, receiving a virtual machine selection message sent by the cloud terminal, generating a login ticket according to the login account and the login password, and sending the login ticket to the cloud terminal so that the cloud terminal sends the login ticket to the selected virtual machine, wherein the login account is in the local account group of the virtual machine;
    the desktop management device sending the login account and the login password to the virtual machine, or sending the login password to the virtual machine, so that the virtual machine updates the password of the login account in the local account group to the login password; and
    the desktop management device receiving a login ticket authentication request sent by the virtual machine and, if the desktop management device passes the authentication, returning the login account and the login password to the virtual machine, so that the virtual machine automatically completes local login using the login account and the login password.
  2. The method according to claim 1, wherein the login account is a registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is the registered password, matching the registered account, that the cloud terminal registered with the non-AD management authentication server.
  3. The method according to claim 1, wherein the login account is a registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is a random password generated by the desktop management device for the registered account.
  4. The method according to claim 1, wherein the login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device for the administrator account.
  5. The method according to claim 1, wherein the login account is an associated account of a registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is a random password generated by the desktop management device for the associated account.
  6. The method according to any one of claims 1 to 5, wherein the non-Active-Directory management authentication server is a Lightweight Directory Access Protocol server or a database server, and the interface by which the desktop management device interacts with the non-Active-Directory management authentication server is adapted to the interface of the non-Active-Directory management authentication server.
  7. The method according to claim 6, further comprising:
    the desktop management device configuring a validity period for the login account, the login password and the login ticket.
  8. The method according to any one of claims 2, 3 or 5, wherein the login account is sent by the desktop management device to the local account group of the virtual machine.
  9. A desktop management device, comprising:
    a receiving unit, configured to receive a login request from a cloud terminal and perform identity authentication with a non-Active-Directory management authentication server;
    a generating unit, configured to, if the non-Active-Directory management authentication server passes the authentication, save a login account and a login password for single sign-on, receive a virtual machine selection message sent by the cloud terminal, generate a login ticket according to the login account and the login password, and send the login ticket to the cloud terminal so that the cloud terminal sends the login ticket to the selected virtual machine, wherein the login account is in the local account group of the virtual machine;
    a sending unit, configured to send the login account and the login password to the virtual machine, or to send the login password to the virtual machine, so that the virtual machine updates the password of the login account in the local account group to the login password; and
    an authentication unit, configured to receive a login ticket authentication request sent by the virtual machine and, if the authentication passes, return the login account and the login password to the virtual machine, so that the virtual machine automatically completes local login using the login account and the login password.
  10. The device according to claim 1, wherein the login account is a registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is the registered password, matching the registered account, that the cloud terminal registered with the non-AD management authentication server.
  11. The device according to claim 1, wherein the login account is a registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is a random password generated by the desktop management device for the registered account.
  12. The device according to claim 1, wherein the login account is the unique administrator account in the local account group of the virtual machine, and the login password is a random password generated by the desktop management device for the administrator account.
  13. The device according to claim 1, wherein the login account is an associated account of a registered account that the cloud terminal registered with the non-AD management authentication server, and the login password is a random password generated by the desktop management device for the associated account.
  14. The device according to any one of claims 1 to 13, wherein the non-Active-Directory management authentication server is a Lightweight Directory Access Protocol server or a database server, and the interface by which the receiving unit interacts with the non-Active-Directory management authentication server is adapted to the interface of the non-Active-Directory management authentication server.
  15. The device according to claim 14, wherein the generating unit is further configured to configure a validity period for the login account, the login password and the login ticket.
  16. The device according to any one of claims 10, 11 or 13, wherein the login account is sent by the sending unit to the local account group of the virtual machine.
PCT/CN2014/089858, priority date 2013-12-17, filing date 2014-10-30: Login method and desktop management device, WO2015090116A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201310690626.5 | 2013-12-17 | |
CN201310690626.5A (CN104717261B) | 2013-12-17 | 2013-12-17 | A kind of login method and desktop management equipment

Publications (1)

Publication Number | Publication Date
WO2015090116A1 | 2015-06-25

Family ID: 53402079

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2014/089858 (WO2015090116A1) | Login method and desktop management device | 2013-12-17 | 2014-10-30

Country Status (2)

Country | Link
CN (1) | CN104717261B (en)
WO (1) | WO2015090116A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107846414A (en) * 2017-12-04 2018-03-27 山东浪潮通软信息科技有限公司 A kind of single-point logging method and system, Centralized Authentication System
CN111756808A (en) * 2020-05-28 2020-10-09 西安万像电子科技有限公司 Data processing method and system
CN112099888A (en) * 2020-08-26 2020-12-18 西安万像电子科技有限公司 Picture display method and system and zero terminal
CN112115436A (en) * 2020-09-04 2020-12-22 上海上讯信息技术股份有限公司 Method and device for modifying AD domain account password
CN112784256A (en) * 2021-01-28 2021-05-11 北京明略昭辉科技有限公司 Account password management method and system
CN114500002A (en) * 2021-12-31 2022-05-13 济南超级计算技术研究院 LDAP-based cluster account allocation method and system
CN117407861A (en) * 2023-12-14 2024-01-16 北京亿赛通科技发展有限责任公司 Login management method and device for database

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105763532B (en) * 2016-01-05 2019-05-07 新华三技术有限公司 A kind of method and device logging in virtual desktop
CN106209816B (en) * 2016-07-01 2019-10-18 浙江宇视科技有限公司 A kind of web camera login method and system
CN106648797A (en) * 2016-12-30 2017-05-10 郑州云海信息技术有限公司 Method and system for installing test software, test server and shared server
CN106534219A (en) * 2016-12-31 2017-03-22 中国移动通信集团江苏有限公司 Security authentication method and device for desktop cloud portal
CN107026860B (en) * 2017-04-01 2020-10-16 成都灵跃云创科技有限公司 Login authentication method, device and system
CN107318100B (en) * 2017-06-02 2020-01-14 Oppo广东移动通信有限公司 Method, device and system for binding mobile phone number
CN110781481A (en) * 2018-07-30 2020-02-11 中兴通讯股份有限公司 Single sign-on method, client, server, and storage medium
CN110032414B (en) * 2019-03-06 2023-06-06 联想企业解决方案(新加坡)有限公司 Apparatus and method for secure user authentication in remote console mode
CN110430280B (en) * 2019-08-15 2022-06-07 上海达龙信息科技有限公司 Account automatic login method and system, storage medium and cloud desktop server
CN113595968B (en) * 2020-04-30 2023-02-03 华为云计算技术有限公司 Login method and system based on cloud application instance and related equipment
CN113507375B (en) * 2021-07-05 2024-03-01 国铁吉讯科技有限公司 Remote login method and device based on time sequence password and storage medium
CN114710355A (en) * 2022-04-11 2022-07-05 西安万像电子科技有限公司 Login management method and system
CN115840937B (en) * 2023-02-21 2023-05-23 中科方德软件有限公司 Control method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102291452A (en) * 2011-08-09 2011-12-21 北京星网锐捷网络技术有限公司 Virtual machine management method, cloud management server and cloud system based on cloud strategy
US20120331521A1 (en) * 2011-06-27 2012-12-27 Samsung Electronics Co., Ltd. System and method for application centric cloud management
CN103259663A (en) * 2013-05-07 2013-08-21 南京邮电大学 User unified authentication method in cloud computing environment
CN103377330A (en) * 2012-04-23 2013-10-30 佛山市智慧岛信息技术有限公司 Virtual resource distribution method and virtual resource distribution system

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN102333065A (en) * 2010-07-12 2012-01-25 戴元顺 Cloud interaction protocol design
CN102457376B (en) * 2010-10-29 2016-02-10 中兴通讯股份有限公司 Method and system for unified authentication of cloud computing services
US8756665B2 (en) * 2011-07-08 2014-06-17 International Business Machines Corporation Authenticating a rich client from within an existing browser session
CN102739658B (en) * 2012-06-16 2015-09-30 华南师范大学 Offline verification method for single sign-on

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
US20120331521A1 (en) * 2011-06-27 2012-12-27 Samsung Electronics Co., Ltd. System and method for application centric cloud management
CN102291452A (en) * 2011-08-09 2011-12-21 北京星网锐捷网络技术有限公司 Virtual machine management method, cloud management server and cloud system based on cloud strategy
CN103377330A (en) * 2012-04-23 2013-10-30 佛山市智慧岛信息技术有限公司 Virtual resource distribution method and virtual resource distribution system
CN103259663A (en) * 2013-05-07 2013-08-21 南京邮电大学 User unified authentication method in cloud computing environment

Cited By (9)

Publication number Priority date Publication date Assignee Title
CN107846414A (en) * 2017-12-04 2018-03-27 山东浪潮通软信息科技有限公司 Single sign-on method and system, and centralized authentication system
CN111756808A (en) * 2020-05-28 2020-10-09 西安万像电子科技有限公司 Data processing method and system
CN112099888A (en) * 2020-08-26 2020-12-18 西安万像电子科技有限公司 Picture display method and system and zero terminal
CN112115436A (en) * 2020-09-04 2020-12-22 上海上讯信息技术股份有限公司 Method and device for modifying AD domain account password
CN112115436B (en) * 2020-09-04 2023-05-30 上海上讯信息技术股份有限公司 AD domain account password modification method and device
CN112784256A (en) * 2021-01-28 2021-05-11 北京明略昭辉科技有限公司 Account password management method and system
CN114500002A (en) * 2021-12-31 2022-05-13 济南超级计算技术研究院 LDAP-based cluster account allocation method and system
CN114500002B (en) * 2021-12-31 2023-11-10 济南超级计算技术研究院 Cluster account distribution method and system based on LDAP
CN117407861A (en) * 2023-12-14 2024-01-16 北京亿赛通科技发展有限责任公司 Login management method and device for database

Also Published As

Publication number Publication date
CN104717261B (en) 2018-05-29
CN104717261A (en) 2015-06-17

Similar Documents

Publication Publication Date Title
WO2015090116A1 (en) Login method and desktop management device
US11695744B2 (en) Using credentials stored in different directories to access a common endpoint
CN108293045B (en) Single sign-on identity management between local and remote systems
KR102117584B1 (en) Local device authentication
US8627409B2 (en) Framework for automated dissemination of security metadata for distributed trust establishment
US8782757B2 (en) Session sharing in secure web service conversations
JP5375976B2 (en) Authentication method, authentication system, and authentication program
US9485246B2 (en) Distributed authentication with data cloud
US20160080358A1 (en) Hosted application sandbox model
CN115021991A (en) Single sign-on for unmanaged mobile devices
US20170279798A1 (en) Multi-factor authentication system and method
US9219762B2 (en) Techniques for desktop migration
US11245681B2 (en) Authentication in a multi-tenant environment
EP3942775A1 (en) Application integration using multiple user identities
US9948648B1 (en) System and method for enforcing access control to publicly-accessible web applications
KR20160012546A (en) Remote control system of mobile
KR20230110817A (en) Pervasive Resource Identity Proof
JP2018106515A (en) Server, login processing method, and login processing program
US10015286B1 (en) System and method for proxying HTTP single sign on across network domains
TW201203115A (en) Method and system for deployment of software applications to mobile computing devices
US11477189B2 (en) Primary domain and secondary domain authentication

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 14870826; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 14870826; Country of ref document: EP; Kind code of ref document: A1)