WO2016082548A1 - User login method, device and system for windows desktop - Google Patents

Info

Publication number: WO2016082548A1
Authority: WO (WIPO, PCT)
Prior art keywords: authentication, server, user, user information, plug
Application number: PCT/CN2015/083280
Other languages: French (fr), Chinese (zh)
Inventor: 石林灵
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/083 ... for authentication of entities using passwords
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Definitions

  • the present invention relates to the field of computer technologies, and in particular, to a user login method, device, and system for a Windows desktop.
  • AD: Active Directory.
  • AD is a directory service for the Microsoft Windows operating system.
  • AD stores information about network objects and the relationships between them, so that administrators and users can easily find and use this information. For example, before a user can use a Windows virtual desktop, that desktop must first be issued to the user.
  • to issue it, the administrator creates a domain account for the user on the AD and then adds the ID of the virtual machine (VM) to the AD domain. After that, the administrator associates the user's account information with the identification information of the virtual machine through a DC (Desktop Controller) and persists the association.
  • DC: Desktop Controller.
  • when a user logs in to the Windows virtual desktop, the user accesses the WI (Web Interface) page on the terminal and enters the user name and password. The WI then sends the entered user name and password to the AD for authentication. After the authentication passes, the virtual machine resources under that user name are displayed on the WI page, and the user selects the virtual machine desktop to log in to. At this point the desktop protocol client on the terminal sends the user's user name and password to the AD for authentication again; after this authentication succeeds, the user is logged in to the Windows desktop and controls the computer through the Windows operating system.
  • WI: Web Interface.
  • because AD is a service system developed by Microsoft, users face many restrictions when using it.
  • if the directory server the customer already uses is not AD but some other directory server, the current solution cannot provide a Windows virtual desktop at all. This wastes the customer's existing IT infrastructure and undermines the continuity and profitability of the customer's IT investment.
  • in addition, the maintenance cost of AD is very high, which some small-scale virtual desktop customers cannot bear.
  • the embodiments of the invention therefore provide a user login method, device and system for a Windows desktop that can use a non-AD authentication server to perform the authenticated login of a Windows desktop.
  • a user login method for a Windows desktop including:
  • the login plug-in interface module receives the user information, and sends the user information to the server docking module through the service plug-in management module;
  • the server docking module sends the user information to the docked non-Active Directory (non-AD) authentication server, so that the non-AD authentication server performs authentication according to the user information to obtain a first authentication result;
  • the login plug-in interface module receives the first authentication result, and sends the first authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the first authentication result is successful.
  • the user information is acquired by the Windows operating system on the virtual machine and then sent by that Windows operating system to the login plug-in interface module.
  • the method further includes:
  • the web server receives the user information input by the user on the web interface (WI) page, and sends the user information to the non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains a second authentication result;
  • the web server queries the DC for the user's virtual machine resources;
  • the web server receives the query result sent by the DC, and displays the user's virtual machine resources on the WI page, so that the user can select the virtual machine to log in to.
  • the non-AD authentication server is a Lightweight Directory Access Protocol (LDAP) server or a Remote Authentication Dial In User Service (RADIUS) server.
  • a user login method for a Windows desktop including:
  • the login plug-in interface module receives the user information input by the user, and sends the user information to the server docking module through the service plug-in management module;
  • the server docking module sends the user information to the docked non-Active Directory (non-AD) authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains an authentication result;
  • the login plug-in interface module receives the authentication result, and sends the authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the authentication result is successful.
  • the non-AD authentication server is a Lightweight Directory Access Protocol (LDAP) server or a Remote Authentication Dial In User Service (RADIUS) server.
  • a physical host including a hardware layer, a virtual machine monitor (VMM) running on the hardware layer, and at least one virtual machine running on the VMM, where the physical host further includes a login plug-in interface module, a service plug-in management module, and a server docking module running on the Windows operating system of each virtual machine,
  • the login plug-in interface module is configured to receive the user information that the user needs to log in to the Windows operating system on the virtual machine, and send the user information to the service plug-in management module; the user information is acquired from the desktop controller DC by the Windows operating system on the virtual machine that the user needs to log in to;
  • the service plug-in management module is configured to receive the user information sent by the login plug-in interface module, and send the user information to the server docking module;
  • the server docking module is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains an authentication result;
  • the server docking module is further configured to receive the authentication result sent by the non-AD authentication server, and send the authentication result to the service plug-in management module;
  • the service plug-in management module is further configured to receive the authentication result sent by the server docking module, and send the authentication result to the login plug-in interface module;
  • the login plug-in interface module is further configured to receive the authentication result sent by the service plug-in management module, and send the authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the authentication result is successful.
  • a physical host including a hardware layer and a Windows operating system running on the hardware layer, where the physical host further includes a login plug-in interface module, a service plug-in management module and a server docking module running on the Windows operating system,
  • the login plug-in interface module is configured to receive user information input by a user, and send the user information to a service plug-in management module;
  • the service plug-in management module is configured to receive the user information sent by the login plug-in interface module, and send the user information to the server docking module;
  • the server docking module is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains an authentication result;
  • the server docking module is further configured to receive the authentication result sent by the non-AD authentication server, and send the authentication result to the service plug-in management module;
  • the service plug-in management module is further configured to receive the authentication result sent by the server docking module, and send the authentication result to the login plug-in interface module;
  • the login plug-in interface module is further configured to receive the authentication result sent by the service plug-in management module, and send the authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the authentication result is successful.
  • a system including: a web server, a physical host, and a non-AD authentication server,
  • the web server is configured to receive the user information input by the user on the web interface (WI), and send the user information to the non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result; after the authentication result is successful, to query the desktop controller DC for the user's virtual machine resources; and to receive the query result sent by the DC and display the user's virtual machine resources on the WI page, so that the user can select the virtual machine to log in to;
  • the non-AD authentication server is configured to perform authentication according to the received user information, and obtain an authentication result
  • the physical host is the physical host described in the third aspect of the technical solution.
  • a system including: a physical host and a non-AD authentication server,
  • the physical host is the physical host described in the fourth aspect of the technical solution.
  • the non-AD authentication server is configured to perform authentication according to the received user information, and obtain an authentication result.
  • in the method, device and system provided by the embodiments, the login plug-in interface module acquires the user information and sends it to the server docking module via the service plug-in management module.
  • the server docking module sends the user information to the docked non-AD authentication server, and the non-AD authentication server performs authentication according to the user information to obtain an authentication result.
  • the server docking module receives the authentication result and sends it back to the login plug-in interface module via the service plug-in management module.
  • the login plug-in interface module receives the authentication result and sends it to the Windows operating system; after the authentication is passed, the user can use the Windows desktop.
  • in the prior art a Windows desktop cannot be used with a non-AD authentication server, whereas the method, device and system provided by the present invention can use a non-AD authentication server to perform the authenticated login of a Windows desktop.
  • because the customer's existing non-AD authentication service is cheaper to maintain, the higher cost of maintaining an AD authentication server is avoided.
  • FIG. 1 is a structural block diagram of a physical host according to Embodiment 1 of the present invention.
  • FIG. 2 is a structural block diagram of another physical host according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic flowchart of a user login method of a Windows desktop according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic diagram of virtual machine technology.
  • FIG. 5 is a schematic flowchart of a user login method of a Windows desktop according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic flowchart of a user login method of a Windows desktop according to Embodiment 4 of the present invention.
  • the login process of the virtual machine is as follows: the user inputs the WI (Web Interface) domain name in the terminal browser to access the WI, and enters the user name and password on the WI page; the WI sends the user name and password to the AD authentication server for initial authentication. After the initial authentication, the WI requests the DC (Desktop Controller) to query the list of virtual machine resources under that user name, and the query result is displayed on the WI page for the user to select from. The user then selects the virtual machine to log in to.
  • the Windows desktop protocol client installed on the terminal connects to the virtual machine selected by the user through the AG (Access Gateway) and delivers the virtual machine desktop to the terminal.
  • the Windows operating system of the virtual machine selected by the user sends the user's user name and password to the AD authentication server for secondary authentication. After the secondary authentication passes, the user has successfully logged in to the virtual machine and can use the Windows desktop.
  • if the authentication server in use is not Microsoft's default AD but a non-AD authentication server:
  • the WI sends the user's user name and password to the non-AD authentication server for initial authentication;
  • but the Windows operating system will still address the AD authentication server by default and attempt to send the user's user name and password to the AD authentication server for secondary authentication. Because the user does not use an AD authentication server, the authentication fails, and the user may be unable to use the Windows desktop normally.
  • likewise, when the user enters a user name and password in the login page provided by the CP (Credential Provider) or GINA (Graphical Identification and Authentication) module of the Windows operating system, the Windows operating system will also address the AD authentication server by default and attempt to have the account name and password authenticated on the AD authentication server, so the authentication fails and the user may be unable to use the Windows desktop normally.
  • the present invention therefore builds on the CP/GINA of the Windows operating system and provides a method and a physical host in which the user's user name and password are redirected to the non-AD authentication server for the secondary authentication, or the user name and password input by the user are sent to the non-AD server for verification; this implements redirection of user authentication and allows a non-AD authentication server to perform the authenticated login of the Windows desktop.
  • the embodiment of the present invention provides a physical host, as shown in FIG. 1, including a hardware layer 10, a virtual machine monitor (VMM) 11 running on the hardware layer, and at least one virtual machine 12 running on the VMM; the login plug-in interface module 120, the service plug-in management module 121 and the server docking module 122 run on the operating system of the virtual machine (specifically, the Windows operating system).
  • VMM: Virtual Machine Monitor.
  • the login plug-in interface module 120 is configured to receive the user information that the user needs to log in to the Windows operating system on the virtual machine, and send the user information to the service plug-in management module; the user information is acquired from the desktop controller DC by the Windows operating system on the virtual machine that the user needs to log in to.
  • the service plug-in management module 121 is configured to receive the user information sent by the login plug-in interface module 120, and send the user information to the server docking module 122.
  • the server docking module 122 is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains an authentication result.
  • the server docking module 122 is further configured to receive the authentication result sent by the non-AD authentication server, and send the authentication result to the service plug-in management module 121;
  • the service plug-in management module 121 is further configured to receive the authentication result sent by the server docking module 122, and send the authentication result to the login plug-in interface module 120;
  • the login plug-in interface module 120 is further configured to receive the authentication result sent by the service plug-in management module 121, and send the authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the authentication result is successful.
  • the embodiment of the present invention further provides a physical host, as shown in FIG. 2, including a hardware layer 20, an operating system running on the hardware layer (specifically, the Windows operating system) 21, running on the Windows
  • the login plug-in interface module 210 is configured to receive user information input by the user, and send the user information to the service plug-in management module.
  • the login plug-in interface module 210 provides a login interface for the user to input a username and password.
  • the login plug-in interface module 210 can also provide functions such as modifying a user password, locking, and the like.
  • the service plug-in management module 211 is configured to receive the user information sent by the login plug-in interface module 210, and send the user information to the server docking module 212.
  • the server docking module 212 is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains an authentication result.
  • the server docking module 212 is further configured to receive the authentication result sent by the non-AD authentication server, and send the authentication result to the service plug-in management module 211;
  • the service plug-in management module 211 is further configured to receive the authentication result sent by the server docking module 212, and send the authentication result to the login plug-in interface module 210.
  • the login plug-in interface module 210 is further configured to receive the authentication result sent by the service plug-in management module 211, and send the authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the authentication result is successful.
  • the login plug-in interface module may be a CP (Credential Provider) or a GINA (Graphical Identification and Authentication).
  • the service plugin management module may be an Extension Service.
  • the server docking module can be a Service Plugin.
  • the login plug-in interface module, the service plug-in management module, and the server docking module provided by the embodiments of the present invention are all modules on the physical host.
  • the non-AD authentication server may be an LDAP (Lightweight Directory Access Protocol) server or a RADIUS (Remote Authentication Dial In User Service) server.
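As an added illustration (not code from the patent or from Huawei), the following Python model shows the three-module chain just described on a virtual machine: the login plug-in interface (CP/GINA stand-in) hands the user information to the service plug-in management module (Extension Service stand-in), which forwards it to the server docking module (Service Plugin stand-in), which is docked to either a mock LDAP directory or a mock RADIUS server. The Windows operating system presents the desktop only when the returned result is successful. The class names, the salted PBKDF2 storage inside the LDAP stand-in, the constant-time comparisons, and the fail-closed handling of an unregistered plug-in name are assumptions of this example; the patent only states that the server compares the received user name and password with its stored entries.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:
    """User information as the patent uses the term: a user name and a password."""
    username: str
    password: str


class MockLdapDirectory:
    """Stand-in for the docked LDAP server (assumption: stores salted PBKDF2 digests)."""

    def __init__(self, users):
        self._entries = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._entries[name] = (salt, self._digest(salt, password))

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def check(self, cred):
        entry = self._entries.get(cred.username)
        if entry is None:
            # Unknown user: still compute a digest so the timing matches a wrong password.
            self._digest(b"\0" * 16, cred.password)
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._digest(salt, cred.password))


class MockRadiusServer:
    """Stand-in for the docked RADIUS server: accept when the password matches."""

    def __init__(self, users):
        self._users = dict(users)

    def check(self, cred):
        stored = self._users.get(cred.username)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), cred.password.encode())


class ServicePlugin:
    """Server docking module: the only component that talks to the non-AD server."""

    def __init__(self, name, backend):
        self.name = name
        self._backend = backend

    def authenticate(self, cred):
        return self._backend.check(cred)


class ExtensionService:
    """Service plug-in management module: bridge between CP/GINA and the plug-ins."""

    def __init__(self):
        self._plugins = {}

    def register(self, plugin):
        self._plugins[plugin.name] = plugin

    def forward(self, plugin_name, cred):
        plugin = self._plugins.get(plugin_name)
        if plugin is None:
            return False  # no docking module registered under this name: fail closed
        return plugin.authenticate(cred)


class LoginPluginInterface:
    """CP/GINA stand-in: receives user information and returns the authentication result."""

    def __init__(self, ext_service, plugin_name):
        self._ext = ext_service
        self._plugin_name = plugin_name

    def logon(self, cred):
        return self._ext.forward(self._plugin_name, cred)


def windows_logon(login_plugin, username, password):
    """The OS hands the credentials to the login plug-in; desktop only on success."""
    ok = login_plugin.logon(Credentials(username, password))
    return "desktop presented" if ok else "logon denied"


def demo():
    """Constructed sample users and the outcome of several logon attempts."""
    ldap = MockLdapDirectory({"alice": "correct horse"})
    radius = MockRadiusServer({"bob": "battery staple"})
    ext = ExtensionService()
    ext.register(ServicePlugin("ldap", ldap))
    ext.register(ServicePlugin("radius", radius))
    cp_ldap = LoginPluginInterface(ext, "ldap")
    cp_radius = LoginPluginInterface(ext, "radius")
    return {
        "alice_ldap_ok": windows_logon(cp_ldap, "alice", "correct horse"),
        "alice_ldap_wrong": windows_logon(cp_ldap, "alice", "wrong"),
        "bob_radius_ok": windows_logon(cp_radius, "bob", "battery staple"),
        "bob_via_ldap": windows_logon(cp_ldap, "bob", "battery staple"),
        "unregistered_plugin": windows_logon(LoginPluginInterface(ext, "other"), "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point the model makes is that the credential provider never knows which directory it is talking to: swapping the docked backend is the whole redirection, and a missing or misconfigured docking module must yield a denied logon rather than a fallback to the default AD path.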
  • in the device provided by the embodiment, the login plug-in interface module acquires the user information and sends it to the server docking module via the service plug-in management module.
  • the server docking module sends the user information to the docked non-AD authentication server, and the non-AD authentication server performs authentication according to the user information to obtain an authentication result.
  • the server docking module receives the authentication result and sends it back to the login plug-in interface module via the service plug-in management module.
  • the login plug-in interface module receives the authentication result and sends it to the Windows operating system; after the authentication is passed, the user can use the Windows desktop.
  • in the prior art a Windows desktop cannot be used with a non-AD authentication server, whereas the device provided by the present invention can use a non-AD authentication server to perform the authenticated login of a Windows desktop.
  • because the customer's existing non-AD authentication service is cheaper to maintain, the higher cost of maintaining an AD authentication server is avoided.
  • An embodiment of the present invention provides a user login method for a Windows desktop. As shown in FIG. 3, the method includes the following steps:
  • the login plug-in interface module receives the user information, and sends the user information to the server docking module through the service plug-in management module.
  • the user information may be a user name and password of the user.
  • the user information is acquired from the desktop controller DC by the Windows operating system on the virtual machine that the user needs to log in to, and is then sent to the login plug-in interface module.
  • the web server receives the user information input by the user on the web interface (WI) page, and sends the user information to the non-AD authentication server.
  • the non-AD authentication server performs authentication according to the user information, obtains a second authentication result, and sends the second authentication result to the web server.
  • the web server queries the DC for the user's virtual machine resources.
  • the web server receives the query result sent by the DC, and displays the user's virtual machine resources on the WI page, so that the user can select the virtual machine to log in to.
  • the server docking module sends the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information to obtain a first authentication result.
  • the service plug-in management module is responsible for managing the various service plug-ins and, at the same time, acts as a bridge that passes the user name and password input by the user to the server docking module. Therefore, the user information acquired by the login plug-in interface module must be sent to the server docking module through the service plug-in management module.
  • because the non-AD authentication server stores the correspondence between the user's user name and password and the user's other rights, the user can be authenticated by the non-AD authentication server. Specifically, the non-AD authentication server compares the received user name and password with the user names and passwords it stores, one by one; if it holds an entry whose user name and password match the received ones, the authentication succeeds, and if none matches, the authentication fails.
  • the server docking module receives the first authentication result sent by the non-AD authentication server, and sends the first authentication result to the login plug-in interface module through the service plug-in management module.
  • the server docking module returns the server's authentication result to the login plug-in interface module, and this result must likewise pass through the service plug-in management module.
  • the login plug-in interface module receives the first authentication result, and sends the first authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the first authentication result is successful.
  • this completes the authentication, and the Windows desktop can be used after the authentication is passed.
  • the terms "first authentication result" and "second authentication result" in this embodiment do not imply a sequence; they merely distinguish the two authentications.
  • in the method provided by the embodiment, the login plug-in interface module acquires the user information and sends it to the server docking module via the service plug-in management module.
  • the server docking module sends the user information to the docked non-AD authentication server, and the non-AD authentication server performs authentication according to the user information to obtain an authentication result.
  • the server docking module receives the authentication result and sends it back to the login plug-in interface module via the service plug-in management module.
  • the login plug-in interface module receives the authentication result and sends it to the Windows operating system; after the authentication is passed, the user can use the Windows desktop.
  • in the prior art a Windows desktop cannot be used with a non-AD authentication server, whereas the method provided by the present invention can use a non-AD authentication server to perform the authenticated login of a Windows desktop.
  • because the customer's existing non-AD authentication service is cheaper to maintain, the higher cost of maintaining an AD authentication server is avoided.
  • FIG. 4 is a schematic diagram of virtual machine technology.
  • the resources in virtualization technology are stored on a remote server (generally in a data center).
  • the remote server A is a remote server serving the virtual machines.
  • virtual machines B, C, and D are created by virtualization technology, and an operating system (such as a Windows operating system) is installed on each virtual machine. If a desktop operating system is installed, a virtual desktop E (for example, a Windows desktop) can be provided.
  • the virtual desktop is delivered to the terminal F and displayed to the user through the remote desktop protocol.
  • the input and output of the terminal will also be mapped to the remote server.
  • An embodiment of the present invention provides a user login method for a Windows desktop. As shown in FIG. 5, the method includes the following steps:
  • a web server receives user information input by a user on a WI page on the terminal.
  • the user information may be a username and a password.
  • the WI page is a web page that provides virtual machine services to users. Users can enter their user names and passwords on the WI page to view their virtual machine resources in order to select the virtual machine to be logged in.
  • the operating system installed on the virtual machine is a Windows operating system.
  • the user opens the WI page through the browser on the terminal, and then inputs the user name and password.
  • the web server sends the user information to a non-AD authentication server.
  • the user name and password entered by the user on the WI page are sent to the non-AD authentication server for authentication by HTTP (Hypertext Transfer Protocol).
  • HTTP: Hypertext Transfer Protocol.
  • in step 202 the web server sends the user information to the non-AD authentication server to verify whether the user is a legitimate virtual machine user. Specifically, the non-AD authentication server compares the user information sent by the web server with the user name and password it stores; if they are consistent, the authentication passes, and if not, the authentication fails.
  • the web server queries the DC according to the user name to obtain the virtual machine resource of the user.
  • the web server receives the authentication result sent by the non-AD authentication server, and determines the authentication success according to the received authentication result.
  • the DC generates a security identifier for the user, and records the correspondence between the user's user name and password and the security identifier.
  • the security identifier is used in place of the user's user name and password.
  • the web server receives the virtual machine resource of the user returned by the DC and presents the virtual machine resource list of the user on the WI page.
  • the web server receives the user's security identifier and the user's virtual machine resources.
  • the user initiates a login request to the Windows operating system through the terminal.
  • the login request carries the user's security identifier; the operating system referred to here is specifically the Windows operating system installed on the virtual machine selected by the user.
  • the user selects the virtual machine to log in to from the virtual machine resource list displayed on the WI page. In response to this user operation (selecting the virtual machine), the terminal sends a login request to the Windows operating system installed on the selected virtual machine.
  • the Windows operating system requests the user information from the DC.
  • the remote server (for example, remote server A in FIG. 3) transmits the security identifier of the user to the DC.
  • the DC can look up the user's user name and password in its stored correspondence table according to the user's security identifier, and then send the found user name and password to the remote server.
  • the remote server sends the received username and password to the Windows operating system installed on the selected virtual machine.
  • the user information in steps 401 and 402 and the user information after step 406 are both the user name and password of the user.
  • the Windows operating system sends the user information to the login plug-in interface module.
  • the login plug-in interface module sends the user information to the server docking module through the service plug-in management module.
  • the server docking module is connected to the non-AD authentication server described in this embodiment.
  • the server docking module sends the user information to a non-AD authentication server.
  • the non-AD authentication server authenticates the user information, and obtains an authentication result.
  • the non-AD authentication server compares the user information sent by the server docking module with the user name and password it stores; if they match, the authentication passes; if not, the authentication fails.
  • the non-AD authentication server sends the authentication result to the server docking module.
  • the server docking module sends the authentication result to the login plug-in interface module through the service plug-in management module.
  • the login plug-in interface module sends the authentication result to the Windows operating system.
  • step 214 is performed.
  • the Windows operating system presents the Windows desktop to the terminal.
  • the Windows operating system installed on the virtual machine selected by the user presents a Windows desktop, and the Windows desktop is presented on the user's terminal through a remote desktop protocol, and the user can use the Windows desktop.
  • the Windows operating system in steps 405-413 of the embodiment is the Windows operating system running on the virtual machine to be logged in by the user in step 405.
  • the login plug-in interface module obtains the user information and forwards it, through the service plug-in management module, to the server docking module.
  • the server docking module sends the user information to the docked non-AD authentication server, and the non-AD authentication server performs authentication according to the user information to obtain an authentication result.
  • the server docking module receives the authentication result and forwards it, through the service plug-in management module, to the login plug-in interface module.
  • the login plug-in interface module displays the authentication result and sends it to the Windows operating system. After the authentication passes, the user can use the Windows desktop.
  • compared with the prior art, in which a user of a non-AD authentication server cannot use the Windows desktop, the method provided by the present invention makes it possible to authenticate the login to a Windows desktop with a non-AD authentication server.
  • maintaining the customer's existing non-AD authentication service costs less, which avoids the higher expense of maintaining an AD authentication server.
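The DC's part in the steps above (generating a security identifier for the user, recording its correspondence with the user name and password, and returning those credentials when the remote server presents the identifier), as an added Python example; it is not code from the patent or from any Huawei product. The DesktopController and remote_server_resolve names, the time-to-live and the single-use redemption are assumptions of this example; the patent states only that the correspondence is recorded and looked up. Because the identifier stands in for the user's password, the example draws it from the OS random source, refuses it after one redemption and after it expires, and treats an unknown identifier as a miss.

```python
"""Added example (not the patent's or Huawei's code): the DC issuing a security identifier
that stands in for the user's credentials during the virtual machine login hand-off."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class DesktopController:
    """Constructed stand-in for the DC's correspondence table (security identifier -> user name, password)."""
    ttl_seconds: float = 60.0          # assumed: how long an issued identifier stays redeemable
    _table: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)

    def issue_security_identifier(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Generate an identifier for the user and record its correspondence with the credentials."""
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: the identifier cannot be guessed or forged by anyone who does not hold it.
        sid = secrets.token_urlsafe(32)
        self._table[sid] = (username, password, now + self.ttl_seconds)
        return sid

    def redeem_security_identifier(self, sid: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Look up the credentials for an identifier presented by a remote server; single use and time limited."""
        now = time.time() if now is None else now
        entry = self._table.pop(sid, None)   # pop, not get: a replayed identifier finds nothing
        if entry is None:
            return None
        username, password, expires_at = entry
        if now > expires_at:
            return None                      # a stale identifier is refused even on first use
        return username, password


def remote_server_resolve(dc: DesktopController, sid: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Remote server step: present the identifier carried in the login request to the DC and relay what it returns."""
    return dc.redeem_security_identifier(sid, now)


def fig5_handoff(dc: DesktopController, username: str, password: str, now: float) -> Dict[str, Optional[Tuple[str, str]]]:
    """Walk the FIG. 5 hand-off once and then replay the same identifier, returning both outcomes."""
    sid = dc.issue_security_identifier(username, password, now)   # issued after the first (web) authentication
    first = remote_server_resolve(dc, sid, now + 5)                # the VM's Windows OS requests the user info
    replay = remote_server_resolve(dc, sid, now + 6)               # the same identifier presented a second time
    return {"first": first, "replay": replay}


if __name__ == "__main__":
    dc = DesktopController(ttl_seconds=60)
    print(fig5_handoff(dc, "alice", "constructed-password", now=1_000.0))
    # {'first': ('alice', 'constructed-password'), 'replay': None}
```

Keeping the hand-off this tight limits what a leaked or replayed identifier is worth. The DC still holds the plaintext password for the lifetime of the table entry, so it is the component whose storage and access logging need the most care in this design.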
  • An embodiment of the present invention provides a user login method for a Windows desktop. As shown in FIG. 6, the method includes the following steps:
  • the login plug-in interface module receives user information input by the user.
  • the user information may be a username and a password.
  • the user is a physical host user.
  • the login plug-in interface module provides a user login interface for the user, so that the user inputs the user name and password on the login interface displayed on the terminal.
  • the login plug-in interface module sends the user information to the server docking module through the service plug-in management module.
  • the server docking module sends the user information to a non-AD authentication server.
  • the non-AD authentication server authenticates the user information, and obtains an authentication result.
  • the non-AD authentication server sends the authentication result to the server docking module.
  • the server docking module sends the authentication result to the login plug-in interface module by using the service plug-in management module.
  • the login plug-in interface module sends the authentication result to the Windows operating system.
  • the Windows operating system receives the authentication result, and when the authentication result is successful, presents a Windows desktop to the user terminal.
  • the foregoing program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the foregoing method embodiments.
  • the foregoing storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.

Abstract

Provided are a user login method, device and system for a Windows desktop, which relate to the technical field of computers and can authenticate the login to the Windows desktop by using a non-Active-Directory (non-AD) authentication server. The method comprises: a login plug-in interface module receives user information and sends it to a server docking plug-in module via a service plug-in management module; the server docking plug-in module sends the user information to a docked non-AD authentication server; after the server docking plug-in module receives a first authentication result sent by the non-AD authentication server, it sends the first authentication result to the login plug-in interface module via the service plug-in management module; and the login plug-in interface module receives the first authentication result and sends it to a Windows operating system, so that the Windows operating system presents a Windows desktop to a user terminal when the first authentication result represents success.

Description

User login method, device and system for Windows desktop
Technical field
The present invention relates to the field of computer technologies, and in particular to a user login method, device and system for a Windows desktop.
Background
AD (Active Directory) is a directory service for the Microsoft Windows operating system. AD stores information about network objects and the correspondences between them, and administrators and users can easily look up and use this information. For example, before a user can use a Windows virtual desktop, the Windows virtual desktop must first be provisioned for the user. The administrator first creates a domain account for the user in AD and then joins the virtual machine's identification information to the AD domain. After that, the administrator associates the user's account information with the virtual machine's identification information through a DC (Desktop Controller) and stores the association persistently.
When a user logs in to a Windows virtual desktop, the user accesses the WI (Web Interface) page on a terminal and enters a user name and password. The WI then sends the user name and password entered by the user to AD for authentication. After the authentication passes, the virtual machine resources under that user name are displayed on the WI page. The user selects the virtual machine desktop to log in to; at this point the desktop protocol client on the terminal sends the user's user name and password to AD for authentication a second time. After this authentication succeeds, the user is logged in to the Windows desktop and controls the computer through the Windows operating system.
Since AD is a service system developed by Microsoft, its use is subject to many restrictions. On the one hand, if the directory server a customer already uses is not AD but some other directory server, the current solution cannot provide a Windows virtual desktop. This wastes the customer's existing IT infrastructure and breaks the continuity and return of the customer's IT investment. On the other hand, the maintenance cost of AD is very high, and some small-scale virtual desktop customers cannot bear it.
Summary of the invention
Embodiments of the present invention provide a user login method, device and system for a Windows desktop, which can use a non-AD authentication server to authenticate the login to a Windows desktop.
To achieve the above objective, the technical solution adopted by the embodiments of the present invention is as follows.
In a first aspect, a user login method for a Windows desktop is disclosed, including:
a login plug-in interface module receives user information and sends the user information to a server docking plug-in module through a service plug-in management module;
the server docking plug-in module sends the user information to a docked non-Active-Directory (non-AD) authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains a first authentication result;
the server docking plug-in module receives the first authentication result sent by the non-AD authentication server and sends the first authentication result to the login plug-in interface module through the service plug-in management module;
the login plug-in interface module receives the first authentication result and sends it to the Windows operating system, so that the Windows operating system presents a Windows desktop to the user terminal when the first authentication result is success.
With reference to the first aspect, in a first possible implementation of the first aspect, the user information is sent to the login plug-in interface module by the Windows operating system on the virtual machine the user needs to log in to, after that Windows operating system has obtained it from the desktop controller (DC).
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, before the login plug-in interface module obtains the user information, the method further includes:
a web server receives the user information entered by the user on a web interface (WI) page and sends the user information to the non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains a second authentication result;
after the second authentication result is success, the web server queries the DC for the user's virtual machine resources;
the web server receives the query result sent by the DC and displays the user's virtual machine resources on the WI page, so that the user can select the virtual machine to log in to.
With reference to the second aspect or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the non-AD authentication server is a Lightweight Directory Access Protocol (LDAP) server or a Remote Authentication Dial-In User Service (RADIUS) server.
In a second aspect, a user login method for a Windows desktop is disclosed, including:
a login plug-in interface module receives user information entered by a user and sends the user information to a server docking plug-in module through a service plug-in management module;
the server docking plug-in module sends the user information to a docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result;
the server docking plug-in module receives the authentication result sent by the non-AD authentication server and sends the authentication result to the login plug-in interface module through the service plug-in management module;
the login plug-in interface module receives the authentication result and sends it to the Windows operating system, so that the Windows operating system presents a Windows desktop to the user terminal when the authentication result is success.
With reference to the second aspect, in a first possible implementation of the second aspect, the non-AD authentication server is a Lightweight Directory Access Protocol (LDAP) server or a Remote Authentication Dial-In User Service (RADIUS) server.
In a third aspect, a physical host is disclosed, including a hardware layer, a virtual machine monitor (VMM) running on the hardware layer, and at least one virtual machine running on the VMM; the physical host further includes a login plug-in interface module, a service plug-in management module and a server docking plug-in module running on the Windows operating system of each virtual machine, where:
the login plug-in interface module is configured to receive user information sent by the Windows operating system on the virtual machine the user needs to log in to, and to send the user information to the service plug-in management module; the user information is obtained from the desktop controller (DC) by the Windows operating system on the virtual machine the user needs to log in to;
the service plug-in management module is configured to receive the user information sent by the login plug-in interface module and to send the user information to the server docking plug-in module;
the server docking plug-in module is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result;
the server docking plug-in module is further configured to receive the authentication result sent by the non-AD authentication server and to send the authentication result to the service plug-in management module;
the service plug-in management module is further configured to receive the authentication result sent by the server docking plug-in module and to send the authentication result to the login plug-in interface module;
the login plug-in interface module is further configured to receive the authentication result sent by the service plug-in management module and to send the authentication result to the Windows operating system, so that the Windows operating system presents a Windows desktop to the user terminal when the authentication result is success.
In a fourth aspect, a physical host is disclosed, including a hardware layer and a Windows operating system running on the hardware layer; the physical host further includes a login plug-in interface module, a service plug-in management module and a server docking plug-in module running on the Windows operating system, where:
the login plug-in interface module is configured to receive user information entered by a user and to send the user information to the service plug-in management module;
the service plug-in management module is configured to receive the user information sent by the login plug-in interface module and to send the user information to the server docking plug-in module;
the server docking plug-in module is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result;
the server docking plug-in module is further configured to receive the authentication result sent by the non-AD authentication server and to send the authentication result to the service plug-in management module;
the service plug-in management module is further configured to receive the authentication result sent by the server docking plug-in module and to send the authentication result to the login plug-in interface module;
the login plug-in interface module is further configured to receive the authentication result sent by the service plug-in management module and to send the authentication result to the Windows operating system, so that the Windows operating system presents a Windows desktop to the user terminal when the authentication result is success.
In a fifth aspect, a system is disclosed, including a web server, a physical host and a non-AD authentication server, where:
the web server is configured to receive user information entered by the user on a web interface (WI) page and to send the user information to the non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result; to query the desktop controller (DC) for the user's virtual machine resources after the authentication result is success; and to receive the query result sent by the DC and display the user's virtual machine resources on the WI page, so that the user can select the virtual machine to log in to;
the non-AD authentication server is configured to perform authentication according to the received user information and obtain an authentication result;
the physical host is the physical host described in the third aspect of the technical solution above.
In a fifth aspect, a system is disclosed, including a physical host and a non-AD authentication server, where:
the physical host is the physical host described in the fourth aspect of the technical solution above;
the non-AD authentication server is configured to perform authentication according to the received user information and obtain an authentication result.
With the user login method, device and system for a Windows desktop according to the embodiments of the present invention, the login plug-in interface module obtains user information and forwards it, through the service plug-in management module, to the server docking plug-in module. The server docking plug-in module sends the user information to the docked non-AD authentication server, which performs authentication according to the user information and obtains an authentication result. The server docking plug-in module receives the authentication result and forwards it, through the service plug-in management module, to the login plug-in interface module. The login plug-in interface module displays the authentication result and sends it to the Windows operating system. After the authentication passes, the user can use the Windows desktop. Compared with the prior art, in which a user of a non-AD authentication server cannot use the Windows desktop, the method, device and system provided by the present invention make it possible to authenticate the login to a Windows desktop with a non-AD authentication server. Moreover, maintaining a customer's existing non-AD authentication service costs less, avoiding the higher expense of maintaining an AD authentication server.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a structural block diagram of a physical host according to Embodiment 1 of the present invention;
FIG. 2 is a structural block diagram of another physical host according to Embodiment 1 of the present invention;
FIG. 3 is a schematic flowchart of a user login method for a Windows desktop according to Embodiment 2 of the present invention;
FIG. 4 is a schematic diagram of the principle of virtual machine technology;
FIG. 5 is a schematic flowchart of a user login method for a Windows desktop according to Embodiment 3 of the present invention;
FIG. 6 is a schematic flowchart of a user login method for a Windows desktop according to Embodiment 4 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Generally, if the authentication server in use is AD, the virtual machine login process is as follows. The user enters the WI (Web Interface) domain name in the terminal browser to access the WI and enters the user name and password on the WI page. The WI sends the user's user name and password to the AD authentication server for initial authentication. After the initial authentication passes, the WI requests the DC (Desktop Controller) to query the list of virtual machine resources under that user name and presents the query result on the WI page for the user to choose from. When the user selects the virtual machine to log in to, the Windows desktop protocol client installed on the terminal connects to the selected virtual machine through the AG (Access Gateway) and delivers the virtual machine's desktop to the terminal. At the same time, the Windows operating system of the selected virtual machine sends the user's user name and password to the AD authentication server again for secondary authentication; only after the secondary authentication passes can the user log in to the virtual machine and use the Windows desktop.
Suppose the user has installed a Microsoft operating system but the authentication server in use is not Microsoft's default AD but a non-AD authentication server. During the initial authentication above, the WI sends the user's user name and password to the non-AD authentication server. During the secondary authentication, however, the Windows operating system addresses an AD authentication server by default and attempts to send the user's user name and password to the AD authentication server for secondary authentication. Because no AD authentication server is in use, the user's authentication fails, and the user cannot use the Windows desktop.
For users who do not use virtual machines, the user enters a user name and password on the login page provided by the CP (Credential Provider) or GINA (Graphical Identification and Authentication) module of the Windows operating system. The Windows operating system likewise addresses an AD authentication server by default and attempts to send the user name and password to the AD authentication server for authentication. Because no AD authentication server is in use, the user's authentication fails, and the user cannot use the Windows desktop.
The present invention extends the CP/GINA of the Windows operating system and provides a method and a physical host which, in a scenario where the user uses a non-AD authentication server, redirect the user's user name and password to the non-AD authentication server for the secondary authentication described above, or send the user name and password entered by the user to the non-AD server for authentication. This redirection of user authentication makes it possible to use a non-AD authentication server to authenticate the login to a Windows desktop.
Embodiment 1:
An embodiment of the present invention provides a physical host which, as shown in FIG. 1, includes a hardware layer 10, a virtual machine monitor (VMM) 11 running on the hardware layer, at least one virtual machine 12 running on the VMM, and a login plug-in interface module 120, a service plug-in management module 121 and a server docking plug-in module 122 running on the operating system of each virtual machine (in the present invention, specifically the Windows operating system).
The login plug-in interface module 120 is configured to receive user information sent by the Windows operating system on the virtual machine the user needs to log in to, and to send the user information to the service plug-in management module; the user information is obtained from the desktop controller (DC) by the Windows operating system on the virtual machine the user needs to log in to.
The service plug-in management module 121 is configured to receive the user information sent by the login plug-in interface module 120 and to send the user information to the server docking plug-in module 122.
The server docking plug-in module 122 is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result.
The server docking plug-in module 122 is further configured to receive the authentication result sent by the non-AD authentication server and to send the authentication result to the service plug-in management module 121.
The service plug-in management module 121 is further configured to receive the authentication result sent by the server docking plug-in module 122 and to send the authentication result to the login plug-in interface module 120.
The login plug-in interface module 120 is further configured to receive the authentication result sent by the service plug-in management module 121 and to send the authentication result to the Windows operating system, so that the Windows operating system presents a Windows desktop to the user terminal when the authentication result is success.
An embodiment of the present invention further provides a physical host, as shown in FIG. 2, comprising a hardware layer 20, an operating system 21 (in the present invention specifically the Windows operating system) running on the hardware layer, and a login plug-in interface module 210, a service plug-in management module 211 and a server docking plug-in module 212 running on the Windows operating system.
The login plug-in interface module 210 is configured to receive user information entered by the user and send it to the service plug-in management module. Naturally, the login plug-in interface module 210 presents a login interface to the user so that the user can enter a user name and password. The login plug-in interface module 210 may also provide functions such as changing the user password and locking.
The service plug-in management module 211 is configured to receive the user information sent by the login plug-in interface module 210 and send it to the server docking plug-in module 212.
The server docking plug-in module 212 is configured to send the user information to the docked non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result.
The server docking plug-in module 212 is further configured to receive the authentication result sent by the non-AD authentication server and send it to the service plug-in management module 211;
The service plug-in management module 211 is further configured to receive the authentication result sent by the server docking plug-in module 212 and send it to the login plug-in interface module 210;
The login plug-in interface module 210 is further configured to receive the authentication result sent by the service plug-in management module 211 and send it to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the authentication result is success.
It should be noted that the login plug-in interface module may be a CP (Credential Provider) or a GINA (Graphical Identification and Authentication module). In Windows systems before Windows Vista, user authentication is completed by GINA; in Windows systems after Windows Vista, it is completed by the CP. The service plug-in management module may be an Extension Service. The server docking plug-in module may be a Service Plugin. In addition, the login plug-in interface module, the service plug-in management module and the server docking plug-in module provided by embodiments of the present invention are all modules on the physical host. The non-AD authentication server may be an LDAP (Lightweight Directory Access Protocol) server or a RADIUS (Remote Authentication Dial In User Service) server.
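The patent names RADIUS as one of the non-AD authentication servers the Service Plugin may dock with. The following is an added example, not code from the patent or from the applicant, showing the Access-Request / Access-Accept exchange between a docking plug-in (client side) and a RADIUS server (server side) in Python: it implements the RFC 2865 User-Password hiding on both sides and the Response Authenticator check the client must perform before trusting an answer. The shared secret, user name, password and the server's plaintext user table are constructed sample values for the example (a real server would verify the revealed password against a stored hash).

```python
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types (RFC 2865)


def _attr(attr_type, value):
    """Type-Length-Value encoding of one attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password with NULs to a 16-byte multiple, then XOR
    each block with MD5(secret + previous block), the first block using the Request
    Authenticator. This hides the password from a casual observer only."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; the NUL padding is stripped, so passwords ending
    in NUL cannot be represented (a limitation of the PAP scheme itself)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\0")


def build_access_request(ident, username, password, secret):
    """Client (docking plug-in) side: Code, Identifier, Length, a fresh random
    16-byte Request Authenticator, then the attributes."""
    request_auth = os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    """Walk the TLV list, refusing truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def server_handle(packet, secret, users):
    """Server side: validate the packet, reveal the password, check the user, and answer
    with Access-Accept or Access-Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = (user is not None and hidden is not None and len(hidden) % 16 == 0
          and secrets.compare_digest(reveal_password(hidden, secret, request_auth),
                                     users.get(user, b"\0")))  # constructed plaintext table
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify_response(response, request, secret):
    """Client side: accept only a response for our Identifier whose Response
    Authenticator verifies under the shared secret; True means Access-Accept."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return secrets.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT
```

Two points a practitioner should take from this: the Response Authenticator is the only thing binding an answer to the shared secret, so a docking plug-in that skips `client_verify_response` will accept a forged Access-Accept from anyone who can reach its UDP port; and the MD5-based password hiding is obfuscation keyed on the shared secret, not encryption (RFC 2865 says as much), so deployments protect the RADIUS transport (IPsec or RADIUS over TLS, RFC 6614) and use long random secrets.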
With the device provided by this embodiment of the present invention, the login plug-in interface module obtains the user information and sends it, relayed by the service plug-in management module, to the server docking plug-in module. The server docking plug-in module sends the user information to the docked non-AD authentication server, which authenticates according to the user information and obtains an authentication result. The server docking plug-in module receives the authentication result and sends it, relayed by the service plug-in management module, to the login plug-in interface module. The login plug-in interface module displays the authentication result and sends it to the Windows operating system. Once authentication passes, the user can use the Windows desktop. Compared with the prior art, in which a user of a non-AD authentication server cannot use the Windows desktop, the device provided by the present invention enables authenticated login to the Windows desktop with a non-AD authentication server. On the other hand, the cost to the customer of maintaining an existing non-AD authentication server is lower, avoiding the higher expense of maintaining an AD authentication server.
Embodiment 2:
An embodiment of the present invention provides a user login method for a Windows desktop. As shown in FIG. 3, the method comprises the following steps:
301. The login plug-in interface module receives user information and sends it to the server docking plug-in module via the service plug-in management module.
The user information may be the user's user name and password. The user information is sent to the login plug-in interface module after the Windows operating system on the virtual machine the user needs to log in to has obtained it from the desktop controller DC.
In addition, before step 301, the web server receives the user information entered by the user on the web interface (WI) page and sends it to the non-AD authentication server. The non-AD authentication server authenticates according to the user information, obtains a second authentication result, and sends it to the web server. After the second authentication result is success, the web server queries the DC for the user's virtual machine resources. The web server receives the query result sent by the DC and displays the user's virtual machine resources on the WI page, so that the user can select the virtual machine to log in to.
302. The server docking plug-in module sends the user information to the docked non-Active Directory (non-AD) authentication server, so that the non-AD authentication server authenticates according to the user information and obtains a first authentication result.
This is because the service plug-in management module is responsible for managing the various service plug-ins and at the same time acts as a bridge that passes the user name and password entered by the user to the server docking plug-in module; therefore, the user information obtained by the login plug-in interface module can only reach the server docking plug-in module via the service plug-in management module.
Since the non-AD authentication server stores the correspondence between each user's user name, password and other permissions, the user can also be authenticated using a non-AD authentication server. Specifically, the non-AD authentication server compares the received user name and password one by one against the user names and passwords stored on the non-AD server; if a stored user name and password match the received ones, authentication succeeds; if not, authentication fails.
303. The server docking plug-in module receives the first authentication result sent by the non-AD authentication server and sends it to the login plug-in interface module via the service plug-in management module.
Likewise, it is only by relay through the service plug-in management module that the server docking plug-in module can return the server's authentication result to the login plug-in interface module.
304. The login plug-in interface module receives the first authentication result and sends it to the Windows operating system, so that the Windows operating system presents the Windows desktop to the user terminal when the first authentication result is success.
In this way, even when the user uses a non-AD authentication server, authentication can be completed and the Windows desktop used once authentication passes.
It should be noted that "first" and "second" authentication result in this embodiment imply no order; they are defined merely to distinguish the two authentications.
In the user login method for a Windows desktop provided by this embodiment of the present invention, the login plug-in interface module obtains the user information and sends it, relayed by the service plug-in management module, to the server docking plug-in module. The server docking plug-in module sends the user information to the docked non-AD authentication server, which authenticates according to the user information and obtains an authentication result. The server docking plug-in module receives the authentication result and sends it, relayed by the service plug-in management module, to the login plug-in interface module. The login plug-in interface module displays the authentication result and sends it to the Windows operating system. Once authentication passes, the user can use the Windows desktop. Compared with the prior art, in which a user of a non-AD authentication server cannot use the Windows desktop, the method provided by the present invention enables authenticated login to the Windows desktop with a non-AD authentication server. On the other hand, the cost to the customer of maintaining an existing non-AD authentication server is lower, avoiding the higher expense of maintaining an AD authentication server.
Embodiment 2:
Here, to aid understanding, virtual machine technology is explained. FIG. 4 is a schematic diagram of virtual machine technology. As shown, in virtualization technology the resources are stored on a remote server (generally in a data center); in the figure, remote server A is a remote server serving virtual machines. Virtual computers B, C and D are created by virtualization technology, and an operating system (for example a Windows operating system) is installed on each virtual computer; if a desktop operating system is installed as well, a virtual desktop E (for example a Windows desktop) can be provided, and the virtual desktop is delivered to terminal F via a remote desktop protocol and displayed to the user. Naturally, the terminal's input and output are also mapped to the remote server.
An embodiment of the present invention provides a user login method for a Windows desktop. As shown in FIG. 5, the method comprises the following steps:
401. The web server receives the user information entered by the user on the WI page on the terminal.
The user information may be a user name and password. The WI page is a web page that provides the virtual machine service to users; a user can enter a user name and password on the WI page to view their own virtual machine resources and select the virtual machine to log in to. In this embodiment, the operating system installed on the virtual machine is the Windows operating system.
Specifically, the user opens the WI page in a browser on the terminal and then enters the user name and password.
402. The web server sends the user information to the non-AD authentication server.
In practice, the user name and password entered by the user on the WI page are sent to the non-AD authentication server for authentication over HTTP (Hypertext Transfer Protocol).
It should be noted that the web server sends the user information to the non-AD authentication server in step 202 in order to verify whether the user is a legitimate virtual machine user. Specifically, the non-AD authentication server compares the user information sent by the web server one by one against the user names and passwords it stores; if a stored entry matches the user information sent by the web server, authentication passes; if none does, authentication fails.
403. After authentication succeeds, the web server queries the DC by user name to obtain the user's virtual machine resources.
Naturally, the web server receives the authentication result sent by the non-AD authentication server and determines from it that authentication succeeded.
Here, the DC generates a security identifier for the user and records the correspondence between the user's user name and password and that security identifier. In subsequent communication, to protect the user's network security, the user's user name and password are not exchanged; the security identifier stands in for the user instead.
404. The web server receives the user's virtual machine resources returned by the DC and presents the user's virtual machine resource list on the WI page.
Here, what the web server receives is the user's security identifier together with the user's virtual machine resources.
405. The user initiates a login request to the Windows operating system through the terminal.
The login request that is initiated carries the user's security identifier; the present invention refers specifically to the Windows operating system, and the operating system here is the Windows operating system installed on the virtual machine selected by the user.
Specifically, the user selects the virtual machine to log in to from the virtual machine resource list displayed on the WI page; in response to this user operation (selecting the virtual machine), the terminal sends a login request to the Windows operating system installed on the selected virtual machine.
406. The Windows operating system requests the user information from the DC.
Specifically, because in step 205 the terminal sends a login request to the Windows operating system installed on the selected virtual machine, the remote server (for example remote server A in FIG. 3) sends the user's security identifier to the DC. From the user's security identifier, the DC can locate the user's user name and password in its stored correspondence table entries and then send the user name and password it finds to the remote server. The remote server sends the received user name and password to the Windows operating system installed on the selected virtual machine.
It should be noted that the user information in steps 401 and 402 and the user information from step 406 onward are both the user's user name and password.
407. The Windows operating system sends the user information to the login plug-in interface module.
408. The login plug-in interface module sends the user information to the server docking plug-in module via the service plug-in management module.
The server docking plug-in module here is the one docked with the non-AD authentication server described in this embodiment.
409. The server docking plug-in module sends the user information to the non-AD authentication server.
410. The non-AD authentication server authenticates the user information and obtains an authentication result.
Here, the non-AD authentication server compares the user information sent by the server docking plug-in module one by one against the user names and passwords it stores; if a stored entry matches the user information sent by the web server, authentication passes; if none does, authentication fails.
411. The non-AD authentication server sends the authentication result to the server docking plug-in module.
412. The server docking plug-in module sends the authentication result to the login plug-in interface module via the service plug-in management module.
413. The login plug-in interface module sends the authentication result to the Windows operating system.
If authentication succeeds, step 214 is performed.
414. The Windows operating system presents the Windows desktop to the terminal.
Specifically, the Windows operating system installed on the virtual machine selected by the user presents the Windows desktop, which is rendered on the user's terminal via the remote desktop protocol; the user can then use the Windows desktop.
It should be noted that the Windows operating system in steps 405-413 of this embodiment is in every case the Windows operating system running on the virtual machine that the user selected in step 405 to log in to.
In the user login method for a Windows desktop provided by this embodiment of the present invention, the login plug-in interface module obtains the user information and sends it, relayed by the service plug-in management module, to the server docking plug-in module. The server docking plug-in module sends the user information to the docked non-AD authentication server, which authenticates according to the user information and obtains an authentication result. The server docking plug-in module receives the authentication result and sends it, relayed by the service plug-in management module, to the login plug-in interface module. The login plug-in interface module displays the authentication result and sends it to the Windows operating system. Once authentication passes, the user can use the Windows desktop. Compared with the prior art, in which a user of a non-AD authentication server cannot use the Windows desktop, the method provided by the present invention enables authenticated login to the Windows desktop with a non-AD authentication server. On the other hand, the cost to the customer of maintaining an existing non-AD authentication server is lower, avoiding the higher expense of maintaining an AD authentication server.
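The two flows above (steps 301-304 of FIG. 3, and the web server, DC and plug-in chain of steps 401-414 in FIG. 5) share the same three-module chain, and the direct-entry path of the physical-host device (FIG. 2) is that chain called with typed credentials. The following is an added example in Python, not code from the patent or from the applicant, that models all of them end to end: a simulated non-AD authentication server, the CP / Extension Service / Service Plugin chain, a DC that issues the security identifier, and the web-server and VM-side steps. Names such as `NonADAuthServer`, `run_scenario` and the user "alice" are constructed for the example. Two choices go beyond what the page states and are labelled as assumptions in the code: the server stores salted PBKDF2 hashes and compares in constant time rather than matching stored passwords one by one, and the DC's security identifier is random, single-use and time-limited.

```python
import hashlib, hmac, os, secrets, time

ROUNDS = 50_000  # PBKDF2 iterations, a constructed value for the example


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


class NonADAuthServer:
    """Simulated non-AD authentication server (the page names LDAP or RADIUS). Salted
    hashes and a constant-time compare are this example's hardening, not the page's design."""
    def __init__(self):
        self._users = {}  # user name -> (salt, derived key)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def authenticate(self, username, password):
        """The authentication result: True on success, False otherwise."""
        salt, dk = self._users.get(username, (b"\0" * 16, None))
        candidate = _derive(password, salt)  # same cost whether or not the user exists
        return dk is not None and hmac.compare_digest(candidate, dk)


class ServicePlugin:
    """Server docking plug-in module: the only component that talks to the server."""
    def __init__(self, server):
        self._server = server

    def authenticate(self, username, password):
        return self._server.authenticate(username, password)


class ExtensionService:
    """Service plug-in management module: the bridge between the CP and the plug-ins."""
    def __init__(self):
        self._plugins = {}

    def register(self, name, plugin):
        self._plugins[name] = plugin

    def authenticate(self, plugin_name, username, password):
        plugin = self._plugins.get(plugin_name)
        return plugin is not None and plugin.authenticate(username, password)  # fail closed


class CredentialProvider:
    """Login plug-in interface module (the CP/GINA role)."""
    def __init__(self, ext, plugin_name):
        self._ext, self._plugin_name = ext, plugin_name

    def logon(self, username, password):
        ok = self._ext.authenticate(self._plugin_name, username, password)
        return "desktop" if ok else "denied"  # what the OS does with the result


class DesktopController:
    """DC (steps 403-406): issues a security identifier standing in for the user and maps it
    back to the user name and password. Random, single-use, time-limited identifiers are
    this example's assumption; the page does not specify their form."""
    def __init__(self, vms, ttl=60):
        self._vms, self._ttl, self._sids = vms, ttl, {}  # vms: user name -> [vm names]

    def query_resources(self, username, password):
        sid = secrets.token_urlsafe(32)
        self._sids[sid] = (username, password, time.monotonic() + self._ttl)
        return sid, list(self._vms.get(username, []))

    def resolve(self, sid):
        entry = self._sids.pop(sid, None)  # popped, so a replayed identifier is refused
        if entry is None or time.monotonic() > entry[2]:
            return None
        return entry[0], entry[1]


def wi_login(auth_server, dc, username, password):
    """Web server, steps 401-404: pre-authenticate the WI login, then fetch SID and VM list."""
    if not auth_server.authenticate(username, password):  # the second authentication result
        return None
    return dc.query_resources(username, password)


def vm_login_request(dc, cp, sid):
    """Windows OS on the selected VM, steps 405-414: resolve the SID at the DC, then push
    the user information through the plug-in chain (the first authentication result)."""
    creds = dc.resolve(sid)
    return "denied" if creds is None else cp.logon(*creds)


def run_scenario():
    """Wire the components together with constructed sample data; returns each path's outcome."""
    server = NonADAuthServer()
    server.add_user("alice", "correct horse battery staple")
    ext = ExtensionService()
    ext.register("ldap", ServicePlugin(server))
    cp = CredentialProvider(ext, "ldap")
    dc = DesktopController({"alice": ["vm-b"]})

    out = {"bad_web_password": wi_login(server, dc, "alice", "wrong") is None}
    sid, out["vm_list"] = wi_login(server, dc, "alice", "correct horse battery staple")
    out["vm_desktop"] = vm_login_request(dc, cp, sid)    # first use of the identifier
    out["replayed_sid"] = vm_login_request(dc, cp, sid)  # already consumed
    out["direct_logon"] = cp.logon("alice", "correct horse battery staple")  # FIG. 2 path
    out["no_plugin"] = CredentialProvider(ext, "radius").logon("alice", "correct horse battery staple")
    return out
```

The design point worth noticing is the DC: as described on the page it holds a mapping from the security identifier back to the user's password and hands the password out on request, which makes the DC and the channel from DC to remote server as sensitive as the authentication server itself. Making the identifier unguessable, single-use and short-lived (as `DesktopController.resolve` does) limits what a leaked identifier is worth; a stronger design would let the DC hand the VM a one-time proof the authentication server can verify rather than the password.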
Embodiment 3:
An embodiment of the present invention provides a user login method for a Windows desktop. As shown in FIG. 6, the method comprises the following steps:
501. The login plug-in interface module receives user information entered by the user.
The user information may be a user name and password.
It should be noted that in this embodiment the user is a physical host user, and the login plug-in interface module presents a user login interface so that the user can enter the user name and password on the login interface displayed on the terminal.
502. The login plug-in interface module sends the user information to the server docking plug-in module via the service plug-in management module.
503. The server docking plug-in module sends the user information to the non-AD authentication server.
504. The non-AD authentication server authenticates the user information and obtains an authentication result.
505. The non-AD authentication server sends the authentication result to the server docking plug-in module.
506. The server docking plug-in module sends the authentication result to the login plug-in interface module via the service plug-in management module.
507. The login plug-in interface module sends the authentication result to the Windows operating system.
508. The Windows operating system receives the authentication result and, when the authentication result is success, presents the Windows desktop to the user terminal.
In the user login method for a Windows desktop provided by this embodiment of the present invention, the login plug-in interface module obtains the user information and sends it, relayed by the service plug-in management module, to the server docking plug-in module. The server docking plug-in module sends the user information to the docked non-AD authentication server, which authenticates according to the user information and obtains an authentication result. The server docking plug-in module receives the authentication result and sends it, relayed by the service plug-in management module, to the login plug-in interface module. The login plug-in interface module displays the authentication result and sends it to the Windows operating system. Once authentication passes, the user can use the Windows desktop. Compared with the prior art, in which a user of a non-AD authentication server cannot use the Windows desktop, the method provided by the present invention enables authenticated login to the Windows desktop with a non-AD authentication server. On the other hand, the cost to the customer of maintaining an existing non-AD authentication server is lower, avoiding the higher expense of maintaining an AD authentication server.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
The above are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

  1. A user login method for a Windows desktop, characterized by comprising:
    receiving, by a login plug-in interface module, user information, and sending the user information to a server docking plug-in module via a service plug-in management module;
    sending, by the server docking plug-in module, the user information to a docked non-Active Directory (non-AD) authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains a first authentication result;
    receiving, by the server docking plug-in module, the first authentication result sent by the non-AD authentication server, and sending the first authentication result to the login plug-in interface module via the service plug-in management module;
    receiving, by the login plug-in interface module, the first authentication result, and sending the first authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to a user terminal when the first authentication result is success.
  2. The method according to claim 1, characterized in that the user information is sent to the login plug-in interface module after the Windows operating system on the virtual machine the user needs to log in to has obtained it from the desktop controller DC.
  3. The method according to claim 2, characterized in that, before the login plug-in interface module obtains the user information, the method further comprises:
    receiving, by a web server, the user information entered by the user on a web interface WI page, and sending the user information to the non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains a second authentication result;
    querying, by the web server, the DC for the user's virtual machine resources after the second authentication result is success;
    receiving, by the web server, the query result sent by the DC, and displaying the user's virtual machine resources on the WI page, so that the user selects the virtual machine to be logged in to.
  4. The method according to any one of claims 1 or 3, characterized in that the non-AD authentication server is a Lightweight Directory Access Protocol LDAP server or a Remote Authentication Dial In User Service RADIUS server.
  5. A user login method for a Windows desktop, characterized by comprising:
    receiving, by a login plug-in interface module, user information entered by a user, and sending the user information to a server docking plug-in module via a service plug-in management module;
    sending, by the server docking plug-in module, the user information to a docked non-Active Directory (non-AD) authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result;
    receiving, by the server docking plug-in module, the authentication result sent by the non-AD authentication server, and sending the authentication result to the login plug-in interface module via the service plug-in management module;
    receiving, by the login plug-in interface module, the authentication result, and sending the authentication result to the Windows operating system, so that the Windows operating system presents the Windows desktop to a user terminal when the authentication result is success.
  6. The method according to claim 5, characterized in that the non-AD authentication server is a Lightweight Directory Access Protocol LDAP server or a Remote Authentication Dial In User Service RADIUS server.
  7. A physical host, comprising a hardware layer, a virtual machine monitor VMM running on the hardware layer, and at least one virtual machine running on the VMM, characterized in that the physical host further comprises a login plug-in interface module, a service plug-in management module and a server docking plug-in module running on the Windows operating system of each virtual machine, wherein
    the login plug-in interface module is configured to receive user information sent by the Windows operating system on the virtual machine the user needs to log in to, and send the user information to the service plug-in management module; the user information is obtained by the Windows operating system on that virtual machine from the desktop controller DC;
    the service plug-in management module is configured to receive the user information sent by the login plug-in interface module and send the user information to the server docking plug-in module;
    the server docking plug-in module is configured to send the user information to the docked non-Active Directory (non-AD) authentication server, so that the non-AD authentication server performs authentication according to the user information and obtains an authentication result;
    the server docking plug-in module is further configured to receive the authentication result sent by the non-AD authentication server and send the authentication result to the service plug-in management module;
    所述服务插件管理模块还用于,接收所述服务器对接插件模块发送的所述认证结果,将所述认证结果向所述登录插件接口模块发送;The service plug-in management module is further configured to receive the authentication result sent by the server docking module, and send the authentication result to the login plug-in interface module;
    所述登录插件接口模块还用于,接收所述服务插件管理模块发送的所述认证结果,并向Windows操作系统发送所述认证结果,以便于所述Windows操作系统在所述认证结果为成功时,向用户终端呈现Windows桌面。The login plug-in interface module is further configured to receive the authentication result sent by the service plug-in management module, and send the authentication result to a Windows operating system, so that the Windows operating system is successful when the authentication result is successful. , presenting a Windows desktop to the user terminal.
  8. 一种物理主机,包括硬件层,运行在所述硬件层之上的Windows操作系统,其特征在于,所述物理主机还包括:运行在所述Windows操作系统之上的登录插件接口模块、服务插件管理模块以及服务器对接插件模块,A physical host includes a hardware layer, a Windows operating system running on the hardware layer, and the physical host further includes: a login plug-in interface module and a service plug-in running on the Windows operating system. Management module and server docking module,
    所述登录插件接口模块,用于接收用户输入的用户信息,将所述用户信息向服务插件管理模块发送;The login plug-in interface module is configured to receive user information input by a user, and send the user information to a service plug-in management module;
    所述服务插件管理模块用于,接收所述登录插件接口模块发送的所述用户信息,向所述服务器对接插件模块发送所述用户信息;The service plug-in management module is configured to receive the user information sent by the login plug-in interface module, and send the user information to the server docking module;
    所述服务器对接插件模块用于,将所述用户信息向对接的非活动目录AD认证服务器发送,以便于所述非AD认证服务器根据所述用户信息进行认证,得出认证结果;The server docking module is configured to send the user information to the docked inactive directory AD authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains an authentication result;
    所述服务器对接插件模块还用于,接收到所述非AD认证服务器发送的所述认证结果,并将所述认证结果向所述服务插件管理模块发送;The server docking module is further configured to receive the authentication result sent by the non-AD authentication server, and send the authentication result to the service plug-in management module;
    所述服务插件管理模块还用于,接收所述服务器对接插件模块发送的所述认证结果,将所述认证结果向所述登录插件接口模块发送; The service plug-in management module is further configured to receive the authentication result sent by the server docking module, and send the authentication result to the login plug-in interface module;
    所述登录插件接口模块还用于,接收所述服务插件管理模块发送的所述认证结果,并向Windows操作系统发送所述认证结果,以便于所述Windows操作系统在所述认证结果为成功时,向用户终端呈现Windows桌面。The login plug-in interface module is further configured to receive the authentication result sent by the service plug-in management module, and send the authentication result to a Windows operating system, so that the Windows operating system is successful when the authentication result is successful. , presenting a Windows desktop to the user terminal.
  9. 一种系统,其特征在于,包括:网页web服务器、物理主机以及非AD认证服务器,A system, comprising: a webpage web server, a physical host, and a non-AD authentication server,
    所述web服务器,用于接收用户在网页接口WI页面输入的用户信息,向所述非AD认证服务器发送所述用户信息,以便所述非AD认证服务器根据所述用户信息进行认证,得出认证结果;在所述认证结果为成功后,向桌面控制器DC查询所述用户的虚拟机资源;接收所述DC发送的查询结果,并在所述WI页面显示所述用户的虚拟机资源,以便所述用户选中需登录的虚拟机;The web server is configured to receive the user information input by the user on the webpage interface WI, and send the user information to the non-AD authentication server, so that the non-AD authentication server performs authentication according to the user information, and obtains the authentication. Result: after the authentication result is successful, querying the desktop controller DC for the virtual machine resource of the user; receiving the query result sent by the DC, and displaying the virtual machine resource of the user on the WI page, so that The user selects a virtual machine to be logged in;
    所述非AD认证服务器,用于根据接收到的用户信息进行认证,得出认证结果;The non-AD authentication server is configured to perform authentication according to the received user information, and obtain an authentication result;
    所述物理主机为权利要求7所述的物理主机。The physical host is the physical host of claim 7.
  10. 一种系统,其特征在于,包括:物理主机以及非AD认证服务器,A system, comprising: a physical host and a non-AD authentication server,
    所述物理主机为权利要求8所述的物理主机;The physical host is the physical host of claim 8;
    所述非AD认证服务器,用于根据接收到的用户信息进行认证,得出认证结果。 The non-AD authentication server is configured to perform authentication according to the received user information, and obtain an authentication result.
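The three-module chain of claims 5 and 8 (login plug-in interface module, service plug-in management module, server docking plug-in module, non-AD authentication server, result back to the OS), modelled as an added Python example that is not the patent's or Huawei's code. The non-AD server is a constructed stand-in with salted password hashes rather than a real LDAP bind or RADIUS exchange, and the "present desktop" step is reduced to a return value; it also shows the defender's check the claims leave implicit, that a missing or unreachable docked server must yield a failed result, never a desktop.

```python
# Added example, not code from the patent: a model of the claim 5 / claim 8 plug-in
# chain. Module names follow the claims; the server, its accounts and the "present
# desktop" step are constructed stand-ins for this demo.
import hashlib, hmac, secrets
from collections import namedtuple
UserInfo = namedtuple("UserInfo", "username password")  # the claims' "user information"

class FakeNonAdServer:
    """Constructed stand-in for the non-AD server (claim 6: LDAP or RADIUS);
    stores salted PBKDF2 hashes and compares them in constant time."""
    def __init__(self, accounts):
        self._db = {}
        for user, pw in accounts.items():
            salt = secrets.token_bytes(16)
            self._db[user] = (salt, self._hash(pw, salt))
    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    def authenticate(self, info):
        # Hash even for unknown users so timing does not reveal valid usernames.
        salt, digest = self._db.get(info.username, (b"\0" * 16, b"\0" * 32))
        return hmac.compare_digest(digest, self._hash(info.password, salt))

class ServerDockingPlugin:
    """Server docking plug-in module: forwards user info to the docked server."""
    def __init__(self, server):
        self._server = server
    def authenticate(self, info):
        try:  # fail closed: no server or a transport error is never a success result
            return self._server.authenticate(info) is True
        except Exception:
            return False

class ServicePluginManager:
    """Service plug-in management module: relays between the two plug-ins."""
    def __init__(self, docking):
        self._docking = docking
    def authenticate(self, info):
        return self._docking.authenticate(info)

class LoginPluginInterface:
    """Login plug-in interface module: takes user input, hands the result to the OS."""
    def __init__(self, manager):
        self._manager = manager
    def login(self, username, password):
        result = self._manager.authenticate(UserInfo(username, password))
        return "desktop" if result else "logon-screen"  # stand-in for the OS step

def build_chain(server):
    return LoginPluginInterface(ServicePluginManager(ServerDockingPlugin(server)))
```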
PCT/CN2015/083280 2014-11-28 2015-07-03 User login method, device and system for windows desktop WO2016082548A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410712291.7A CN104468550B (en) 2014-11-28 2014-11-28 A kind of user login method of windows desktop, equipment and system
CN201410712291.7 2014-11-28

Publications (1)

Publication Number Publication Date
WO2016082548A1 true WO2016082548A1 (en) 2016-06-02

Family

ID=52913922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/083280 WO2016082548A1 (en) 2014-11-28 2015-07-03 User login method, device and system for windows desktop

Country Status (2)

Country Link
CN (1) CN104468550B (en)
WO (1) WO2016082548A1 (en)

Also Published As

Publication number Publication date
CN104468550A (en) 2015-03-25
CN104468550B (en) 2018-10-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15862242

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15862242

Country of ref document: EP

Kind code of ref document: A1