公开(公告)号：WO2007011637A3

公开(公告)日：2007-07-12

申请号：PCT/US2006027182

申请日：2006-07-12

Applicant: MICROSOFT CORP

Inventor： CRALL CHRISTOPHER J ,  MEDVINSKY GENNADY ,  BALL JOSHUA ,  JAGANATHAN KARTHIK ,  LEACH PAUL J ,  ZHU LIQIANG ,  CROSS DAVID B

IPC: H04L9/00 ,  H04K1/00 ,  H04L9/32

CPC classification number: H04L9/3263 ,  H04L9/3273 ,  H04L63/0807 ,  H04L63/0823 ,  H04L63/0876 ,  H04L63/10 ,  H04L63/166

Abstract: A hint containing user mapping information is provided in messages that may be exchanged during authentication handshakes. For example, a client may provide user mapping information to the server during authentication. The hint (e.g., in the form of a TLS extension mechanism) may be used to send the domain/user name information of a client to aid the server in mapping the user's certificate to an account. The extension mechanism provides integrity and authenticity of the mapping data sent by the client. The user provides a hint as to where to find the right account or domain controller (which points to, or otherwise maintains, the correct account). Based on the hint and other information in the certificate, the user is mapped to an account. The hint may be provided by the user when he logs in. Thus, a certificate is mapped to an identity to authenticate the user. A hint is sent along with the certificate information to perform the binding. Existing protocols may be extended to communicate the additional mapping information (the hint) to perform the binding. A vendor specific extension to Kerberos is defined to obtain the authorization data based on an X.509 certificate and the mapping user name hint.

Abstract translation: 在认证握手期间可以交换的消息中提供了包含用户映射信息的提示。 例如，客户端可以在认证期间向服务器提供用户映射信息。 提示（例如，以TLS扩展机制的形式）可以用于发送客户端的域/用户名信息，以帮助服务器将用户的证书映射到帐户。 扩展机制提供客户端发送的映射数据的完整性和真实性。 用户提供关于在哪里找到正确的帐户或域控制器（指向或以其他方式维护正确的帐户）的提示。 根据证书中的提示和其他信息，用户被映射到一个帐户。 提示可以由用户在登录时提供。因此，证书被映射到身份以验证用户。 发送提示与证书信息一起执行绑定。 可以扩展现有协议以传达额外的映射信息（提示）来执行绑定。 定义了针对Kerberos的供应商特定扩展，以根据X.509证书和映射用户名提示获取授权数据。