CN104270368B - Authentication method, certificate server and Verification System - Google Patents


Info

Publication number: CN104270368B
Authority: CN (China)
Prior art keywords: windows, certificate server, domain servers, upn, domain
Legal status: Active (an assumption by Google Patents, not a legal conclusion)
Application number: CN201410524606.5A
Other languages: Chinese (zh)
Other versions: CN104270368A
Inventor: 李健强
Current assignee: Ruijie Networks Co Ltd (the listed assignees may be inaccurate)
Original assignee: Fujian Star Net Communication Co Ltd
Events: application filed by Fujian Star Net Communication Co Ltd; priority to CN201410524606.5A; publication of CN104270368A; application granted; publication of CN104270368B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities


Abstract

The present invention provides an authentication method, an authentication server (rendered "certificate server" in this machine translation of 认证服务器) and an authentication system. After obtaining a user name, the authentication server sends query messages carrying that user name to multiple Windows AD domain servers in the network, so that each Windows AD domain server determines whether it holds a user principal name (UPN) corresponding to the user name. If a query response carrying the UPN is received from one target Windows AD domain server, the authentication server constructs a Lightweight Directory Access Protocol (LDAP) authentication request message according to that UPN, sends it to the target Windows AD domain server, and receives the authentication result information that the target server returns. Because the LDAP authentication request is built from the UPN reported by the Windows AD domain server rather than from one assembled locally, sub-domain users can be authenticated successfully and the user's computer can access the network and communicate normally.

Description

Authentication method, certificate server and Verification System
Technical field
The present invention relates to network authentication techniques, and in particular to an authentication method, an authentication server and an authentication system.
Background technology
With the rapid development of local area network technology, network security has become an increasingly prominent problem for large and medium-sized enterprises. One of the network security threats every enterprise faces is unauthorized access from inside, so establishing an intranet access-control system is imperative. Enterprises today typically combine the 802.1X protocol with Windows Active Directory (Windows AD) domain technology to verify and manage the devices that join the network; only computers that pass Windows AD domain authentication can communicate on the network normally.
In the prior art, when several Windows AD domains exist, the Windows AD domain authentication process is as follows. The user first enters a user name and password in the authentication client, which forwards them to the authentication server. Because the authentication server does not know which Windows AD domain the user name belongs to, it polls the Windows AD domain servers one by one. Specifically, the authentication server constructs a Lightweight Directory Access Protocol (LDAP) authentication request message from the user name, the password and the domain name of the Windows AD domain currently being queried, and sets the user principal name (UPN) in the LDAP authentication request in a fixed way, namely by concatenating the user name with the domain name of the Windows AD domain currently being queried. It then sends the constructed LDAP authentication request message to the Windows AD domain server currently being queried. On receiving the LDAP authentication request message, the Windows AD domain server verifies the user's identity and returns the result to the authentication server. If the login failed, the authentication server continues polling the other Windows AD domain servers; if authentication succeeded, the authentication server obtains the user's information from the Windows AD domain server, stores it locally, and opens the controlled port of the 802.1X switch the user is attached to, so that the user's computer can access the network and communicate normally.
However, if the multiple Windows AD domain servers are configured as a Windows AD forest, then because of the particular way Windows AD forests work, the domain-name part of a sub-domain user's UPN is typically configured on the Windows AD domain servers as the parent domain's name. With the prior-art way of constructing the UPN, the authentication server concatenates the user name requesting authentication directly with the sub-domain's own domain name, so authentication of the user name fails and the user's computer cannot access the network and communicate normally.
The content of the invention
Embodiments of the present invention provide an authentication method, an authentication server and an authentication system, to overcome the prior-art problem that sub-domain users cannot be authenticated.
A first aspect of the present invention provides an authentication method, including:
the authentication server obtains a user name;
the authentication server sends query messages to multiple Windows Active Directory (Windows AD) domain servers in the network, the query messages carrying the user name, so that the Windows AD domain servers determine whether they hold a user principal name (UPN) corresponding to the user name;
if the authentication server receives a query response returned by one target Windows AD domain server, the query response carrying the UPN, the authentication server constructs a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN and sends the LDAP authentication request message to the target Windows AD domain server;
the authentication server receives the authentication result information sent by the target Windows AD domain server.
In a first possible implementation of the first aspect, before the authentication server sends the query messages to the multiple Windows AD domain servers in the network, the method further includes:
the authentication server determines a common query account corresponding to each Windows AD domain server and carries the common query account in the query messages.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, sending the query messages to the multiple Windows AD domain servers in the network specifically includes:
the authentication server sends the query messages to the multiple Windows AD domain servers in turn, in polling mode, until the authentication server receives the query response sent by the target Windows AD domain server.
With reference to the first aspect or its first possible implementation, in a third possible implementation of the first aspect, after the authentication server receives the query response returned by the target Windows AD domain server, the method further includes:
the authentication server stores the UPN corresponding to the user name, so that subsequent authentication of that user name is performed with the target Windows AD domain server corresponding to the UPN.
A second aspect of the present invention provides an authentication server, including:
an acquisition module, for obtaining a user name;
a sending module, for sending query messages to multiple Windows AD domain servers in the network, the query messages carrying the user name obtained by the acquisition module, so that the Windows AD domain servers determine whether they hold a UPN corresponding to the user name;
a first determining module, for constructing an LDAP authentication request message according to the UPN if a query response carrying the UPN is received from one target Windows AD domain server, and for sending the LDAP authentication request message to the target Windows AD domain server;
a receiving module, for receiving the authentication result information sent by the target Windows AD domain server.
In a first possible implementation of the second aspect, the authentication server further includes a second determining module, for determining, before the sending module sends the query messages to the multiple Windows AD domain servers in the network, the common query account corresponding to each Windows AD domain server and carrying the common query account in the query messages.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the sending module is specifically for sending the query messages to the multiple Windows AD domain servers in turn, in polling mode, until the authentication server receives the query response sent by the target Windows AD domain server.
With reference to the second aspect or its first possible implementation, in a third possible implementation of the second aspect, the authentication server further includes a storage module, for storing the UPN corresponding to the user name after the first determining module receives the query response returned by the target Windows AD domain server, so that subsequent authentication of that user name is performed with the target Windows AD domain server corresponding to the UPN.
A third aspect of the present invention provides an authentication system, including the authentication server of the second aspect or of its first possible implementation, and multiple Windows AD domain servers.
In a first possible implementation of the third aspect, the Windows AD domain servers are used to receive the query messages sent by the authentication server, the query messages carrying the user name;
the Windows AD domain server looks up whether it holds a UPN corresponding to the user name;
if it does, the Windows AD domain server sends a query response carrying the UPN to the authentication server, so that the authentication server constructs an LDAP authentication request message according to the UPN;
the Windows AD domain server receives the LDAP authentication request message sent by the authentication server;
the Windows AD domain server sends authentication result information to the authentication server according to the received LDAP authentication request message.
The present invention thus provides an authentication method, an authentication server and an authentication system in which the authentication server, after obtaining a user name, sends query messages carrying the user name to multiple Windows AD domain servers in the network, so that the Windows AD domain servers determine whether they hold a UPN corresponding to the user name. If the authentication server receives a query response carrying the UPN from one target Windows AD domain server, it constructs an LDAP authentication request message according to the UPN, sends it to the target Windows AD domain server, and receives the authentication result information that the target Windows AD domain server returns. Because the authentication server constructs the LDAP authentication request message from the UPN corresponding to the user name that the target Windows AD domain server reported, sub-domain users can be authenticated successfully and the user's computer can access the network and communicate normally.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an authentication method provided in an embodiment of the present invention;
Fig. 2 is a first schematic structural diagram of an authentication server provided in an embodiment of the present invention;
Fig. 3 is a second schematic structural diagram of an authentication server provided in an embodiment of the present invention;
Fig. 4 is a third schematic structural diagram of an authentication server provided in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an authentication system provided in an embodiment of the present invention.
Embodiments
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of an authentication method provided in an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment can include:
Step 101: The authentication server obtains a user name.
Specifically, the authentication server can obtain the user name and password to be authenticated.
Step 102: The authentication server sends query messages to multiple Windows Active Directory domain servers in the network, the query messages carrying the user name, so that the Windows AD domain servers determine whether they hold a user principal name (UPN) corresponding to the user name.
Specifically, once the authentication server has obtained the user name to be authenticated, it can send query messages to the multiple Windows AD domain servers in turn, in polling mode; each query message carries the common query account corresponding to that Windows AD domain server together with the user name to be authenticated.
On receiving the query message sent by the authentication server, a Windows AD domain server looks up, according to the user name to be authenticated carried in the query message, whether the domain user table it maintains holds a UPN corresponding to that user name, and then returns the query result to the authentication server. If the Windows AD domain server finds that it holds a UPN corresponding to the user name to be authenticated, it sends the authentication server a query response carrying the UPN found for that user name, so that the authentication server can perform the subsequent authentication procedure with the UPN it received. If the Windows AD domain server finds that it does not hold a UPN corresponding to the user name to be authenticated, it sends the authentication server a query response carrying a query-failed message, so that the authentication server sends query messages to the other Windows AD domain servers.
The domain user table stores the correspondence between UPNs and passwords. The common query account corresponding to a Windows AD domain server may be pre-configured in the authentication server in advance, or the authentication server may actively request a common query account from the Windows AD domain server so as to obtain the privilege to query that server; the present invention places no restriction on the way the common query account is obtained.
Step 103: If the authentication server receives a query response returned by one target Windows AD domain server, the query response carrying the UPN, the authentication server constructs a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN and sends the LDAP authentication request message to the target Windows AD domain server.
Specifically, after the authentication server receives the query response returned by a target Windows AD domain server, it constructs an LDAP authentication request message according to the UPN carried in the query response and sends it to the target Windows AD domain server. The LDAP authentication request message carries not only the UPN corresponding to the user name to be authenticated but also the password corresponding to that user name that the authentication server obtained.
Step 104: The authentication server receives the authentication result information sent by the target Windows AD domain server.
Specifically, after the authentication server has sent the LDAP authentication request message to the target Windows AD domain server, if the target Windows AD domain server verifies that the UPN and password carried in the LDAP authentication request message are correct, it sends an authentication response result message to the authentication server, so that the computer corresponding to the user name and password being authenticated can access the network and communicate normally.
Optionally, the present invention can be applied to an authentication process in which 802.1X and Windows AD domains are linked. Specifically, the user initiates authentication by entering a user name and password in the 802.1X authentication client. The 802.1X client is software running on the client device, or stand-alone computer software; its role is to receive the information needed for authentication (typically the user name and password), package it into the corresponding messages in the format defined by the 802.1X protocol, send them to the authenticator, and at the same time process the response messages returned by the authenticator, thereby carrying out the client's authentication flow.
The authenticator (the authenticating device) receives the authentication request initiated by the 802.1X authentication client, processes it accordingly, then encapsulates it in an upper-layer protocol (a protocol above the IP layer) and forwards it to the authentication server for authentication. If the authentication server judges that the user name and password the user entered in the 802.1X client are authenticated successfully, the 802.1X authentication client is allowed to access the network resources it needs; if the authentication server judges that the user name and password the user entered in the 802.1X client fail authentication, the 802.1X authentication client is not allowed to access network resources. In the present invention the authenticator may be an 802.1X switch.
Authentication information is exchanged between the 802.1X authentication client and the 802.1X switch using the Extensible Authentication Protocol (EAP). Because EAP messages are carried in Ethernet 802.3 frames, the messages actually exchanged between the 802.1X authentication client and the 802.1X switch are EAPOL (EAP over LAN) messages.
EAP messages are also exchanged between the 802.1X switch and the authentication server, but there the EAP messages are generally encapsulated in an upper-layer protocol such as the Remote Authentication Dial In User Service (RADIUS) protocol.
The port of the 802.1X switch to which the 802.1X authentication client connects is logically divided into two kinds: the controlled port and the uncontrolled port. The uncontrolled port is used to carry EAPOL messages; it is always in a bidirectionally connected state and can receive and send EAPOL messages at any time. The controlled port is used to carry other network traffic (the data messages with which the client accesses network resources); it is closed by default, that is, it forwards no messages, and forwards network traffic only after 802.1X authentication has succeeded.
Optionally, in one implementable mode of the present invention, the authentication process can be as follows. After obtaining the user name and password to be authenticated, the authentication server can first check whether it has itself stored the Windows AD domain server information and UPN information corresponding to the user name. If it has, it directly builds an LDAP authentication request message and sends it to the corresponding Windows AD domain server; the LDAP authentication request message carries the UPN corresponding to the user name and the password corresponding to the user name to be authenticated. On receiving the LDAP authentication request message sent by the authentication server, the Windows AD domain server checks whether it maintains the UPN carried in the message and verifies whether the password is correct. If the Windows AD domain server finds that it maintains the UPN and the password is correct, it sends an authentication response result message to the authentication server; the authentication server receives it, determines that authentication has succeeded, and forwards the authentication response result message to the 802.1X switch, so that the controlled port on the 802.1X switch is opened and the user's computer can access the network and communicate normally.
In another implementable mode of the present invention, the authentication process can be as follows. If the authentication server has not itself stored the Windows AD domain server information and UPN information corresponding to the user name, it sends a query message to a Windows AD domain server to look up the UPN corresponding to the user name; the query message carries the user name to be authenticated and the common query account corresponding to the Windows AD domain server being queried. After the Windows AD domain server receives the query message, if it finds that it does not hold a UPN corresponding to the user name, it sends a query response carrying a query-failed message directly to the authentication server, so that the authentication server sends query messages to the other Windows AD domain servers.
After receiving that query response, the authentication server continues sending query messages to the other Windows AD domain servers until it receives a query response sent by the target Windows AD domain server that carries the UPN corresponding to the user name to be authenticated. The authentication server then constructs an LDAP authentication request message according to the UPN it received; this message contains the UPN corresponding to the user name sent by the target Windows AD domain server and the password corresponding to the user name to be authenticated. It sends the LDAP authentication request message to the target Windows AD domain server. If authentication succeeds, that is, the UPN and password corresponding to the user name to be authenticated are correct, the target Windows AD domain server sends an authentication response result to the authentication server, which then sends the authentication result to the 802.1X switch, so that the 802.1X switch opens its controlled port and allows the computer corresponding to the authenticated user name and password to access the network normally.
Optionally, after the authentication server receives the UPN corresponding to the user name sent by the target Windows AD domain server, it can store that UPN locally, so that subsequent authentication of the user name is performed with the target Windows AD domain server corresponding to the UPN.
Optionally, the method for offer of the invention can be applied to the field that Windows AD domains are Windows AD forests Scape, due to constructing UPN mode, i.e. UPN=username@domainName in the prior art, wherein, username is use The user name of family input, and domainName is the domain name of user name corresponding name server in itself, specifically, Windows Domain name in the UPN of the subdomain preserved on AD domain servers can be with father field domain name, certificate server construction ldap authentication request report During UPN in text, the corresponding domain name parts of UPN of subdomain can be configured to the domain name of subdomain itself, for example, there is father field yf8b.com With subdomain test.yf8b.com, then user construction ldap authentication request of the certificate server on for subdomain test.yf8b.com During message, test.yf8b.com domain names can be selected to construct UPN, wherein UPN=username@domainName, that is, UPN is only It is simple by user name and domain name splicing (i.e. father field user splices father field domain name, subdomain user splicing subdomain domain name), but this Subdomain user (the son preserved on Windows AD domain servers will be caused by planting the simple mode by user name and domain name splicing The UPN domain name parts of domain user are father field domain name) it can not be certified, so that can not access network proper communication.
For example:Three AD domains accounts shown in following table, wherein rootuser is the user of father field, subuser1 and subuser3 For the user of subdomain, UPN takes the way of splicing to may result in subuser1 can not correctly certification.
User name Affiliated AD domains domain name Affiliated AD domains IP UserPrincipalName actual values
rootuser yf8b.com 172.18.34.43 [email protected]
subuser1 test.yf8b.com 172.18.34.42 [email protected]
subuser3 test.yf8b.com 172.18.34.42 [email protected]
Wherein, subuser1 is by the way of construction UPN of the prior art, i.e., simple to splice user name and domain name Mode, will will should for subuser1 yf8b.com UPN splicing turn into subuser1 test.yf8b.com, So as to cause subuser1 user can not obtain certification, it is impossible to which access network carries out proper communication.
And the authentication method provided according to the application, query messages can be constructed according to user name subuser1 first, and take turns All Windows AD domain servers in Windows AD forests are ask, are sent until receiving Windows AD domain servers The UPN related to user name subuser1, that is, receive [email protected] (actual value inquired), this When certificate server just can directly according to receive UPN construction ldap authentication request message, wherein, in LDAP request messages Also include the password corresponding with user name to be certified for user's input that certificate server is obtained, then ask ldap authentication Message is sent to corresponding Windows AD domain servers, then performs follow-up authenticated by Windows AD domain servers Journey, this process is identical with the mode of certification in the prior art, and here is omitted.
Optionally, the present embodiment is only scene when Windows AD forests are second-level domain's structure (father field and subdomain), But the authentication method that the present embodiment is provided in practice can also be applied to the feelings that Windows AD forests are multistage domain structure Scape.
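The two flows described in steps 101 to 104 and in the yf8b.com / test.yf8b.com example above, as an added Python simulation that is not part of the patent or of any Ruijie or Star Net product. The forest layout, account names and server IPs follow the page's table; the passwords, the svc-lookup query account, the layout of the domain user table, the UPN cache and the ldap_bind stand-in for a real LDAP simple bind are assumptions made for the simulation. The model follows the page's description of the prior art (each server is asked only with username@its-own-domain); a real forest with a global catalog may behave differently.

```python
"""Simulation of the patent's query-then-bind authentication flow.
Added illustration, not the patent's code; all data below is constructed."""

import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class DomainServer:
    """One Windows AD domain server with a 'domain user table'.
    The table layout (user name -> (stored UPN, password)) is an assumption."""
    domain: str
    ip: str
    users: Dict[str, Tuple[str, str]]
    # accounts allowed to run read-only UPN lookups: the patent's "common query account"
    query_accounts: Set[str] = field(default_factory=set)

    def find_upn(self, query_account: str, username: str) -> Optional[str]:
        """Step 102 on the server side: return the stored UPN for the user name,
        or None (the 'query failed' response) when the account is not held here
        or the query account is not authorised."""
        if query_account not in self.query_accounts:
            return None
        entry = self.users.get(username)
        return entry[0] if entry else None

    def ldap_bind(self, upn: str, password: str) -> bool:
        """Stand-in for an LDAP simple bind: succeed only if some stored entry
        has exactly this UPN and the password matches (constant-time compare)."""
        for stored_upn, stored_pw in self.users.values():
            if stored_upn == upn:
                return hmac.compare_digest(stored_pw.encode(), password.encode())
        return False


def build_forest():
    """Constructed forest matching the page's table: sub-domain user subuser1
    carries the parent-domain UPN suffix, subuser3 carries the sub-domain one."""
    parent = DomainServer(
        domain="yf8b.com", ip="172.18.34.43",
        users={"rootuser": ("rootuser@yf8b.com", "root-pw")},
        query_accounts={"svc-lookup"},
    )
    child = DomainServer(
        domain="test.yf8b.com", ip="172.18.34.42",
        users={
            "subuser1": ("subuser1@yf8b.com", "sub1-pw"),
            "subuser3": ("subuser3@test.yf8b.com", "sub3-pw"),
        },
        query_accounts={"svc-lookup"},
    )
    return [parent, child]


def legacy_authenticate(servers, username: str, password: str) -> Optional[str]:
    """Prior-art flow: poll each server binding with UPN = username@<that server's domain>.
    Returns the IP of the server that accepted the bind, or None if all refused."""
    for server in servers:
        upn = f"{username}@{server.domain}"
        if server.ldap_bind(upn, password):
            return server.ip
    return None


class AuthServer:
    """The patent's authentication server: learn the UPN first, then bind with it."""

    def __init__(self, servers, query_account: str):
        self.servers = servers
        self.query_account = query_account
        # user name -> (UPN, server), remembered after the first successful lookup
        self.upn_cache: Dict[str, Tuple[str, DomainServer]] = {}

    def lookup_upn(self, username: str) -> Optional[Tuple[str, DomainServer]]:
        """Steps 102-103: poll the domain servers in turn until one returns a UPN."""
        if username in self.upn_cache:
            return self.upn_cache[username]
        for server in self.servers:
            upn = server.find_upn(self.query_account, username)
            if upn is not None:
                self.upn_cache[username] = (upn, server)
                return upn, server
        return None

    def authenticate(self, username: str, password: str) -> Tuple[bool, Optional[str]]:
        """Steps 103-104: bind to the target server with the reported UPN and the password.
        Returns (success, IP of the target server or None when no server holds the user)."""
        hit = self.lookup_upn(username)
        if hit is None:
            return False, None
        upn, server = hit
        return server.ldap_bind(upn, password), server.ip


if __name__ == "__main__":
    forest = build_forest()
    auth = AuthServer(forest, query_account="svc-lookup")
    for user, pw in [("rootuser", "root-pw"), ("subuser1", "sub1-pw"), ("subuser3", "sub3-pw")]:
        print(user, "prior art:", legacy_authenticate(forest, user, pw),
              "patent:", auth.authenticate(user, pw))
```

Running the file shows the page's failure case: legacy_authenticate rejects subuser1 because it assembles subuser1@test.yf8b.com, while AuthServer binds with the subuser1@yf8b.com that the sub-domain server reported. In a real deployment the query account should be a read-only directory account with no other rights, the bind should travel over LDAPS (for example ldap3's Connection with the UPN as the bind identity), and the UPN cache should be dropped for a user whose cached target server later answers that the UPN is unknown.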
The embodiment of the present invention provides an authentication method in which the authentication server, after obtaining a user name, sends query messages carrying the user name to multiple Windows AD domain servers in the network, so that the Windows AD domain servers determine whether they hold a user principal name (UPN) corresponding to the user name. If the authentication server receives a query response carrying the UPN from one target Windows AD domain server, it constructs a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN, sends it to the target Windows AD domain server and receives the authentication result information that the target Windows AD domain server returns. Because the authentication server constructs the LDAP authentication request message from the UPN corresponding to the user name that the target Windows AD domain server reported, sub-domain users can be authenticated successfully and the user's computer can access the network and communicate normally.
Fig. 2 is a schematic structural diagram of an authentication server provided in an embodiment of the present invention. As shown in Fig. 2, the authentication server 200 provided in this embodiment includes:
An acquisition module 201, configured to obtain a user name;
A sending module 202, configured to send query messages to multiple Windows Active Directory (AD) domain servers in the network, the query messages carrying the user name obtained by the acquisition module 201, so that the Windows AD domain servers determine whether they hold a user principal name (UPN) corresponding to the user name;
A first determining module 203, configured to, if a query response returned by one target Windows AD domain server is received and the query response carries the UPN, construct a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN and send the LDAP authentication request message to the target Windows AD domain server;
A receiving module 204, configured to receive the authentication result information sent by the target Windows AD domain server.
Further, as shown in Fig. 3, the authentication server 200 provided in an embodiment of the present invention also includes a second determining module 205, configured to determine, before the sending module 202 sends query messages to the multiple Windows AD domain servers in the network, a common query account corresponding to each Windows AD domain server, and to carry the common query account in the query messages.
Optionally, the sending module 202 is specifically configured to send query messages to the multiple Windows AD domain servers one after another in polling mode, until the authentication server receives the query response sent by the target Windows AD domain server.
Further, as shown in Fig. 4, the authentication server 200 provided in an embodiment of the present invention also includes a storage module 206, configured to save the UPN corresponding to the user name after the first determining module 203 receives the query response returned by one target Windows AD domain server, so that subsequent authentication of that user name is performed with the target Windows AD domain server corresponding to the UPN.
The device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 5 is a schematic structural diagram of an authentication system provided in an embodiment of the present invention. As shown in Fig. 5, the authentication system 300 provided in this embodiment includes an authentication server 301 and multiple Windows AD domain servers 302. The authentication server 301 may use the structure of any of the authentication server embodiments of Fig. 2 to Fig. 4 and may carry out the technical solution of the method embodiment in Fig. 1. Each Windows AD domain server 302 among the multiple Windows AD domain servers 302 is configured to perform the following:
The Windows AD domain server 302 receives the query message sent by the authentication server 301, the query message carrying a user name;
The Windows AD domain server 302 checks whether it holds a user principal name (UPN) corresponding to the user name;
If it does, the Windows AD domain server 302 sends a query response to the authentication server 301, the query response carrying the UPN, so that the authentication server 301 constructs a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN;
The Windows AD domain server 302 receives the LDAP authentication request message sent by the authentication server 301;
The Windows AD domain server 302 sends authentication result information to the authentication server 301 according to the received LDAP authentication request message.
The implementation principle and technical effect of the authentication system 300 provided in this embodiment are similar to those of the method embodiment in Fig. 1 and are not repeated here.
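The query-then-bind flow described above, written out as an added example that is not part of the patent and not code from its assignee: two simulated Windows AD domain servers, a polling lookup of the UPN using a shared query account, construction of the LDAPv3 simple BindRequest (RFC 4511) that carries the UPN as the bind name, and a cache so that the second authentication of the same user name skips the polling. The domain names, account names, passwords, and all class and function names are constructed for illustration; the simulated domain servers stand in for real LDAP endpoints, and the bind verifier only handles short-form BER lengths.

```python
# Added example, not the patent's code; every domain, account, password and name is constructed.
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def build_simple_bind(message_id: int, upn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name = UPN, simple } } per
    RFC 4511 4.2; AD accepts a UPN as the bind name, hence the UPN lookup first."""
    bind_request = (
        _tlv(0x02, b"\x03")                       # version INTEGER 3
        + _tlv(0x04, upn.encode("utf-8"))         # name LDAPDN (the UPN)
        + _tlv(0x80, password.encode("utf-8"))    # authentication [0] simple
    )
    msg_id = message_id.to_bytes((message_id.bit_length() + 8) // 8, "big")
    return _tlv(0x30, _tlv(0x02, msg_id) + _tlv(0x60, bind_request))

def parse_simple_bind(msg: bytes) -> Tuple[int, str, str]:
    """Inverse of build_simple_bind for short-form lengths (fields < 128 bytes)."""
    def tlv(buf: bytes, pos: int, expect: int) -> Tuple[bytes, int]:
        tag, length = buf[pos], buf[pos + 1]
        if tag != expect or length >= 0x80:
            raise ValueError(f"unexpected tag {tag:#x} or long length at {pos}")
        return buf[pos + 2:pos + 2 + length], pos + 2 + length
    body, _ = tlv(msg, 0, 0x30)
    mid, pos = tlv(body, 0, 0x02)
    bind, _ = tlv(body, pos, 0x60)
    version, pos = tlv(bind, 0, 0x02)
    if version != b"\x03":
        raise ValueError("only LDAPv3 binds are handled")
    name, pos = tlv(bind, pos, 0x04)
    pw, _ = tlv(bind, pos, 0x80)
    return int.from_bytes(mid, "big"), name.decode("utf-8"), pw.decode("utf-8")

@dataclass
class ADDomainServer:
    """Stand-in for one domain controller: its own accounts plus the shared query account."""
    domain: str
    accounts: Dict[str, str]      # sAMAccountName -> password (constructed)
    query_account: str

    def lookup_upn(self, query_account: str, username: str) -> Optional[str]:
        # answer the query message: the UPN if this domain holds the user, else None
        if not hmac.compare_digest(query_account, self.query_account):
            return None
        return f"{username}@{self.domain}" if username in self.accounts else None

    def handle_bind(self, request: bytes) -> bool:
        """The UPN must belong to this domain and the password must match (constant-time)."""
        _, upn, password = parse_simple_bind(request)
        user, _, domain = upn.rpartition("@")
        expected = self.accounts.get(user) if domain == self.domain else None
        return expected is not None and hmac.compare_digest(expected, password)

class AuthServer:
    def __init__(self, domain_servers: List[ADDomainServer], query_account: str):
        self.domain_servers = list(domain_servers)
        self.query_account = query_account
        self.upn_cache: Dict[str, Tuple[str, ADDomainServer]] = {}
        self.next_id = 1

    def find_upn(self, username: str) -> Optional[Tuple[str, ADDomainServer]]:
        """Poll the domain servers in turn until one returns a UPN; cache the answer."""
        if username in self.upn_cache:
            return self.upn_cache[username]
        for dc in self.domain_servers:
            upn = dc.lookup_upn(self.query_account, username)
            if upn is not None:
                self.upn_cache[username] = (upn, dc)
                return upn, dc
        return None

    def authenticate(self, username: str, password: str) -> bool:
        hit = self.find_upn(username)
        if hit is None:
            return False                  # no domain in the forest knows the user
        upn, dc = hit
        request = build_simple_bind(self.next_id, upn, password)
        self.next_id += 1
        return dc.handle_bind(request)

def demo() -> Dict[str, bool]:
    root = ADDomainServer("corp.example.com", {"bob": "pw-bob"}, "svc-lookup")
    sub = ADDomainServer("sub.corp.example.com", {"alice": "pw-alice"}, "svc-lookup")
    auth = AuthServer([root, sub], "svc-lookup")
    return {
        "alice_ok": auth.authenticate("alice", "pw-alice"),   # found on the 2nd poll
        "alice_bad_pw": auth.authenticate("alice", "wrong"),  # served from the cache
        "bob_ok": auth.authenticate("bob", "pw-bob"),
        "unknown": auth.authenticate("mallory", "x"),         # no domain has a UPN
    }
```

The point the example makes is the one the description relies on: a bare user name is not enough to bind against a forest with subdomains, so the authentication server first asks each domain which UPN it owns for that name, then binds with the UPN it was given. The cache in `find_upn` corresponds to the storage module 206; a deployment would also want an expiry on it so that a user moved between domains is looked up again.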
One of ordinary skill in the art will appreciate that all or part of the steps of each of the above method embodiments can be completed by hardware driven by program instructions. The foregoing program can be stored in a computer-readable storage medium; when executed, the program performs the steps of each of the above method embodiments. The foregoing storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An authentication method, characterized by including:
an authentication server obtaining a user name;
the authentication server sending query messages to multiple Windows Active Directory (AD) domain servers in the network, the query messages carrying the user name, so that the Windows AD domain servers determine whether they hold a user principal name (UPN) corresponding to the user name;
if the authentication server receives a query response returned by one target Windows AD domain server and the query response carries the UPN, the authentication server constructing a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN and sending the LDAP authentication request message to the target Windows AD domain server;
the authentication server receiving the authentication result information sent by the target Windows AD domain server.
2. The method according to claim 1, characterized in that, before the authentication server sends query messages to the multiple Windows AD domain servers in the network, the method further includes:
the authentication server determining a common query account corresponding to each Windows AD domain server, and carrying the common query account in the query messages.
3. The method according to claim 1 or 2, characterized in that the authentication server sending query messages to the multiple Windows AD domain servers in the network specifically includes:
the authentication server sending query messages to the multiple Windows AD domain servers one after another in polling mode, until the authentication server receives the query response sent by the target Windows AD domain server.
4. The method according to claim 1 or 2, characterized in that, after the authentication server receives the query response returned by one target Windows AD domain server, the method further includes:
the authentication server saving the UPN corresponding to the user name, so that subsequent authentication of the user name is performed with the target Windows AD domain server corresponding to the UPN.
5. An authentication server, characterized by including:
an acquisition module, configured to obtain a user name;
a sending module, configured to send query messages to multiple Windows Active Directory (AD) domain servers in the network, the query messages carrying the user name obtained by the acquisition module, so that the Windows AD domain servers determine whether they hold a user principal name (UPN) corresponding to the user name;
a first determining module, configured to, if a query response returned by one target Windows AD domain server is received and the query response carries the UPN, construct a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN and send the LDAP authentication request message to the target Windows AD domain server;
a receiving module, configured to receive the authentication result information sent by the target Windows AD domain server.
6. The authentication server according to claim 5, characterized by further including a second determining module, configured to determine, before the sending module sends query messages to the multiple Windows AD domain servers in the network, a common query account corresponding to each Windows AD domain server, and to carry the common query account in the query messages.
7. The authentication server according to claim 5 or 6, characterized in that the sending module is specifically configured to send query messages to the multiple Windows AD domain servers one after another in polling mode, until the authentication server receives the query response sent by the target Windows AD domain server.
8. The authentication server according to claim 5 or 6, characterized by further including a storage module, configured to save the UPN corresponding to the user name after the first determining module receives the query response returned by one target Windows AD domain server, so that subsequent authentication of the user name is performed with the target Windows AD domain server corresponding to the UPN.
9. An authentication system, characterized by including an authentication server according to any one of claims 5 to 8 and multiple Windows Active Directory (AD) domain servers.
10. The authentication system according to claim 9, characterized in that the Windows AD domain server is configured to receive the query message sent by the authentication server, the query message carrying a user name;
the Windows AD domain server checks whether it holds a user principal name (UPN) corresponding to the user name;
if it does, the Windows AD domain server sends a query response to the authentication server, the query response carrying the UPN, so that the authentication server constructs a Lightweight Directory Access Protocol (LDAP) authentication request message according to the UPN;
the Windows AD domain server receives the LDAP authentication request message sent by the authentication server;
the Windows AD domain server sends authentication result information to the authentication server according to the received LDAP authentication request message.
CN201410524606.5A 2014-10-08 2014-10-08 Authentication method, certificate server and Verification System Active CN104270368B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410524606.5A CN104270368B (en) 2014-10-08 2014-10-08 Authentication method, certificate server and Verification System


Publications (2)

Publication Number Publication Date
CN104270368A CN104270368A (en) 2015-01-07
CN104270368B true CN104270368B (en) 2017-11-03

Family

ID=52161858

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410524606.5A Active CN104270368B (en) 2014-10-08 2014-10-08 Authentication method, certificate server and Verification System

Country Status (1)

Country Link
CN (1) CN104270368B (en)



Also Published As

Publication number Publication date
CN104270368A (en) 2015-01-07


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee after: RUIJIE NETWORKS Co.,Ltd.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.