The term “computer network” generally refers to a system for enabling communication between or among computers or equivalent computing devices. When configured to include a server providing a directory service, the computer network becomes an integrated distributed computing environment, hereinafter referred to as a “networked environment,” where participating devices and users of these devices may utilize network resources, such as by using or sharing data or attached peripherals, or communicate with each other.
In order to use these network resources, a user, sometimes referred to as a real user, usually logs onto the networked environment that provides access to these network resources. Attempting to log on to a networked environment initiates an authentication process. During the authentication process, the user will attempt to log on to the networked environment by entering a user name and password on a computing device. The device will then request credentials from an authentication service provided by the networked environment.
The computing device sends the request for credentials to the authentication service in the form of an authentication request packet that includes the user name. If the user name is valid, the authentication service will authenticate the user name of the real user by, among other things, replying with an authentication response packet, which may contain a session key encrypted using the user's password. The session key permits the real user's computing device to use and communicate with network resources on the networked environment. The authentication request packet and authentication response packet are sometimes respectively referred to as an authentication exchange request packet and an authentication exchange response packet under the Kerberos protocol.
However, the above approach is limited because it is primarily perimeter-based. Once the user name of a real user is authenticated, the real user can obtain access to network resources with minimal restrictions other than those provided by the security policy, which is defined in a directory service provided on the networked environment, for that user name. If the user name has full administrative authority under the security policy, then the real user utilizing the user name receives full access to network resources. If a real user obtains authentication for a user name that the real user is not authorized to use, such a situation can lead to a disastrous compromise of network security, since once authenticated on the network, the real user will have unrestrained access to network resources.
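The authentication exchange described above, and the limitation that follows from it, as an added example that is not part of this document: a constructed model of the Kerberos AS exchange in which the KDC returns a session key encrypted under a key derived from the user's password, so that only a party knowing the password can recover it, while nothing in the exchange identifies which real person supplied that password. The realm, principal database, password, and message layout are assumptions; key derivation and encryption are standard-library stand-ins, not Kerberos encryption types.

```python
import hashlib, hmac, os, secrets
# Constructed model of the AS exchange described above. Key derivation and
# encryption are stdlib stand-ins (PBKDF2, HMAC keystream), not Kerberos etypes.
def string_to_key(password, realm, principal):
    # Stand-in for Kerberos string-to-key: the salt is realm + principal name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def seal(key, pt):
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong password or tampered AS-REP")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

REALM = "EXAMPLE.COM"
# Constructed principal database: the KDC holds one long-term key per user name
KDC_DB = {"alice": string_to_key("correct horse", REALM, "alice")}

def as_request(user_name):
    # AS-REQ carries only the claimed user name; the password never leaves the client
    return {"msg": "AS-REQ", "cname": user_name, "realm": REALM}

def kdc_handle(req):
    # AS-REP returns a fresh session key encrypted under the principal's long-term key
    key = KDC_DB.get(req["cname"])
    if key is None:
        return {"msg": "KRB-ERROR", "reason": "unknown principal"}
    return {"msg": "AS-REP", "cname": req["cname"], "enc_part": seal(key, secrets.token_bytes(32))}

def client_recover_session_key(rep, password):
    # Anyone who knows the password for this user name can open enc_part; the
    # exchange says nothing about which real person typed it (the gap described above)
    if rep["msg"] != "AS-REP":
        return None
    try:
        return unseal(string_to_key(password, REALM, rep["cname"]), rep["enc_part"])
    except ValueError:
        return None
```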
Consequently, a need exists for improved systems and methods for verifying the authentication of a user name after the user name has been authenticated on a networked environment.