Abstract: Techniques are described herein that are capable of dynamically failing over authentication traffic to a backup authentication system by a proxy system. An authentication request, which requests authentication of a principal, is received at the proxy system. The authentication request is directed to a primary authentication system. A determination is made, by the proxy system, that the primary authentication system is incapable of providing a valid response to the authentication request. The backup authentication system is caused, by the proxy system, to authenticate the principal using an authentication package received from the primary authentication system by dynamically routing the authentication request to the backup authentication system as a result of the primary authentication system being incapable of providing a valid response to the authentication request.

Abstract: Techniques are described herein that are capable of using an authentication package from a primary authentication system to authenticate a principal by a backup authentication system. The authentication package includes an authentication artifact, which is signed with a cryptographic key by the primary authentication system and which includes claim(s) that are usable to authenticate the principal, and further includes metadata. The metadata includes credential verification information that is usable to verify a credential of the principal and a first principal identifier that identifies the principal. A request to authenticate the principal is received at the backup authentication system. The request includes the credential and a second principal identifier that identifies the principal.

Abstract: Techniques are described herein that are capable of using an authentication package from a primary authentication system to authenticate a principal by a backup authentication system. The authentication package includes an authentication artifact, which is signed with a cryptographic key by the primary authentication system and which includes claim(s) that are usable to authenticate the principal, and further includes metadata. The metadata includes credential verification information that is usable to verify a credential of the principal and a first principal identifier that identifies the principal. A request to authenticate the principal is received at the backup authentication system. The request includes the credential and a second principal identifier that identifies the principal.

Abstract: Techniques are described herein that are capable of dynamically routing an authentication request to a backup authentication system by a client device. For instance, the client device stores a list, which identifies authentication systems that are authorized to respond to authentication requests from the client device. The client device sends the authentication request toward a primary authentication system based at least in part on the authentication request identifying the primary authentication system as a recipient of the authentication request. The authentication request requests authentication of a principal by the primary authentication system.

Abstract: Techniques are described herein that are capable of dynamically failing over authentication traffic to a backup authentication system by a proxy system. An authentication request, which requests authentication of a principal, is received at the proxy system. The authentication request is directed to a primary authentication system. A determination is made, by the proxy system, that the primary authentication system is incapable of providing a valid response to the authentication request. The backup authentication system is caused, by the proxy system, to authenticate the principal using an authentication package received from the primary authentication system by dynamically routing the authentication request to the backup authentication system as a result of the primary authentication system being incapable of providing a valid response to the authentication request.

Abstract: Systems and methods are described that provide terminal services through a firewall. In one implementation, data is wrapped with an RPC-based protocol, wherein the data to be wrapped is configured according to a stream-based protocol consistent with establishing a server/client relationship. The RPC-based protocol is then layered over HTTPS. The wrapped data is then passed through the firewall.

Abstract: An improved method and system for layering RPC communications on top of an HTTP transport. An RPC data stream of individual request/reply packets is mapped to HTTP primitives, and RPC requests are mapped to one large, HTTP, POST-like request (IN channel). Corresponding replies are mapped to another large, HTTP, GET-like request (OUT channel). The client establishes the IN channel and OUT channel as simultaneously open connections with a large content-length for each. Before the content-length is exhausted, the client and server open a new IN or OUT channel while the corresponding channel is still alive, so that there is always at least one opened IN or OUT channel available. If traffic is too infrequent, the client keeps the connection alive so that it will not be closed for being idle. This provides a bi-directional virtual connection that remains open for an unlimited time for tunneling unlimited amounts of RPC traffic.

Abstract: An improved method and system for layering RPC communications on top of an HTTP transport. An RPC data stream of individual request/reply packets is mapped to HTTP primitives, and RPC requests are mapped to one large, HTTP, POST-like request (IN channel). Corresponding replies are mapped to another large, HTTP, GET-like request (OUT channel). The client establishes the IN channel and OUT channel as simultaneously open connections with a large content-length for each. Before the content-length is exhausted, the client and server open a new IN or OUT channel while the corresponding channel is still alive, so that there is always at least one opened IN or OUT channel available. If traffic is too infrequent, the client keeps the connection alive so that it will not be closed for being idle. This provides a bi-directional virtual connection that remains open for an unlimited time for tunneling unlimited amounts of RPC traffic.