Abstract: This disclosure describes methods, systems, and application programming interfaces for creating a credential managed account. This disclosure describes creating a new password managed account, defining the password managed account, wherein the password managed account is to access a service on a managed computing device, identifying the password managed account for a lifecycle, and automatically managing the password managed account by updating and changing a password for the password managed account on a periodic basis.

Abstract: Described is a technology by which a target machine (managed device) is provisioned with arbitrary states for subsequent communication with a central authority, in which the configuration provisioning of the device is decoupled from the collection of the provisioning data. In a provisioning phase, arbitrary state information for provisioning the managed device is obtained and packaged in a container. In a configuration phase, the container is accessed, and the arbitrary state information is unpackaged to apply state to the managed device. The target machine thus may be provisioned with arbitrary states without actively communicating with the central authority.

Abstract: Sharing security claims across different security contexts. A method includes, for a first security context, identifying a first set of security claims. The method further includes for the first security context identifying a second set of security claims from the first set of security claims that is allowed to be sent from the first security context. The first set of security claims is modified to create the second set of security claims. For a second security context, security claim requirements are identified. The second set of security claims is modified to satisfy the security claim requirements for the second security context.

Abstract: Described is a technology by which a target machine (managed device) is provisioned with arbitrary states for subsequent communication with a central authority, in which the configuration provisioning of the device is decoupled from the collection of the provisioning data. In a provisioning phase, arbitrary state information for provisioning the managed device is obtained and packaged in a container. In a configuration phase, the container is accessed, and the arbitrary state information is unpackaged to apply state to the managed device. The target machine thus may be provisioned with arbitrary states without actively communicating with the central authority.

Abstract: An offline trust system establishes a trust relationship between a trust authority computer system and a target computer system without relying on an active network connection between the computer systems. The offline trust system separates the trust establishment operation into a provisioning phase and a configuration phase. The provisioning phase can be performed entirely on the trust authority, while the configuration phase can be performed entirely on the target computer system requesting trust. The two phases can be performed at different times and do not assume any connection between the two computer systems. An administrator may perform the provisioning phase for many target computer systems at the same time. Thus, the offline trust system provides a way to establish trust between computer systems that is more reliable and less prone to failure.

Abstract: A server may bridge between a wide area network, such as the Internet, and a local area network and may process authentication requests from clients on the wide area network. The server may filter the requests to enable specific types of requests to pass, and may forward the requests to a credential server within the local area network and pass any responses back to the client. The server may be configured with some or all of a set of domain services objects, but such objects may be stored in a read only format. The server may further contain a minimum of or no sensitive data such that, if compromised, an attacker may gain little advantage. The client may request evidence of authentication available to devices within the local area network and may use the evidence of authentication to access services made available to the wide area network.

Abstract: An offline trust system establishes a trust relationship between a trust authority computer system and a target computer system without relying on an active network connection between the computer systems. The offline trust system separates the trust establishment operation into a provisioning phase and a configuration phase. The provisioning phase can be performed entirely on the trust authority, while the configuration phase can be performed entirely on the target computer system requesting trust. The two phases can be performed at different times and do not assume any connection between the two computer systems. An administrator may perform the provisioning phase for many target computer systems at the same time. Thus, the offline trust system provides a way to establish trust between computer systems that is more reliable and less prone to failure.

Abstract: This disclosure describes methods, systems, and application programming interfaces for creating a credential managed account. This disclosure describes creating a new password managed account, defining the password managed account, wherein the password managed account is to access a service on a managed computing device, identifying the password managed account for a lifecycle, and automatically managing the password managed account by updating and changing a password for the password managed account on a periodic basis.