Pass-thru for client authentication

US 20040210756A1
Filed: 04/15/2003
Published: 10/21/2004
Est. Priority Date: 04/15/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that same client to a second server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

Citations

44 Claims

1. An apparatus comprising:
- a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that same client to a second server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the second authentication context from that client to the second server is based on the first authentication context from that client to the first server.
  - 3. The apparatus of claim 1, wherein the first authentication context is based on a Kerberos ticket.
  - 4. The apparatus of claim 1, wherein the authentication context is based on a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) security protocol.
  - 5. The apparatus of claim 1, wherein the first authentication context is based on a first ticket, and the second authentication context is based on a second ticket.
  - 6. The apparatus of claim 5, wherein the first ticket is a Kerberos ticket.
  - 7. The apparatus of claim 5, wherein the second ticket is a Kerberos ticket.
  - 8. The apparatus of claim 1, further comprising providing an SSL/TLS handshake protocol.
  - 9. The apparatus of claim 8, wherein the handshake protocol provides the first authentication context and the second authentication context.
  - 10. The apparatus of claim 1, further comprising the client generating a first master key, and the first server generating a second master key.
  - 11. The apparatus of claim 1, further comprising the client generating a first session key and the first server generating a second session key.

12. A method comprising:
- a first server providing a pass-thru with evidence to a Domain Controller (DC), wherein the evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential; and
  
  using the pass-thru in combination with the credential to request a second authentication context from the client to a second server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the second authentication context from the client to the second server is based on the first authentication context from the client to the first server.
  - 14. The method of claim 12, wherein the first authentication context is based on a Kerberos ticket.
  - 15. The method of claim 12, wherein the authentication context is based on a secure sockets layer (SSL)/Transport Layer Security (TLS) security protocol.
  - 16. The method of claim 12, wherein the first authentication context is based on a first ticket, and the second authentication context is based on a second ticket.
  - 17. The method of claim 16, wherein the first ticket is a Kerberos ticket.
  - 18. The method of claim 16, wherein the second ticket is a Kerberos ticket.
  - 19. The method of claim 12, further comprising providing an SSL/TLS handshake protocol.
  - 20. The method of claim 19, wherein the handshake protocol provides the first authentication context and the second authentication context.
  - 21. The method of claim 12, further comprising the client generating a first master key, and the first server generating a second master key.
  - 22. The method of claim 12, further comprising the client generating a first session key and the first server generating a second session key.

23. An apparatus, comprising:
- a first ticket providing a first authentication context for authenticating a client for a first server by performing authentication calculations;
  
  a second ticket providing a second authentication context for authenticating the client for a second server, wherein the second ticket is generated based on a pass-through with evidence produced by a Domain Controller (DC).
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The apparatus of claim 23, wherein the first ticket and the second ticket are both Kerberos tickets.
  - 25. The apparatus of claim 23, further comprising generating a credential at the DC.
  - 26. The apparatus of claim 23, further comprising a delegable credential that generates the second ticket from the first ticket.
  - 27. The apparatus of claim 23, wherein the evidence includes evidence authenticating the client for the first server.
  - 28. The apparatus of claim 23, wherein the DC re-computes the authentication calculations associated with the first authentication context for authenticating the client for the first server.
  - 29. The apparatus of claim 23, wherein the first ticket includes a Kerberos ticket.
  - 30. The apparatus of claim 23, wherein the second ticket includes a Kerberos ticket.

31. A method comprising:
- a client transmitting a request for an authentication context from a server;
  
  the server performing authentication calculations in response to the request for authentication context;
  
  the server transmitting the request for an authentication context to a Domain Controller (DC); and
  
  the DC re-performing the authentication calculations associated with the client.
- View Dependent Claims (32)
- - 32. The method of claim 31, wherein the request for the authentication context relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential;
    - and the request for authentication context transmitted from the server to the DC includes a pass-thru with evidence that is used to request a second authentication context from the client to a second server.

33. A method of authenticating a client at a Domain Controller (DC) using a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) security protocol.

34. A method comprising:
- authenticating a client at a server; and
  
  proving to an authentication authority that the server authenticated, the client.
- View Dependent Claims (35, 36, 37, 38)
- - 35. The method of claim 34, wherein the authentication authority is a centralized authentication authority.
  - 36. The method of claim 34, further comprising passing the authentication of the client from the server to a second server.
  - 37. The method of claim 34, wherein the authentication of the client at the server is based on a Secure Sockets Layer/Transport Layer Security (SSL/TLS) handshake.
  - 38. The method of claim 34, wherein the proving to an authentication authority that the server authenticated the client is based on a Secure Sockets Layer/Transport Layer Security (SSL/TLS) handshake.

39. A computer readable medium having computer executable instructions for performing steps comprising:
- a first server providing a pass-thru with evidence to a Domain Controller (DC), wherein the evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential; and
  
  using the pass-thru in combination with the credential to request a second authentication context from the client to a second server.

40. A computer readable medium having computer executable instructions for performing steps comprising:
- authenticating a client at a server; and
  
  proving to an authentication authority that the server authenticated the client.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The computer readable medium having computer executable instructions for performing steps of claim 40, wherein the authentication authority is a centralized authentication authority.
  - 42. The computer readable medium having computer executable instructions for performing steps of claim 40, further comprising passing the authentication of the client from the server to a second server.
  - 43. The computer readable medium having computer executable instructions for performing steps of claim 40, wherein the authentication of the client at the server is based on a Secure Sockets Layer/Transport Layer Security (SSL/TLS) handshake.
  - 44. The computer readable medium having computer executable instructions for performing steps of claim 40, wherein the proving to an authentication authority that the server authenticated the client is based on a Secure Sockets Layer/Transport Layer Security (SSL/TLS) handshake.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Leach, Paul J., Simon, Daniel R., Mowers, David R., Banes, John

Granted Patent

US 7,644,275 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0869   for achieving mutual authen...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

Pass-thru for client authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Pass-thru for client authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links