GLOBALLY TRUSTED CREDENTIALS LEVERAGED FOR SERVER ACCESS CONTROL

US 20050228981A1
Filed: 03/09/2005
Published: 10/13/2005
Est. Priority Date: 03/30/2004
Status: Active Grant

First Claim

Patent Images

1. At least one access control method implemented by at least one application program, the at least one method comprising:

identifying at least one resource principal for which the at least one application program lacks at least one trusted credential for authenticating at least one purported client credential provided in connection with at least one access request; and

authorizing at least one client to access the at least one application program based on a determination by at least one separate trusted authority that the at least one purported client credential is valid for the at least one resource principal.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, computer-readable media and application program interfaces are disclosed for enabling server applications to verify purported authentication information, such as passwords, provided by clients in connection with server access requests by leveraging trusted credentials maintained by separate trusted authorities. In some cases, the server applications may lack trusted credentials that may be used to verify the purported authentication information. In those cases, the server applications may identify security principal accounts managed by the separate trusted authorities for which the provided authentication information may be purported to be valid for by the requesting clients. Further, the server applications may request the separate trusted authorities to authenticate the purported authentication information before granting access to the requesting clients. In other cases, the server applications may maintain locally trusted credentials that may be used to verify the provided authentication information without involving the separate trusted authorities.

Citations

20 Claims

1. At least one access control method implemented by at least one application program, the at least one method comprising:
- identifying at least one resource principal for which the at least one application program lacks at least one trusted credential for authenticating at least one purported client credential provided in connection with at least one access request; and
  
  authorizing at least one client to access the at least one application program based on a determination by at least one separate trusted authority that the at least one purported client credential is valid for the at least one resource principal.
- View Dependent Claims (2, 3, 4)
- - 2. The at least one method as set forth in claim 1 further comprising:
    - obtaining at least one reference to at least one security identifier for the at least one resource principle via at least one application object managed by the at least one application program; and
      
      requesting the at least one separate trusted authority to provide at least one account identifier for the at least one resource principle in exchange for the at least one security identifier obtained via the at least one application object.
  - 3. The at least one method as set forth in claim 1 further comprising:
    - identifying at least one other resource principal for which the at least one application program maintains at least one locally trusted credential for authenticating at least one other purported client credential provided in connection with at least one other access request; and
      
      authorizing at least one other client to access the at least one application program based on another determination by the at least one application program that the at least one other purported client credential is valid for at least one other resource principal.
  - 4. The at least one method as set forth in claim 3 further comprising:
    - authenticating the at least one other purported client credential provided in connection with the at least one other access request based on the at least one locally trusted credential maintained by the at least one application program without involving the at least one separate trusted authority.

5. At least one computer-readable medium having at least one instruction stored thereon, which when executed by at least one processing system in conjunction with at least one application program, causes the at least one application program to implement at least one access control method, the at least one medium comprising at least one instruction for:
- identifying at least one resource principal for which the at least one application program lacks at least one trusted credential for authenticating at least one purported client credential provided in connection with at least one access request; and
  
  authorizing at least one client to access the at least one application program based on a determination by at least one separate trusted authority that the at least one purported client credential is valid for the at least one resource principal.
- View Dependent Claims (6, 7, 8)
- - 6. The at least one medium as set forth in claim 5 further comprising at least one other instruction for:
    - obtaining at least one reference to at least one security identifier for the at least one resource principle via at least one application object managed by the at least one application program; and
      
      requesting the at least one separate trusted authority to provide at least one account identifier for the at least one resource principle in exchange for the at least one security identifier obtained via the at least one application object.
  - 7. The at least one medium as set forth in claim 5 further comprising at least one other instruction for:
    - identifying at least one other resource principal for which the at least one application program maintains at least one locally trusted credential for authenticating at least one other purported client credential provided in connection with at least one other access request; and
      
      authorizing at least one other client to access the at least one application program based on another determination by the at least one application program that the at least one other purported client credential is valid for at least one other resource principal.
  - 8. The at least one medium as set forth in claim 5 wherein the at least one application program comprises at least one of either one or more directory services, one or more databases, or one or more of any other type of data store.

9. At least one application program interface (API) tangibly embodied as at least one instruction stored on at least one computer-readable medium, which when executed by at least one processing system in conjunction with at least one application program, causes the at least one application program to implement at least one access control method, the at least one API comprising:
- at least one access interface that accepts at least one request to access the at least one application program; and
  
  at least one credential parameter that accepts at least one purported client credential provided in connection with at least one call to the at least one access interface for which the at least one application program lacks at least one trusted credential for authenticating and for which the at least one application program can request at least one separate trusted authority to authenticate.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The at least one API as set forth in claim 9 further comprising at least one identifier parameter for the at least one access interface that accepts at least one identifier that identifies at least one application object of the at least one application program which references at least one resource principle managed by the separate trusted authority for which authentication of the at least one purported client credential is based on.
  - 11. The at least one API as set forth in claim 10 wherein the at least one identifier parameter accepts at least one other identifier that identifies at least one other application object maintaining at least one locally trusted credential which the at least one application program can use to authenticate at least one other purported client credential accepted by the at least one credential parameter without involving the at least one separate trusted authority.
  - 12. The at least one API as set forth in claim 9 wherein the at least one access interface returns at least one authentication result obtained by the at least one application program performing at least one of either requesting the at least one separate trusted authority to authenticate the at least one purported client credential or authenticating at least one other purported client credential accepted by the at least one credential parameter using at least one locally trusted credential maintained by at least one application object of the at least one application program.
  - 13. The at least one API as set forth in claim 9 wherein the at least one access interface is expressed using at least one of either a lightweight directory access protocol or one or more of any other protocol.
  - 14. The at least one API as set forth in claim 9 wherein the at least one application program comprises at least one of either one or more directory services, one or more databases, or one or more of any other type of data store.

15. A method of requesting access to at least one application program via at least one application program interface, the method comprising:
- calling at least one access interface that has at least one credential parameter for requesting access to the at least one application program; and
  
  providing the at least one credential parameter with at least one purported client credential for which the at least one application program lacks at least one trusted credential for authenticating and for which the at least one application program can request at least one separate trusted authority to authenticate.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method as set forth in claim 15 wherein the at least one access interface also has at least one identifier parameter, the method further comprising providing the at least one identifier parameter with at least one identifier that identifies at least one application object of the at least one application program which references at least one resource principle managed by the separate trusted authority for which authentication of the at least one purported client credential is based on.
  - 17. The method as set forth in claim 16 further comprising providing the at least one identifier parameter with at least one other identifier that identifies at least one other application object maintaining at least one locally trusted credential which the at least one application program can use to authenticate at least one other purported client credential provided to the at least one credential parameter without involving the at least one separate trusted authority.
  - 18. The method as set forth in claim 15 wherein calling at least one access interface further comprises making at least one lightweight directory access protocol simple bind call or one or more other calls using any other protocol in connection with the at least one access interface call.
  - 19. The method as set forth in claim 15 further comprising obtaining at least one return value indicating successful or unsuccessful authentication of the at least one purported client credential.
  - 20. The method as set forth in claim 15 further comprising accessing the at least one application program responsive to obtaining at least one return value indicating successful authentication of the purported credential information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gavrilov, Dmitri, Iyer, Kannan C.

Granted Patent

US 7,519,596 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/100
CPC Class Codes

H04L 63/08 for authentication of entit...

GLOBALLY TRUSTED CREDENTIALS LEVERAGED FOR SERVER ACCESS CONTROL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

GLOBALLY TRUSTED CREDENTIALS LEVERAGED FOR SERVER ACCESS CONTROL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links