Disconnected credential validation using pre-fetched service tickets

US 20070192843A1
Filed: 02/13/2006
Published: 08/16/2007
Est. Priority Date: 02/13/2006
Status: Active Grant

First Claim

Patent Images

1. A computer readable medium bearing computer readable program codes configured to:

carry out a method to validate login credentials, the method comprising;

authenticating a login device with an authentication service;

obtaining a user service ticket from the authentication service for the login device to communicate with a selected party; and

storing the user service ticket for subsequent authentication of the selected party.

View all claims

26 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more user service tickets are obtained (i.e. pre-fetched) from an authentication server and stored in a ticket cache. The user service tickets facilitate a login device communicating with one or more users or group members associated with the login device. Login credentials for the users or group members may be subsequently authenticated against the user service tickets within the ticket cache thereby eliminating the need for immediate access to the authentication server or a previous login session by the users or group members. The user service tickets within the ticket cache may be refreshed as needed. In one embodiment, the user service tickets are refreshed daily and also in response to login attempts if the authentication service is readily accessible.

Citations

24 Claims

1. A computer readable medium bearing computer readable program codes configured to:
- carry out a method to validate login credentials, the method comprising;
  
  authenticating a login device with an authentication service;
  
  obtaining a user service ticket from the authentication service for the login device to communicate with a selected party; and
  
  storing the user service ticket for subsequent authentication of the selected party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer readable medium of claim 1, wherein the method further comprises authenticating the selected party with the user service ticket.
  - 3. The computer readable medium of claim 2, wherein authenticating the selected party comprises receiving credentials from the selected party, generating a key for the selected party from the credentials, decrypting a portion of the user service ticket using the key for the selected party, and validating authentication data.
  - 4. The computer readable medium of claim 2, wherein authenticating the selected party comprises using the user service ticket to construct a Kerberos AP-REQ message structure that is immediately validated using a credential generated key for the selected party.
  - 5. The computer readable medium of claim 2, wherein authenticating the selected party with the user service ticket occurs in response to unavailability of the authentication service.
  - 6. The computer readable medium of claim 1, wherein the user service ticket is a Kerberos service ticket.
  - 7. The computer readable medium of claim 1, wherein the authentication service is a Kerberos key distribution center (KDC).
  - 8. The computer readable medium of claim 1, wherein the method further comprises authenticating the selected party via the KDC.
  - 9. The computer readable medium of claim 1, wherein the selected party is selected from the group consisting of a user, and a member of a group.
  - 10. The computer readable medium of claim 1, wherein the method further comprises refreshing the user service ticket.
  - 11. The computer readable medium of claim 10, wherein the user service ticket is refreshed in response to an event selected from the group consisting of expiration of a selected interval, a login request, a change in user credentials, and during a reboot cycle.

12. An apparatus to validate login credentials, the apparatus comprising:
- a ticket pre-fetch module configured to authenticate a login device with an authentication service;
  
  the ticket pre-fetch module further configured to obtain a user service ticket from the authentication service for the login device to communicate with a selected party;
  
  a ticket cache configured to store the user service ticket for subsequent authentication of the selected party.

13. The apparatus of claim 13, further comprising an authentication module configured to authenticate the selected party with the user service ticket.
- View Dependent Claims (16)
- - 16. The apparatus of claim 13, wherein the ticket pre-fetch module is further configured to refresh the user service ticket.

14. The apparatus of claim 14, wherein the authentication module is further configured to receiving credentials from the selected party, generate a key for the selected party from the credentials, decrypt a portion of the user service ticket using the key for the selected party, and validate authentication data associated with the user service ticket.
- View Dependent Claims (15)
- - 15. The apparatus of claim 14, wherein authentication module is further configured to use the user service ticket to construct a Kerberos AP-REQ message structure that is immediately validated using a key for the selected party.

17. The apparatus of claim 17, wherein the ticket pre-fetch module is further configured to refresh the user service ticket in response to an event selected from the group consisting of expiration of a selected interval, a change in user credentials, a login request, and a reboot cycle.

18. A system to validate login credentials, the system comprising:
- an authentication server configured to provide an authentication service;
  
  a ticket pre-fetch module configured to authenticate a login device with the authentication service and obtain a user service ticket from the authentication service for the login device to communicate with a selected party; and
  
  a ticket cache configured to store the user service ticket for subsequent authentication of the selected party.

19. The system of claim 19, further comprising an authentication module configured to authenticate the selected party with the user service ticket.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 19, wherein user service ticket is a Kerberos service ticket.
  - 23. The system of claim 19, wherein authentication server is a Kerberos key distribution center (KDC).
  - 24. The system of claim 19, wherein the authentication server is a Windows domain controller.

20. The system of claim 20, wherein the authentication module is further configured to receive credentials from the selected party, generate a key for the selected party from the credentials, decrypt a portion of the user service ticket using the key for the selected party, and validate authentication data associated with the user service ticket.
- View Dependent Claims (21)
- - 21. The system of claim 20, wherein authentication module is further configured to use the user service ticket to construct a Kerberos AP-REQ message structure that is immediately validated using a key for the selected party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Peterson, Matthew, Webb, Jeff

Granted Patent

US 8,087,075 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 9/3213 using tickets or tokens, e....

Disconnected credential validation using pre-fetched service tickets

First Claim

26 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Disconnected credential validation using pre-fetched service tickets

First Claim

26 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links