FRAMEWORK FOR NOTIFYING A DIRECTORY SERVICE OF AUTHENTICATION EVENTS PROCESSED OUTSIDE THE DIRECTORY SERVICE

US 20090077645A1
Filed: 09/08/2008
Published: 03/19/2009
Est. Priority Date: 09/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures, the method comprising:

receiving end user identity information and security information at the client application;

sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information;

comparing the received authentication token with the security information;

if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and

if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and machine-readable media for authenticating an end user for a client application are disclosed. According to one embodiment of the invention, a method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures comprises receiving end user identity information and security information at the client application; sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information; comparing the received authentication token with the security information; if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.

Citations

25 Claims

1. A method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures, the method comprising:
- receiving end user identity information and security information at the client application;
  
  sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information;
  
  comparing the received authentication token with the security information;
  
  if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and
  
  if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the security information received at the client application is generated by a hashing function and the authentication token received from the directory service is generated by the same hashing function.
  - 3. The method of claim 1 wherein the security information is passed through a hashing function after being received at the client application and the authentication token received from the directory service is generated by the same hashing function and the step of comparing the authentication token to the security information compares the authentication token to the security information in hashed form.
  - 4. The method of claim 1 wherein the end user information is a username and the security information is generated by hashing a cleartext password entered by the end user.
  - 5. The method of claim 4 wherein the authentication token stored in the directory service is generated by hashing a password associated with the end user using the same hash function that is used to generate the security information received at the client application.
  - 6. The method of claim 1 wherein the directory service:
    - in response to receiving a request indicating a successful authentication attempt, resets a count associated with a number of failed attempts to zero; and
      
      in response to receiving a request indicating a failed authentication attempt, increases the count associated with the number of failed attempts by one and, if the number of failed attempts exceeds a predetermined number of allowed failures, locks out the account associated with the end user.
  - 7. The method of claim 1 wherein the authentication token is a hashed value of a text-based password and authentication of an end user occurs without sending a cleartext password to the directory service.
  - 8. The method of claim 7 wherein the directory service is an LDAP (light directory access protocol) server, the search request is an LDAP Search operation and the requests to update the directory service to indicate successful or failed authentication attempts are LDAP Modify operations on an LDAP Entry within the directory service associated with the end user.

9. A method of authenticating a user for a client application over the Internet with a directory service that implements an authentication control policy to track failed authentication attempts, the method comprising:
- receiving account identity information and security information at the client application;
  
  sending a search request comprising the account identity information to the directory service;
  
  receiving an authentication token from the directory service associated with the account identity information if an entry associated with the account identity information exists on the directory service;
  
  comparing the received authentication token with the security information; and
  
  sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred if the authentication token does not match the security information.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9 further comprising sending a request to update the directory service to indicate that successful authentication of the end user has occurred if the authentication token matches the security information.
  - 11. The method of claim 9 wherein the authentication token is generated from a one-way hash function;
    - the security information is put through the same hash function; and
      
      the step of comparing the received authentication token with the security information compares the hashed version of the security information to the authentication token.
  - 12. The method of claim 9 wherein the authentication token is generated from a one-way hash function;
    - the security information received is hashed security information that was put through the same hash function; and
      
      the step of comparing the received authentication token with the security information compares the hashed security information to the authentication token.

13. A method of authenticating a user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures, the method comprising:
- receiving a search request including user identity information at the directory service;
  
  comparing the user identity information with entries in the directory service;
  
  if a match is found, sending an authentication token associated with the user identity information to a client application; and
  
  receiving a request at the directory service to update the directory service with information that indicates whether successful authentication of the user occurred at the client application.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13 wherein the directory service stores security information for users and wherein the method further comprises generating the authentication token from the security information using a one-way hash function prior to sending the authentication token to the client application.
  - 15. The method of claim 13 wherein the directory service generates authentication tokens when user entries are initially populated and stores the authentication token directly in an entry associated for the user.

16. A machine-readable medium for a computer system, the machine-readable medium having stored thereon a series of instructions which, when executed by a processing component of the computer system, cause the processing component to attempt authentication of a user for a client application over the Internet with a directory service that implements an authentication control policy to track failed authentication attempts by:
- receiving account identity information and security information at the client application;
  
  sending a search request comprising the account identity information to the directory service;
  
  receiving an authentication token from the directory service associated with the account identity information if an entry associated with the account identity information exists on the directory service;
  
  comparing the received authentication token with the security information; and
  
  sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred if the authentication token does not match the security information.
- View Dependent Claims (17, 18, 19)
- - 17. The machine-readable medium set forth in claim 16 wherein the series of instructions further causes the processing component to send a request to update the directory service to indicate that successful authentication of the end user has occurred if the authentication token matches the security information.
  - 18. The machine-readable medium set forth in claim 16 wherein the authentication token is generated from a one-way hash function;
    - the security information is put through the same hash function; and
      
      the instructions that compare the received authentication token with the security information compare the hashed version of the security information to the authentication token.
  - 19. The machine-readable medium set forth in claim 16 wherein the authentication token is generated from a one-way hash function;
    - the security information received is hashed security information that was put through the same hash function; and
      
      the instructions that compare the received authentication token with the security information compare the hashed security information to the authentication token.

20. A machine-readable medium for a computer system, the machine-readable medium having stored thereon a series of instructions which, when executed by a processing component of the computer system, cause the processing component to attempt authentication of a user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures by:
- receiving a search request including user identity information at the directory service;
  
  comparing the user identity information with entries in the directory service;
  
  if a match is found, sending an authentication token associated with the user identity information to a client application; and
  
  receiving a request at the directory service to update the directory service with information that indicates whether successful authentication of the user occurred at the client application.
- View Dependent Claims (21, 22)
- - 21. The machine-readable medium set forth in claim 20 having further stored thereon security information for users and wherein the series of instructions further cause the processing component to generate the authentication token from the security information using a one-way hash function prior to sending the authentication token to the client application.
  - 22. The method of claim 20 wherein the series of instructions further cause the processing component to generate authentication tokens when user entries are initially populated and store the authentication token directly in an entry associated for the user.

23. A computer processing system comprising:
- a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures, the directory service adapted to (i) receive a search request including user identity information;
  
  (ii) compare the user identity information with entries in the directory service;
  
  (iii) send an authentication token associated with the user identity information to a client application if a match is found; and
  
  (iv) receive a request at the directory service to update the directory service with information that indicates whether successful authentication of the user occurred at the client application.
- View Dependent Claims (24, 25)
- - 24. The system of claim 23 wherein the directory service stores security information for users, and generates the authentication token from the security information using a one-way hash function prior to sending the authentication token to the client application.
  - 25. The system of claim 23 wherein the directory service generates authentication tokens when user entries are initially populated and stores the authentication token directly in an entry associated for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kottahachchi, Buddhika Nandana

Granted Patent

US 8,738,923 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 63/0838   using one-time-passwords

H04L 9/3271   using challenge-response

FRAMEWORK FOR NOTIFYING A DIRECTORY SERVICE OF AUTHENTICATION EVENTS PROCESSED OUTSIDE THE DIRECTORY SERVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

FRAMEWORK FOR NOTIFYING A DIRECTORY SERVICE OF AUTHENTICATION EVENTS PROCESSED OUTSIDE THE DIRECTORY SERVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links