Credential Sharing Between Multiple Client Applications

US 20100146611A1
Filed: 12/09/2008
Published: 06/10/2010
Est. Priority Date: 12/09/2008
Status: Active Grant

First Claim

Patent Images

1. A method for sharing user credentials between remote access client applications, comprising:

receiving from a user a request to launch a remote access client application;

instantiating a credential repository, wherein the repository exposes interfaces for storing and deleting the user'"'"'s authentication credentials and associates the authentication credentials with a list of resources available to the user;

validating the request to launch a remote access client application;

attaching at least one of said authentication credentials to the request and sending the request to the remote access client application, wherein the at least one authentication credential can be used to authenticate the user and allow access to a resource associated with the remote access client application; and

deleting the credential repository upon receiving a logoff indication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are techniques for sharing user credentials between multiple client applications when connecting to a set of remote resources. The mechanism enables a single sign-on between a terminal server web access service and the remote applications, remote desktops and corresponding terminal servers accessible through the service. User credentials may be received by one of the client applications and passed to a credential store running as a local software object in association with the user'"'"'s logon session. Further requests to launch a new remote connection may then pass through the credential store. Upon successful validation of the request, the credential store may attach user credential information to the request and pass the request to the requested client. The requested client may also execute as a software object associated with the current logon session. The client may then use the supplied credential for authentication to the requested resource or application.

108 Citations

View as Search Results

20 Claims

1. A method for sharing user credentials between remote access client applications, comprising:
- receiving from a user a request to launch a remote access client application;
  
  instantiating a credential repository, wherein the repository exposes interfaces for storing and deleting the user'"'"'s authentication credentials and associates the authentication credentials with a list of resources available to the user;
  
  validating the request to launch a remote access client application;
  
  attaching at least one of said authentication credentials to the request and sending the request to the remote access client application, wherein the at least one authentication credential can be used to authenticate the user and allow access to a resource associated with the remote access client application; and
  
  deleting the credential repository upon receiving a logoff indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising redirecting a request to launch a second client application to the credential repository.
  - 3. The method of claim 1 wherein the user authentication credentials are received via a terminal services web access web page.
  - 4. The method of claim 3 wherein remote applications, remote desktops and corresponding terminal servers are accessible via the credential repository.
  - 5. The method of claim 1, wherein the credential repository executes as a local Component Object Model (COM) server within a logon session.
  - 6. The method of claim 1, wherein the remote access client application executes as a COM server within a logon session.
  - 7. The method of claim 1, wherein the credentials in the credential repository are stored in encrypted form such that only applications executing on behalf of the logged on user can decrypt the credentials.
  - 8. The method of claim 1, wherein the list of resources available to the user is predetermined and received from a host providing a remote access user interface.
  - 9. The method of claim 1, wherein the list of resources comprises a unique identifier and information for verifying authenticity of connection requests.
  - 10. The method of claim 9, wherein the information comprises a list of trusted certificates.
  - 11. The method of claim 1, wherein a plurality of credential repositories can be instantiated for a plurality of users.
  - 12. The method of claim 1, wherein said deleting is performed after a predefined timeout.

13. A system adapted to share user credentials between remote access client applications, comprising:
- at least one processor; and
  
  at least one memory communicatively coupled to said at least one processor, the memory having stored therein computer-executable instructions for;
  
  receiving from a user via a terminal services web access web page a request to launch a remote access client application;
  
  instantiating a credential repository, wherein the credential repository comprises the user'"'"'s authentication credentials stored in encrypted form such that only applications executing on behalf of the user during a current session can decrypt the credentials in the credential repository;
  
  validating the request to launch a remote access client application;
  
  attaching at least one of said authentication credentials to the request and sending the request to a resource associated with the remote access client application; and
  
  deleting the credential repository upon receiving a logoff indication.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13 wherein the repository exposes interfaces for storing and deleting the authentication credentials and associates the authentication credentials with a list of resources available to the user.
  - 15. The system of claim 13 wherein the credential repository executes as a local Component Object Model (COM) server within a logon session.
  - 16. The system of claim 13, wherein the list of resources comprises a unique identifier and a list of trusted certificates for verifying authenticity of connection requests.
  - 17. The system of claim 13 further comprising computer-executable instructions for redirecting a plurality of requests to launch additional client applications to the credential repository.

18. A computer readable storage medium storing thereon computer executable instructions for sharing user credentials between remote access client applications, the medium comprising instructions for:
- receiving from a user a request to initiate a logon session and launch a first remote access client application;
  
  instantiating a credential repository for the user comprising the user'"'"'s authentication credentials;
  
  validating the request to launch the first remote access client application;
  
  attaching a first user credential to the request and sending the request to a first resource associated with the first remote access client application;
  
  redirecting a request to launch a second remote access client application to the credential repository;
  
  validating the request to launch the second remote access client application; and
  
  attaching a second user credential to the request to launch a second remote access client application and sending the request to a second resource associated with the second remote access client application.
- View Dependent Claims (19, 20)
- - 19. The computer readable storage medium of claim 18, wherein the credential repository exposes interfaces for storing and deleting the authentication credentials and associates the authentication credentials with a list of resources available to the user.
  - 20. The computer readable storage medium of claim 18, further comprising deleting the credential repository upon completion of a current logon session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kuzin, Sergey, Mehmood, Kashif, Sampath, Sriram, Erdogan, Ersev Samim, Palekar, Ashwin, Ivanova, Olga

Granted Patent

US 8,413,210 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

H04L 63/0815 providing single-sign-on or...

Credential Sharing Between Multiple Client Applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Credential Sharing Between Multiple Client Applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links