System and method for supporting distributed computing mechanisms in a local area network server environment
Abstract
LAN server machines are configured to utilize their existing mechanisms to pass generic security subsystem (GSS) distributed computing environment (DCE) credentials. The server management block (SMB) protocol is extended to facilitate exchange of such credentials, wherein the server utilizes the GSS API interface to obtain and validate them. The GSS interface provides tokens which encapsulate all information necessary to perform mutual authentication between the client and server. A new protocol level is defined with respect to such SMB protocol extensions, which includes a new protocol name exchanged in the negotiate protocol (NP) SMB. Pre-existing LAN servers turn on a bit in the SMB_secmode field of the NP response indicating that the server supports exchange of the secpkgX SMB. The server then waits for either an SMBsecpkgX or an SMBsesssetupX response. The former permits the user/client and server to exchange GSS tokens utilizing a conventional LAN server mechanism and thereby mutually authenticate.
9 Claims
1. A method for improving mutual authentication during session setup with distributed computing environment (DCE) credentials between clients and servers interconnected in a LAN server environment which does not support remote procedure calls (RPC) natively, comprising the steps of:
predefining an extension of a server management block (SMB) protocol to exchange credentials;
accessing with said server, as a function of said predefined extension, a generic security subsystem (GSS) through a GSS API interface defined by said DCE, said accessing step further including retrieving tokens with said clients and said server encapsulating information necessary to perform said mutual authentication, and activating a second bit in an SMB_secmode field in a negotiate protocol (NP) response;
detecting with said server an SMBsecpkgX response;
exchanging, in response to said detecting, GSS tokens between said client and said server to effect said mutual authentication;
defining a GSS/DCE token package corresponding to said SMBsecpkgX response;
calling with said client a GSS_initiate_sec_context function to obtain a first token to send to said server;
transferring a second token, returned in response to said first token, from said client to said GSS_initiate_sec_context function;
returning with said GSS_initiate_sec_context function whether or not said server is authenticated; and
obtaining and validating said credentials from said GSS in response to said accessing.
View Dependent Claims (2, 3)
4. Apparatus for improving mutual authentication during session setup with distributed computing environment (DCE) credentials between clients and servers interconnected in a LAN server environment which does not support remote procedure calls (RPC) natively, comprising:
means for predefining an extension of a server management block (SMB) protocol to exchange credentials;
means for accessing with said server, as a function of said predefined extension, a generic security subsystem (GSS) through a GSS API interface defined by said DCE, said means for accessing further including means for retrieving tokens with said clients and said servers encapsulating information necessary to perform said mutual authentication;
means for activating a second bit in an SMB_secmode field in a negotiate protocol (NP) response;
means for detecting with said server an SMBsecpkgX response;
means for exchanging, in response to said detecting, GSS tokens between said client and said server to effect said mutual authentication;
means for defining a GSS/DCE token package corresponding to said SMBsecpkgX response;
means for calling with said client a GSS_initiate_sec_context function to obtain a first token to send to said server;
means for transferring a second token, returned in response to said first token, from said client to said GSS_initiate_sec_context function;
means for returning with said GSS_initiate_sec_context function whether or not said server is authenticated; and
means for obtaining and validating said credentials from said GSS in response to said accessing.
View Dependent Claims (5, 6)
7. A computer program product for improving mutual authentication during session setup with distributed computing environment (DCE) credentials between clients and servers interconnected in a LAN server environment which does not support remote procedure calls (RPC) natively, said computer program product comprising:
a computer usable medium having computer readable program code embodied in said medium for improving mutual authentication during session setup with the DCE, said computer program product including:
computer readable program code means for predefining an extension of a server management block (SMB) protocol to exchange credentials, further including computer readable program code means for activating a second bit in an SMB_secmode field in a negotiate protocol (NP) response;
computer readable program code means for accessing with said server, as a function of said predefined extension, a generic security subsystem (GSS) through a GSS API interface defined by said DCE, said computer readable program code means for accessing further including computer readable program code means for retrieving tokens with said clients and said servers encapsulating information necessary to perform said mutual authentication;
computer readable program code means for detecting with said server an SMBsecpkgX response;
computer readable program code means for exchanging, in response to said detecting, GSS tokens between said client and said server to effect said mutual authentication;
computer readable program code means for defining a GSS/DCE token package corresponding to said SMBsecpkgX response;
computer readable program code means for calling with said client a GSS_initiate_sec_context function to obtain a first token to send to said server;
computer readable program code means for transferring a second token, returned in response to said first token, from said client to said GSS_initiate_sec_context function;
computer readable program code means for returning with said GSS_initiate_sec_context function whether or not said server is authenticated; and
computer readable program code means for obtaining and validating said credentials from said GSS in response to said accessing.
View Dependent Claims (8, 9)
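The negotiate-protocol bit, the SMBsecpkgX token loop and the "is the server authenticated" result described in the abstract and in claims 1, 4 and 7 above, as an added simulation that is not part of the patent and not code from any LAN server or DCE implementation. It assumes a bit layout for SMB_secmode (the patent only says "second bit"), replaces the DCE/Kerberos GSS mechanism with a constructed HMAC proof of key possession over two nonces, and models the two GSS calls as init_sec_context and accept_sec_context with GSS-style major-status codes; the keys, token framing and message names are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed bit layout of the SMB_secmode field for this simulation; the patent
# only says the "second bit" signals SMBsecpkgX support, so bit 1 (0x02) is used.
SECMODE_USER_LEVEL = 0x01   # bit 0: user-level security
SECMODE_SECPKGX = 0x02      # bit 1: server accepts the SMBsecpkgX exchange

# Status codes shaped like the GSS API's major-status values.
GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED, GSS_S_FAILURE = 0, 1, 2
NONCE_LEN, TAG_LEN = 16, 32


class SecContext:
    """Per-side state of the toy mechanism (a stand-in for the DCE/Kerberos GSS mechanism)."""

    def __init__(self, key: bytes):
        self.key = key
        self.my_nonce = os.urandom(NONCE_LEN)
        self.peer_nonce = None
        self.peer_authenticated = False


def _proof(key: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Proof of key possession bound to both nonces; the role label separates the two directions."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()


def init_sec_context(ctx: SecContext, input_token):
    """Client side, shaped like gss_init_sec_context: returns (major_status, output_token)."""
    if input_token is None:
        return GSS_S_CONTINUE_NEEDED, ctx.my_nonce                     # token 1: client nonce
    if len(input_token) != NONCE_LEN + TAG_LEN:
        return GSS_S_FAILURE, None
    server_nonce, server_proof = input_token[:NONCE_LEN], input_token[NONCE_LEN:]
    expected = _proof(ctx.key, b"server", ctx.my_nonce, server_nonce)
    if not hmac.compare_digest(expected, server_proof):
        return GSS_S_FAILURE, None                                     # server NOT authenticated
    ctx.peer_nonce = server_nonce
    ctx.peer_authenticated = True      # the "whether or not said server is authenticated" result
    return GSS_S_COMPLETE, _proof(ctx.key, b"client", ctx.my_nonce, server_nonce)  # token 3


def accept_sec_context(ctx: SecContext, input_token):
    """Server side, shaped like gss_accept_sec_context: returns (major_status, output_token)."""
    if input_token is None:
        return GSS_S_FAILURE, None
    if ctx.peer_nonce is None:
        if len(input_token) != NONCE_LEN:
            return GSS_S_FAILURE, None
        ctx.peer_nonce = input_token
        proof = _proof(ctx.key, b"server", input_token, ctx.my_nonce)
        return GSS_S_CONTINUE_NEEDED, ctx.my_nonce + proof             # token 2: nonce + proof
    expected = _proof(ctx.key, b"client", ctx.peer_nonce, ctx.my_nonce)
    if not hmac.compare_digest(expected, input_token):
        return GSS_S_FAILURE, None                                     # client NOT authenticated
    ctx.peer_authenticated = True
    return GSS_S_COMPLETE, None


def negprot_response(supports_secpkgx: bool) -> dict:
    """Negotiate-protocol response; only an extended server sets the secpkgX bit."""
    secmode = SECMODE_USER_LEVEL | (SECMODE_SECPKGX if supports_secpkgx else 0)
    return {"smb": "NEGPROT", "secmode": secmode}


def session_setup(client_key: bytes, server_key: bytes, supports_secpkgx: bool = True) -> dict:
    """Run session setup as the client drives it; report which path ran and who was authenticated."""
    resp = negprot_response(supports_secpkgx)
    if not resp["secmode"] & SECMODE_SECPKGX:
        # Legacy server: fall back to SMBsesssetupX, which carries no GSS tokens and
        # therefore gives the client no proof of the server's identity.
        return {"smb": "SESSSETUPX", "server_authenticated": False, "client_authenticated": False}
    client, server = SecContext(client_key), SecContext(server_key)
    status, token = init_sec_context(client, None)
    while status == GSS_S_CONTINUE_NEEDED:
        # Each client token rides in an SMBsecpkgX request; the reply carries the server's token.
        s_status, s_token = accept_sec_context(server, token)
        if s_status == GSS_S_FAILURE:
            break
        status, token = init_sec_context(client, s_token)
    if status == GSS_S_COMPLETE and token is not None:
        accept_sec_context(server, token)                              # final client proof
    return {"smb": "SECPKGX",
            "server_authenticated": client.peer_authenticated,
            "client_authenticated": server.peer_authenticated}


if __name__ == "__main__":
    shared = hashlib.sha256(b"constructed demo key").digest()   # constructed shared secret
    print(session_setup(shared, shared))
    print(session_setup(shared, b"\x00" * 32))                  # rogue server: client aborts first
    print(session_setup(shared, shared, supports_secpkgx=False))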
Specification