Methods and systems for authentication through multiple proxy servers that require different authentication data

US 6,839,761 B2
Filed: 04/19/2001
Issued: 01/04/2005
Est. Priority Date: 04/19/2001
Status: Expired due to Term

First Claim

Patent Images

1. In a network configuration that includes a client computer system, a server computer system and a plurality of proxy computer systems that the client computer system would need to communicate through in order to communicate with the server computer system, the plurality of proxy computer systems including at least a first proxy that requires authentication using first authentication data and a second proxy that requires authentication using second authentication data, a method of the client computer system transmitting a request to the server computer system notwithstanding that the first and second proxies require different authentication data, the method comprising the following:

an act of the client computer system dispatching a first request for a service through the first proxy;

an act of the client computer system receiving a first authentication request from the first proxy;

an act of the client computer system retrieving first authentication data associated with the first proxy;

an act of the client computer system dispatching a second request for the service, the second request including the first authentication data;

an act of the client computer system receiving a second authentication request from the second proxy, the first proxy using the first authentication data to authenticate the client computer system and forwarding the second request for the service to the second proxy, the second proxy then receiving the second request for the service;

an act of the client computer system retrieving second authentication data associated with the second proxy; and

an act of the client computer system dispatching a third request for the service to the server computer system, the third request including the first authentication data and the second authentication data, the first proxy using the first authentication data to authenticate the client computer system and thereafter forwarding the third request for the service to the second proxy, the second proxy using the second authentication data to authenticate the client computer system and thereafter forwarding the third request to the server computer system or to a third proxy that requires third authentication data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, computer program products and data structures are described which allow a client to communicate with a server even though multiple proxies that require different authentication data must be traversed to allow such communication. In operation, the client first authenticates to a first proxy using authentication data appropriate for the first proxy. The client then authenticates to a second proxy using different authentication data that is appropriate for the second proxy. This proxy authentication continues through as many proxies as necessary until the client is in communication with the server.

Citations

46 Claims

1. In a network configuration that includes a client computer system, a server computer system and a plurality of proxy computer systems that the client computer system would need to communicate through in order to communicate with the server computer system, the plurality of proxy computer systems including at least a first proxy that requires authentication using first authentication data and a second proxy that requires authentication using second authentication data, a method of the client computer system transmitting a request to the server computer system notwithstanding that the first and second proxies require different authentication data, the method comprising the following:
- an act of the client computer system dispatching a first request for a service through the first proxy;
  
  an act of the client computer system receiving a first authentication request from the first proxy;
  
  an act of the client computer system retrieving first authentication data associated with the first proxy;
  
  an act of the client computer system dispatching a second request for the service, the second request including the first authentication data;
  
  an act of the client computer system receiving a second authentication request from the second proxy, the first proxy using the first authentication data to authenticate the client computer system and forwarding the second request for the service to the second proxy, the second proxy then receiving the second request for the service;
  
  an act of the client computer system retrieving second authentication data associated with the second proxy; and
  
  an act of the client computer system dispatching a third request for the service to the server computer system, the third request including the first authentication data and the second authentication data, the first proxy using the first authentication data to authenticate the client computer system and thereafter forwarding the third request for the service to the second proxy, the second proxy using the second authentication data to authenticate the client computer system and thereafter forwarding the third request to the server computer system or to a third proxy that requires third authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method in accordance with claim 1, further comprising the following:
    - an act of the first proxy removing the first authentication data from the third request; and
      
      an act of the first proxy forwarding the third request to the second proxy without the first authentication data.
  - 3. A method in accordance with claim 2, wherein the act of the client computer system including the first and second authentication data in the third request using an HTTP authentication method comprises the following:
    - an act of the client computer system including the first and second authentication data in a WWW-Authenticate Response Header associated with the digest authentication method.
  - 4. A method in accordance with claim 1, wherein the act of the client computer system dispatching a third request for the service to the server computer system comprises the following:
    - an act of the client computer system including the first and second authentication data in the third request using an HTTP authentication method.
  - 5. A method in accordance with claim 4, wherein the act of the client computer system including the first and second authentication data in the third request using an HTTP authentication method comprises the following:
    - an act of identifying the first authentication data using a first realm associated with the first proxy; and
      
      an act of identifying the second authentication data using a second realm associated with the second proxy.
  - 6. A method in accordance with claim 1, wherein the first and second proxies are administered by different entities.
  - 7. A method in accordance with claim 6, wherein the client computer system comprises a wireless device, and the first proxy is administered by a wireless carrier.
  - 8. A method in accordance with claim 7, wherein the second proxy is administered by a corporate entity.
  - 9. A method in accordance with claim 1, wherein the first authentication data comprises a first user ID and a first password.
  - 10. A method in accordance with claim 1, wherein the second authentication data comprises a second user ID and a second password.
  - 11. A method in accordance with claim 1, wherein the act of the client computer system dispatching a first request, the act of the client computer system receiving a first authentication request, the act of the client computer system dispatching a second request, the act of the client computer system receiving a second authentication request, and the act of the client computer system dispatching a third request are each performed in accordance with the HyperText Transport Protocol (HTTP).
  - 12. A method in accordance with claim 1, wherein the act of the client computer system retrieving first authentication data and the act of the client computer system dispatching a second request are each performed automatically, without user intervention, upon completion of the act of the client computer system receiving a first authentication request from the first proxy.
  - 13. A method in accordance with claim 12, wherein the act of the client computer system retrieving second authentication data and the act of the client computer system dispatching a third request are each performed automatically, without user intervention, upon completion of the act of the client computer system receiving a second authentication request from the first proxy.
  - 14. A method in accordance with claim 1, wherein the act of the client computer system retrieving second authentication data and the act of the client computer system dispatching a third request are each performed automatically, without user intervention, upon completion of the act of the client computer system receiving a second authentication request from the first proxy.

15. In a computer program product for use in a network configuration that includes a client computer system, a server computer system and a plurality of proxy computer systems that the client computer system would need to communicate through in order to communicate with the server computer system, the plurality of proxy computer systems including at least a first proxy that requires authentication using first authentication data and a second proxy that requires authentication using second authentication data, the computer program product for implementing a method of the client computer system transmitting a request to the server computer system notwithstanding that the first and second proxies require different authentication data, the computer program product comprising a computer-readable medium having computer-executable instructions for performing the following:
- an act of the client computer system causing a first request for a service to be dispatched through the first proxy;
  
  an act of the client computer system detecting the receipt of a first authentication request from the first proxy;
  
  an act of the client computer system causing first authentication data associated with the first proxy to be retrieved;
  
  an act of the client computer system causing a second request for the service to be dispatched, the second request including the first authentication data;
  
  an act of the client computer system detecting the receipt of a second authentication request from the second proxy, the first proxy using the first authentication data to authenticate the client computer system and forwarding the second request for the service to the second proxy, the second proxy then receiving the second request for the service;
  
  an act of the client computer system causing second authentication data associated with the second proxy to be retrieved; and
  
  an act of the client computer system causing a third request for the service to be dispatched to the server computer system, the third request including the first authentication data and the second authentication data, the first proxy using the first authentication data to authenticate the client computer system and thereafter forwarding the third request for the service to the second proxy, the second proxy using the second authentication data to authenticate the client computer system and thereafter forwarding the third request to the server computer system or to a third proxy that requires third authentication data.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A computer program product in accordance with claim 15, wherein the computer-executable instructions for performing the act of the client computer system causing a third request for the service to be dispatched to the server computer system comprises computer-executable instructions for performing the following:
    - an act of including the first and second authentication data in the third request using an HTTP authentication method.
  - 17. A computer program product in accordance with claim 16, wherein the computer-executable instructions for performing the act of including the first and second authentication data in the third request using an HTTP authentication method comprises computer-executable instructions for implementing the following:
    - an act of identifying the first authentication data using a first realm associated with the first proxy; and
      
      an act of identifying the second authentication data using a second realm associated with the second proxy.
  - 18. A computer program product in accordance with claim 16, wherein the computer-executable instruction for performing the act of including the first and second authentication data in the third request using an HTTP authentication method comprises computer-executable instructions for implementing the following:
    - an act of including the first and second authentication data in a WWW-Authenticate Response Header associated with the digest authentication method.
  - 19. A computer program product in accordance with claim 15, wherein the computer-executable instructions for implementing an act of the client computer system causing a first request to be dispatched, the act of the client computer system detecting the receipt of a first authentication request, the act of the client computer system causing a second request to be dispatched, the act of the client computer system detecting the receipt a second authentication request, and the act of the client computer system causing a third request to be dispatched are each performed in accordance with the HyperText Transport Protocol (HTTP).
  - 20. A computer-program product in accordance with claim 15, wherein the computer-readable medium is a physical computer-readable medium.

21. In a network configuration that includes a client computer system, a server computer system and a plurality of proxy computer systems that the client computer system would need to communicate through in order to communicate with the server computer system, the plurality of proxy computer systems including at least a first proxy that requires authentication using first authentication data and a second proxy that requires authentication using second authentication data, a method of the client computer system connecting to the server computer system notwithstanding that the first and second proxies require different authentication data, the method comprising the following:
- an act of the client computer system dispatching a connect request to the first proxy;
  
  an act of the client computer system receiving a first authentication request from the first proxy;
  
  an act of the client computer system retrieving first authentication data associated with the first proxy;
  
  an act of the client computer system dispatching a connect request to the second proxy, the connect request to the second proxy including the first authentication data, wherein the first proxy uses the first authentication data to authenticate the client computer system, enters byte forwarding mode, and forwards the connect request to the second proxy server;
  
  an act of the client computer system receiving, via the first proxy, a second authentication request from the second proxy;
  
  an act of the client computer system retrieving second authentication data associated with the second proxy; and
  
  an act of the client computer system dispatching a connect request to the server computer system or to a third proxy that requires third authentication data, the connect request to the server computer system or to the third proxy including the first authentication data and the second authentication data, wherein the second proxy uses the second authentication data to authenticate the client computer system, enters byte forwarding mode, and forwarding the connect request to the server computer system or to the third proxy.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 22. A method in accordance with claim 21, wherein the act of the client computer system dispatching a connect request to the server computer system or to a third proxy comprises the following:
    - an act of the client computer system including the first and second authentication data in the third request using an HTTP authentication method.
  - 23. A method in accordance with claim 22, wherein the act of the client computer system including the first and second authentication data in the third request using an HTTP authentication method comprises the following:
    - an act of identifying the first authentication data using a first realm associated with the first proxy; and
      
      an act of identifying the second authentication data using a second realm associated with the second proxy.
  - 24. A method in accordance with claim 22, wherein the act of the client computer system including the first and second authentication data in the third request using an HTTP authentication method comprises the following:
    - an act of the client computer system including the first and second authentication data in a WWW-Authenticate Response Header associated with the digest authentication method.
  - 25. A method in accordance with claim 21, wherein the first and second proxies are administered by different entities.
  - 26. A method in accordance with claim 25, wherein the client computer system comprises a wireless device, and the first proxy is administered by a wireless carrier.
  - 27. A method in accordance with claim 26, wherein the second proxy is administered by a corporate entity.
  - 28. A method in accordance with claim 21, wherein the first authentication data comprises a first user ID and a first password.
  - 29. A method in accordance with claim 21, wherein the second authentication data comprises a second user ID and a second password.
  - 30. A method in accordance with claim 21, wherein the act of the client computer system dispatching a connect request to the first proxy, the act of the client computer system receiving a first authentication request from the first proxy, the act of the client computer system dispatching a connect request to the second proxy, the act of the client computer system receiving a second authentication request from the second proxy, and the act of the client computer system dispatching a connect request to the server computer system or to a third proxy are performed in accordance with the Secure Socket Layer (SSL) protocol.
  - 31. A method in accordance with claim 21, wherein the act of the client computer system dispatching a connect request to the first proxy, the act of the client computer system receiving a first authentication request from the first proxy, the act of the client computer system dispatching a connect request to the second proxy, the act of the client computer system receiving a second authentication request from the second proxy, and the act of the client computer system dispatching a connect request to the server computer system or to a third proxy are performed in accordance with the HyperText Transport Protocol (HTTP).
  - 32. A method in accordance with claim 31, wherein the act of the client computer system retrieving first authentication data and the act of the client computer system dispatching a connect request to the second proxy are performed automatically, without user intervention, upon completion of the act of the client computer system receiving a first authentication request from the first proxy.
  - 33. A method in accordance with claim 32, wherein the act of the client computer system retrieving second authentication data and the act of the client computer system dispatching a connect request to the server computer system or to a third proxy are performed automatically, without user intervention, upon completion of the act of the client computer system receiving a second authentication request from the second proxy.
  - 34. A method in accordance with claim 21, wherein the act of the client computer system retrieving second authentication data and the act of the client computer system dispatching a connect request to the server computer system or to a third proxy are performed automatically, without user intervention, upon completion of the act of the client computer system receiving a second authentication request from the second proxy.

35. A computer program product for use in a network configuration that includes a client computer system, a server computer system and a plurality of proxy computer systems that the client computer system would need to communicate through in order to communicate with the server computer system, the plurality of proxy computer systems including at least a first proxy that requires authentication using first authentication data and a second proxy that requires authentication using second authentication data, the computer program product for implementing a method of the client computer system connecting to the server computer system notwithstanding that the first and second proxies require different authentication data, the computer program product comprising a computer-readable medium having computer-executable instructions for performing the following:
- an act of the client computer system causing a connect request to be dispatched to the first proxy;
  
  an act of the client computer system detecting the receipt of a first authentication request from the first proxy;
  
  an act of the client computer system causing the first authentication data associated with the first proxy to be retrieved;
  
  an act of the client computer system causing a connect request to be dispatched to the second proxy, the connect request to the second proxy including the first authentication data, wherein the first proxy uses the first authentication data to authenticate the client computer system, enters byte forwarding mode, and forwards the connect request to the second proxy server;
  
  an act of the client computer system detecting the receipt of a second authentication request from the second proxy;
  
  an act of the client computer system causing the second authentication data associated with the second proxy to be retrieved; and
  
  an act of the client computer system causing a connect request to be dispatched to the server computer system or to a third proxy that requires third authentication data, the connect request to the server computer system or to the third proxy including the first authentication data and the second authentication data, wherein the second proxy uses the second authentication data to authenticate the client computer system, enters byte forwarding mode, and forwarding the connect request to the server computer system or to the third proxy.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. A computer program product in accordance with claim 35, wherein the computer-executable instructions for performing the act of the client computer system causing a connect request to be dispatched to the server computer system or to a third proxy comprises computer-executable instructions for performing the following:
    - an act of including the first and second authentication data in the third request using an HTTP authentication method.
  - 37. A computer program product in accordance with claim 36, wherein the computer-executable instructions for performing the act of including the first and second authentication data in the third request using an HTTP authentication method comprises computer-executable instructions for implementing the following:
    - an act of identifying the first authentication data using a first realm associated with the first proxy; and
      
      an act of identifying the second authentication data using a second realm associated with the second proxy.
  - 38. A computer program product in accordance with claim 36, wherein the computer-executable instructions for performing the act of including the first and second authentication data in the third request using an HTTP authentication method comprises computer-executable instructions for implementing the following:
    - an act of including the first and second authentication data in a WWW-Authenticate Response Header associated with the digest authentication method.
  - 39. A computer program product in accordance with claim 35, wherein the computer-executable instructions for implementing an act of the client computer system causing a connect request to be dispatched to the first proxy, the act of the client computer system detecting the receipt of a first authentication request, the act of the client computer system causing a connect request to be dispatched to the second proxy, the act of the client computer system detecting the receipt a second authentication request, and the act of the client computer system causing a connect request to be dispatched are each performed in accordance with the HyperText Transport Protocol (HTTP).
  - 40. A computer program product in accordance with claim 35, wherein the computer-executable instructions for implementing an act of the client computer system causing a connect request to be dispatched to the first proxy, the act of the client computer system detecting the receipt of a first authentication request, the act of the client computer system causing a connect request to be dispatched to the second proxy, the act of the client computer system detecting the receipt a second authentication request, and the act of the client computer system causing a connect request to be dispatched are each performed in accordance with the Secure Socket Layer (SSL) protocol.
  - 41. A computer-program product in accordance with claim 35, wherein the computer-readable medium is a physical computer-readable medium.

42. A computer-readable medium for use in a network configuration that includes a client computer system, a server computer system and a plurality of proxy computer systems that the client computer system would need to communicate through in order to communicate with the server computer system, the plurality of proxy computer systems including at least a first proxy that requires authentication using first authentication data and a second proxy that requires authentication using second authentication data, the computer-readable medium having stored thereon a data structure, the data structure comprising the following:
- a first field representing authentication data, the first field comprising the following;
  
  a second field representing an authentication header that identifies the first field as containing the authentication data;
  
  a third field representing authentication data for the first proxy; and
  
  a fourth field representing authentication data for the second proxy, wherein the third field comprises the following;
  
  a fifth field representing an identifier that identifies the third field as containing authentication data for the first proxy; and
  
  a sixth field representing the first authentication data;
  
  wherein the fourth field comprises the following;
  
  a seventh field representing an identifier that identifies the fourth field as containing authentication data for the second proxy; and
  
  an eighth field representing the second authentication data.
- View Dependent Claims (43, 44, 45, 46)
- - 43. A data structure in accordance with claim 42, wherein the fifth field and the seventh field each identify a realm in accordance with the digest authentication method.
  - 44. A data structure in accordance with claim 42, wherein the first and second authentication data in the sixth field and the eighth field, respectively, are at least partially encrypted.
  - 45. A data structure in accordance with claim 42, wherein the fifth field comprises the following:
    - a ninth field representing a first user ID recognizable by the first proxy as identifying a user associated with the client computer system; and
      
      a tenth field representing a first password recognizable by the first proxy as identifying a password associated with the user;
      
      wherein the seventh field comprises the following;
      
      an eleventh field representing a second user ID recognizable by the second proxy as identifying the user associated with the client computer system; and
      
      a twelfth field representing a second password recognizable by the second proxy as identifying a password associated with the user.
  - 46. A data structure in accordance with claim 45, wherein the tenth field and the twelfth field respectively represent the first and second passwords in encrypted form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Fishman, Neil S., Kramer, Michael, Damour, Kevin T., Kadyk, Donald J.
Primary Examiner(s)
Coulter, Kenneth R.

Application Number

US09/838,408
Publication Number

US 20020156906A1
Time in Patent Office

1,356 Days
Field of Search

709/203, 709/229, 709/237, 709/227, 713/201
US Class Current

709/229
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/083   using passwords cryptograph...

Methods and systems for authentication through multiple proxy servers that require different authentication data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for authentication through multiple proxy servers that require different authentication data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links