Methods and systems for selecting methodology for authenticating computer systems on a per computer system or per user basis

US 7,444,368 B1
Filed: 08/31/2000
Issued: 10/28/2008
Est. Priority Date: 02/29/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a server computer system of authenticating client computer systems using various authentication mechanisms, the method comprising:

receiving from a controlling client computer system a first instruction identifying a first client computer system, identifying a first information related to the controlling client computer system available to the first client computer system through a service of the server computer system, and identifying at least one first authentication mechanism that can be used to authenticate the first client computer system, the first authentication mechanism specifying at least one first type of information necessary to verify a first purported identity of the first client computer system, the first client computer system having client-specific knowledge of the information necessary to verify the first purported identity of the first client computer system, the first client computer system being separate from the controlling client computer system;

receiving from the controlling client computer system a second instruction identifying a second client computer system, identifying a second information related to the controlling client computer system available to the second client computer system through the service of the server computer system, identifying a second authentication mechanism that can be used to authenticate the second client computer system, and identifying a third authentication mechanism that can be used to authenticate the second client computer system, the second authentication mechanism specifying a second type of information necessary to verify a second purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the second purported identity of the second client computer system, the third authentication mechanism specifying a third type of information necessary to verify a third purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the third purported identity of the second client computer system, the second client computer system being separate from the controlling client computer system;

storing, for the first client computer system, an indication of the first authentication mechanism;

storing, for the second client computer system, an indication of the second authentication mechanism and the third authentication mechanism;

after receiving the first instruction and before authenticating the first client computer system, receiving a first request from the first client computer system to access the service of the server computer system, the first request including information of the type specified by the first authentication mechanism that is necessary to verify the first purported identity of the first client computer system, wherein the information is known specifically to the first client computer system;

initially authenticating the first client computer system using the first authentication mechanism based on the information received from the first client computer system that is necessary to verify the first purported identity of the first client computer system;

after receiving the second instruction and before authenticating the second client computer system, receiving a second request from the second client computer system to access the service of the server computer system;

upon receiving the second request from the second client computer system to access the service of the server computer system, selecting a selected authentication mechanism from the second and third authentication mechanisms, the selected authentication mechanism being different from the first authentication mechanism; and

authenticating the second client computer system using the selected authentication mechanism based on information received from the second client computer system that is necessary to verify the second or third purported identity of the second client computer system corresponding to the selected authentication mechanism.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and systems are disclosed for enabling a computer system to generate a request that includes an instruction identifying the authentication method or methods to be used when authenticating a subset of the client computer systems or users network connected to a server computer system. The subset of client computer systems or users may include as little a single computer system or user. The request is then transmitted to the server computer system. When receiving subsequent requests for service from any of the subset of client computer systems or users, the server computer system will refer to the information in the instruction to determine which authentication methods are acceptable in authenticating the client computer system or user.

103 Citations

View as Search Results

19 Claims

1. A method in a server computer system of authenticating client computer systems using various authentication mechanisms, the method comprising:
- receiving from a controlling client computer system a first instruction identifying a first client computer system, identifying a first information related to the controlling client computer system available to the first client computer system through a service of the server computer system, and identifying at least one first authentication mechanism that can be used to authenticate the first client computer system, the first authentication mechanism specifying at least one first type of information necessary to verify a first purported identity of the first client computer system, the first client computer system having client-specific knowledge of the information necessary to verify the first purported identity of the first client computer system, the first client computer system being separate from the controlling client computer system;
  
  receiving from the controlling client computer system a second instruction identifying a second client computer system, identifying a second information related to the controlling client computer system available to the second client computer system through the service of the server computer system, identifying a second authentication mechanism that can be used to authenticate the second client computer system, and identifying a third authentication mechanism that can be used to authenticate the second client computer system, the second authentication mechanism specifying a second type of information necessary to verify a second purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the second purported identity of the second client computer system, the third authentication mechanism specifying a third type of information necessary to verify a third purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the third purported identity of the second client computer system, the second client computer system being separate from the controlling client computer system;
  
  storing, for the first client computer system, an indication of the first authentication mechanism;
  
  storing, for the second client computer system, an indication of the second authentication mechanism and the third authentication mechanism;
  
  after receiving the first instruction and before authenticating the first client computer system, receiving a first request from the first client computer system to access the service of the server computer system, the first request including information of the type specified by the first authentication mechanism that is necessary to verify the first purported identity of the first client computer system, wherein the information is known specifically to the first client computer system;
  
  initially authenticating the first client computer system using the first authentication mechanism based on the information received from the first client computer system that is necessary to verify the first purported identity of the first client computer system;
  
  after receiving the second instruction and before authenticating the second client computer system, receiving a second request from the second client computer system to access the service of the server computer system;
  
  upon receiving the second request from the second client computer system to access the service of the server computer system, selecting a selected authentication mechanism from the second and third authentication mechanisms, the selected authentication mechanism being different from the first authentication mechanism; and
  
  authenticating the second client computer system using the selected authentication mechanism based on information received from the second client computer system that is necessary to verify the second or third purported identity of the second client computer system corresponding to the selected authentication mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein selecting the selected authentication mechanism is based on an ability of the server computer system to support the second and third authentication mechanisms and access rights of the second client computer system to access resources of the service of the server computer system.
  - 3. The method of claim 1 wherein the second request includes information of the type specified by the third authentication mechanism that is necessary to verify the third purported identity of the second client computer system, wherein the information is known specifically to the second client computer system, the method further comprising initially authenticating the second client computer system using the third authentication mechanism based on the information received from the second client computer system that is necessary to verify the third purported identity of the second client computer system.
  - 4. The method of claim 3, wherein the third authentication mechanism is the same as the first authentication mechanism.
  - 5. The method of claim 1 wherein the selected authentication mechanism includes an assertion authentication, and wherein the type of information specified by the assertion authentication is an indication of an identity of the second client computer system.
  - 6. The method of claim 1 wherein the selected authentication mechanism includes a basic HTTP authentication, and wherein the type of information specified by the basic HTTP authentication is a password of the second client computer system.
  - 7. The method of claim 1 wherein the selected authentication mechanism includes digest authentication, and wherein the type of information specified by the digest authentication is a digest generated by hashing a series of numbers associated with the second client computer system.
  - 8. The method of claim 1 wherein the selected authentication mechanism includes an NTLM authentication, and wherein the type of information specified by the NTLM authentication comprises credentials of the second client computer system, wherein the credentials include a user name and an encrypted password of the second client computer system.

9. A method in a controlling client computer system for providing indications of authentication mechanisms to a server computer system, the method comprising:
- generating a first instruction identifying a first client computer system, identifying a first resource of information related to the controlling client computer system of a service of the server computer system, and identifying a first authentication mechanism that can be used to authenticate the first client computer system, the first authentication mechanism specifying a type of information necessary to verify a purported identity of the first client computer system, the first client computer system having client-specific knowledge of the information necessary to verify the purported identity of the first client computer system, the first client computer system being different from the controlling client computer system;
  
  generating a second instruction identifying a second client computer system, identifying a second resource of information different from the first resource of information and related to the controlling client computer system of the service of the server computer system, and identifying a second authentication mechanism different from the first authentication mechanism that can be used to authenticate the second client computer system, the second authentication mechanism specifying a type of information necessary to verify a purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the purported identity of the second client computer system, the second client computer system being different from the controlling client computer system; and
  
  sending the first and second instructions to the server computer system so that upon receiving a first request from the first client computer system to access information related to the controlling client computer system through the service of the server computer system, after the first instruction is received at the server computer system, the server computer authenticates the first client computer using the first authentication mechanism and provides the first resource of information to the first client computer based on the first instruction, and upon receiving a second request from the second client computer system to access information related to the controlling client computer system through the service of the server computer system, after the second instruction is received at the server computer system, when the second client computer system can be authenticated using multiple authentication mechanisms, the server computer system selects a selected authentication mechanism based on authentication abilities of the second client computer system to support the selected authentication mechanism, authentication abilities of the server computer system to support the selected authentication mechanism, and access rights of the second client computer system to access information related to the controlling client computer system, the server computer system initially authenticates the second client computer system using the selected authentication mechanism based on information received from the second client computer system that is necessary to verify the purported identity of that client computer system, and in response to the authentication of the second client computer system, the server computer system provides the second resource of information.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9 wherein a plurality of instructions indicate that the same authentication mechanism is to be used to authenticate multiple client computer systems when associated with the same resource of information related to the controlling client computer, and wherein the multiple client computer systems are authenticated by the server computer system using the indicated authentication mechanism.
  - 11. The method of claim 9 wherein the selected authentication mechanism includes an assertion authentication, and wherein the type of information specified by the assertion authentication is an indication of an identity of the second client computer system.
  - 12. The method of claim 9 wherein the selected authentication mechanism includes a basic HTTP authentication, and wherein the type of information specified by the basic HTTP authentication is a password of the second client computer system.
  - 13. The method of claim 9 wherein the selected authentication mechanism includes digest authentication, and wherein the type of information specified by the digest authentication is a digest generated by hashing a series of numbers associated with the second client computer system.
  - 14. The method of claim 9 wherein the selected authentication mechanism includes an NTLM authentication, and wherein the type of information specified by the NTLM authentication comprises credentials of the second client computer system, wherein the credentials include a user name and an encrypted password of the second client computer system.

15. A physical computer-readable medium containing instructions for controlling a server computer system to authenticate entities using various authentication mechanisms, by a method comprising:
- receiving from a controlling client computer system a first instruction identifying a first client computer system, identifying a first information related to the controlling client computer system available to the first client computer system through a service of the server computer system, and identifying at least one first authentication mechanism that can be used to authenticate the first client computer system, the first authentication mechanism specifying at least one first type of information necessary to verify a first purported identity of the first client computer system, the first client computer system having client-specific knowledge of the information necessary to verify the first purported identity of the first client computer system, the first client computer system being separate from the controlling client computer system;
  
  receiving from the controlling client computer system a second instruction identifying a second client computer system, identifying a second information related to the controlling client computer system available to the second client computer system through the service of the server computer system, identifying a second authentication mechanism that can be used to authenticate the second client computer system, and identifying a third authentication mechanism that can be used to authenticate the second client computer system, the second authentication mechanism specifying a second type of information necessary to verify a second purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the second purported identity of the second client computer system, the third authentication mechanism specifying a third type of information necessary to verify a third purported identity of the second client computer system, the second client computer system having client-specific knowledge of the information necessary to verify the third purported identity of the second client computer system, the second client computer system being separate from the controlling client computer system;
  
  storing, for the first client computer system, an indication of the first authentication mechanism;
  
  storing, for the second client computer system, an indication of the second authentication mechanism and the third authentication mechanism;
  
  after receiving the first instruction and before authenticating the first client computer system, receiving a first request from the first client computer system to access the service of the server computer system, the first request including information of the type specified by the first authentication mechanism that is necessary to verify the first purported identity of the first client computer system, wherein the information is known specifically to the first client computer system;
  
  initially authenticating the first client computer system using the first authentication mechanism based on the information received from the first client computer system that is necessary to verify the first purported identity of the first client computer system;
  
  after receiving the second instruction and before authenticating the second client computer system, receiving a second request from the second client computer system to access the service of the server computer system;
  
  upon receiving the second request from the second client computer system to access the service of the server computer system, selecting a selected authentication mechanism from the second and third authentication mechanisms, the selected authentication mechanism being different from the first authentication mechanism; and
  
  authenticating the second client computer system using the selected authentication mechanism based on information received from the second client computer system that is necessary to verify the second or third purported identity of the second client computer system corresponding to the selected authentication mechanism.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The physical computer-readable medium of claim 15 wherein selecting the selected authentication mechanism is based on an ability of the server computer system to support the second and third authentication mechanisms and access rights of the second client computer system to access resources of the service of the server computer system.
  - 17. The physical computer-readable medium of claim 15 wherein the second request includes information of the type specified by the third authentication mechanism that is necessary to verify the third purported identity of the second client computer system, wherein the information is known specifically to the second client computer system, the method further comprising initially authenticating the second client computer system using the third authentication mechanism based on the information received from the second client computer system that is necessary to verify the third purported identity of the second client computer system.
  - 18. The physical computer-readable medium of claim 15, wherein the third authentication mechanism is the same as the first authentication mechanism.
  - 19. The physical computer-readable medium of claim 15 wherein the selected authentication mechanism is a member of a group consisting of an assertion authentication, a basic HTTP authentication, a digest authentication, and an NTLM authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wong, Leon, Beebee, Peter, Aggarwal, Sudhanshu, Vincent, Jesse
Primary Examiner(s)
Jaroenchonwanit; Bunjob
Assistant Examiner(s)
WIDHALM, ANGELA M

Application Number

US09/652,360
Time in Patent Office

2,980 Days
Field of Search

709/223, 709/203, 705/12, 345/826, 707/104.1, 726/6, 726/18
US Class Current

709/200
CPC Class Codes

G06F 21/31 User authentication

H04L 63/083 using passwords cryptograph...

Methods and systems for selecting methodology for authenticating computer systems on a per computer system or per user basis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for selecting methodology for authenticating computer systems on a per computer system or per user basis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others