Globally trusted credentials leveraged for server access control

US 7,519,596 B2
Filed: 03/09/2005
Issued: 04/14/2009
Est. Priority Date: 03/30/2004
Status: Active Grant

First Claim

Patent Images

1. An access control method implemented on a computing system, the method comprising:

identifying at least one resource principal for which an application program lacks at least one local trusted credential for authenticating at least one purported client credential provided in connection with at least one local access request on a first computer on which the application program is executing; and

authorizing at least one client to access the application program based on a determination by at least one separate non-local trusted authority, executing on a second computer different from the first computer, that the at least one purported client credential is valid for the at least one resource principal, andproviding access to the application program based on the determination by the at least one separate non-local authority,wherein the application program maintains locally trusted credentials for authenticating client credentials provided for local access requests.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, computer-readable media and application program interfaces are disclosed for enabling server applications to verify purported authentication information, such as passwords, provided by clients in connection with server access requests by leveraging trusted credentials maintained by separate trusted authorities. In some cases, the server applications may lack trusted credentials that may be used to verify the purported authentication information. In those cases, the server applications may identify security principal accounts managed by the separate trusted authorities for which the provided authentication information may be purported to be valid for by the requesting clients. Further, the server applications may request the separate trusted authorities to authenticate the purported authentication information before granting access to the requesting clients. In other cases, the server applications may maintain locally trusted credentials that may be used to verify the provided authentication information without involving the separate trusted authorities.

70 Citations

View as Search Results

20 Claims

1. An access control method implemented on a computing system, the method comprising:
- identifying at least one resource principal for which an application program lacks at least one local trusted credential for authenticating at least one purported client credential provided in connection with at least one local access request on a first computer on which the application program is executing; and
  
  authorizing at least one client to access the application program based on a determination by at least one separate non-local trusted authority, executing on a second computer different from the first computer, that the at least one purported client credential is valid for the at least one resource principal, andproviding access to the application program based on the determination by the at least one separate non-local authority,wherein the application program maintains locally trusted credentials for authenticating client credentials provided for local access requests.
- View Dependent Claims (2, 3, 4)
- - 2. The method as set forth in claim 1 further comprising:
    - obtaining at least one reference to at least one security identifier for the at least one resource principle via at least one application object managed by the application program; and
      
      requesting the at least one separate trusted authority to provide at least one account identifier for the at least one resource principle in exchange for the at least one security identifier obtained via the at least one application object.
  - 3. The method as set forth in claim 1 further comprising:
    - identifying at least one other resource principal for which the application program maintains at least one locally trusted credential for authenticating at least one other purported client credential provided in connection with at least one other access request; and
      
      authorizing at least one other client to access the application program based on another determination by the at least one application program that the at least one other purported client credential is valid for at least one other resource principal.
  - 4. The method as set forth in claim 3 further comprising:
    - authenticating the at least one other purported client credential provided in connection with the at least one other access request based on the at least one locally trusted credential maintained by the application program without involving the at least one non-local separate trusted authority.

5. At least one computer-readable storage medium having at least one instruction stored thereon, which when executed by at least one processing system in conjunction with at least one application program, causes the at least one application program to implement at least one access control method, the at least one medium comprising at least one instruction for:
- identifying at least one resource principal for which the at least one application program lacks at least one local trusted credential for authenticating at least one purported client credential provided in connection with at least one local access request on a first computing system on which the application program is executing;
  
  authorizing at least one client to access the at least one application program based on a determination by at least one separate non-local trusted authority, executing on a second computing system different from the first computing system, that the at least one purported client credential is valid for the at least one resource principal, andproviding access to the at least one application program based on the authorizing of the at least one client to access the at least one application program,wherein the application program maintains locally trusted credentials for authenticating client credentials provided for local access requests.
- View Dependent Claims (6, 7, 8)
- - 6. The at least one medium as set forth in claim 5 further comprising at least one other instruction for:
    - obtaining at least one reference to at least one security identifier for the at least one resource principle via at least one application object managed by the at least one application program; and
      
      requesting the at least one separate trusted authority to provide at least one account identifier for the at least one resource principle in exchange for the at least one security identifier obtained via the at least one application object.
  - 7. The at least one medium as set forth in claim 5 further comprising at least one other instruction for:
    - identifying at least one other resource principal for which the at least one application program maintains at least one locally trusted credential for authenticating at least one other purported client credential provided in connection with at least one other access request; and
      
      authorizing at least one other client to access the at least one application program based on another determination by the at least one application program that the at least one other purported client credential is valid for at least one other resource principal.
  - 8. The at least one medium as set forth in claim 5 wherein the at least one application program comprises at least one of either one or more directory services, one or more databases, or one or more of any other type of data store.

9. A computer readable storage medium having at least one application program interface (API) tangibly embodied as at least one instruction stored on the computer-readable storage medium, which when executed by at least one processing system in conjunction with at least one application program, causes the at least one application program to implement at least one access control method, the at least one API comprising:
- at least one access interface that accepts at least one request to access the at least one application program; and
  
  at least one credential parameter that accepts at least one purported client credential provided in connection with at least one call to the at least one access interface for which the at least one application program lacks at least one local trusted credential for authenticating, on a first computing system on which the application program is executing, and for which the at least one application program requests at least one separate non-local trusted authority to authenticate on a second computing system different from the first computing system,wherein the at least one interface grants access to the at least one application program on a determination based the at least one credential credential parameter, andwherein the at least one application program maintains locally trusted credentials for authenticating client credentials for access requests.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The medium as set forth in claim 9 further comprising at least one identifier parameter for the at least one access interface that accepts at least one identifier that identifies at least one application object of the at least one application program which references at least one resource principle managed by the separate trusted authority for which authentication of the at least one purported client credential is based on.
  - 11. The medium as set forth in claim 10 wherein the at least one identifier parameter accepts at least one other identifier that identifies at least one other application object maintaining at least one locally trusted credential which the at least one application program can use to authenticate at least one other purported client credential accepted by the at least one credential parameter without involving the at least one separate trusted authority.
  - 12. The medium as set forth in claim 9 wherein the at least one access interface returns at least one authentication result obtained by the at least one application program performing at least one of either requesting the at least one separate trusted authority to authenticate the at least one purported client credential or authenticating at least one other purported client credential accepted by the at least one credential parameter using at least one locally trusted credential maintained by at least one application object of the at least one application program.
  - 13. The medium as set forth in claim 9 wherein the at least one access interface is expressed using at least one of either a lightweight directory access protocol or one or more of any other protocol.
  - 14. The medium as set forth in claim 9 wherein the at least one application program comprises at least one of either one or more directory services, one or more databases, or one or more of any other type of data store.

15. A computer implemented method of requesting access to at least one application program on an application server, the method comprising:
- calling at least one access interface that has at least one credential parameter for requesting access to the at least one application program executing on a first computing system; and
  
  providing the at least one credential parameter with at least one purported client credential for which the at least one application program lacks at least one local trusted credential for authenticating and for which the at least one application program requests at least one separate non-local trusted authority to authenticate on a second computing system different from the first computing system, wherein the at least one application program maintains locally trusted credentials for authenticating client credentials for access requests; and
  
  accessing the application program on a determination based on the at least one credential parameter.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method as set forth in claim 15 wherein the at least one access interface also has at least one identifier parameter, the method further comprising:
    - providing the at least one identifier parameter with at least one identifier that identifies at least one application object of the at least one application program which references at least one resource principle managed by the separate trusted authority for which authentication of the at least one purported client credential is based on.
  - 17. The method as set forth in claim 16 further comprising:
    - providing the at least one identifier parameter with at least one other identifier that identifies at least one other application object maintaining at least one locally trusted credential which the at least one application program can use to authenticate at least one other purported client credential provided to the at least one credential parameter without involving the at least one separate trusted authority.
  - 18. The method as set forth in claim 15 wherein calling at least one access interface further comprises:
    - making at least one lightweight directory access protocol simple bind call or one or more other calls using any other protocol in connection with the at least one access interface call.
  - 19. The method as set forth in claim 15 further comprising:
    - obtaining at least one return value indicating successful or unsuccessful authentication of the at least one purported client credential.
  - 20. The method as set forth in claim 15 further comprising:
    - accessing the at least one application program responsive to obtaining at least one return value indicating successful authentication of the purported credential information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Iyer, Kannan C., Gavrilov, Dmitri
Primary Examiner(s)
Lewis; Cheryl

Application Number

US10/906,853
Publication Number

US 20050228981A1
Time in Patent Office

1,497 Days
Field of Search

707 1- 5, 707/9, 707/10, 709/203, 719/328
US Class Current

1/1
CPC Class Codes

H04L 63/08 for authentication of entit...

Globally trusted credentials leveraged for server access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Globally trusted credentials leveraged for server access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others