Pass-thru for client authentication

US 7,644,275 B2
Filed: 04/15/2003
Issued: 01/05/2010
Est. Priority Date: 04/15/2003
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus comprising:

a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential by;

the first server providing information to the client, wherein the client generates signed data, a client credential, and a premaster secret to communicate with the first server;

the first server authenticating the client using the client credential thereby establishing a secure channel between the client and the first server;

the first server presenting a first authentication to the Domain Controller;

the first server requesting a second authentication context from that same client to a second server using the client credential, wherein the Domain Controller assures the second server that the first server authenticated the client;

the first server being a front end server and the second server being a back end server; and

the first server proving to the Domain Controller that the first server authenticated the client, the proving being by the first server presenting evidence of that authentication to the Domain Controller thereby establishing another secure channel between the client and the second server;

the first server requesting a third authentication context from the same client to a third server and proving to the Domain Controller that the client authenticated itself to the first server wherein a series of secure and distinct channels is established between the client and each of the servers.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

Citations

23 Claims

1. An apparatus comprising:
- a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential by;
  
  the first server providing information to the client, wherein the client generates signed data, a client credential, and a premaster secret to communicate with the first server;
  
  the first server authenticating the client using the client credential thereby establishing a secure channel between the client and the first server;
  
  the first server presenting a first authentication to the Domain Controller;
  
  the first server requesting a second authentication context from that same client to a second server using the client credential, wherein the Domain Controller assures the second server that the first server authenticated the client;
  
  the first server being a front end server and the second server being a back end server; and
  
  the first server proving to the Domain Controller that the first server authenticated the client, the proving being by the first server presenting evidence of that authentication to the Domain Controller thereby establishing another secure channel between the client and the second server;
  
  the first server requesting a third authentication context from the same client to a third server and proving to the Domain Controller that the client authenticated itself to the first server wherein a series of secure and distinct channels is established between the client and each of the servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the second authentication context from that client to the second server is based on the first authentication context from that client to the first server.
  - 3. The apparatus of claim 1, wherein the first authentication context is based on a Kerberos ticket.
  - 4. The apparatus of claim 1, wherein the authentication context is based on a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) security protocol.
  - 5. The apparatus of claim 1, wherein the first authentication context is based on a first ticket, and the second authentication context is based on a second ticket.
  - 6. The apparatus of claim 5, wherein the first ticket is a Kerberos ticket.
  - 7. The apparatus of claim 5, wherein the second ticket is a Kerberos ticket.
  - 8. The apparatus of claim 1, further comprising providing an SSL/TLS handshake protocol.
  - 9. The apparatus of claim 8, wherein the handshake protocol provides the first authentication context and the second authentication context.
  - 10. The apparatus of claim 1, further comprising the client generating a first master key, and the first server generating a second master key.
  - 11. The apparatus of claim 1, further comprising the client generating a first session key and the first server generating a second session key.

12. A method comprising:
- a first server providing information to a client wherein the client generates signed data, a client credential, and a premaster secret to communicate with a first server;
  
  the first server authenticating the client using the client credential thereby establishing a secure channel between the client and the first server;
  
  first server presenting a first authentication to a Domain Controller;
  
  the first server providing a pass-thru with evidence to the Domain Controller (DC), wherein the evidence relates to a first authentication context being submitted from the client to the first server that the client obtained a delegable credential;
  
  using the pass-thru in combination with the credential to request a second authentication context from the client to a second server, wherein the Domain Controller assures the second server that the first server authenticated the client;
  
  the first server being a front end server and the second server being a back end server; and
  
  the first server proving to the Domain Controller that the first server authenticated the client, the proving being by the first server presenting evidence of that authentication to the Domain Controller thereby establishing another secure channel between the client and the second server;
  
  the first server requesting a third authentication context from the same client to a third server and proving to the Domain Controller that the client authenticated itself to the first server wherein a series of secure and distinct channels is established between the client and each of the servers.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the second authentication context from the client to the second server is based on the first authentication context from the client to the first server.
  - 14. The method of claim 12, wherein the first authentication context is based on a Kerberos ticket.
  - 15. The method of claim 12, wherein the authentication context is based on a secure sockets layer (SSL)/Transport Layer Security (TLS) security protocol.
  - 16. The method of claim 12, wherein the first authentication context is based on a first ticket, and the second authentication context is based on a second ticket.
  - 17. The method of claim 16, wherein the first ticket is a Kerberos ticket.
  - 18. The method of claim 16, wherein the second ticket is a Kerberos ticket.
  - 19. The method of claim 12, further comprising providing an SSL/TLS handshake protocol.
  - 20. The method of claim 19, wherein the handshake protocol provides the first authentication context and the second authentication context.
  - 21. The method of claim 12, further comprising the client generating a first master key, and the first server generating a second master key.
  - 22. The method of claim 12, further comprising the client generating a first session key and the first server generating a second session key.

23. A computer readable storage medium having computer executable instructions on a computing device for performing steps comprising:
- a first server providing information to a client wherein the client generates signed data, a client credential, and a premaster secret;
  
  the first server authenticating the client using the client credential thereby establishing a secure channel between the client and the first server;
  
  the first server presenting a first authentication to a Domain Controller;
  
  the first server providing a pass-thru with evidence to the Domain Controller (DC), wherein the evidence relates to a first authentication context being submitted from the client to the first server that the client obtained a delegable credential and wherein the pass-thru with evidence includes a plurality of handshake messages between the client and the first server created during the authenticating of the client;
  
  the first server using the pass-thru with evidence including the plurality of authentication handshake messages in combination with the credential to request a second authentication context from the client to a second server wherein the Domain Controller assures the second server that the first server authenticated the client;
  
  the first server being a front end server and the second server being a back end server;
  
  the first server proving to the Domain Controller that the first server authenticated the client, the proving being by the first server presenting the pass-thru with evidence including the plurality of authentication handshake messages to the Domain Controller thereby establishing another secure channel between the client and the second server; and
  
  the first server requesting a third authentication context from the same client to a third server and proving to the Domain Controller that the client authenticated itself to the first server wherein a series of secure and distinct channels is established between the client and each of the servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Banes, John, Leach, Paul J., Simon, Daniel R., Mowers, David R.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
To; Baotran N

Application Number

US10/413,799
Publication Number

US 20040210756A1
Time in Patent Office

2,457 Days
Field of Search

709/225, 709223-226, 709/237, 726/2, 726/5, 726/10, 713155-156, 713/189, 713/789, 713/159, 713/168, 380/279
US Class Current

713/168
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0869   for achieving mutual authen...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

Pass-thru for client authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Pass-thru for client authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links