Disconnected credential validation using pre-fetched service tickets
First Claim
1. A computerized method that processes login credentials, the method comprising:
- prior to a request from a user of a login device to authenticate, obtaining, from a Kerberos server, a user service ticket for the login device, wherein the user service ticket identifies the login device as a principal and the user as a service provider, the user service ticket further comprising an encrypted portion with identification information about the user that is used to subsequently authenticate the user;
- pre-caching the user service ticket in a ticket cache associated with the login device;
- receiving an authentication request at the login device from the user subsequent to pre-caching the user service ticket, the authentication request comprising one or more login credentials of the user;
- in response to receiving the authentication request from the user, determining whether the Kerberos server is unavailable; and
- in response to determining that the Kerberos server is unavailable, authenticating the user based on the user service ticket stored in the ticket cache, said authenticating comprising decrypting the user service ticket and comparing the identification information about the user stored in the user service ticket with the one or more login credentials of the user.
Abstract
One or more user service tickets are obtained (i.e. pre-fetched) from an authentication server and stored in a ticket cache. The user service tickets facilitate a login device communicating with one or more users or group members associated with the login device. Login credentials for the users or group members may be subsequently authenticated against the user service tickets within the ticket cache thereby eliminating the need for immediate access to the authentication server or a previous login session by the users or group members. The user service tickets within the ticket cache may be refreshed as needed. In one embodiment, the user service tickets are refreshed daily and also in response to login attempts if the authentication service is readily accessible.
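The offline check described in the abstract and in claim 1, as an added example that is not taken from the patent: a simulated Kerberos server seals a ticket under the user's password-derived key, the login device caches it, and a later login is validated by decrypting the cached ticket with a key derived from the typed password. The realm, device and user names, the JSON ticket layout, the HMAC-based stand-in cipher (real Kerberos uses AES-CTS enctypes) and the expiry check are assumptions of this example.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"  # constructed realm name

def string_to_key(password, principal):
    # AES-enctype style string-to-key (RFC 3962): PBKDF2-HMAC-SHA1, salt = realm + principal
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (REALM + principal).encode(), 4096, 32)

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode); real Kerberos uses AES-CTS
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with separate subkeys derived from the long-term key
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key (wrong password) or tampered ticket
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def kdc_issue_ticket(device, user, user_password, lifetime=86400, now=None):
    # Simulated Kerberos server: the user is the "service", so the encrypted
    # part is sealed under the user's long-term key.
    now = time.time() if now is None else now
    enc = json.dumps({"client": device, "user": user, "endtime": now + lifetime}).encode()
    return {"sname": user, "enc_part": seal(string_to_key(user_password, user), enc)}

def authenticate_offline(cache, user, password, now=None):
    # Login-device path taken when the Kerberos server is unreachable.
    now = time.time() if now is None else now
    ticket = cache.get(user)
    if ticket is None:
        return False  # nothing was pre-fetched for this user
    plain = unseal(string_to_key(password, user), ticket["enc_part"])
    if plain is None:
        return False
    info = json.loads(plain)
    # Compare the identity inside the ticket with the login; expiry check is an assumption
    return info["user"] == user and info["endtime"] > now
```

Because a successful decryption confirms the password, the ticket cache is password-verifier material and needs the same protection as any other credential store on the login device.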
20 Claims
9. An apparatus to validate login credentials, the apparatus comprising:
- a computer processor;
- a ticket pre-fetch module comprising computer-executable instructions that cause the processor to obtain a user service ticket from a Kerberos server prior to a request from a user of a login device to authenticate, wherein the user service ticket identifies the login device as a principal and the user as a service provider and comprises an encrypted portion with identification information about the user that is used to subsequently authenticate the user;
- a ticket cache configured to pre-cache the user service ticket for subsequent authentication of the user; and
- an authentication module comprising computer-executable instructions that cause the processor to:
  - receive an authentication request at the login device for the user subsequent to pre-caching of the user service ticket in the ticket cache, the authentication request comprising one or more login credentials of the user,
  - determine whether the Kerberos server is available, and
  - in response to determining that the Kerberos server is unavailable, authenticate the user with the user service ticket by at least decrypting the user service ticket and comparing the identification information about the user stored in the user service ticket with one or more login credentials of the user.
15. A system of validating login credentials comprising:
- a computer processor;
- a first set of computer-executable instructions that causes the processor to request a first service ticket for a login device from an authentication server prior to receiving a login request of a user;
- a second set of computer-executable instructions that causes the processor to receive the first service ticket from the authentication server, wherein the service ticket identifies the login device as a principal and the user as a service provider and the service ticket further comprises an encrypted portion with identification information about the user that is used to subsequently authenticate the user;
- a third set of computer-executable instructions that causes the processor to pre-cache the first service ticket in a ticket cache;
- a fourth set of computer-executable instructions that causes the processor to receive a login request with the login device from the user to access a service subsequent to said pre-caching of the first service ticket, the login request from the user comprising a login credential;
- a fifth set of computer-executable instructions that causes the processor to attempt to obtain a second service ticket from the authentication server in response to receiving the login request from the user; and
- a sixth set of computer-executable instructions that causes the processor, in response to failing to receive the second service ticket, to authenticate the user by comparing information in the first service ticket stored in the ticket cache with the login credential.