Disconnected credential validation using pre-fetched service tickets

US 9,288,201 B2
Filed: 11/11/2013
Issued: 03/15/2016
Est. Priority Date: 02/13/2006
Status: Active Grant

First Claim

Patent Images

1. A computerized method that processes login credentials, the method comprising:

pre-caching a Kerberos user service ticket in a ticket cache associated with a login device, the Kerberos user service ticket comprising an encrypted portion with identification information about a user that is used to subsequently authenticate the user, wherein the Kerberos user service ticket identifies the login device as a principal and a user as a service provider;

receiving an authentication request at the login device from the user subsequent to pre-caching the Kerberos user service ticket, the authentication request comprising one or more login credentials of the user;

in response to receiving the authentication request from the user, determining whether a Kerberos server is unavailable; and

in response to determining that the Kerberos server is unavailable, authenticating the user based on the Kerberos user service ticket stored in the ticket cache, said authenticating comprising decrypting the Kerberos user service ticket and comparing the identification information about the user stored in the Kerberos user service ticket with the one or more login credentials of the user.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more user service tickets are obtained (i.e. pre-fetched) from an authentication server and stored in a ticket cache. The user service tickets facilitate a login device communicating with one or more users or group members associated with the login device. Login credentials for the users or group members may be subsequently authenticated against the user service tickets within the ticket cache thereby eliminating the need for immediate access to the authentication server or a previous login session by the users or group members. The user service tickets within the ticket cache may be refreshed as needed. In one embodiment, the user service tickets are refreshed daily and also in response to login attempts if the authentication service is readily accessible.

437 Citations

19 Claims

1. A computerized method that processes login credentials, the method comprising:
- pre-caching a Kerberos user service ticket in a ticket cache associated with a login device, the Kerberos user service ticket comprising an encrypted portion with identification information about a user that is used to subsequently authenticate the user, wherein the Kerberos user service ticket identifies the login device as a principal and a user as a service provider;
  
  receiving an authentication request at the login device from the user subsequent to pre-caching the Kerberos user service ticket, the authentication request comprising one or more login credentials of the user;
  
  in response to receiving the authentication request from the user, determining whether a Kerberos server is unavailable; and
  
  in response to determining that the Kerberos server is unavailable, authenticating the user based on the Kerberos user service ticket stored in the ticket cache, said authenticating comprising decrypting the Kerberos user service ticket and comparing the identification information about the user stored in the Kerberos user service ticket with the one or more login credentials of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computerized method of claim 1, wherein authenticating the user with the Kerberos user service ticket comprises using the Kerberos user service ticket to construct a Kerberos AP-REQ message structure that is validated using a credential generated key for the user.
  - 3. The computerized method of claim 1, wherein the Kerberos user service ticket stores an identifier of the login device in the encrypted portion of the Kerberos user service ticket.
  - 4. The computerized method of claim 1, wherein the Kerberos server is a Kerberos key distribution center (KDC).
  - 5. The computerized method of claim 1, wherein the method further comprises refreshing the Kerberos user service ticket.
  - 6. The computerized method of claim 5, wherein the Kerberos user service ticket is refreshed in response to an event selected from a group consisting of expiration of a selected interval, a login request, a change in user credentials, and during a reboot cycle.
  - 7. The computerized method of claim 1, wherein the Kerberos user service ticket comprises an identifier of the login device in a username field and an identifier of the user in a service name field.

8. An apparatus to validate login credentials, the apparatus comprising:
- a computer processor;
  
  a ticket pre-fetch module comprising computer-executable instructions that cause the processor to obtain a Kerberos user service ticket from a Kerberos server, wherein the Kerberos user service ticket identifies a login device as a principal and a user as a service provider and comprises an encrypted portion with identification information about the user that is used to subsequently authenticate the user;
  
  a ticket cache configured to pre-cache the Kerberos user service ticket for subsequent authentication of the user; and
  
  an authentication module comprising computer-executable instructions that cause the processor to;
  
  receive an authentication request at the login device for the user subsequent to pre-caching of the Kerberos user service ticket in the ticket cache, the authentication request comprising one or more login credentials of the user,determine whether the Kerberos server is available, andin response to determining that the Kerberos server is unavailable, authenticate the user with the Kerberos user service ticket by at least decrypting the Kerberos user service ticket and comparing the identification information about the user stored in the Kerberos user service ticket with one or more login credentials of the user.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein the authentication module further causes the processor to generate a key for the user from the one or more login credentials, decrypt a portion of the Kerberos user service ticket using the key for the user, and validate authentication data associated with the Kerberos user service ticket.
  - 10. The apparatus of claim 8, wherein the authentication module further causes the processor to use the Kerberos user service ticket to construct a Kerberos AP-REQ message structure that is validated using a key for the user.
  - 11. The apparatus of claim 8, wherein the ticket pre-fetch module further causes the processor to refresh the Kerberos user service ticket.
  - 12. The apparatus of claim 11, wherein the ticket pre-fetch module further causes the processor to refresh the Kerberos user service ticket in response to an event selected from a group consisting of expiration of a selected interval, a change in user credentials, a login request, and a reboot cycle.
  - 13. The apparatus of claim 8, wherein the Kerberos user service ticket comprises an identifier of the login device in a username field and an identifier of the user in a service name field.

14. A tangible computer storage device having encoded thereon a plurality of computer-executable instructions that, when combined with computer hardware capable of executing the instructions, create computer circuitry that performs operations defined by the computer-executable instructions, the computer-executable instructions comprising:
- a first set of computer-executable instructions that causes the computer hardware to receive a first service ticket for a login device from an authentication server prior to receiving a login request of a user, wherein the first service ticket identifies the login device as a principal and the user as a service provider and the first service ticket further comprises an encrypted portion with identification information about the user that is used to subsequently authenticate the user;
  
  a second set of computer-executable instructions that causes the computer hardware to pre-cache the first service ticket in a ticket cache;
  
  a third set of computer-executable instructions that causes the computer hardware to receive a login request with the login device from the user to access a service subsequent to said pre-caching of the first service ticket, the login request from the user comprising a login credential;
  
  a fourth set of computer-executable instructions that causes the computer hardware to attempt to obtain a second service ticket from the authentication server in response to receiving the login request from the user; and
  
  a fifth set of computer-executable instructions that causes the computer hardware, in response to failing to receive the second service ticket, to authenticate the user by comparing information in the first service ticket stored in the ticket cache with the login credential.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The tangible computer storage device of claim 14, wherein said fourth set of computer-executable instructions that causes the computer hardware to attempt to obtain the second service ticket from the authentication server comprises instructions that cause the computer hardware to test for a timeout condition.
  - 16. The tangible computer storage device of claim 14, wherein said fifth set of computer-executable instructions that causes the computer hardware to authenticate the user by comparing information in the first service ticket stored in the ticket cache with the login credential comprises instructions that cause the computer hardware to authenticate the user by comparing information in the first service ticket stored in the ticket cache with the login credential in response to a timeout condition being satisfied.
  - 17. The tangible computer storage device of claim 14, wherein said first set of computer-executable instructions that causes the computer hardware to receive the first service ticket for the login device comprises instructions that cause the computer hardware to authenticate the login device used by the user.
  - 18. The tangible computer storage device of claim 14, wherein the first service ticket comprises an identifier of the login device in a username field and an identifier of the user in a service name field.
  - 19. The tangible computer storage device of claim 14, wherein said fifth set of computer-executable instructions that causes the computer hardware to authenticate the user by comparing the first service ticket and the login credential comprises instructions that cause the computer hardware to decrypt at least a portion of the first service ticket using a key generated from the login credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Peterson, Matthew T., Webb, Jeff Marsden
Primary Examiner(s)
AVERY, JEREMIAH L
Assistant Examiner(s)
Zecher, Cordelia

Application Number

US14/076,913
Publication Number

US 20140196132A1
Time in Patent Office

855 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 9/3213 using tickets or tokens, e....

Disconnected credential validation using pre-fetched service tickets

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

437 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Disconnected credential validation using pre-fetched service tickets

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

437 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links