Method and apparatus to permit automated server determination for foreign system login

US 6,826,692 B1
Filed: 12/23/1998
Issued: 11/30/2004
Est. Priority Date: 12/23/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for automatic user access authentication, comprising:

receiving identification information at a first local security server from a prospective user at one of a plurality of workstations associated with the first local security server, the first local security server comprising a first local authentication database and a network database;

if the first local authentication database at the first local security server includes authentication information associated with the prospective user and the identification information matches the authentication information associated with the prospective user, authenticating the prospective user; and

if the first local authentication database at the first local security server does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;

communicating with the network database to identify a second local security server including a second local authentication database, the second local authentication database including the authentication information for the prospective user and associated with a second plurality of workstations; and

communicating the identification information to allow authentication of the prospective user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing automatic user access authentication of any user who is a member of a set of authorized users of a computer enterprise from any one of a plurality of geographically dispersed user workstations, onto one of a plurality of predetermined local security servers, through the use of a single logon. A person server resident on a local security server compares the user-provided identification information to entries contained in a local authentication database. If the person server finds a match, the user is granted access to the local security server. If the person server does not find a match, the user-provided authentication information is not valid for granting access to the local security server and the person server then searches a network database to determine whether the entered user name is known to the enterprise. If the person server finds a single user name matching the previously entered user name, it returns the name of the local security server associated with the computer enterprise whose local authentication database may have the information necessary for allowing proper authentication of the user. Upon receiving the name of the newly-identified server, the client then automatically retrieves the server'"'"'s logical location from a service mapping file and then repeats the authentication request to the new local security server. If the person server finds more than one user with the entered user name or if the person server fails to find any user name matching the previously entered user name, then it returns a failed logon request to the client. The system provides the capability to operate across a number of network protocols through its use of a standard directory protocol, such as the X.500 standard.

123 Citations

View as Search Results

66 Claims

1. A method for automatic user access authentication, comprising:
- receiving identification information at a first local security server from a prospective user at one of a plurality of workstations associated with the first local security server, the first local security server comprising a first local authentication database and a network database;
  
  if the first local authentication database at the first local security server includes authentication information associated with the prospective user and the identification information matches the authentication information associated with the prospective user, authenticating the prospective user; and
  
  if the first local authentication database at the first local security server does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;
  
  communicating with the network database to identify a second local security server including a second local authentication database, the second local authentication database including the authentication information for the prospective user and associated with a second plurality of workstations; and
  
  communicating the identification information to allow authentication of the prospective user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, further comprising maintaining an updated service mapping file for updating the workstations associated with the first local security server.
  - 3. The method of claim 2, the updated service mapping file comprising a version number with a listing of a plurality of local security servers and each local security server'"'"'s associated logical location.
  - 4. The method of claim 3, further comprising receiving from each workstation a version number of a stored service mapping file stored on the workstation when the prospective user attempts to log onto the first local security server.
  - 5. The method of claim 4 further comprising:
6. The method of claim 1 further comprising transmitting an identification of the second local security server from the first local security server to the workstation.
7. The method of claim 6, each workstation operable to:
- receive an identification of the second local security server from the first local security server; and
  
  dynamically route the identification information to the second local security server to authenticate the prospective user for access to the second local security server.
8. The method of claim 7, wherein each workstation operable to route the identification information to the second local security server comprises each workstation operable to access the updated service mapping file to identify a logical location of the second local security server.
9. The method of claim 1 further comprising communicating the identification information to the second local security server.
10. The method of claim 1, the identification information comprising a user name, a user password and a user role.
11. The method of claim 1, each local authentication database comprising a listing of users authorized to access each local security server with their associated passwords and user roles.
12. The method of claim 11, each workstation operable to:
- maintain a listing of the user roles with at least one network service authorized for each user role; and
  
  provide a logged-on user with access to the network services that correspond to the user'"'"'s role.
13. The method of claim 1, wherein each local authentication database is encrypted.
14. The method of claim 13 further comprising decrypting a user password contained in the first local authentication database prior to authenticating the prospective user for access.
15. The method of claim 1, the network database comprising a network database listing of a plurality of local security servers with each local security server'"'"'s associated connection information, authorized users, and at least one associated standby local security server.
16. The method of claim 15, each standby local security server comprising a local security server whose local authentication database is substantially identical to its associated local security server'"'"'s local authentication database.
17. The method of claim 15, the network database listing further comprising an operational status for each local security server.
18. The method of claim 17 further comprising identifying at least one of the associated standby local security servers in the event the local security server is not operational.
19. The method of claim 1 further comprising creating an audit entry for each failed attempt to access the local security server.
20. The method of claim 19, the audit entry comprising an identifier of the workstation, with a date and a time of the failed access attempt.
21. The method of claim 20 further comprising disabling the workstation from which a number of failed access attempts are received, in the event the number of failed access attempts exceeds a database value.
22. The method of claim 1, wherein each local authentication database and the network database are in X.500 format.

23. A system comprising:
- a plurality of local security servers, each local security server comprising a local authentication database and a network database and each local security server associated with a plurality of workstations, each of the local security servers operable to;
  
  receive identification information from a prospective user at one of the associated workstations;
  
  if the local authentication database includes authentication information associated with the prospective user and the identification information matches the authentication information associated with the prospective user, authenticate the prospective user; and
  
  if the local authentication database does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;
  
  communicate with the network database to identify one of the other local security servers whose local authentication database includes the authentication information for the prospective user; and
  
  communicating the identification information to allow authentication of the prospective user.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 24. The system of claim 23, each of the local security servers further operable to maintain an updated service mapping file to update the associated workstations.
  - 25. The system of claim 24, the updated service mapping file comprising a version number with a listing of a plurality of local security servers and each local security server'"'"'s associated logical location.
  - 26. The system of claim 25, each workstation operable to communicate a version number of a stored service mapping file stored on the workstation to the associated local security server whenever the prospective user attempts to log onto the associated local security server.
  - 27. The system of claim 26, each of the local security servers further operable to:
28. The system of claim 23, each of the local security servers further operable to transmit an identification of the identified local security server to the associated workstation.
29. The system of claim 28, each workstation operable to:
- receive an identification of the identified local security server from the associated local security server; and
  
  dynamically route the identification information to the identified local security server to authenticate the prospective user for access to the identified local security server.
30. The system of claim 29, wherein each workstation operable to route the identification information to the identified local security server comprises each workstation operable to access the updated service mapping file to identify a logical location of the identified local security server.
31. The system of claim 23, each of the local security servers further operable to communicate the identification information to the identified local security server.
32. The system of claim 23, the identification information comprising a user name, a user password and a user role.
33. The system of claim 23, each local authentication database comprising a listing of users authorized to access each local security server with their associated passwords and user roles.
34. The system of claim 33, each workstation operable to:
- maintain a listing of the user roles with at least one network service authorized for each user role; and
  
  provide a logged-on user with access to the network services that correspond to the user'"'"'s role.
35. The system of claim 23, wherein each local authentication database is encrypted.
36. The system of claim 35, each of the local security servers further operable to decrypt a user password contained in the local authentication database prior to authenticating the prospective user for access.
37. The system of claim 23, the network database comprising a network database listing of the plurality of local security servers with each local security server'"'"'s associated connection information, authorized users, and at least one associated standby local security server.
38. The system of claim 37, each standby local security server comprising a local security server whose local authentication database is substantially identical to its associated local security server'"'"'s local authentication database.
39. The system of claim 37, the network database listing further comprising an operational status for each local security server.
40. The system of claim 39, each of the local security servers further operable to identify at least one of the associated standby local security servers in the event the local security server is not operational.
41. The system of claim 23, each of the local security servers further operable to create an audit entry for each failed attempt to access the local security server.
42. The system of claim 41, the audit entry comprising an identifier of the workstation, with a date and a time of the failed access attempt.
43. The system of claim 42, each of the local security servers further operable to disable the workstation from which a number of failed access attempts are received in the event the number of failed access attempts exceeds a database value.
44. The system of claim 23, wherein each local authentication database and the network database are in X.500 format.

45. Software embodied on at least one computer readable medium and operable when executed to:
- receive identification information at a first local security server from a prospective user at one of a plurality of workstations associated with the first local security server, the first local security server comprising a first local authentication database and a network database;
  
  if the first local authentication database at the first local security server includes authentication information associated with the prospective user and the identification information matching the authentication information associated with the prospective user, authenticate the prospective user; and
  
  if the first local authentication database at the first local security server does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;
  
  communicate with the network database to identify a second local security server including a second local authentication database, the second local authentication database including the authentication information for the prospective user and associated with a second plurality of workstations; and
  
  communicate the identification information to allow authentication of the prospective user.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 46. The software of claim 45 further operable to maintain an updated service mapping file for updating the workstations associated with the first local security server.
  - 47. The software of claim 46, the updated service mapping file comprising a version number with a listing of a plurality of local security servers and each local security server'"'"'s associated logical location.
  - 48. The software of claim 47 further operable to receive from each workstation a version number of a stored service mapping file stored on the workstation when the prospective user attempts to log onto the first local security server.
  - 49. The software of claim 48 further operable to:
50. The software of claim 45 further operable to transmit an identification of the second local security server from the first local security server to the workstation.
51. The software of claim 50, each workstation operable to:
- receive an identification of the second local security server from the first local security server; and
  
  dynamically route the identification information to the second local security server to authenticate the prospective user for access to the second local security server.
52. The software of claim 51, wherein each workstation operable to route the identification information to the second local security server comprises each workstation operable to access the updated service mapping file to identify a logical location of the second local security server.
53. The software of claim 45 further operable to communicate the identification information to the second local security server.
54. The software of claim 45, the identification information comprising a user name, a user password and a user role.
55. The software of claim 45, each local authentication database comprising a listing of users authorized to access each local security server with their associated passwords and user roles.
56. The software of claim 55, each workstation operable to:
- maintain a listing of the user roles with at least one network service authorized for each user role; and
  
  provide a logged-on user with access to the network services that correspond to the user'"'"'s role.
57. The software of claim 45, wherein each local authentication database is encrypted.
58. The software of claim 57 further operable to decrypt a user password contained in the first local authentication database prior to authenticating the prospective user for access.
59. The software of claim 45, the network database comprising a network database listing of a plurality of local security servers with each local security server'"'"'s associated connection information, authorized users, and at least one associated standby local security server.
60. The software of claim 59, each standby local security server comprising a local security server whose local authentication database is substantially identical to its associated local security server'"'"'s local authentication database.
61. The software of claim 59, the network database listing further comprising an operational status for each local security server.
62. The software of claim 61 further operable to identify at least one of the associated standby local security servers in the event the local security server is not operational.
63. The software of claim 45 further operable to create an audit entry for each failed attempt to access the local security server.
64. The software of claim 63, the audit entry comprising an identifier of the workstation, with a date and a time of the failed access attempt.
65. The software of claim 64 further operable to disable the workstation from which a number of failed access attempts are received, in the event the number of failed access attempts exceeds a database value.
66. The software of claim 45, wherein each local authentication database and the network database are in X.500 format.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
White, Clive John
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US09/219,854
Time in Patent Office

2,169 Days
Field of Search

713/200, 713/201, 713/202, 709/223, 709/224, 709/225, 709/226, 709/229, 709/208
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

H04L 63/0815 providing single-sign-on or...

Method and apparatus to permit automated server determination for foreign system login

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to permit automated server determination for foreign system login

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links