Method and apparatus to permit automated server determination for foreign system login
Abstract
A method and apparatus for providing automatic user access authentication of any user who is a member of a set of authorized users of a computer enterprise from any one of a plurality of geographically dispersed user workstations, onto one of a plurality of predetermined local security servers, through the use of a single logon. A person server resident on a local security server compares the user-provided identification information to entries contained in a local authentication database. If the person server finds a match, the user is granted access to the local security server. If the person server does not find a match, the user-provided authentication information is not valid for granting access to the local security server and the person server then searches a network database to determine whether the entered user name is known to the enterprise. If the person server finds a single user name matching the previously entered user name, it returns the name of the local security server associated with the computer enterprise whose local authentication database may have the information necessary for allowing proper authentication of the user. Upon receiving the name of the newly-identified server, the client then automatically retrieves the server's logical location from a service mapping file and then repeats the authentication request to the new local security server. If the person server finds more than one user with the entered user name or if the person server fails to find any user name matching the previously entered user name, then it returns a failed logon request to the client. The system provides the capability to operate across a number of network protocols through its use of a standard directory protocol, such as the X.500 standard.
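The logon flow the abstract describes, as an added example that is not the patent's own code: a person server checks its local authentication database, falls back to the network database to find the user's home server, and the workstation follows the returned server name through its service mapping file and repeats the request. The server names, the (user name, home server) layout of the network database, the host:port entries of the mapping file and the salted-hash password storage are the editor's assumptions. Claims 13 and 14 describe encrypted passwords that are decrypted before comparison; the example deliberately substitutes a one-way salted hash, which is what a practitioner would store today.

```python
import hashlib
import hmac
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 digest. Claims 13-14 describe decrypting a stored password
    # before comparison; the one-way hash is the editor's substitution.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass(frozen=True)
class AuthRecord:
    salt: bytes
    digest: bytes
    role: str            # claims 10-12: the role selects the authorized network services


def make_record(password: str, role: str, salt: bytes) -> AuthRecord:
    return AuthRecord(salt, hash_password(password, salt), role)


class PersonServer:
    """The 'person server' resident on one local security server (abstract)."""

    def __init__(self, name: str, local_db: dict, network_db: list):
        self.name = name
        self.local_db = local_db        # user name -> AuthRecord (local authentication database)
        self.network_db = network_db    # (user name, home server name) entries (network database)

    def authenticate(self, user: str, password: str) -> tuple:
        """Return ('ok', role), ('redirect', server_name) or ('fail', reason)."""
        rec = self.local_db.get(user)
        if rec is not None and hmac.compare_digest(hash_password(password, rec.salt), rec.digest):
            return ("ok", rec.role)
        # No local match: ask the network database which server knows this user name.
        homes = sorted({server for (name, server) in self.network_db if name == user})
        if not homes:
            return ("fail", "unknown user")
        if len(homes) > 1:
            return ("fail", "ambiguous user name")
        if homes[0] == self.name:
            # The only home is this server and the local check already failed;
            # a redirect would send the workstation straight back here.
            return ("fail", "bad credentials")
        return ("redirect", homes[0])


class Workstation:
    """Client side: logs on locally, then follows a redirect via the service mapping file."""

    def __init__(self, local_server: str, servers: dict, service_map: dict):
        self.local_server = local_server
        self.servers = servers          # server name -> PersonServer (stands in for the network)
        self.service_map = service_map  # {"version": int, "servers": {name: "host:port"}}

    def logon(self, user: str, password: str, max_redirects: int = 1) -> tuple:
        target = self.local_server
        for _ in range(max_redirects + 1):
            server = self.servers.get(target)
            if server is None:
                return ("fail", f"{target} unreachable")
            status, payload = server.authenticate(user, password)
            if status != "redirect":
                return (status, payload)
            if payload not in self.service_map["servers"]:
                return ("fail", f"no mapping for {payload}")
            target = payload
        return ("fail", "redirect limit exceeded")


def build_demo() -> Workstation:
    """Two security servers and a workstation attached to sec-east (constructed data)."""
    east_db = {"alice": make_record("correct horse", "operator", b"salt-alice")}
    west_db = {"bob": make_record("battery staple", "auditor", b"salt-bob")}
    network_db = [
        ("alice", "sec-east"), ("bob", "sec-west"),
        ("carol", "sec-east"), ("carol", "sec-west"),   # duplicate user name: must fail
        ("erin", "sec-north"),                          # home server absent from the mapping file
    ]
    servers = {
        "sec-east": PersonServer("sec-east", east_db, network_db),
        "sec-west": PersonServer("sec-west", west_db, network_db),
    }
    service_map = {"version": 3, "servers": {"sec-east": "10.0.1.10:389", "sec-west": "10.0.2.10:389"}}
    return Workstation("sec-east", servers, service_map)


if __name__ == "__main__":
    ws = build_demo()
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"), ("bob", "wrong"),
                     ("carol", "x"), ("dave", "x"), ("erin", "x")]:
        print(f"{user:6} -> {ws.logon(user, pw)}")
```

The "bad credentials" branch is the case to get right: a wrong password for a user whose only home is the local server would otherwise produce a redirect back to the same server. The ambiguous-name and unknown-name cases fail without any redirect, as the abstract requires, and a redirect to a server missing from the mapping file fails on the workstation instead of raising. The distinct failure reasons are returned here so the behaviour can be checked; a production server would return one uniform failure to the workstation and keep the distinction in its audit log, since telling "unknown user" apart from "bad credentials" lets a caller enumerate valid user names.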
66 Claims
1. A method for automatic user access authentication, comprising:
receiving identification information at a first local security server from a prospective user at one of a plurality of workstations associated with the first local security server, the first local security server comprising a first local authentication database and a network database;
if the first local authentication database at the first local security server includes authentication information associated with the prospective user and the identification information matches the authentication information associated with the prospective user, authenticating the prospective user; and
if the first local authentication database at the first local security server does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;
communicating with the network database to identify a second local security server including a second local authentication database, the second local authentication database including the authentication information for the prospective user and associated with a second plurality of workstations; and
communicating the identification information to allow authentication of the prospective user.

comparing the version number of the stored service mapping file with the version number of the updated service mapping file; and
transmitting the updated service mapping file to the workstation in the event that a difference between the two version numbers exceeds a database value.
6. The method of claim 1 further comprising transmitting an identification of the second local security server from the first local security server to the workstation.
7. The method of claim 6, each workstation operable to:
receive an identification of the second local security server from the first local security server; and
dynamically route the identification information to the second local security server to authenticate the prospective user for access to the second local security server.
8. The method of claim 7, wherein each workstation operable to route the identification information to the second local security server comprises each workstation operable to access the updated service mapping file to identify a logical location of the second local security server.
9. The method of claim 1 further comprising communicating the identification information to the second local security server.
10. The method of claim 1, the identification information comprising a user name, a user password and a user role.
11. The method of claim 1, each local authentication database comprising a listing of users authorized to access each local security server with their associated passwords and user roles.
12. The method of claim 11, each workstation operable to:
maintain a listing of the user roles with at least one network service authorized for each user role; and
provide a logged-on user with access to the network services that correspond to the user's role.
13. The method of claim 1, wherein each local authentication database is encrypted.
14. The method of claim 13 further comprising decrypting a user password contained in the first local authentication database prior to authenticating the prospective user for access.
15. The method of claim 1, the network database comprising a network database listing of a plurality of local security servers with each local security server's associated connection information, authorized users, and at least one associated standby local security server.
16. The method of claim 15, each standby local security server comprising a local security server whose local authentication database is substantially identical to its associated local security server's local authentication database.
17. The method of claim 15, the network database listing further comprising an operational status for each local security server.
18. The method of claim 17 further comprising identifying at least one of the associated standby local security servers in the event the local security server is not operational.
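The network database listing of claims 15 through 18 and the service-mapping-file version check of the dependent-claim fragment above (compare version numbers; transmit the updated file when the difference exceeds a database value), as one added example that is the editor's code and not the patent's. The record layout, the ldap://host:port connection strings, the server names and the breadth-first walk over standby servers are assumptions; the claims only say that a standby is identified when the primary is not operational.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ServerEntry:
    """One row of the network database listing (claim 15, plus the status of claim 17)."""
    connection: str            # connection information (assumed form: ldap://host:port)
    users: frozenset           # users authorized on this local security server
    standby: tuple = ()        # associated standby servers, in preference order (claim 16)
    operational: bool = True   # operational status (claim 17)


# Constructed sample listing: each primary has a standby whose database mirrors its own.
NETWORK_DB = {
    "sec-east":    ServerEntry("ldap://10.0.1.10:389", frozenset({"alice"}), ("sec-east-sb", "sec-west")),
    "sec-east-sb": ServerEntry("ldap://10.0.1.11:389", frozenset({"alice"}), ("sec-east",)),
    "sec-west":    ServerEntry("ldap://10.0.2.10:389", frozenset({"bob"}),   ("sec-west-sb",)),
    "sec-west-sb": ServerEntry("ldap://10.0.2.11:389", frozenset({"bob"}),   ("sec-west",)),
}


def set_status(db: dict, name: str, operational: bool) -> dict:
    """Return a copy of the listing with one server's operational status changed."""
    updated = dict(db)
    updated[name] = replace(db[name], operational=operational)
    return updated


def resolve_server(db: dict, name: str):
    """Claim 18: return (name, connection) for the requested server or, if it is not
    operational, for the first operational standby reachable through the standby chain.
    Breadth-first in listed preference order; the visited set stops primary<->standby
    cycles. Returns None when every candidate is down."""
    seen, queue = set(), [name]
    while queue:
        current = queue.pop(0)
        if current in seen or current not in db:
            continue
        seen.add(current)
        entry = db[current]
        if entry.operational:
            return (current, entry.connection)
        queue.extend(entry.standby)
    return None


def service_map_needs_push(workstation_version: int, server_version: int, max_lag: int) -> bool:
    """The version check of the dependent-claim fragment: transmit the updated service
    mapping file only when the gap between the workstation's copy and the server's copy
    exceeds the configured database value (taken literally: a gap within the value is tolerated)."""
    return server_version - workstation_version > max_lag


if __name__ == "__main__":
    print(resolve_server(NETWORK_DB, "sec-east"))
    degraded = set_status(set_status(NETWORK_DB, "sec-east", False), "sec-east-sb", False)
    print(resolve_server(degraded, "sec-east"))
    print(service_map_needs_push(3, 5, 1))
```

Because a standby's own standby list points back at its primary, a naive recursive lookup would loop once both are down; the visited set is what lets the walk continue to the next entry in the primary's list (here the other site) and finally report that nothing is available rather than hang.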
19. The method of claim 1 further comprising creating an audit entry for each failed attempt to access the local security server.
20. The method of claim 19, the audit entry comprising an identifier of the workstation, with a date and a time of the failed access attempt.
21. The method of claim 20 further comprising disabling the workstation from which a number of failed access attempts are received, in the event the number of failed access attempts exceeds a database value.
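The audit-and-lockout behaviour of claims 19 through 21, as an added example that is the editor's code and not the patent's: every failed attempt produces an audit entry carrying the workstation identifier and a timestamp, and a workstation is disabled once its failure count exceeds a configured "database value". The entry layout, the threshold, the inclusion of the attempted user name and the explicit re-enable step are assumptions; the claims define neither a time window nor an automatic recovery.

```python
from collections import Counter
from datetime import datetime, timezone


class FailedLogonAuditor:
    """Server-side bookkeeping for claims 19-21 (editor's design, not the patent's)."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures   # the 'database value' of claim 21
        self.entries = []                  # append-only audit trail (claim 19)
        self.failures = Counter()          # workstation identifier -> failed attempts
        self.disabled = set()              # workstations currently disabled

    def record_failure(self, workstation_id: str, user: str, when: datetime = None) -> bool:
        """Write one audit entry and return True if the workstation is now disabled."""
        when = when or datetime.now(timezone.utc)
        self.entries.append({
            "workstation": workstation_id,                  # claim 20: workstation identifier
            "time": when.isoformat(timespec="seconds"),     # claim 20: date and time
            "user": user,   # not required by claim 20; assumed here for investigation value
        })
        self.failures[workstation_id] += 1
        if self.failures[workstation_id] > self.max_failures:   # 'exceeds' = strictly greater
            self.disabled.add(workstation_id)
        return workstation_id in self.disabled

    def is_disabled(self, workstation_id: str) -> bool:
        """Checked before credentials are examined, so a disabled workstation cannot keep guessing."""
        return workstation_id in self.disabled

    def reenable(self, workstation_id: str) -> None:
        """Operator action: the claims define no automatic recovery, so provide an explicit one."""
        self.disabled.discard(workstation_id)
        self.failures[workstation_id] = 0

    def audit_lines(self) -> list:
        """Render the entries one per line, e.g. for shipping to a log collector."""
        return [f"{e['time']} FAILED_LOGON ws={e['workstation']} user={e['user']}"
                for e in self.entries]


if __name__ == "__main__":
    auditor = FailedLogonAuditor(max_failures=3)
    for _ in range(4):
        locked = auditor.record_failure("ws-17", "alice")
    print("\n".join(auditor.audit_lines()))
    print("ws-17 disabled:", locked)
```

Two practical points follow from the claims as written. The lockout is keyed on the workstation, not the user, so a single shared terminal can be taken out of service by anyone who types a few bad passwords at it; that is the behaviour the claim specifies, and the re-enable path exists because nothing in the claim restores the workstation. Recording the attempted user name, which the claim does not require, is common but captures whatever was typed into the name field, including a password typed one field too early, so the audit trail needs the same protection as the authentication database.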
22. The method of claim 1, wherein each local authentication database and the network database are in X.500 format.
23. A system comprising:
a plurality of local security servers, each local security server comprising a local authentication database and a network database and each local security server associated with a plurality of workstations, each of the local security servers operable to:
receive identification information from a prospective user at one of the associated workstations;
if the local authentication database includes authentication information associated with the prospective user and the identification information matches the authentication information associated with the prospective user, authenticate the prospective user; and
if the local authentication database does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;
communicate with the network database to identify one of the other local security servers whose local authentication database includes the authentication information for the prospective user; and
communicate the identification information to allow authentication of the prospective user.

compare the version number of the stored service mapping file with the version number of the updated service mapping file; and
transmit the updated service mapping file to the workstation in the event that a difference between the two version numbers exceeds a database value.
28. The system of claim 23, each of the local security servers further operable to transmit an identification of the identified local security server to the associated workstation.
29. The system of claim 28, each workstation operable to:
receive an identification of the identified local security server from the associated local security server; and
dynamically route the identification information to the identified local security server to authenticate the prospective user for access to the identified local security server.
30. The system of claim 29, wherein each workstation operable to route the identification information to the identified local security server comprises each workstation operable to access the updated service mapping file to identify a logical location of the identified local security server.
31. The system of claim 23, each of the local security servers further operable to communicate the identification information to the identified local security server.
32. The system of claim 23, the identification information comprising a user name, a user password and a user role.
33. The system of claim 23, each local authentication database comprising a listing of users authorized to access each local security server with their associated passwords and user roles.
34. The system of claim 33, each workstation operable to:
maintain a listing of the user roles with at least one network service authorized for each user role; and
provide a logged-on user with access to the network services that correspond to the user's role.
35. The system of claim 23, wherein each local authentication database is encrypted.
36. The system of claim 35, each of the local security servers further operable to decrypt a user password contained in the local authentication database prior to authenticating the prospective user for access.
37. The system of claim 23, the network database comprising a network database listing of the plurality of local security servers with each local security server's associated connection information, authorized users, and at least one associated standby local security server.
38. The system of claim 37, each standby local security server comprising a local security server whose local authentication database is substantially identical to its associated local security server's local authentication database.
39. The system of claim 37, the network database listing further comprising an operational status for each local security server.
40. The system of claim 39, each of the local security servers further operable to identify at least one of the associated standby local security servers in the event the local security server is not operational.
41. The system of claim 23, each of the local security servers further operable to create an audit entry for each failed attempt to access the local security server.
42. The system of claim 41, the audit entry comprising an identifier of the workstation, with a date and a time of the failed access attempt.
43. The system of claim 42, each of the local security servers further operable to disable the workstation from which a number of failed access attempts are received in the event the number of failed access attempts exceeds a database value.
44. The system of claim 23, wherein each local authentication database and the network database are in X.500 format.
45. Software embodied on at least one computer readable medium and operable when executed to:
receive identification information at a first local security server from a prospective user at one of a plurality of workstations associated with the first local security server, the first local security server comprising a first local authentication database and a network database;
if the first local authentication database at the first local security server includes authentication information associated with the prospective user and the identification information matches the authentication information associated with the prospective user, authenticate the prospective user; and
if the first local authentication database at the first local security server does not include authentication information associated with the prospective user or the identification information does not match the authentication information associated with the prospective user;
communicate with the network database to identify a second local security server including a second local authentication database, the second local authentication database including the authentication information for the prospective user and associated with a second plurality of workstations; and
communicate the identification information to allow authentication of the prospective user.

compare the version number of the stored service mapping file with the version number of the updated service mapping file; and
transmit the updated service mapping file to the workstation in the event that a difference between the two version numbers exceeds a database value.
50. The software of claim 45 further operable to transmit an identification of the second local security server from the first local security server to the workstation.
51. The software of claim 50, each workstation operable to:
receive an identification of the second local security server from the first local security server; and
dynamically route the identification information to the second local security server to authenticate the prospective user for access to the second local security server.
52. The software of claim 51, wherein each workstation operable to route the identification information to the second local security server comprises each workstation operable to access the updated service mapping file to identify a logical location of the second local security server.
53. The software of claim 45 further operable to communicate the identification information to the second local security server.
54. The software of claim 45, the identification information comprising a user name, a user password and a user role.
55. The software of claim 45, each local authentication database comprising a listing of users authorized to access each local security server with their associated passwords and user roles.
56. The software of claim 55, each workstation operable to:
maintain a listing of the user roles with at least one network service authorized for each user role; and
provide a logged-on user with access to the network services that correspond to the user's role.
57. The software of claim 45, wherein each local authentication database is encrypted.
58. The software of claim 57 further operable to decrypt a user password contained in the first local authentication database prior to authenticating the prospective user for access.
59. The software of claim 45, the network database comprising a network database listing of a plurality of local security servers with each local security server's associated connection information, authorized users, and at least one associated standby local security server.
60. The software of claim 59, each standby local security server comprising a local security server whose local authentication database is substantially identical to its associated local security server's local authentication database.
61. The software of claim 59, the network database listing further comprising an operational status for each local security server.
62. The software of claim 61 further operable to identify at least one of the associated standby local security servers in the event the local security server is not operational.
63. The software of claim 45 further operable to create an audit entry for each failed attempt to access the local security server.
64. The software of claim 63, the audit entry comprising an identifier of the workstation, with a date and a time of the failed access attempt.
65. The software of claim 64 further operable to disable the workstation from which a number of failed access attempts are received, in the event the number of failed access attempts exceeds a database value.
66. The software of claim 45, wherein each local authentication database and the network database are in X.500 format.
Specification