WO2005055025A1 - Methods and apparatus for remote authentication in a server-based computing system - Google Patents
- Publication number: WO2005055025A1 (PCT application PCT/US2004/039442)
- Authority: WO (WIPO (PCT))
- Prior art keywords: server, user, authentication data, computing device, client
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0846—Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2115—Third party
Definitions
- the present invention relates to methods and apparatus for providing distributed application processing in a server-based computing system and, in particular, to remote authentication techniques in such a system.
- Technologies for providing remote access to networked resources include a variety of client/server software combinations.
- One of these technologies is often referred to as a "thin-client" or "server-based computing" system.
- an application program is executed by a server computing device on behalf of one or more client computing devices. Only client input to the application and application output are transmitted between a client computing device and a server computing device.
- These systems generally require users of client computing devices to authenticate themselves before applications may be executed on their behalf by the server computing devices.
- the client computing device may require the user to log on locally before using the device. Logging on locally to the client computing device usually requires a username and password, but many client operating systems allow the logon mechanism to be replaced, for example, to require the user to log on with a token-based scheme, a smartcard or a biometric such as a fingerprint.
- Despite authenticating to the client computing device, the user will often also need to authenticate to the server computing device. However, if a replacement logon mechanism such as those described above is used, the user may not be able to authenticate to the server computing device because the server computing device will often accept only a username and password; if the user has authenticated using a technique such as a biometric or smart card, the user may not know a valid username-password combination useful to authenticate to the server computing device. Some technologies allow interception by the client computing device of a user-supplied username-password combination. However, these technologies will not work if the standard authentication mechanism is replaced.
- the present invention uses the industry standard Generic Security Services Application Program Interface (GSSAPI) in conjunction with a thin-client protocol such as the ICA protocol, manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida, or the RDP protocol, manufactured by Microsoft Corporation of Redmond, Washington, to remotely authenticate users of client computing devices.
- the invention enhances security by providing an alternative to the network provider method of pass-through authentication.
- an authentication virtual channel driver sends user authentication data over a virtual channel within a thin-client protocol.
- User authentication data can be used to verify the identity of a user but does not reveal the user's underlying authentication credentials.
- the transmitted user authentication data is used to authenticate the user to the server computing device.
- the client therefore, never accesses the user authentication credentials; it is not required to install a network provider which requires administrator privileges and makes the authentication credentials available to any local processes on the client computing device; the user's authentication credentials are not sent over the network in any form; and remote authentication is performed by the server computing device's underlying operating system.
- a client computing device receives user credentials and generates user authentication data based on the received credentials.
- the client computing device transmits the generated user authentication data to a server computing device.
- the server computing device authenticates the user responsive to the user authentication data.
- the server generates new user authentication data based on the received user authentication data.
- the server transmits the new user authentication data to a second server.
- the second server authenticates the user, responsive to the received user authentication data.
- the user accesses available resources over a connection between the first server and the second server.
- the present invention uses a virtual channel within the ICA protocol or the RDP protocol to exchange authentication data for remote authentication of users.
- a virtual channel is any logical association between two or more endpoints for the purpose of transmitting data between the endpoints.
- the present invention uses the GSSAPI for authentication, and therefore works with any authentication method supported by a GSSAPI implementation, such as the Kerberos authentication method, and can be used on any client computing platform or device that supports GSSAPI.
- user authentication credentials (e.g., a password) are not explicitly intercepted or handled by either the client or the server, and user authentication credentials are not transmitted between a client computing device and a server computing device.
- the client computing device authenticates the server computing device and the server computing device authenticates the user of the client computing device.
- the delegation security policy in Microsoft Windows is upheld. For example, if the user account setting "Account is sensitive and must not be delegated" is enabled, that user will not be able to use this remote authentication technique to logon to another server.
- FIG. 1 is a block diagram of an environment suitable for practicing the illustrative embodiment of the present invention
- FIG. 2A and 2B are block diagrams depicting embodiments of computers useful in connection with the present invention.
- FIG. 3A is a block diagram depicting an embodiment of the network 40 in which the invention may be performed.
- Fig. 3B is a block diagram depicting an embodiment of the process by which a client node initiates execution of an available application and a server presents the results of the application to the client node;
- Fig. 3C is a block diagram depicting an embodiment of the process by which a client node initiates execution of an available application via the World Wide Web;
- Fig. 3D is a block diagram depicting an embodiment of the process of communication among a client node and two server nodes.
- FIG. 4 is a block diagram of an embodiment of a system for remotely authenticating a user of a client node to a server computing device.
- the illustrative embodiment of the present invention is applicable to a distributed networking environment where a remote user requests access to content. Prior to discussing the specifics of the present invention, it may be helpful to discuss some of the network environments in which the illustrative embodiment of the present invention may be employed.
- a first computing device (client computing device) 100 communicates with a second computing device (server computing device) 140 over a communications network 180.
- the second computing device is also a client device 100.
- the topology of the network 180 over which the client devices 100 communicate with the server device 140 may be a bus, star, or ring topology.
- the network 180 can be a local area network (LAN), a metropolitan area network (MAN), or a wide area network (WAN) such as the Internet.
- the client and server devices 100, 140 can connect to the network 180 through a variety of connections including standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections. Connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, NetBEUI, SMB, Ethernet, ARCNET, Fiber Distributed Data Interface (FDDI), RS232, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and direct asynchronous connections). Other client devices and server devices (not shown) may also be connected to the network 180.
- the client device 100 can be any device capable of receiving and displaying output from applications executed on its behalf by one or more server computing devices 140 and capable of operating in accordance with a protocol as disclosed herein.
- the client computing device 100 may be a personal computer, windows-based terminal, network computer, information appliance, X-device, workstation, mini computer, personal digital assistant or cell phone.
- the server computing device 140 can be any computing device capable of: receiving from a client computing device 100 user input for an executing application, executing an application program on behalf of a client computing device 100, and interacting with the client computing device using a protocol as disclosed herein.
- the server computing device 140 can be provided as a group of server devices logically acting as a single server system, referred to herein as a server farm.
- the server computing device 140 is a multi-user server system supporting multiple concurrently active client connections.
- FIGs. 2A and 2B depict block diagrams of a typical computer 200 useful as client computing devices 100 and server computing devices 140.
- each computer 200 includes a central processing unit 202, and a main memory unit 204.
- Each computer 200 may also include other optional elements, such as one or more input/output devices 230a-230-b (generally referred to using reference numeral 230), and a cache memory 240 in communication with the central processing unit 202.
- the central processing unit 202 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 204.
- the central processing unit is provided by a microprocessor unit, such as: the 8088, the 80286, the 80386, the 80486, the Pentium, Pentium Pro, the Pentium II, the Celeron, or the Xeon processor, all of which are manufactured by Intel Corporation of Mountain View, California; the 68000, the 68010, the 68020, the 68030, the 68040, the PowerPC 601, the PowerPC604, the PowerPC604e, the MPC603e, the MPC603ei, the MPC603ev, the MPC603r, the MPC603p, the MPC740, the MPC745, the MPC750, the MPC755, the MPC7400, the MPC7410, the MPC7441, the MPC7445, the MPC7447, the MPC7450, the MPC7451,
- the Crusoe TM5800, the Crusoe TM5600, the Crusoe TM5500, the Crusoe TM5400, the Efficeon TM8600, the Efficeon TM8300, or the Efficeon TM8620 processor, manufactured by Transmeta Corporation of Santa Clara, California; the RS/6000 processor, the RS64, the RS 64 II, the P2SC, the POWER3, the RS64 III, the POWER3-II, the RS 64 IV, the POWER4, the POWER4+, the POWER5, or the POWER6 processor, all of which are manufactured by International Business Machines of White Plains, New York; or the AMD Opteron, the AMD Athlon 64 FX, the AMD Athlon, or the AMD Duron processor, manufactured by Advanced Micro Devices of Sunnyvale, California.
- Main memory unit 204 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 202, such as Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM).
- FIG. 2A the processor 202 communicates with main memory 204 via a system bus 220 (described in more detail below).
- FIG. 2B depicts an embodiment of a computer system 200 in which the processor communicates directly with main memory 204 via a memory port.
- the main memory 204 may be DRDRAM.
- FIGs. 2A and 2B depict embodiments in which the main processor 202 communicates directly with cache memory 240 via a secondary bus, sometimes referred to as a "backside" bus.
- the main processor 202 communicates with cache memory 240 using the system bus 220.
- Cache memory 240 typically has a faster response time than main memory 204 and is typically provided by SRAM, BSRAM, or EDRAM.
- the processor 202 communicates with various I/O devices 230 via a local system bus 220.
- Various busses may be used to connect the central processing unit 202 to the I/O devices 230, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus.
- the processor 202 may use an Advanced Graphics Port (AGP) to communicate with the display.
- FIG. 2B depicts an embodiment of a computer system 200 in which the main processor 202 communicates directly with I/O device 230b via HyperTransport, Rapid I/O, or InfiniBand.
- FIG. 2B also depicts an embodiment in which local busses and direct communication are mixed: the processor 202 communicates with I/O device 230a using a local interconnect bus while communicating with I/O device 230b directly.
- I/O devices 230 may be present in the computer system 200.
- Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets.
- Output devices include video displays, speakers, inkjet printers, laser printers, and dye-sublimation printers.
- An I/O device may also provide mass storage for the computer system 200 such as a hard disk drive, a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, and USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, California.
- an I/O device 230 may be a bridge between the system bus 220 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached small computer system interface bus.
- General-purpose desktop computers of the sort depicted in FIGs. 2A and 2B typically operate under the control of operating systems, which control scheduling of tasks and access to system resources.
- Typical operating systems include: MICROSOFT WINDOWS, manufactured by Microsoft Corp. of Redmond, Washington; MacOS, manufactured by Apple Computer of Cupertino, California; OS/2, manufactured by International Business Machines of Armonk, New York; and Linux, a freely-available operating system distributed by Caldera Corp. of Salt Lake City, Utah, among others.
- the client computing device 100 may have different processors, operating systems, and input devices consistent with the device.
- the client computing device 100 is a Zire 71 personal digital assistant manufactured by Palm, Inc.
- the Zire 71 uses an OMAP 310 processor manufactured by Texas Instruments, of Dallas, Texas, operates under the control of the PalmOS operating system and includes a liquid-crystal display screen, a stylus input device, and a five-way navigator device.
- a block diagram depicts an embodiment of the network 40 in which the invention may be performed.
- the servers 30, 32, and 34 can belong to the same domain 38.
- a domain is a subnetwork comprising a group of application servers and client nodes under control of one security database.
- a domain can include one or more "server farms." (A server farm is a group of servers that are linked together to act as a single server system to provide centralized administration.) Conversely, a server farm can include one or more domains. For servers of two different domains to belong to the same server farm, a trust relationship may need to exist between the domains.
- a trust relationship is an association between the different domains that allows a user to access the resources associated with each domain with just one log-on authentication.
- the application server 36 is in a different domain than the domain 38. In another embodiment, the application server 36 is in the same domain as servers 30, 32, and 34. For either embodiment, application servers 30, 32, and 34 can belong to one server farm, while the server 36 belongs to another server farm, or all of the application servers 30, 32, 34, and 36 can belong to the same server farm. When a new server is connected to the network 40, the new server either joins an existing server farm or starts a new server farm.
- the client nodes 10, 20 may be in a domain, or may be unconnected with any domain. In one embodiment, the client node 10 is in the domain 38. In another embodiment, the client node 10 is in another domain that does not include any of the application servers 30, 32, 34 or 36. In another embodiment, the client node 10 is not in any domain.
- the client node 10 is in the domain 38 and the user of the client node provides user credentials to log onto the client node 10.
- User credentials typically include the name of the user of the client node, the password of the user, and the name of the domain in which the user is recognized.
- the user credentials can be obtained from smart cards, time-based tokens, social security numbers, user passwords, personal identification (PIN) numbers, digital certificates based on symmetric key or elliptic curve cryptography, biometric characteristics of the user, or any other means by which the identification of the user of the client node can be obtained and submitted for authentication.
- From the user-provided credentials, the client node 10 generates user authentication data.
- the client node 10 transmits this user authentication data to the server 30.
- the client credentials are not transmitted over a network, only the resulting user authentication data is transmitted by the client node.
- the server 30 can also determine which application programs hosted by the application server farm containing server 30 are available for use by the user of the client node.
- the server 30 transmits information representing the available application programs to the client node 10. This process eliminates the need for a user of the client node to set up application connections. Also, an administrator of the server farm can control access to applications among the various client node users.
- the user authentication performed by the server 30 can suffice to authorize the use of each hosted application program presented to the client node 10, although such applications may reside at another server. Accordingly, in this embodiment, when the client node launches (i.e., initiates execution of) one of the hosted applications, additional input of user credentials by the user will be unnecessary to authenticate use of that application. Thus, a single entry of the user credentials can serve to determine the available applications and to authorize the launching of such applications without an additional, manual logon authentication process by the client user.
- Fig. 3B shows another exemplary process by which the client node 10 initiates execution of an available application and a server presents the results of the application to the client node 10.
- the user of client node 10 requests the launch of the application 41 (e.g., by clicking on an icon displayed on the client node 10 representing the application).
- the request 42 for the application is directed to the first server node, in this example server 30.
- the first server node 30 can execute the application, if the application is on the first server node 30, and return the results to the client node 10.
- the first server node 30 can indicate (arrow 43) to the client node 10 that the application 41 is available on another server, in this example server 32.
- the client node 10 and server 32 establish a connection (arrows 45 and 46) by which the client node 10 requests execution of the application 41.
- the server 32 can execute the application 41 and transfer the results (i.e., the graphical user interface) to the client node 10.
- Fig. 3C shows another exemplary process by which a client node 20 initiates execution of an available application, in this example via the World Wide Web.
- a client node 20 executes a web browser application 80, such as MICROSOFT INTERNET EXPLORER, manufactured by Microsoft Corporation of Redmond, Washington.
- the client node 20, via the web browser 80 transmits a request 82 to access a Uniform Resource Locator (URL) address corresponding to an HTML page generated dynamically by server 30.
- the first response returned 84 to the client node 20 by the server 30 is an authentication request that seeks to identify the client node 20.
- a user provides user credentials to the client node 20.
- the client node 20 generates user authentication data, based upon the user credentials provided to it.
- the authentication request allows the client node 20 to transmit user authentication data, via the web browser 80, to the server 30 for authentication. Transmitted user authentication data is verified by the server 30.
- the server 30 can also determine which application programs hosted by the application servers are available for use by the user of the client node 20.
- the server 30 generates an HTML page containing information representing the available application programs and transmits this to the client node 20, via the web browser 80.
- the information includes a distinct launch URL address corresponding to each available application.
- the available applications are displayed on the client node 20 via the web browser 80.
- the client node display has a window 58 in which appears a graphical icon 57 representing an available application program.
- a user of the client node 20 can launch the application program by clicking the icon 57 with the mouse.
- the client node 20, via the web browser 80 transmits a request 86 to access the URL address corresponding to the application launch service residing on server 30.
- the server node 30 transmits launch information 88 to the client node 20, via the web browser 80, which indicates how a connection can be established to cause execution of the application and transfer the results to the client node 20.
- Fig. 3D shows an exemplary process of communication among the client node 10, the first server node, in this example server 30, and the server 32.
- the client node 10 has an active connection 72 with the server 32.
- the client node 10 and server 32 can use the active connection 72 to exchange information regarding the execution of a first application program.
- the user authentication data generated by the client node 10 from received user credentials are stored at the client node. Such storage of the user authentication data is in cache memory.
- the available applications are displayed on the client node 10.
- the client node display has a window 58 in which appears a graphical icon 57 representing a second application program.
- a user of the client node 10 can launch the second application program by double-clicking the icon 57 with the mouse.
- the request passes to the first server node 30 via a connection 59.
- the first server node 30 indicates to the client node 10 via the connection 59 that the sought-after application is available on server 32.
- the client node 10 signals the server 32 to establish a second connection 70.
- the server 32 requests user authentication data from the client node 10 to authenticate access to the second application program.
- the client node 10 generates user authentication data based upon the stored user authentication data.
- FIG. 4 depicts in more detail a system for remotely authenticating a user of a client node 100 to a server computing device 140.
- the client computing device 100 includes an authentication module 310 in communication with a thin-client program 320.
- the authentication module 310 receives user authentication credentials provided for the purposes of authenticating a user to the client computing device 100, the server computing device 140, or both.
- Received authentication credentials can include username-password combinations, graphical password data, data derived from time-based tokens such as the SecurID line of tokens manufactured by RSA Security Inc. of Bedford, Massachusetts, challenge-response data, information from smart cards, and biometric information such as fingerprints, voiceprints, or facial features.
- the authentication module 310 may use the provided authentication credentials to authenticate the user to the client computing device 100.
- the authentication module 310 may be provided by the MSGINA dynamically-linked library.
- the authentication module 310 may be provided by the Unix Pluggable Authentication Manager, using the pam_krb module.
- the authentication module 310 may be provided by the Unix kinit command program.
- the client computing device also includes a security service 312.
- the authentication module 310 and the security service 312 are provided as the same dynamically-linked library.
- the security service 312 provides security services to modules and applications on the client computing device, including the authentication module 310 and the thin-client application 320, such as authentication to the client computing device and authentication to remote hosts or network services.
- the security service 312 which may be the GSSAPI specified by the Internet Engineering Task Force (IETF) or the SSPI manufactured by Microsoft Corporation of Redmond, Washington, may obtain a Kerberos ticket in response to receipt of the user authentication credentials and use this ticket to obtain additional Kerberos tickets to authenticate the user to remote hosts or network services, at the request of modules or applications on the client computing device.
- the security service 312 may then generate user authentication data using these Kerberos tickets if needed for remote authentication.
- the security service 312 may generate the user authentication data using an external authentication service, such as a Key Distribution Center in a Kerberos environment or Active Directory in a Windows-based environment.
- the security service 312 provides the generated user authentication data, e.g., Kerberos ticket and associated Kerberos authenticator, to the thin-client application 320.
- the thin-client application 320 transmits the user authentication data to a server computing device 140 for remote authentication of the user.
- user-provided authentication credentials are not transmitted over the network 180 to a server computing device 140.
- the user authentication data generated by the security service 312 is independent of the method used by the user to authenticate to the client computing device 100.
- a Kerberos ticket for the user of client computing device 100 is obtained whether the user uses a username-password combination or a biometric to authenticate to the client computing device 100.
- the thin-client application 320 communicates with the server computing device 140 via a thin-client protocol having one or more virtual channels 335.
- the thin-client application 320 loads a virtual channel driver and uses it to send and receive messages on the authentication virtual channel.
- the virtual channel driver exposes functions for opening the virtual channel and sending data over it.
- the thin-client application 320 passes a data structure to the server computing device 140 for the virtual channel 335 when the thin-client protocol connection is established, indicating to the server-side thin-client application 350 that the authentication virtual channel is available.
- the virtual channel data structure for the authentication virtual channel contains the virtual channel information and a representation of the size of the largest data packet the client computing device 100 can accept from or send to the server computing device 140 over the virtual channel 335.
- the data packet size is constrained by the maximum thin-client size and any specific memory restrictions imposed by the client computing device 100.
- the data structure for the authentication virtual channel is defined as:

```c
typedef struct _C2H {
    VD_C2H Header;
    UINT16 cbMaxDataSize;
} C2H, *PC2H;
```
- the server-side thin-client application 350 indicates to the thin-client application 320 its intention to perform authentication using the authentication virtual channel 335 by opening the virtual channel and sending a bind request message onto the channel.
- the virtual channel driver in the thin-client application 320 reads a message requesting a binding from the virtual channel, sends a message onto the virtual channel responding to the bind request, and reads a "commit" message from the channel.
- the message requesting a binding includes data specifying the protocol version that is supported.
- the protocol version can be negotiated between the thin-client application 320 and the server-side thin-client application 350 using the bind request and bind response messages.
- the bind request, bind response, and bind commit initialization messages allow the server-side thin-client application 350 and the thin-client application 320 to conduct a 3-way handshake initiated by the server-side thin-client application 350, and negotiate capabilities.
- a 2-way handshake may be initiated by the server-side thin-client application 350 when the current set of virtual channel capabilities can be negotiated using a 2-way handshake only, but a 3-way handshake is supported to allow more flexibility that might be required by new capabilities or future enhancements to current capabilities.
- the thin-client application 320 can exhibit a specific preference or could instead acknowledge a whole set of options pertaining to a specific capability thus letting the server-side thin-client application 350 decide on a specific option.
- the thin-client application 320 might not exhibit a specific preference, because its preferred option might not be supported by the host.
- the virtual channel driver of both the thin-client application 320 and the server-side thin-client application 350 does the following in a loop until a "stop" message or an "error" message is received: retrieve authentication data from the security service 312, 312', providing as input any authentication data sent by the other party via the virtual channel; and send the retrieved authentication data (if any) onto the virtual channel in a data message. If the retrieval of data from the security service 312, 312' returned a "STOP" message, then signal stop and close the authentication virtual channel. In some embodiments the virtual channel driver may reset itself on a "stop" signal. If the retrieval of data from the security service 312, 312' returned a "CONTINUE" message, then continue. If the retrieval of authentication data from the security service 312, 312' returned an "ERROR", then signal that an error has occurred and close the authentication virtual channel.
- the virtual channel driver of the thin-client application 320 and the server-side thin-client application 350 are free to exchange data messages until the security service 312, 312' stops producing data buffers to be sent.
- the number of messages exchanged may be limited by the virtual channel driver, the server-side thin-client application 350, or the virtual channel 335.
- the virtual channel driver of the thin-client application 320 and the server-side thin-client application 350 exchange messages sequentially, that is, two messages are not sent in one direction without a reply to the first being sent in the other. In either embodiment, message exchange can stop after a message has been sent in either direction.
- the data messages are sent over the virtual channel Least Significant Double Word (LSDW), Least Significant Word (LSW), Least Significant Byte (LSB) first.
- the data messages are aligned at a byte boundary and fully packed in memory. In these embodiments, data fields will be aligned in memory as written to or read from the virtual channel.
- Some messages transmitted on the authentication virtual channel span multiple virtual channel packets. To support this, every message must be preceded by a message specifying the length of the next transmitted command.
- An example of a message that may be used to specify the length of the next command is:

```c
typedef struct _PKT_CMDLEN {
    UINT32 Length;
    UINT8  Command;
    UINT8  FlagsBitMask;
} PKT_CMDLEN, *PPKT_CMDLEN;
```
- PKT_CMDLEN also contains a command number to indicate what type of message is to follow:
- the server-side thin-client application 350 passes the authentication data it receives over the authentication virtual channel to its security service 312'. If the server-side security service 312' is able to verify the data, it generates an access token representing a logon session for the user, allowing the user to authenticate to the server computing device 140 without resubmitting authentication credentials.
- An access token is a data object that includes, among other things, a locally unique identifier (LUID) for the logon session. If the server-side security service 312' is not able to verify the data, the user is prompted to resubmit authentication credentials.
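As an added example (not code from the patent), the following Python model ties together the authentication virtual channel described above: PKT_CMDLEN framing sent LSB first and fully packed, the server-initiated bind request / bind response / bind commit handshake with version negotiation, and the alternating data-message loop that each driver runs against its own security service until STOP or ERROR. The command numbers, the version-negotiation rule, the fixed nonces and the toy security service (a shared-key proof standing in for Kerberos tickets and authenticators) are assumptions, not the patent's.

```python
import hashlib
import hmac
import struct

# PKT_CMDLEN (UINT32 Length, UINT8 Command, UINT8 FlagsBitMask), LSB first and fully
# packed: '<' = little-endian, no padding, 6 bytes (a native C struct would pad to 8).
PKT_CMDLEN = struct.Struct("<IBB")
CMD_BIND_REQUEST, CMD_BIND_RESPONSE, CMD_BIND_COMMIT = 1, 2, 3   # assumed numbering
CMD_DATA, CMD_STOP, CMD_ERROR = 4, 5, 6

def frame(command, payload, flags=0):
    """Precede a message with a PKT_CMDLEN header giving its length and command."""
    return PKT_CMDLEN.pack(len(payload), command, flags) + payload

def parse(buf):
    """Split one framed message off buf -> (command, flags, payload, rest)."""
    if len(buf) < PKT_CMDLEN.size:
        raise ValueError("short header")
    length, command, flags = PKT_CMDLEN.unpack_from(buf)
    end = PKT_CMDLEN.size + length
    if len(buf) < end:
        raise ValueError("short payload")   # message spans packets: wait for more
    return command, flags, buf[PKT_CMDLEN.size:end], buf[end:]

def _mac(key, label, *parts):
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class ToySecurityService:
    """Assumed stand-in for security service 312 / 312': GSSAPI-style step(token) ->
    (status, token), mutual proof of a shared key (Kerberos-like; no replay cache)."""
    def __init__(self, key, is_server, nonce=b""):
        self.key, self.is_server, self.nonce = key, is_server, nonce
        self.authenticated = False

    def step(self, token):
        if not self.is_server and token is None:        # client: first token out
            return "CONTINUE", self.nonce + _mac(self.key, b"req", self.nonce)
        if self.is_server:                              # server: verify, answer, done
            nonce, proof = token[:16], token[16:]
            if not hmac.compare_digest(proof, _mac(self.key, b"req", nonce)):
                return "ERROR", b""
            self.authenticated = True
            return "STOP", _mac(self.key, b"rep", nonce)
        self.authenticated = hmac.compare_digest(token, _mac(self.key, b"rep", self.nonce))
        return ("STOP", b"") if self.authenticated else ("ERROR", b"")

def authenticate_over_channel(client_svc, server_svc, server_versions, client_versions):
    """Both virtual channel drivers in one place; returns (negotiated version,
    framed messages in wire order, final status)."""
    wire = []
    def send(cmd, payload):                 # the receiver re-parses what went out
        wire.append(frame(cmd, payload))
        return parse(wire[-1])[2]
    # Server-initiated 3-way handshake: server offers its versions, client acknowledges
    # the subset it accepts (letting the server decide), server commits to the highest.
    offered = send(CMD_BIND_REQUEST, bytes(server_versions))
    accepted = send(CMD_BIND_RESPONSE, bytes(v for v in offered if v in client_versions))
    if not accepted:
        send(CMD_ERROR, b"")
        return None, wire, "ERROR"
    version = send(CMD_BIND_COMMIT, bytes([max(accepted)]))[0]
    # Strictly alternating data messages: each driver feeds what the peer sent to its
    # own security service and forwards any token produced, until STOP or ERROR.
    incoming, sender, receiver = None, client_svc, server_svc
    while True:
        status, token = sender.step(incoming)
        if status == "ERROR":
            send(CMD_ERROR, b"")
            return version, wire, "ERROR"
        incoming = send(CMD_DATA, token) if token else None
        if status == "STOP":
            send(CMD_STOP, b"")
            if incoming is not None:            # the peer still consumes the last token
                status = receiver.step(incoming)[0]
            return version, wire, status
        sender, receiver = receiver, sender
```

Note that a real PKT_CMDLEN compiled as a C struct with default alignment occupies 8 bytes, so the "fully packed" 6-byte wire header must be serialised field by field (or with a packed-struct pragma) rather than copied from memory.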
- the only virtual channel over which the user may communicate with the server computing device 140 is the authentication virtual channel.
- new virtual channels are initiated for communication.
- only one virtual channel exists and it may only be used for authentication-related communications until the user is authenticated, and it may be used for other communications after the user is authenticated.
- the access token generated by the server-side security service 312' is an impersonation token that has only network logon rights. That is, the generated access token is not suitable to use for starting applications to run interactively, as is required in the WINDOWS server-based computing environment. To allow applications to run interactively, a primary access token is needed that has interactive logon rights. In one embodiment, the generated access token is modified to provide the appropriate rights. In another embodiment, a new token is generated for the user.
- when the server-side security service 312' verifies the authentication data it receives over the authentication virtual channel from the server-side thin-client application 350, the server-side thin-client application 350 grants the user access to the resources. In these embodiments, the server-side security service 312' does not generate an access token.
- after the server has authenticated the user, the server presents an enumeration of resources available to the user.
- the server may create a page describing a display of resources, hosted by a plurality of servers, available to the client computing device. The server may then transmit the created page to the client computing device for display and receive from the client computing device, a request to access one of the hosted resources.
- the selected one of the available resources hosted by one of the plurality of servers is then executed without requiring further receipt of user authentication data from the client computing device.
- the server initiates, in response to successful authentication by the user, a connection from the server to a second server which is hosting a resource available to the user.
- the available resource is executed over the connection.
- the connection is a virtual channel.
- the first server is hosting the selected one of the available resources.
- the server makes the resource available to the user over the existing connection.
- the server makes the resource available to the user over a new connection.
- the new connection comprises a virtual channel.
- the present invention may be provided as one or more computer-readable programs embodied on or in one or more articles of manufacture.
- the article of manufacture may be a floppy disk, a hard disk, a CD ROM, a flash memory card, a PROM, a RAM, a ROM, or a magnetic tape.
- the computer-readable programs may be implemented in any programming language. Some examples of languages that can be used include C, C++, or JAVA.
- the software programs may be stored on or in one or more articles of manufacture as object code.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006541682A JP2007520791A (ja) | 2003-11-26 | 2004-11-23 | サーバベースのコンピュータシステムにおけるリモート認証のための方法および装置 |
EP04812045A EP1695180A1 (fr) | 2003-11-26 | 2004-11-23 | Procedes et appareils pour l'authentification a distance dans un sys informatique a base de serveur |
AU2004296049A AU2004296049A1 (en) | 2003-11-26 | 2004-11-23 | Methods and apparatus for remote authentication in a server-based |
CA002546872A CA2546872A1 (fr) | 2003-11-26 | 2004-11-23 | Procedes et appareils pour l'authentification a distance dans un systeme informatique a base de serveur |
IL175842A IL175842A0 (en) | 2003-11-26 | 2006-05-23 | Methods and apparatus for remote authentication in a server-based computing system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US48170803P | 2003-11-26 | 2003-11-26 | |
US60/481,708 | 2003-11-26 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005055025A1 true WO2005055025A1 (fr) | 2005-06-16 |
Family
ID=34652233
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2004/041187 WO2005055026A1 (fr) | 2003-11-26 | 2004-11-23 | Procedes et appareils pour une authentification a distance dans un systeme fonde sur un serveur |
PCT/US2004/039442 WO2005055025A1 (fr) | 2003-11-26 | 2004-11-23 | Procedes et appareils pour l'authentification a distance dans un systeme informatique a base de serveur |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2004/041187 WO2005055026A1 (fr) | 2003-11-26 | 2004-11-23 | Procedes et appareils pour une authentification a distance dans un systeme fonde sur un serveur |
Country Status (7)
Country | Link |
---|---|
EP (2) | EP1695180A1 (fr) |
JP (2) | JP2007520789A (fr) |
KR (2) | KR20060120148A (fr) |
AU (2) | AU2004294668A1 (fr) |
CA (2) | CA2546872A1 (fr) |
IL (2) | IL175841A0 (fr) |
WO (2) | WO2005055026A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2021026651A (ja) * | 2019-08-08 | 2021-02-22 | 富士通クライアントコンピューティング株式会社 | 情報処理システム、情報処理装置およびプログラム |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100759813B1 (ko) | 2005-12-12 | 2007-09-20 | 한국전자통신연구원 | 생체정보를 이용한 사용자 인증 방법 |
US8997193B2 (en) * | 2012-05-14 | 2015-03-31 | Sap Se | Single sign-on for disparate servers |
KR102447501B1 (ko) | 2015-12-24 | 2022-09-27 | 삼성전자주식회사 | 생체 정보를 처리하는 전자 장치 및 그 제어 방법 |
US10620855B2 (en) * | 2016-09-06 | 2020-04-14 | Samsung Electronics Co., Ltd. | System and method for authenticating critical operations on solid-state drives |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001063567A2 (fr) * | 2000-02-25 | 2001-08-30 | Identix Incorporated | Systeme de transactions securisees |
WO2002095589A1 (fr) * | 2001-05-17 | 2002-11-28 | Identix Incorporated | Verification d'identite de mobile |
US6490679B1 (en) * | 1999-01-18 | 2002-12-03 | Shym Technology, Inc. | Seamless integration of application programs with security key infrastructure |
US20030187925A1 (en) * | 1998-12-08 | 2003-10-02 | Inala Suman Kumar | Software engine for enabling proxy chat-room interaction |
2004
- 2004-11-23 EP EP04812045A patent/EP1695180A1/fr not_active Withdrawn
- 2004-11-23 KR KR1020067010247A patent/KR20060120148A/ko not_active Withdrawn
- 2004-11-23 WO PCT/US2004/041187 patent/WO2005055026A1/fr not_active Application Discontinuation
- 2004-11-23 CA CA002546872A patent/CA2546872A1/fr not_active Abandoned
- 2004-11-23 JP JP2006541510A patent/JP2007520789A/ja not_active Withdrawn
- 2004-11-23 JP JP2006541682A patent/JP2007520791A/ja not_active Withdrawn
- 2004-11-23 AU AU2004294668A patent/AU2004294668A1/en not_active Abandoned
- 2004-11-23 KR KR1020067010250A patent/KR20060118510A/ko not_active Withdrawn
- 2004-11-23 AU AU2004296049A patent/AU2004296049A1/en not_active Abandoned
- 2004-11-23 CA CA002547407A patent/CA2547407A1/fr not_active Abandoned
- 2004-11-23 WO PCT/US2004/039442 patent/WO2005055025A1/fr not_active Application Discontinuation
- 2004-11-23 EP EP04813500A patent/EP1687693A1/fr not_active Withdrawn
2006
- 2006-05-23 IL IL175841A patent/IL175841A0/en unknown
- 2006-05-23 IL IL175842A patent/IL175842A0/en unknown
Also Published As
Publication number | Publication date |
---|---|
CA2546872A1 (fr) | 2005-06-16 |
CA2547407A1 (fr) | 2005-06-16 |
IL175841A0 (en) | 2006-10-05 |
JP2007520789A (ja) | 2007-07-26 |
KR20060120148A (ko) | 2006-11-24 |
KR20060118510A (ko) | 2006-11-23 |
EP1687693A1 (fr) | 2006-08-09 |
WO2005055026A1 (fr) | 2005-06-16 |
IL175842A0 (en) | 2006-10-05 |
AU2004296049A1 (en) | 2005-06-16 |
AU2004294668A1 (en) | 2005-06-16 |
JP2007520791A (ja) | 2007-07-26 |
EP1695180A1 (fr) | 2006-08-30 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US8621587B2 (en) | Systems and methods for facilitating distributed authentication | |
US9143502B2 (en) | Method and system for secure binding register name identifier profile | |
CN112995219B (zh) | 一种单点登录方法、装置、设备及存储介质 | |
US9438633B1 (en) | System, method and computer program product for providing unified authentication services for online applications | |
EP1081914B1 (fr) | Enregistrement unique dans un réseau qui contient plusieurs ressources à accès limité controllées séparement | |
US6954792B2 (en) | Pluggable authentication and access control for a messaging system | |
US7877492B2 (en) | System and method for delegating a user authentication process for a networked application to an authentication agent | |
TWI400922B (zh) | 在聯盟中主用者之認證 | |
US7356833B2 (en) | Systems and methods for authenticating a user to a web server | |
US20060236385A1 (en) | A method and system for authenticating servers in a server farm | |
US8042165B2 (en) | Method and system for requesting and granting membership in a server farm | |
WO2005055025A1 (fr) | Procedes et appareils pour l'authentification a distance dans un systeme informatique a base de serveur | |
WO2001071961A1 (fr) | Systeme, procede et produit de programme informatique pour fournir des services d'authentification unifies pour applications en ligne | |
JP2003521779A (ja) | 通信プロトコルによってイネーブルされるクライアントによる情報へのアクセスを登録および認証するためのシステム、方法およびコンピュータプログラム製品 | |
Markantonakis | A Smart Card Web Server in the Web of Things | |
Linwood et al. | Security and Single Sign-On |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | WWE | Wipo information: entry into national phase | Ref document number: 175842, Country of ref document: IL; Ref document number: 2546872, Country of ref document: CA; Ref document number: 2004296049, Country of ref document: AU |
 | WWE | Wipo information: entry into national phase | Ref document number: 1399/KOLNP/2006, Country of ref document: IN; Ref document number: 2006541682, Country of ref document: JP |
 | WWE | Wipo information: entry into national phase | Ref document number: 1020067010250, Country of ref document: KR |
 | WWE | Wipo information: entry into national phase | Ref document number: 2004812045, Country of ref document: EP |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWW | Wipo information: withdrawn in national office | Ref document number: DE |
 | ENP | Entry into the national phase | Ref document number: 2004296049, Country of ref document: AU, Date of ref document: 20041123, Kind code of ref document: A |
 | WWP | Wipo information: published in national office | Ref document number: 2004296049, Country of ref document: AU |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | WWP | Wipo information: published in national office | Ref document number: 2004812045, Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 1020067010250, Country of ref document: KR |