JP2007520791A - Method and apparatus for remote authentication in a server-based computer system - Google Patents

Abstract

A method and apparatus for remotely authenticating a user to a server in a server-based computing environment. The client computing device receives the user certificate and generates user authentication data based on the received certificate. The client computer device transmits the generated user authentication data to the server computer device. The server computing device authenticates the user in response to the transmitted user authentication data. The server computing device generates new user authentication data based on the transmitted user authentication data. The server computing device sends new user authentication data to the second server. The second server authenticates the user in response to the received user authentication data.

Description

  The present invention relates to a method and apparatus for providing distributed application processing in server-based computer systems, and in particular for remote authentication techniques in such systems.

  Techniques for providing remote access to networked resources include various client / server software combinations. One of these techniques is often referred to as a “thin-client” or “server-based computer” system. In these systems, the application program is executed by the server computer device for one or more client computer devices. Client input and application output to the application are transmitted between the client computer device and the server computer device. These systems generally require a user of a client computer device to authenticate themselves before the application can be executed for the user by the server computer device.

  A client computing device may require a user to log on locally before using the device. Logging on locally to a client computing device usually requires a username and password, but many client operating systems use biometrics such as, for example, token-based schemes, smart cards, or fingerprints. Allows the logon mechanism to be replaced to require you to log on.

  Despite authenticating to the client computer device, the user often also needs to authenticate to the server computer device. However, if a replacement logon mechanism as described above is used, the user cannot be authenticated to the server computer device because the server computer device often only allows a username and password. If the user authenticates using a technique such as biometric or smart card, the user may not know a valid username-password combination useful for authenticating to the server computer device. Some techniques allow intercept by a client computing device of a user-supplied username-password combination. However, these techniques do not work if the standard authentication mechanism is replaced.

  Therefore, an improved method for remotely authenticating a user of a thin client system is desired.

  In one aspect, the present invention provides a method for remotely authenticating a user of a client computing device. Citrix Systems, Inc., Lauderdale, Florida. Use the industry standard Generic Security Services Application Interface (GSAPI) in conjunction with the thin client protocol such as the ICA protocol produced by Microsoft or the RDP protocol produced by Microsoft Corporation in Redmond, Washington.

  In another aspect, the present invention enhances security by providing network providers with an alternative method of pass-through authentication. Instead of the client computing device sending user authentication credentials, eg, passwords, to the server computing device, the authentication virtual channel driver sends authentication data over the virtual channel within the thin client protocol. User authentication data can be used to verify a user's identity, but does not reveal authentication credentials hidden behind the user. The transmitted user authentication data is used to authenticate the user to the server computer device. The client therefore never accesses the user authentication credentials. It is not required to install a network provider that requires administrator privileges and makes the authentication credentials available to any local processing on the client computing device. The user's authentication credentials are not transmitted over the network in any way. Remote authentication is performed by an operating system hidden behind the server computer device.

  In one aspect of the invention, the client computing device receives a user certificate and generates user authentication data based on the received certificate. The client computer device transmits the generated user authentication data to the server computer device. The server computing device authenticates the user in response to the user authentication data. The server generates new user authentication data based on the received user authentication data. The server sends new user authentication data to the second server. The second server authenticates the user in response to the received user authentication data. In one embodiment, the user accesses available resources through a connection between the first server and the second server.

  In another aspect, the present invention uses virtual channels within the ICA or RDP protocol to exchange authentication data for remote authentication of users. A virtual channel is any logical combination between two or more endpoints for the purpose of transmitting data between the endpoints.

  In other aspects, the present invention uses GSSAPI for authentication. Thus, the present invention works with any authentication method supported by a GSSAPI implementation, such as the Kerberos authentication method, and can be used with any client computer platform or device that supports GSSAPI.

  In other aspects of the present invention, user authentication credentials (e.g., passwords) are not explicitly intercepted or handled by either the client or the server. User authentication credentials are not transmitted between the client computer device and the server computer device.

  In another aspect of the invention, the client computer device authenticates the server computer device, and the server computer device authenticates the user of the client computer device.

  In another aspect of the invention, a delegation security policy in Microsoft Windows is supported. For example, if a user account is enabled that sets “Account is sensitive and should not be delegated,” that user cannot use this remote authentication technique to log on to other servers.

  These and other aspects of the invention will become apparent from the following detailed description and the accompanying drawings, which are meant to illustrate rather than limit the invention.

  Exemplary embodiments of the present invention are applicable to distributed network environments where remote users request access to content. Before describing the features of the present invention, it may be helpful to discuss some network environments in which exemplary embodiments of the present invention may be used.

  Referring to FIG. 1, in a brief overview, one embodiment of a client server system in which the present invention may be used is shown. The first computer device (client computer device) 100 communicates with the second computer device (server computer device) 140 through the communication network 180. In some embodiments, the second computing device is also the client device 100. The topology of the network 180 in which the client device 100 communicates with the server device 140 can be a bus, star, or ring topology. The network 180 can be a local area network (LAN), a metropolitan area network (MAN), or a wide area information network (WAN) such as the Internet.

  Client and server devices 100, 140 may include a variety of standard telephone lines, LAN or WAN links (eg, T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections. A connection can be made to the network 180 via the connection. Connections can be established using various communication protocols (eg, TCP / IP, IPX, SPX, NetBIOS, NetBEUI, SMB, Ethernet, ARCNET, Fiber Distributed Data Interface (FDDI), RS232, IEEE. 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and direct asynchronous connection). Other client devices and server devices (not shown) may also be connected to the network 180.

  Client device 100 is capable of receiving and displaying output from one or more server computing devices 140 from applications executing for that device, and operates in accordance with the protocols disclosed herein. Can be any device capable of. The client computer device 100 can be a personal computer, a Windows-based terminal, a network computer, an information device, an X device, a workstation, a minicomputer, a personal digital assistant, or a mobile phone.

  Similarly, server computer device 140 receives from client computer device 100 user input for an application to execute, executes an application program for client computer device 100, and uses the protocols disclosed herein. Any computer device capable of interacting with the client computing device. Server computer devices 140 may be provided as a group of server devices that logically act as a single server system referred to herein as a server farm. In one embodiment, the server computing device 140 is a multi-user server system that supports multiple simultaneously active client connections.

  2A and 2B show block diagrams of an exemplary computer 200 useful as the client computer device 100 and the server computer device 140. As shown in FIGS. 2A and 2B, each computer 200 includes a central processing unit 202 and a main memory unit 204. Each computer 200 communicates with other optional elements such as one or more input / output devices 230a-230b (generally referred to using reference number 230) and a central processing unit 202. May also be included.

  Central processing unit 202 is any logic circuit that responds to and processes instructions fetched from main memory unit 204. In many embodiments, the central processing unit is an 8088, 80286, 80386, 80486, Pentium (R), Pentium (R) Pro, all produced by Intel Corporation, located in Mountain View, California. , Pentium® II, Celeron, or Xeon processors; all produced by Motorola Corporation in Schaumburg, Illinois, 68000, 68010, 68020, 68030, 68040, PowerPC 601, PowerPC 604e, PowerPC 603e, M400. , MPC603ev, MPC603r, MPC 03p, MPC740, MPC745, MPC750, MPC755, MPC7400, MPC7410, MPC7441, MPC7445, MPC7447, MPC7450, MPC7451, MPC7455, MPC7457 processor; TM5500, Crusoe TM5400, Efficeon TM8600, Efficeon TM8300, Efficeon TM8620 processor; all by International Business Machines in White Plains, New York Produced RS / 6000 processor, RS64, RS64 II, P2SC, POWER3, RS64 III, POWER3-II, RS64 IV, POWER4, POWER4 +, POWER5, or POWER6 processors; or Advanced MicroD in Sunnyvale, California. Provided by a microprocessor unit such as an AMD Opteron, AMD Athlon 64FX, AMD Athlon, or AMD Duron processor.

  The main memory unit 204 is capable of storing data, and includes a static random access memory (SRAM), a burst SRAM or a sync burst SRAM (BSRAM), a dynamic random access memory (DRAM), and a fast page mode DRAM (FPM). Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BED DRAM), Enhanced DRAM (Enhanced DRAM) DRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM) or Ferroelectric RAM (FRAM) 202 There can be one or more memory chips that allow any storage arrangement to be directly accessed. In the embodiment shown in FIG. 2A, processor 202 communicates with main memory 204 via system bus 220 (described in more detail below). FIG. 2B illustrates an embodiment of a computer system 200 where the processor communicates directly with main memory 204 via a memory port. For example, in FIG. 2B, the memory 204 can be a DRDRAM.

  2A and 2B illustrate an embodiment where the main processor 202 communicates directly with the cache memory 240 via a second bus, sometimes referred to as the “backside” bus. In other embodiments, the main processor 202 communicates with the cache memory 240 using the system bus 220. Cache memory 240 generally has a faster response time than main memory 204 and is typically provided by SRAM, BSRAM, EDRAM.

  In the embodiment shown in FIG. 2A, processor 202 communicates with various I / O devices 230 via local system bus 220. Various buses include an I / O device 230 including a central processing unit 202, a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or NuBus. Can be used to connect to. In embodiments where the I / O device is a video display, the processor 202 may use an Advanced Graphics Port (AGP) to communicate with the display. FIG. 2B illustrates an embodiment of a computer system 200 in which the main processor 202 communicates directly with the I / O device 230b via HyperTransport, Rapid I / O, or InfiniBand. FIG. 2B also illustrates an embodiment where direct communication is mixed with a local bus: processor 202 communicates directly with I / O device 230b while using a local interconnect bus to communicate with I / O device 230a. To do.

  A wide variety of I / O devices 230 may exist in computer system 200. Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets. Output devices include video displays, speakers, ink jet printers, laser printers, and dye sublimation printers. The I / O device is a floppy (registered) for receiving a mass storage such as a hard disk drive, a floppy disk such as a 3.5 inch, 5.25 inch disk or a ZIP disk for the computer system 200. Trademark) disk drives, CD-ROM drives, CD-R / RW drives, DVD-ROM drives, various types of tape drives, and Twintech Industry, Inc., located in Los Alamitos, California. USB storage devices such as USB Flash Drive line devices produced by can also be provided.

  In a further embodiment, the I / O device 230 includes a system bus 220 and a USB bus, an Apple Desktop bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet (registered trademark) bus, an AppleTalk bus, a Gigabit. External communication between an Ethernet (registered trademark) bus, an asynchronous transfer mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, an SCI / LAMP bus, a Fiber Channel bus, or a Serial Attached small computer system interface bus Can be a bridge.

  The type of general-purpose desktop computer shown in FIGS. 2A and 2B generally operates under the control of an operating system that controls the scheduling of tasks and access to system resources. A typical operating system is Microsoft Corp., located in Redmond, Washington. MICROSOFT WINDOWS® produced by MacOS; MacOS produced by Apple Computer in Cupertino, California; OS / 2 produced by International Business Machines in Armonk, New York; Caldera Corp. Linux, which is an operating system that can be freely used among others distributed by.

  In other embodiments, the client computing device 100 may have different processors, operating systems, and input devices that are consistent with the device. For example, in one embodiment, the client computing device 100 is connected to Palm, Inc. Zire 71 personal digital assistant produced by In this embodiment, Zire 71 uses an OMAP 310 processor produced by Texas Instruments in Dallas, Texas, operates under the control of the PalmOS operating system, and includes a liquid crystal display screen, stylus input device, and 5-way (Five-way) Includes a navigator device.

  With reference to FIG. 3A, a block diagram illustrates an embodiment of a network 40 in which the present invention may be implemented. Servers 30, 32, and 34 may belong to an equivalent domain 38. In the network 40, a domain is a subgroup including a group of application servers and client nodes under the management of one security database. A domain may include one or more “server farms”. (A server farm is a group of servers that are linked together to act as a single server system to provide centralized management.) Conversely, a server farm includes one or more domains. obtain. In order for servers in two different domains to belong to an equivalent server farm, a trust relationship may need to exist between the domains. A trust relationship is a relationship between different domains that allows a user to access resources associated with each domain using only one logon authentication.

  In one embodiment, application server 36 is in a different domain than domain 38. In another embodiment, application server 36 is in a domain equivalent to servers 30, 32, and 34. For either embodiment, server 36 may belong to another server farm, while application servers 30, 32, and 34 may belong to one server farm, or application servers 30, 32, 34, and 36 All can belong to an equivalent server farm. When a new server is connected to the network 40, the new server either joins an existing server farm or starts a new server farm.

  Client nodes 10 and 20 can be in a domain or not connected to any domain. In one embodiment, client node 10 is in domain 38. In another embodiment, the client node 10 is in another domain that does not include any of the application servers 30, 32, 34, or 36. In another embodiment, client node 10 is not in any domain.

  In one embodiment, the client node 10 is in the domain 38 and the user of the client node provides a user credential to log on to the client node 10. The user certificate typically includes the client node's username, the user's password, and the domain name by which the user is recognized. User certificates can be smart cards, time-based tokens, social security numbers, user passwords, personal identification (PIN) numbers, digital certificates based on symmetric keys or elliptic curve cryptography, user biometric features, or client node user The identification can be obtained from any other means that can be obtained and submitted for authentication.

  The client node 10 generates user authentication data from the certificate provided by the user. The client node 10 transmits this user authentication data to the server 30. In this embodiment, the client certificate is not sent over the network and only the resulting user authentication data is sent by the client node.

  The server 30 can also determine from the user authentication data and application related information which application programs hosted by the application server farm that includes the server 30 are available for use by the user of the client node. The server 30 transmits information representing available application programs to the client node 10. This process eliminates the need for client node users to set up application connections. In addition, server farm administrators can control access to applications among various client node users.

  Although an application, such as the hosted application program described below, may exist on another server, the user authentication performed by the server 30 uses the use of each hosted application program shown in the client node 10. Enough to authenticate. Thus, in this embodiment, when a client node launches (ie begins execution) into one of the host applications, additional input of user credentials by the user is not allowed to authenticate use of that application. I need it. Thus, a single entry of user credentials can help determine available applications and authenticate such application launches without additional manual logon authentication processing by the client user.

  FIG. 3B illustrates another exemplary process by the client node 10 starting to run an available application and the server presenting the result of the application to the client node 10. The user of client node 10 requests a lunch of application 41 (eg, by clicking on an icon displayed on client node 10 representing the application). The request 42 for the application is directed to the first server node, which is the server 30 in this embodiment. If the application is on the first server node 30, the first server node 30 may execute the application and return the result to the client node 10. Alternatively, the first server node 30 may indicate to the client node 10 that the application 41 is available on another server, which in this example is the server 32 (arrow 43). The client node 10 and the server 32 establish a connection (arrows 45 and 46) when the client node 10 requests execution of the application 41. Server 32 may execute application 41 and transfer the results to client node 10 (ie, a graphical user interface).

  FIG. 3C shows another exemplary process by the client node 20 initiating execution of an available application in this example via the World Wide Web. The client node 20 executes a web browser application 80 such as MICROSOFT INTERNET EXPLORER produced by Microsoft Corporation in Redmond, Washington. The client node 20 transmits a request 82 to access a Uniform Resource Locator (URL) address corresponding to an HTML page dynamically generated by the server 30 via the web browser 80. In some embodiments, the first response 84 returned by the server 30 to the client node 20 is an authentication request that requires the client node 20 to be identified.

  The user provides a user certificate to the client node 20. The client node 20 generates user authentication data based on the provided user certificate. The authentication request allows the client node 20 to send user authentication data to the server 30 via the web browser 80 for authentication. The transmitted user authentication data is verified by the server 30.

  The server 30 can also determine from the user authentication data and application related information which application programs hosted by the application server are available for use by the user of the client node 20. The server 30 generates an HTML page including information representing an available application program and transmits it to the client node 20 via the web browser 80. The information includes a separate lunch URL address corresponding to each available application.

  In the present embodiment, available applications are displayed on the client node 20 via the web browser 80. The client node display has a window 58 showing a graphical icon 57 representing the available application program. The user of the client node 20 can launch the application program by clicking the icon 57 using the mouse. The client node 20 transmits a request 86 via the web browser 80 so as to access the URL address corresponding to the application launch service in the server 30. The server node 30 executes, via the web browser 80, the client node 20 through launch information 88 indicating how a connection can be established to execute the application and transfer the result to the client node 20. Send to.

  FIG. 3D illustrates an exemplary process of communication between the client node 10, a first server node, which in this example is a server 30, and the server 32. The client node 10 has a server 32 and an active connection 72. Client node 10 and server 32 may use active connection 72 to exchange information regarding the execution of the first application program. User authentication data generated by the client node 10 from the received user certificate is stored in the client node. Such storage of user authentication data is in cache memory.

  In the present embodiment, available applications are displayed on the client node 10. The client node display has a window 58 that shows a graphical icon 57 representing the second application program. The user of the client node 10 can launch the second application program by double-clicking the icon 57 using the mouse. The request passes to the first server node 30 via connection 59. The first server node 30 indicates to the client node 10 via connection 59 that the requested application is available on the server 32. The client node 10 signals the server 32 to establish the second connection 70. The server 32 requests user authentication data from the client node 10 in order to authenticate access to the second application program. The client node 10 generates user authentication data based on the stored user authentication data. The client node 10 then transmits user authentication data to the server 32. In successful authentication, the client node 10 and the server 32 establish a second connection 70 and exchange information regarding the execution of the second application program. Accordingly, the client node 10 and the server 32 communicate with each other through a plurality of connections.

  FIG. 4 illustrates in more detail a system for remotely authenticating a user of client node 100 to server computer device 140. As shown in FIG. 4, the client computing device 100 includes an authentication module 310 that is in communication with a thin client program 320. The authentication module 310 receives user authentication credentials that are provided for the purpose of authenticating the user to the client computer device 100, the server computer device 140, or both. The received authentication credentials include: username-password combination, graphical password data, RSA Security Inc. at Massachusetts, Bedford. May include data derived from time-based tokens such as the SecurlD line of tokens produced by, challenge response data, information from smart cards, and biometric information such as fingerprints, voiceprints or facial features. The authentication module 310 may use the provided authentication credentials to authenticate the user to the client computing device 100. For example, in a WINDOWS®-based environment, the authentication module 310 can be provided by a MSGINA dynamically linked library. In other embodiments, for example, in a Unix-based environment, the authentication module 310 can be provided by the Unix® Pluggable Authentication Manager using the pam_krb module. In still other embodiments, the authentication module 310 may be provided by a Unix® quit command program.

  In the embodiment shown in FIG. 4, the client computing device also includes a security service 312. In other embodiments, the authentication module 310 and the security service 312 are provided as an equivalent dynamically linked library. Security service 312 provides security services, such as authentication to client computer devices and authentication to remote host or network services, to modules and applications residing on client computer devices, including authentication module 310 and thin client application 320. For example, a security service 312 that can be a GS SAPI identified by the Internet Engineering Task Force (IETF) or an SSPI produced by Microsoft Corporation in Redmond, Washington, can be authenticated by a module or application request on a client computing device. A Kerberos ticket may be obtained in response to receipt of the certificate, and this ticket is used to obtain an additional Kerberos ticket for authenticating the user to the remote host or network service. The security service 312 may then use these Kerberos tickets as needed for remote authentication and generate user authentication data. In one embodiment, the security service 312 may generate user authentication data using an external authentication service such as a Key Distribution Center in a Kerberos environment or an Active Directory in a Windows-based environment.

  The security service 312 provides the thin client application 320 with generated user authentication data, such as, for example, a Kerberos ticket and an associated Kerberos authentication code. The thin client application 320 sends user authentication data to the server computing device 140 for remote user authentication. Thus, unlike existing single sign-on mechanisms for server-based computing, user-provided authentication credentials are not transmitted over the network 180 to the server computing device 140. The user authentication data generated by the security service 312 is independent of the method used by the user to authenticate to the client computing device 100. Thus, for example, whether a user attempts to use a username-password combination or biometric to authenticate to the client computer device 100, a Kerberos ticket for the user of the client computer device 100 is obtained.

  In the illustrated embodiment of FIG. 4, the thin client application 320 communicates with the server computing device 140 via a thin client protocol having one or more virtual channels 335. In these embodiments, the thin client application 320 loads a virtual channel driver and uses it to send and receive messages on the authentication virtual channel. In some embodiments, the virtual channel driver exposes a function to open the virtual channel and transmit data across it.

  The thin client application 320 indicates to the server-side thin client application 350 that an authentication virtual channel is available when a thin client protocol connection is established, and provides the server computer device 140 with a data structure for the virtual channel 335. Pass. In one embodiment, the virtual channel data structure for the authentication virtual channel provides an indication of the virtual channel information and the largest data packet size that the client computer device 100 can receive or transmit from the server computer device 140 over the virtual channel 335. Including. The data packet size is constrained by the maximum thin client size and any specific memory limit imposed by the client computing device 100. In one particular embodiment, the data structure for the authentication virtual channel is defined as follows:

サーバ側シンクライアントアプリケーション３５０は、仮想チャネルを開口し、チャネルにバインドリクエストメッセージを送信することによる、認証仮想チャネル３３５を使用して認証を実行する意図を、シンクライアントアプリケーション３２０に示す。仮想チャネルが一度開口されると、シンクライアントアプリケーション３２０にある仮想チャネルドライバは、一実施形態において、仮想チャネルからバインディングをリクエストするメッセージを読み取り、バインドリクエストに応答して仮想チャネルにメッセージを送信し、およびチャネルから「コミット」メッセージを読み取る。一実施形態において、バインディングをリクエストするメッセージは、サポートされているプロトコルバージョンを特定するデータを含む。他の実施形態において、プロトコルバージョンは、バインドリクエストおよびバインド応答メッセージを使用して、シンクライアントアプリケーション３２０とサーバ側シンクライアントアプリケーション３５０との間にてネゴシエートされ得る。

The server-side thin client application 350 indicates to the thin client application 320 the intention to perform authentication using the authentication virtual channel 335 by opening a virtual channel and sending a bind request message to the channel. Once the virtual channel is opened, the virtual channel driver in the thin client application 320, in one embodiment, reads a message requesting binding from the virtual channel and sends a message to the virtual channel in response to the bind request; And read "commit" messages from the channel. In one embodiment, the message requesting the binding includes data identifying a supported protocol version. In other embodiments, the protocol version may be negotiated between the thin client application 320 and the server-side thin client application 350 using a bind request and bind response message.

  The bind request, bind response, and bind commit initialization message allow the server-side thin client application 350 and the thin client application 320 to conduct a three-way handshake initiated by the server-side thin client application 350. , Negotiate the capability. If the current set of virtual channel possibilities can be negotiated using only a two-way handshake, the two-way handshake can be initiated by the server-side thin client application 350, but the three-way handshake is a new possibility Supported to allow more flexibility that may be required by future enhancements to gender or current potential. For example, after receiving a “menu” of possibilities from the server-side thin client application 350 in a three-way handshake, the thin client application 320 may indicate a specific preference, or alternatively, to a specific possibility. Allows the full set of related options, thus allowing the server-side thin client application 350 to make decisions on specific options. In a two-way handshake initiated by the thin client application 320, the thin client application 320 cannot indicate a specific preference because it cannot be supported by the host.

  Following channel setup, the virtual channel drivers in both thin client application 320 and server side thin client application 350 do the following in a loop until a “stop” or “error” message is received: virtual channel To provide as input any authentication data sent by other parties and retrieve the authentication data from the security services 312, 312 '; the extracted authentication data (if any) is sent to the virtual channel in the data message Send. If the withdrawal of data from the security services 312, 312 'returns a "STOP" message, the signal stops and closes the authentication virtual channel. In some embodiments, the virtual channel driver may reset itself in a “CONTINUE” signal. If the data withdrawal from the security services 312, 312 'returns a "continue" message, continue. If the withdrawal of authentication data from the security services 312 and 312 'returns “ERROR”, a signal that an error has occurred is signaled, and the authentication virtual channel is closed.

  Unless a “stop” or “error” signal is sent, the virtual channel driver of the thin client application 320 and the server-side thin client application 350 will generate a data buffer to which the security services 312, 312 ′ are transmitted. Data messages can be exchanged freely until stopped. In some embodiments, the number of messages exchanged may be limited by a virtual channel driver, server-side thin client application 350, or virtual channel 335. In other embodiments, the virtual channel drivers of the thin client application 320 and the server-side thin client application 350 exchange messages continuously, i.e., without replying to the first message sent to the other. One message is not sent in one direction. In either embodiment, the message exchange may stop after the message is sent in either direction.

  In some specific embodiments, the data message is initially transmitted through a virtual channel, the Last Significant Double Word (LSDW), the Last Significant Word (LSW), and the Last Significant Byte (LSB). In other specific embodiments, data messages are aligned on byte boundaries and fully packed into memory. In these embodiments, the data fields are arranged in memory to be written to or read from the virtual channel.

  Some messages sent on the authentication virtual channel span multiple virtual channel packets. To support this, every message should be preceded by a message that specifies the length of the next command to be sent. Examples of messages that can be used to specify the length of the following commands are:

である。

It is.

  In some of these embodiments, PKT_CMDLEN also includes a command number to indicate what type of message follows:

Ｌｅｎｇｔｈ＝０を含むＰＫＴ＿ＣＭＤＬＥＮパケットは、データはもう続かないことを示す（すなわち、論理チャネル閉路）。

A PKT_CMDLEN packet containing Length = 0 indicates that the data no longer continues (ie, logical channel closure).

  The server-side thin client application 350 passes authentication data received through the authentication virtual channel to the security service 312 '. If the server-side security service 312 'can verify the data, it generates an access token that represents a logon session for the user, allowing the user to authenticate to the server computing device 140 without resubmitting authentication credentials. An access token is a data object that contains a locally unique identifier (LUID) for a logon session, in addition to others. If the server-side security service 312 'cannot verify the data, the user is prompted to resubmit the authentication credentials.

  In some embodiments, the only virtual channel that a user can communicate with the server computing device 140 until the server-side security service 312 'authenticates the user is an authentication virtual channel. In some of these embodiments, after authentication, a new virtual channel is initiated for communication. In other embodiments, only one virtual channel exists and can be used only for authentication-related communications until the user is authenticated, and can be used for other communications after the user is authenticated.

  For embodiments in which the server-side computing device 140 operates under the control of the MICROSOFT WINDOWS® operating system, the access token generated by the server-side security service 312 ′ is an imitation with only network logon rights ( imperonation) token. That is, the generated access token is not suitable for use to initiate an application to run interactively as required in a WINDOWS server based computing environment. In order to allow the application to run interactively, a primary access token with interactive logon rights is required. In one embodiment, the generated access token is modified to provide the appropriate rights. In other embodiments, a new token is generated for the user.

  For embodiments in which server-side computing device 140 operates under the management of a Unix-based operating system, server-side security service 312 ′ receives from server-side thin client application 350 over an authentication virtual channel. When the authentication data is verified, the server-side thin client application 350 authorizes user access to the resource. In these embodiments, the server-side security service 312 'does not generate an access token.

  In some embodiments, after the server authenticates the user, the server shows an enumeration of resources available to the user. In these embodiments, the server may generate a page that is hosted by multiple servers and that describes the display of resources available to the client computing device. The server may then send the generated page to the client computing device for display and may receive a request from the client computing device to access one of the hosted resources.

  In some of these embodiments, a selected one of the available resources hosted by one of the plurality of servers is then executed without requiring further reception of user authentication data from the client computing device. Is done. In some of these embodiments, the server initiates a connection from the server to a second server hosting resources available to the user in response to a successful authentication by the user. In these embodiments, the available resources are executed through the connection. In some embodiments, the connection is a virtual channel.

  In other embodiments, the first server hosts a selected one of the available resources. In some of these embodiments, the server makes resources available to the user through existing connections. In other parts of these embodiments, the server makes resources available to users through new connections. In some of those embodiments, the new connection includes a virtual channel.

  The present invention may be provided as one or more computer readable programs incorporated in or on one or more articles of manufacture. The article of manufacture can be a floppy disk, hard disk, CD ROM, flash memory card, PROM, RAM, ROM, or magnetic tape. In general, a computer readable program may be implemented in any programming language. Some examples of languages that can be used include C, C ++, or JAVA. The software program can be stored as object code in one or more manufactured products.

  While the invention has been illustrated and described with respect to certain preferred embodiments, various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims. It will be appreciated by those skilled in the art that

FIG. 1 is a block diagram of an environment suitable for carrying out an exemplary embodiment of the present invention. FIG. 2A is a block diagram illustrating an embodiment of a computer useful in connection with the present invention. FIG. 2B is a block diagram illustrating a computer embodiment useful in connection with the present invention. FIG. 3A is a block diagram illustrating an embodiment of a network 40 in which the present invention may be implemented. FIG. 3B is a block diagram illustrating an embodiment of a process in which a client node starts executing an available application and the server presents the result of the application to the client node. FIG. 3C is a block diagram illustrating an embodiment of a process where a client node initiates execution of an available application via the World Wide Web. FIG. 3D is a block diagram illustrating an embodiment of a process for communication between a client node and two server nodes. FIG. 4 is a block diagram of an embodiment of a system for remotely authenticating a user of a client node to a server computing device.

Claims (36)

A method for remotely authenticating a user to a server in a server-based computing environment, the method comprising:
(A) receiving a user certificate at a client computing device;
(B) generating user authentication data based on the received certificate at the client computing device;
(C) transmitting the generated user authentication data to a server computing device;
(D) authenticating the user in response to the transmitted user authentication data at the server computing device.
(E) generating user authentication data by a first server based on the transmitted user authentication data;
(F) transmitting the user authentication data to the second server by the first server;
(G) authenticating the user by the second server in response to the received user authentication data;   The method of claim 1, further comprising allowing the user to access resources available to the user through the connection between the first server and the second server.   The method of claim 1, wherein step (a) comprises receiving a biometric user certificate at a client computing device.   The method of claim 1, wherein step (a) includes receiving a time-based passcode at a client computing device.   The method of claim 1, wherein step (a) comprises receiving a user certificate from a smart card at a client computing device.   The method of claim 1, wherein step (b) comprises generating an encrypted bit string representing the received user credentials at the client device.   The method of claim 1, wherein step (b) comprises generating user authentication data based on the received certificate by a security provider subsystem at the client device.   The method of claim 7, wherein the user authentication data is generated using an external authentication service.   The method of claim 7, wherein the user authentication data is generated by a Microsoft Windows® Security Service Provider Interface (SSPI).   The method according to claim 7, wherein the user authentication data is generated by a Generic Security Service Application Program Interface (GSSAPI).   The step (c) includes transmitting at least one virtual channel message to a server computing device, the at least one virtual channel message including at least a portion of the generated user authentication data. The method described in 1. Step (d) is
(Da) receiving at the server computer device the transmitted user authentication data;
(Db) providing the received user authentication data to a security subsystem executing locally;
The method of claim 1, comprising: (dc) authenticating the user in response to the user authentication data by the locally executing security subsystem. (E) generating a page hosted by a plurality of servers and indicating a display of resources available to the client computing device by the server;
(F) sending the generated page by the server to the client computing device for display;
(G) receiving a request from the client computing device to access one of the hosted resources;
(H) executing a selected one of the available resources hosted by one of the plurality of servers without requesting further reception of user authentication data from the client computing device; The method of claim 1 comprising.   The method of claim 1, further comprising initiating a connection from the client computing device to a server hosting resources available to the user in response to a successful authentication by the user.   The method of claim 14, wherein the connection comprises a virtual channel. A system for remotely authenticating a user to a server in a server-based computing environment, the system comprising:
A client computing device including a client-side authentication module, a client-side security provider subsystem, and a client-side virtual channel driver, wherein the client-side authentication module receives user authentication credentials and sends the client-side security provider subsystem A client that sends a certificate, and the client-side security provider subsystem generates user authentication data based on the user authentication certificate for transmission and sends the user authentication data to the client-side virtual channel driver. A computer device;
A server computer device including a server-side virtual channel driver, a server-side security provider subsystem, and a server-side authentication module, wherein the server-side virtual channel driver receives the transmitted user authentication data and receives the server-side authentication Providing the received authentication data to a module, wherein the server-side authentication module sends the user authentication data to the server-side security provider subsystem, the security provider subsystem using the authentication indication A server computing device that is responsive to the data and generates new user authentication data based on the received user authentication data;
A second server computer device that receives the new user authentication data generated by the first server computer device and authenticates the user based on the received new user authentication data.   The system of claim 16, wherein the client computing device comprises a personal computer.   The system of claim 16, wherein the client computing device comprises a personal digital assistant.   The system of claim 16, wherein the client computing device comprises a mobile phone.   The system of claim 16, wherein the client-side authentication module comprises a Microsoft Windows® graphical identification and authentication module.   The system of claim 16, wherein the client-side authentication module comprises a Unix® Pluggable Authentication Manager that uses a pam_krb module.   The system of claim 16, wherein the client-side authentication module comprises a Unix® quit command program.   The system of claim 16, wherein the client-side security provider subsystem comprises a Microsoft Windows® Security Service Provider Interface (SSPI).   The system of claim 16, wherein the client-side security provider subsystem comprises a Generic Security Service Application Program Interface (GSSAPI).   The system of claim 16, wherein the client-side virtual channel driver sends at least one virtual channel message that includes at least a portion of the user authentication data.   The system of claim 16, wherein the server-side authentication module comprises a Microsoft Windows® graphical identification and authentication module.   The system of claim 16, wherein the server-side security provider subsystem comprises a Microsoft Windows® Security Service Provider Interface (SSPI).   The system of claim 16, wherein the server-side security provider subsystem comprises a Generic Security Service Application Program Interface (GSSAPI).   The system of claim 16, wherein the server-side security provider subsystem generates a logon session and a corresponding access token in response to the user authentication data. An article of manufacture incorporating computer readable program means for remotely authenticating a user to a server in a server-based computing environment, the article comprising:
Computer readable program means for receiving a user certificate;
Computer readable program means for generating user authentication data based on the received certificate;
Computer readable program means for transmitting the generated user authentication data to a server computing device;
Computer readable program means for authenticating the user in response to the transmitted user authentication data;
Computer readable program means for generating new user authentication data based on the transmitted user authentication data;
Computer readable program means for transmitting the new user authentication data to a second server computer device by the server computer device;
An article of manufacture comprising: computer readable program means for authenticating the user in response to the transmitted user authentication data by the second server computing device.   32. The article of manufacture of claim 30, wherein the computer readable program means for receiving comprises computer readable program means for receiving a biometric user certificate.   32. The article of manufacture of claim 30, wherein the computer readable program means for receiving comprises computer readable program means for receiving a user certificate from a smart card.   31. The article of manufacture of claim 30, wherein the computer readable program means for generating comprises computer readable program means for generating an encrypted bit string representative of the received user credentials.   32. The article of manufacture of claim 30, wherein the computer readable program means for generating comprises computer readable program means for generating user authentication data based on the received user credentials.   The computer readable program means for transmitting comprises computer readable program means for transmitting at least one virtual channel message to a server computer device, wherein the at least one virtual channel message is generated by the generated user authentication. 32. The article of manufacture of claim 30, comprising at least a portion of the data.   The computer-readable program means for initiating a connection from the client computing device to a server hosting resources available to the user in response to a successful authentication by the user. Manufactured goods.

Images