Methods and apparatus for implementing authentication
IPC classification information
Country / type
United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
H04L-029/06
H04L-009/32
G06F-007/04
G06F-017/30
G06F-015/16
Application number
US-0152097
(2011-06-02)
Registration number
US-8397059
(2013-03-12)
Inventor / address
Ferguson, JC
Applicant / address
F5 Networks, Inc.
Agent / address
LeClairRyan, a Professional Corporation
Citation information
Times cited: 8
Cited patents: 181
Abstract
A proxy (e.g., a switch) resides in a respective network environment between one or more clients and multiple servers. One purpose of the proxy is to provide the clients a unified view of a distributed file system having respective data stored amongst multiple remote and disparate storage locations over a network. Another purpose of the proxy is to enable the clients to retrieve data stored at the multiple servers. To establish a first connection between the proxy and a respective client, the proxy communicates with an authentication agent (residing at a location other than at the client) to verify a challenge response received from the client. When establishing a set of second connections with the multiple servers, the proxy communicates with the authentication agent to generate challenge responses on behalf of the client. The proxy facilitates a flow of data on the first connection and the set of second connections.
Representative claims
1. A method for authenticating communications in a network environment, the method comprising: engaging, with a proxy device, in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client; engaging, with the proxy device, in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers; and facilitating, with the proxy device, a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.
2. A method as in claim 1, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
3. A method as in claim 1, wherein engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
4. A method as in claim 1, wherein the first challenge is a request generated by the proxy device on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
5. A method as in claim 1, wherein the engaging in the second set of communications includes: receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
6. A method as in claim 1, wherein the resource is an authentication agent and the security information associated with the client is obtained from a domain controller associated with the network environment, the method further comprising: enabling, with the proxy device, the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and initiating, with the proxy device, the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
7. A method as in claim 1 wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
8. A method as in claim 1, wherein the facilitating the flow of traffic comprises: managing how information is stored in the multiple servers; and providing the client a unified view of accessible information stored in the multiple servers.
9. A proxy device, comprising: one or more processors, a network interface controller, and a memory, at least one of the processors or the network interface controller configured to be capable of executing instructions to implement: engaging in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client; engaging in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers; and facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.
10. A proxy device as in claim 9, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
11. A proxy device as in claim 9, wherein the engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
12. A proxy device as in claim 9, wherein the first challenge is a request generated on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
13. A proxy device as in claim 9, wherein the engaging in the second set of communications includes: receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
14. A proxy device as in claim 9, wherein the resource is an authentication agent and the security information associated with the client is obtained from a domain controller associated with the network environment and the at least one of the processors or the network interface controller is further configured to be capable of executing instructions to implement: enabling the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and initiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
15. A proxy device as in claim 9, wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
16. A proxy device as in claim 9, wherein the facilitating the flow of traffic includes: managing how information is stored in the multiple servers; and providing the client a unified view of accessible information stored in the multiple servers.
17. A non-transitory computer readable medium having instructions stored thereon for authenticating communications in a network environment comprising machine executable code which when executed by a processing device, causes the processing device to perform steps comprising: engaging in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to a resource independent of the client, and receiving a notification from the resource that the client has been authenticated, the notification generated using security information associated with the client; engaging in a second set of communications to establish a set of second communication links with multiple servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource, receiving a second challenge response for each of the servers from the resource, each of the second challenge responses generated using a respective one of the second challenges and the security information, forwarding a respective one of the challenge responses to each of the servers; facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the multiple servers.
18. The computer readable medium as in claim 17, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
19. The computer readable medium as in claim 17, wherein the engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
20. The computer readable medium as in claim 17, wherein the first challenge is a request generated on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
21. The computer readable medium as in claim 17, wherein the engaging in the second set of communications further comprises: receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
22. The computer readable medium as in claim 17, wherein the resource is an authentication agent and the security information associated with the client is obtained from a domain controller associated with the network environment, the medium further having stored thereon machine executable code which when executed by a processing device, causes the processing device to perform steps further comprising enabling the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and initiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
23. The computer readable medium as in claim 17, wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
24. The computer readable medium as in claim 17, wherein the facilitating the flow of traffic further comprises: managing how information is stored in the multiple servers; and providing the client a unified view of accessible information stored in the multiple servers.
25. A system for authenticating communications in a network environment, the system comprising: a plurality of servers, a resource device, and a proxy device, the proxy device comprises one or more processors, a network interface controller configured to communicate with the plurality of servers and the resource device, and a memory, at least one of the processors or the network interface controller configured to implement: engaging in a first set of communications to establish a first communication link with a client, the first set of communications comprising sending to the client a first challenge, obtaining from the client a first challenge response, sending the first challenge response to the resource device, the resource device independent of the client, and receiving a notification from the resource device that the client has been authenticated, the notification generated using security information associated with the client; engaging in a second set of communications to establish a set of second communication links with the servers on behalf of the client, the second set of communications comprising receiving a second challenge from each of the servers, sending the second challenges to the resource device, receiving a second challenge response for each of the servers from the resource device, each of the second challenge responses generated using a respective one of the second challenges and the security information, and forwarding a respective one of the second challenge responses to each of the servers; and facilitating a flow of traffic between the first communication link and the set of second communication links to enable the client to access information from the servers.
26. The system as in claim 25, wherein the engaging in the first set of communications and the second set of communications includes propagating an identity of the client to the multiple servers via an authentication process used to establish the second set of communication links with the multiple servers on behalf of the client, wherein the security information includes the identity of the client.
27. The system as in claim 25, wherein the engaging in the first set of communications and the second set of communications occurs in response to the client attempting to mount a respective file system supported by the multiple servers.
28. The system as in claim 25, wherein the first challenge is a request generated on behalf of the multiple servers for the client to produce an encrypted value based on a proper password associated with the client, wherein the challenge response includes the encrypted value.
29. The system as in claim 25, wherein the engaging in the second set of communications further comprises: receiving a unique value from each of the multiple servers, wherein each of the second challenges includes one of the unique values; and replying to multiple unique values from the multiple servers with a different one of the second challenge responses on behalf of the client.
30. The system as in claim 25, further comprising a domain controller and wherein the resource device is an authentication agent and the security information associated with the client is obtained from the domain controller, the medium further having stored thereon machine executable code which when executed by a processing device, causes the processing device to perform steps further comprising enabling the agent to obtain a memory dump from the domain controller associated with the network environment, the memory dump including security information comprising username information and corresponding password encryption key information for each of multiple clients authorized to communicate with the multiple servers; and initiating the agent to authenticate the client based on respective username information associated with the client retrieved from the memory dump and applying a respective password encryption key associated with the respective username information to a numerical value included in the first challenge.
31. The system as in claim 25, wherein the facilitating the flow of traffic further comprises utilizing at least one access control list associated with the multiple servers to enable the client to retrieve at least some of the information stored in the multiple servers and prevent other clients from accessing at least some of the information stored in the multiple servers.
32. The system as in claim 25, wherein the facilitating the flow of traffic further comprises: managing how information is stored in the multiple servers; and providing the client a unified view of accessible information stored in the multiple servers.
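The two-stage flow described in the abstract and in claims 1 to 6, as an added example that is not code from the patent or from F5: a Python simulation in which the proxy holds no key material, the authentication agent verifies the client's answer to the first-link challenge, and the agent then answers each server's own unique challenge on the client's behalf. HMAC-SHA256 as the response function, the in-memory key store, and the agent's refusal to answer server challenges for a session that has not passed the first link are assumptions of this example, not details the patent states.

```python
import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: bytes) -> bytes:
    # Assumed response function: a keyed MAC over the challenge value. The patent
    # only says the client's password encryption key is applied to the challenge.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthAgent:
    """The resource independent of the client. Holds username -> key material
    (per the claims, obtained from the domain controller); the proxy never sees it."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._authenticated = set()  # (session, username) proven on the first link

    def verify_client(self, session, username, challenge, response):
        # First link: check the client's answer to the challenge the proxy issued.
        key = self._keys.get(username)
        if key is None:
            return False
        ok = hmac.compare_digest(compute_response(key, challenge), response)
        if ok:
            self._authenticated.add((session, username))
        return ok

    def respond_for_client(self, session, username, server_challenge):
        # Second links: answer a server's challenge on the client's behalf.
        # Assumed hardening, not stated in the claims: refuse unless this session
        # passed the first link, so the agent is not a response oracle.
        if (session, username) not in self._authenticated:
            raise PermissionError("session not authenticated on first link")
        return compute_response(self._keys[username], server_challenge)


class Server:
    """A storage server that issues its own unique challenge value (claim 5).
    Assumption: it checks responses against the same key store the agent uses."""

    def __init__(self, name, keys):
        self.name = name
        self._keys = keys
        self.accepted = {}  # username -> nonce of the accepted session

    def challenge(self):
        return secrets.token_bytes(16)

    def accept(self, username, nonce, response):
        key = self._keys.get(username)
        ok = key is not None and hmac.compare_digest(compute_response(key, nonce), response)
        if ok:
            self.accepted[username] = nonce
        return ok


class Client:
    def __init__(self, username, key):
        self.username = username
        self._key = key

    def answer(self, challenge):
        return compute_response(self._key, challenge)


class Proxy:
    """Sits between client and servers and holds no key material at all."""

    def __init__(self, agent, servers):
        self.agent = agent
        self.servers = list(servers)

    def connect(self, client):
        # Returns {server name: accepted}, or {} when the first link fails; no
        # second link is attempted for a client the agent did not authenticate.
        session = secrets.token_hex(8)
        first_challenge = secrets.token_bytes(16)  # issued on behalf of the servers (claim 4)
        first_response = client.answer(first_challenge)
        if not self.agent.verify_client(session, client.username,
                                        first_challenge, first_response):
            return {}
        results = {}
        for srv in self.servers:
            nonce = srv.challenge()  # a different unique value from each server
            resp = self.agent.respond_for_client(session, client.username, nonce)
            results[srv.name] = srv.accept(client.username, nonce, resp)
        return results
```

A client that fails the first link gets no second links at all, and a caller that reaches the agent directly cannot obtain server responses without a session the agent itself authenticated.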