As computer networks proliferate and the use of the internet, intranets and other remote methods of providing computer resources and services become more popular, the problem of authenticating users becomes more and more important. It is imperative for providers of resources such as banking services, databases holding personal or other sensitive information and internal company resources, for example, to be able to reliably identify users attempting to access their resources. As such, well known standards and methods have been developed to provide for user authentication. Many such standards and methods involve the remote exchange of some type of user authentication credential.
A user attempting to access a secure resource might be asked to enter some identifying information, such as a user id and/or a password. Behind the scenes and transparent to the user, the user's system would send the identifying information to an authentication server connected to the user's system via a network, such as the internet. Assuming the authentication server recognizes the identifying information as associated with an authorized user, an authenticated credential would be returned to the user's system, with which the user would be allowed to access the requested resource. The nature of the identifying information and the methods used by the user's system and the authentication server to verify the user's right to access the resource can all be in accordance with any one of the well-known standards regarding such functions. These methods and standards are easily identified by those skilled in the relevant arts.
One popular standard that has been developed for remote authentication of users is the Light-weight Directory Access Protocol (LDAP). LDAP may be used to authenticate users to access resources that may reside locally or remotely to the user. Typically, especially in small business environments, the LDAP server is located remotely from the user. Utilizing a remote LDAP server provided through a service provider allows the small business to save the cost of providing its own local LDAP servers. Connectivity to the LDAP server is provided via the internet, an intranet or other computer network. FIG. 1 shows one possible LDAP configuration. The user's system (or client) 10 is located on a local area network (LAN) 20 to which resources 30 are also connected. These resources can include various media such as databases or world-wide web content or computer-implemented services such as banking services, training courseware, etc. Some of these resources 30 may be secure resources, the use of which requires user authentication. The client 10 is also connected to a computer network 40, such as the internet or an intranet, via a secure gateway machine 50. The gateway machine 50 may provide connectivity to the network for other clients (not shown) as well. The presence of the gateway 50 is optional as the client 10 may be connected directly to the computer network 40. Also connected to the network 40 is an LDAP server 60 for providing LDAP user authentication services for the client 10 and other systems utilizing its services (not shown) and other secure resources (30) which may be accessed by the client 10.
In order to access resources 30 which require user authentication, the client 10 must contact the LDAP server 60 and receive an authenticated credential. When the LDAP server is unavailable, such as when any of the connections between the client and the LDAP server are down (i.e., the client-gateway connection, the gateway-network connection or the network-LDAP server connection) or when the LDAP server or the gateway machine is down, user authentication is not possible and the user is unable to access the desired secure resource(s). In the case of a business environment, this can cause serious productivity losses.
In some instances, some resources 30 may be located on the client machine 10. Authentication of the user by the LDAP server 60 would still be required before the user could access such resources. In the case where the client 10 is a mobile computer, the client will often be disconnected from the network. In such an instance, the user would be unable to access the secure resources on the mobile client because there would be no connectivity to the LDAP server. Again, serious productivity losses could result.
For these reasons, and others readily identified by those skilled in the art, it would be desirable to develop techniques to allow user's some access rights to secure resources when a remote authentication server is unavailable while maintaining a high degree of trust.