The invention pertains to client authorization in a network and specifically to client authorization in such a way that access to a logon screen or menu is avoided until after the client has been authorized to logon.
It is well known in network environments to verify that a user is entitled to service by a server or a remote application by presenting the user with a means to logon to the server or the remote application with a user identification and a password. While such means have been used for years with varying degrees of success, deficiencies still exist. For example, the presentation to a user of a logon screen or menu gives the user an opportunity to attempt to access the system, whether or not the user is actually entitled to service. It is also known to authenticate users with certificates provided by a trusted agency before providing to the user a logon screen. However, this certification authentication merely verifies that the user is who the user purports to be. It does not verify that the user is entitled to access. The provision of access alternatives, such as a logon screen or a menu or the like ,to a user after certificate authentication still gives the user an opportunity to attempt to access the system, even though the user may not be so entitled.
The invention verifies a network user as entitled to access a network node or server on the network node. It does this before the user is presented with any opportunity to access or logon to the system. When a user first attempts to access a network node, an initial exchange of conventional protocol messages occurs between the user and the node to establish initial communications. This is done without presenting to the user any opportunity to logon or to access an application. The network node requests the transmission of an authenticated user certificate from the user and the network node verifies that the user represented by the user certificate is entitled to access the node. If the user as identified by the certificate is not entitled to access, the initial connection is dropped and the user is denied any further access opportunity. If the user represented by the certificate is verified as being entitled to access, then and only then is the user presented with an access screen, such as a logon screen or an application menu.