Sometimes, a server application accessed via a client requires the credentials of a user of the client to be delegated to the server in order to support the scenarios enabled by the server application. In such a delegation situation, the password of the user of the remote terminal is required on the server side in order for the server applications to emulate the functionality that is available when a user is simply logged in as a local user of the server applications.
However, current systems for delegating credentials from a client to a server application for access to the capabilities of the server application are not secure enough, i.e., insufficient protection exists when delegating/transmitting the user's credentials from the client to the server, leaving the user's credentials vulnerable to certain forms of attack. Currently, for instance, the calling application on either the server or client side sometimes has access to the user's clear text credentials, and thus the user's credentials are somewhat insecure. In addition, there is currently no policy-driven way to control and restrict the delegation of user credentials from the client to the server that applies to any type of user credentials, i.e., username/password, smartcard pin, one time passcodes (OTP), etc.
As described in more detail below with respect to the invention, it would be desirable to improve upon these and other deficiencies of the state of the art.