1. Field of the Invention
The present invention relates generally to client-server computer systems and, more particularly, to managing user accounts in a communication network.
2. Related Art
Computer systems commonly communicate through a communication network for the purpose of sharing information. These computer systems are typically general purpose computer systems that may function as either a "client", a "server", or both. A server computer system provides resources to client computers such as print, file, and fax services or the like. A client computer system is a system that uses such resources. An example of a client system is the Windows NT workstation client system available from the Microsoft Corporation and hereinafter referred to as a Windows NT client. Of the many available server systems, examples include the Novell NetWare and Windows NT server systems, available from Novell Incorporated and the Microsoft Corporation, respectively. These server systems will be referred to below as NetWare servers and Windows NT servers.
The server and client communicate via messages conforming to a communication protocol sent over the computer network. The server responds to request messages generated by clients, processes the request messages, and generates reply messages to the client. The client communicates with the server for the purposes of sharing information and accessing server resources. To access such resources, the client-server system typically performs an authentication process to determine if the client is authorized to access the resources.
An authentication process is a process of verifying the identity of a user attempting to access a system. The user can be a person, a computer system, or a process running on a computer system. The authentication process is generally initiated by a user through a user interface presented to the user on the client system, and is typically performed by a "login" process performed on the client system. The login process provides the user interface to the user and performs the authentication process. During the authentication process, the login process gathers authentication information referred to in the art as "credentials" from the user within the client user interface, and transfers the credentials to the server through the communications network using the communications protocol. The server then compares credential information provided by the client to credentials located on the server, which may be a file or database on the server having credentials for each user. The server then allows or denies access to a user account based on a result of the comparison.
A user account is generally a service provided by a server wherein resources are provided to a user. Typically, there is a set of credentials associated with a user account. When proper credentials are provided to the server, that is, when the credentials provided by the user match a set of credentials on the server, the user may be permitted to access a user account associated with the entered credentials. When the user obtains access, the user is referred to as being "logged on." When the user is logged on, the user may access one or more server resources based upon an access control list. An access control list (ACL) associated with a resource contains information that is used to determine the level of access with which a particular user may access a resource.
Credentials may include such information as a "username" and "password". The username is a name used to identify the user and may have an associated password that is known by the user. The username and password are typically entered by a user within fields of the client user interface. The username and password are usually encrypted and then forwarded to the server, which may then permit or deny access according to the entered username and password. Credentials may include additional information, depending on the type of server system being accessed. Such additional information may include login information for a database, a login script, or other information as permitted by the server. Other types of credential information used to identify a user are well-known in the art, including retinal scan and fingerprint information.
Client systems may also require local credentials to access the local client system resources, such as a local "shell" and associated programs. Local credentials are credentials used for verification of the user to a local authentication process. The local authentication process authenticates a user and provides access to local resources. Thus, a client may also have user accounts defined locally to the client, the accounts typically being created manually by a network administrator.
A shell is a piece of software, usually a separate program, that provides communication between the user and the operating system. For example, the Windows Program Manager program in the Windows operating system is a shell program that interacts with the MS-DOS operating system available from the Microsoft Corporation. A client system that requires local credentials includes the Windows NT operating system available from the Microsoft Corporation. To access the Windows NT shell, referred to as the "desktop shell," a user may need to provide a username and password to a user interface of a client login program. The user is authenticated by the Windows NT operating system which then provides the user access to the desktop shell. On a Windows NT client, the login process is performed by a login program having several components including a Winlogon program and a Microsoft Graphical Identification and Authentication (MSGINA) program. The Winlogon program, when executed, provides a process for authenticating and logging on the user. The MSGINA program is executed by the Winlogon program and is a replaceable component of the login program. The Winlogon program provides core functions such as authentication-policy independent functions and non-user interface functions. The MSGINA program provides authentication policy and identification and authentication user interaction functions.
To access a server system from such a client system, an additional authentication must be performed between the client and server systems. The credentials for a user may differ between the client and server systems, and thus the user may be required to provide a different set of credentials for each server system that is accessed. Administering accounts for both local and server systems may be unwieldy for a network administrator responsible for maintaining accounts on the network. To alleviate the problem of performing both a client and server authentication on a Windows NT client and Windows NT server, a centralized system for account management referred to as Microsoft Domains was developed.
The Microsoft Domains account management system allows the network administrator to define one or more domains used to centrally manage Windows NT client accounts. A domain is a defined group of resources such as client workstations, printers, and the like, used to organize and maintain network resources. Administration of domains is typically performed by a network administrator with the assistance of an application program known as User Manager for Domains available from the Microsoft Corporation. There may be different types of domains, generally based upon the number of users and the level of security desired between domains. Administration of domains may be complex for large networks having a large number of user accounts, since the Microsoft Domains system provides a flat hierarchical view of user accounts and does not adequately handle a large number of users. Administration of domains may be unfamiliar to network administrators trained only in NetWare network administration, since the domain hierarchy has a different structure than a NetWare network hierarchy, which has a tree hierarchy.
A user may desire access to a NetWare server from a Windows NT client workstation. In many existing networks, the NetWare server operating system is a prevalent server type while Windows NT is currently a popular operating system for clients. It would be beneficial for Windows NT clients to freely share information and access NetWare server resources. However, for networks with both NetWare and Windows NT servers, the Microsoft Domains system does not provide authentication services for NetWare servers.
It also may be desired to incorporate Novell Directory Services (NDS) database functionality into the Windows NT operating system environment, since the NDS database provides a centralized source of network resource information and a centralized authentication process. The NetWare NDS database, through the use of the Microsoft Windows NT Explorer program, provides users and administrators with a view of NetWare network resources. This view simplifies network use as well as network administration and management. In addition, the NDS database, when used in conjunction with an administrative program such as the NetWare Administrator, allows centralized network management and administration and automation of many administrative tasks.
User account and credential information is stored within the NDS database for all users of a Novell network. The NDS database stores a number of objects, such as user objects, server objects, printer objects, and the like. The NDS database has an associated authentication process for authenticating users of the NDS database objects. When a user authenticates with the NDS authentication process, the user is provided access to multiple objects defined in the NDS database depending on an ACL associated with each object. Thus, a user may be authenticated once by the NDS authentication process to allow the user access to multiple systems on a Novell network, since the NDS authentication process authenticates the user to multiple objects transparently.
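As an added illustration (not code from the patent or from Novell), the following toy directory models the behaviour just described: a user authenticates once against the directory, and the resulting session is then checked against each object's own ACL, including rights granted through group membership. Object names, rights and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed toy directory modelled on the NDS description: every entry is an
# object; user objects carry a salted password hash and group memberships, and
# resource objects carry an ACL mapping a trustee (user or group) to rights.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, groups=()):
    salt = os.urandom(16)
    return {"type": "user", "salt": salt, "hash": _hash(password, salt),
            "groups": set(groups)}

DIRECTORY = {
    "alice":    make_user("correct horse", groups={"staff"}),
    "bob":      make_user("hunter2"),
    "PRINTER1": {"type": "printer", "acl": {"staff": {"use"}}},
    "SERVER1":  {"type": "server",
                 "acl": {"alice": {"browse", "supervisor"}, "bob": {"browse"}}},
    "VOL1":     {"type": "volume",
                 "acl": {"staff": {"read"}, "bob": {"read", "write"}}},
}

def authenticate(username, password):
    """One authentication against the directory. Returns a session (user name
    plus group memberships) or None; the hash comparison is constant-time."""
    user = DIRECTORY.get(username)
    if user is None or user["type"] != "user":
        return None
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return None
    return {"user": username, "groups": set(user["groups"])}

def effective_rights(session, object_name):
    """Rights the session holds on one object: the union of ACL entries whose
    trustee is the user or one of the user's groups. No re-authentication."""
    obj = DIRECTORY.get(object_name)
    if obj is None or "acl" not in obj:
        return set()
    trustees = {session["user"]} | session["groups"]
    rights = set()
    for trustee, granted in obj["acl"].items():
        if trustee in trustees:
            rights |= granted
    return rights
```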
Problems in a client-server network using Windows NT as a client operating system with a Novell NetWare server include having to maintain credential information on both the client workstation and the server. Maintenance of multiple sets of credential information requires significant administrator labor in networks having many client workstations, since an administrator must travel to client workstation locations to maintain client workstation accounts. Also, manually synchronizing credential information frequently results in errors by the network administrator.
Furthermore, administrators must be trained to administer different authentication systems since users and groups are managed from separate administration programs. Specifically, in a NetWare operating system-based network (hereinafter referred to as a Novell network), it may not be preferred to implement the Microsoft Domains account management system since network administrators would require additional training for managing Microsoft Domains through the User Manager for Domains program. In addition, an administrator must be knowledgeable of the NetWare-based account management program, the NetWare Administrator program available from Novell Incorporated.
What is needed, therefore, is a system for maintaining credential information between client and server accounts and for managing user accounts from a central location that can provide authentication to different types of server systems, such as Novell NetWare and Windows NT.