This invention relates to an apparatus and method for automating authorized user access to a geographically dispersed network from any one of a plurality of workstations.
Today""s business environment is driven by information, and achieving the most effective use of information technology (IT) is a critical component in any organization""s success. But the evolution of IT and its extension into all aspects of corporate and personal life has created increasing challengesxe2x80x94both to IT professionals and end users.
Over the past decade, the standard model for IT systems has changed significantly. In place of the mainframe-based systems which were controlled from a single, central department, organizations are moving rapidly toward a distributed computing environment where applications and services may reside anywhere on the network on different vendors"" hardware and operating systems. The principal reason for connecting computers to networks, and connecting networks to other networks, is to enable computers to work together efficiently, and to simplify sharing of resources.
Distributed computer systems often have a global extent and may include many thousands of workstations in diverse geographic locations. Such systems are particularly useful to business travelers who may desire to access their network from virtually anywhere in the world. For example, a business traveler at a remote site may want to retrieve the latest cost data, obtain the status of a pending order, place a new order or simply read e-mail. Unfortunately, many client-server networks installed today include a wide variety of independent network server resources that prevent, or at least complicate this task. xe2x80x9cIndependentxe2x80x9d in this context means that the network resource has an independent, as opposed to a shared user database. In an independent network, users who are geographically remote from their home terminals who would like to log onto their home network server are forced to enter routing and authentication information such as a network server ID, user identification and password to access the local independent network resource in which their account is maintained. Forgetting passwords and accessing the wrong service or application are but two of the frustrations that users attempt to eliminate by choosing easily remembered passwords and even writing logon information down in readily accessible places. In doing so, however, they are undermining security. Computer savvy users familiar with network naming conventions can easily overcome the inconvenience of signing onto one""s workstation from a remote location while the large majority of other network users must either postpone completing a task or possibly resort to other non-network means of obtaining the information.
Real and potentially costly risks to modern day computing environmentsxe2x80x94from malicious or careless employees, hackers, or even espionage are sometimes tolerated to maintain productivity and avoid raising administrative overhead with security measures that hamper legitimate users. Prior art network access services have been developed to address the problems created when users attempt to access distributed networks from remote locations. These services provide user access to remote network resources through the use of authentication data stored in local memory. For example, U.S. Pat. No. 5,483,652 to Sudama et al. discloses a method and related apparatus for permitting a client entity to request access to a service or resource without knowledge of any more than a common name for the service or resource. Unfortunately, that system characteristically envisions that a user will attempt to access remote network resources (e.g., printers, special computers, and unique files) from his/her workstation and does not provide a capability for the user to either log onto the network or access such resources from remote workstations.
U.S. Pat. No. 5,598,536 to Slaughter et al., on the other hand, discloses an apparatus and method for providing remote users with access to their local computer network via a remote access network server. In that system, a remote user enters a unique user ID string to gain access to a remote computer. Once the remote user is authenticated, that remote user is granted access to the local network. While the system disclosed in Slaughter et al. has overcome many of the inconveniences that existed prior to its conception, it still requires a user to utilize two different authentication strings, depending upon whether he/she is attempting to log onto their local network server from either a local or remotely located workstation.
U.S. Pat. No. 5,655,077 to Jones et al. discloses a method and system for authenticating access to heterogenous computing services from a plurality of user workstations while minimizing the number of user interactions. To gain access to the system in Jones et al., a user designates a primary logon provider to provide an initial user interface. The user enters identification information and the computer system executes a logon sequence which first invokes the identified primary logon provider. The system authenticates the collected identification information to provide the user access to the network computer services. If the system logon procedure is not successful, then a logon sequence displays an additional screen to collect additional logon information. The logon sequence then invokes the logon routines of other logon providers to enable them to authenticate already collected identification information without displaying additional user interfaces. While this system attempts to log a user onto a network with the least amount of user interaction, it does require a user to designate a primary logon provider and then enter up to two strings of user authentication information before granting the user access to the network.
Still another concept for reducing the need for user interaction upon system logon is disclosed in U.S. Pat. No. 5,689,638 to Sadovsky which discloses a method and system for providing access to independent network resources. At system logon, the logon data is stored in the memory of a client computer. When a server is accessed, server authentication data is stored in a cache. System logon data and authorization data can be later applied to access another independent resource without requiring further user interaction. However, this patent does not address the problem of authenticating a user from a remote workstation whose default server fails to have stored therein the necessary user information that will allow initial authentication. In other words, if the default server does not recognize the entered user name and password, access to the network is denied.
An additional problem confronting network users wishing to log onto a remotely located network server is the necessity of communicating across the Internet and interfacing with the multiple protocols that operate on the Internet (e.g., IPX, TCP/IP, NetBEUI, etc.) In the past, a user wishing to communicate across multiple boundaries could not easily do so because of language and communication barriers between the user and the various network entities. The user had to know, and adapt to the specific protocol of each data storage entity in order to communicate requests for information to the entity in cognizable form and to translate information once received. Existing devices are limited in that they simply provide the capability to utilize a single protocol to communicate across the network.
In the last few years, a number of efforts have been undertaken to develop a standard database protocol, that allows users to communicate across a number of different network protocols. One such standard protocol is the X.500 standard, which was developed by the International Telegraph and Telephone Consultative Committee (CCITT). It provides a standard protocol which reduces the communication barriers presented by the number of different protocols operating on the Internet, and it permits local directories maintained by different entities to communicate with one another. CITT, The Directory-Overview Concepts, Models, and Services, X.500 Series Recommendation, Document AP IX-47-E. X.500 allows users to find information such as telephone numbers, addresses and other details of individuals and organizations in a convenient structure. X.500 directories are also characterized by their ability to efficiently handle large volumes of highly distributed information.
The subject invention dramatically simplifies the procedures for signing onto a network through the use of a single sign on procedure. Once the user logs on via a logon procedure, such as embodied in the procedure identified as AUTOSECURE(trademark) Single Sign On (SSO) described in the Features Guide for V5.1 entitled xe2x80x9cAutosecure SSO,xe2x80x9d copyrighted by PLATINUM technology, inc., 1997, wherein a user enters a user name and password, the system does the rest by enabling transparent access to all authorized applications and services and providing a simple, integrated view of the computer network. The single sign on capability functions whether a service is resident on a local or a remote network server, and it lets users sign on anywherexe2x80x94even when they""re traveling to remote locations. Also, the present invention is not restricted to securing only a particular (homogenous) environment. It operates across heterogenous platforms, which means that it can be used to control systems from any vendor or mix of vendors. This makes it far more applicable to an enterprise environment which can include any number of different vendors"" platformsxe2x80x94both now and in the future.
Accordingly, it is an object of the present invention to simplify the task of granting a user access to a heterogenous network by providing an apparatus and method that allows a user to log onto a computer network from any one of a plurality of geographically dispersed user workstations on the network, using the same user name and password.
It is another object of the present invention to achieve the above object, and also provide a network access apparatus and method that allows a user to log onto an intranet from any workstation on the enterprise through the use of a single user name, password and user role.
It is still another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that allows a user to transparently communicate across a network comprised of a plurality of network communication protocols.
It is yet another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that first transmits a logon request from a user workstation to a local security server that either grants the authentication request or identifies a second local security server on the network that may grant the authentication request.
It is a further object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that evaluates a logon request by searching a local authentication database resident on a local security server to determine whether to grant a user access to the network via the local security server.
It is a still further object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that encrypts passwords stored in a local authentication database.
It is yet a further object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that accesses a network database resident in internal memory of a local security server to identify a second local security server on the network that may grant an authentication request, in the event the user is denied network access via the first local security server.
It is another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that communicates authentication requests from a first local security server directly to a second local security server in the event the first local security server is unable to grant network access.
It is still another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that automatically communicates authentication requests from a user workstation to at least one local security server without any user interaction.
It is another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that maintains an audit log of all failed attempts to access network resources.
It is still another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that monitors the number of failed attempts to access network resources and disables the network resource in the event the number of failed logon attempts exceeds a database number.
It is yet another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that provides a redundant local security server capability wherein one or more standby servers can be used in the event a primary local security server is unavailable for any reason.
It is a further object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that allows a user to log onto the highest priority local security server available from any user workstation on the network, simply by entering a user name and password.
It is a further object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that maintains a single, centralized X.500 database of authorized network users on each local security server.
It is still a further object of the subject invention to achieve one or more of the above objects and also provide a network access apparatus and method that maintains a map of connection information for each local security server operating on the enterprise.
It is yet a further object of the subject invention to achieve one or more of the above objects and also provide a network access apparatus and method that utilizes a service mapping file server to periodically provide each associated workstation with an updated map of connection information for each local security server operating on the enterprise.
It is another object of the subject invention to achieve one or more of the above objects and also provide a network access apparatus and method that maintains an updated map of connection information for each local security server by systematically polling the other local security servers on the enterprise.
It is still another object of the present invention to achieve one or more of the above objects and also provide a network access apparatus and method that allows a user logged onto the network to access an assortment of network services based on the user""s role.
It is yet another object of the present invention to provide a network access apparatus and method that maintains a single X.500 database on each local security server comprised of the users with their associated passwords that are authorized access to each local security server.
These and other more specific objects and advantages of the subject invention are demonstrated in a distributed computing network that provides an adaptive capability to log a user located at one of a plurality of user workstations, onto one of a plurality of predetermined network servers, through the use of a single logon. In a preferred embodiment, a primarily local security server adapted to be connected to a user workstation, authenticates user identification information entered by a user at the workstation, or generates a failed logon signal in the event the user-provided authentication information is not valid for granting access to the local security server. A person server operating on the local security server then receives the failed logon signal from the local security server, identifies an alternate local security server ID in which the previously entered user name corresponds to a valid user, and transmits the alternate local security server ID back to the first local security server. When the first local security server receives the alternate local security server ID, it transmits the user identification information to the alternate local security server and the user is validated on the alternate local security server and logged onto the computer network.