CROSS REFERENCE TO RELATED APPLICATIONS
This present application is a continuation-in-part of and claims priority to U.S. Pat. Ser. No. 09/880,268, entitled “Method and Apparatus for Transmitting Authentication Credentials of a User Across Communication Sessions”, filed Jun. 13, 2001, and U.S. patent application Ser. No. 10/683,881, entitled “Encapsulating Protocol For Session Persistence And Reliability”, filed Oct. 10, 2003, both of which are incorporated herein by reference.
TECHNICAL FIELD
The invention generally relates to network and client-server communications. More particularly, the invention relates to systems and methods for re-establishing client communications using a communication protocol that encapsulates other protocols to provide session persistence and reliability, and for facilitating the reauthentication of a user using a client computer to communicate with a server computer via the encapsulating protocol.
BACKGROUND OF THE INVENTION
Communications over a network between two computers, for example a client and a server, can be implemented using a variety of known communication protocols. Often, however, the network connection is susceptible to breakdown. For instance, a wireless connection between a client and a server is often unreliable. In other cases, the network connection is intermittent. As such, a connection can be lost when one enters an elevator or tunnel and may only be restored following one's exit from the elevator or tunnel.
If an established communication session between the client and the server computer abnormally terminates, the client generally has to re-establish the connection by starting a new communication session. To begin the new communication session, the user typically has to retransmit the authentication credentials, such as a login/password pair, to the server computer so that the server computer can authorize the user for the new communication session. This retransmission of the authentication credentials of a user across multiple communication sessions repeatedly exposes the authentication credentials of that user to potential attackers, thereby decreasing the level of security of the authentication credentials. In addition, this is often a slow process that also results in user frustration and inefficiency. Furthermore, in establishing a new communication session, the network may require that the client obtain a new network identifier, such as an internet protocol address. The applications or programs on the client may need to be restarted because of the change in the client's network identifier. Thus, it is desirable to provide a technique for automatically re-authenticating a client when a communication session between a client computer and a server computer is re-established, without requiring repeated transmission of the client's authentication credentials or restarting of programs.
Improved systems and methods are needed for re-establishing a communication session between a client computer and a server computer without repeatedly transmitting the authentication credentials.
BRIEF SUMMARY OF THE INVENTION
The present invention relates to systems and methods for providing a client with a persistent and reliable connection to a host service and for reconnecting the client to the persistent and reliable connection. Reconnecting the client includes re-establishing the client's communication session with the host service and re-authenticating the user of the client to the host service. A persistent and reliable connection to a host service is maintained by a first protocol service on behalf of a client. The first protocol service ensures that data communicated between the client and the host service is buffered and maintained during any disruption in the network connection between the client and the first protocol service. For example, a temporary disruption in a network connection may occur when a client, such as a mobile client, roams between different access points in the same network, or when a client switches between networks (e.g., from a wired network to a wireless network). When roaming between different access points, the client may need to be assigned a different network identifier, such as an internet protocol address, as required by the network topology. In addition to maintaining buffered data during a network disruption, the first protocol service re-authenticates the client to the host service when re-establishing the client's connection to the first protocol service. After re-authenticating, the first protocol service re-links the client's connection to the host service. This spares the user of the client from re-entering authentication credentials to re-establish its connection with the host service. Furthermore, the first protocol service automatically manages changes to the client's network identifier that may need to occur after a network disruption. This spares the user from restarting any applications or programs that would customarily need to be restarted when the client's assigned network identifier changes.
The user can seamlessly continue using the client as the user roams between network access points, without interruption from changes by the network to the client's assigned network identifier. In summary, the present invention provides automatic reconnection of a disrupted client connection to a host service without restarting applications or re-establishing sessions, including re-authentication without the user re-entering authentication credentials.
In one aspect, the invention relates to a method for reconnecting a client to a host service after a disruption to a network connection. The method uses a first protocol service to re-establish the connection between a client and a host service. The method includes providing a first connection between a client and a first protocol service and a second connection between the first protocol service and a host service. When a disruption is detected in the first connection, the second connection between the first protocol service and the host service is maintained. Then the first connection between the client and the first protocol service is re-established. The first protocol service receives a ticket associated with the client and validates the ticket. After the ticket is validated, the re-established first connection is linked to the maintained second connection.
In one embodiment of the invention, the method includes further validating the ticket before linking the re-established first connection with the maintained second connection. The validating method further includes obtaining a session identifier and a key from the ticket received by the first protocol service. The session identifier from the ticket is used to retrieve the stored and encrypted authentication credentials of the client. Then the key from the ticket is used to decrypt the retrieved authentication credentials.
In another embodiment, the invention provides for re-authentication of the client to the host service when re-establishing the client's connection to the host service. The method further includes authenticating the client to the host service when providing the first connection between the client and the first protocol service and the second connection between the first protocol service and the host service. When re-establishing the first connection after a disruption in the connection is detected, the method further includes re-authenticating the client to the host service.
In another embodiment of the invention, the method further includes the first protocol service generating a ticket associated with the client. Additionally, the method further includes deleting the ticket after it is validated. In another embodiment, the ticket can be automatically deleted after a pre-determined period of time. Moreover, after the ticket is deleted, a replacement ticket can be generated. In another embodiment, a copy of the ticket can be saved at the first protocol service. Furthermore, the ticket can be transmitted from the first protocol service to the client.
In another aspect, the invention relates to a system for reconnecting a client to a host service after a disruption to a network connection. The system re-establishes the connection between a client and a host service using a first protocol service. The client is configured to maintain a first connection with the first protocol service. The first protocol service is configured to maintain the first connection with the client and a second connection with the host service. In accordance with this system, a disruption is detected in the first connection, and the first connection is re-established between the client and the first protocol service while the second connection between the first protocol service and the host service is maintained. The client transmits a ticket associated with the client to the first protocol service. The ticket is validated and, after it is validated, the first protocol service links the re-established first connection with the maintained second connection.
In one embodiment of the invention, the system includes further validating the ticket before linking the re-established first connection with the maintained second connection. Validation of the ticket further includes obtaining a session identifier and a key from the ticket received by the first protocol service. The session identifier from the ticket is used to retrieve the stored and encrypted authentication credentials of the client. Then the system decrypts the retrieved authentication credentials by using the key from the ticket.
In another embodiment, the invention provides a system for re-authenticating the client to the host service when re-establishing the client's connection to the host service. The system further includes authenticating the client to the host service when providing the first connection between the client and the first protocol service and the second connection between the first protocol service and the host service. When re-establishing a connection after detecting a disruption in the connection, the system uses the retrieved authentication credentials to re-authenticate the client to the host service.
In another embodiment of the invention, the system further includes the first protocol service generating a ticket associated with the client. Additionally, the system further includes deleting the ticket after it is validated. In one embodiment, the first protocol service automatically deletes the ticket after a pre-determined period of time. Moreover, after the ticket is deleted, the system generates a replacement ticket. In another embodiment, the first protocol service saves a copy of the ticket. Furthermore, the first protocol service can transmit the ticket to the client.
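The ticket-based reconnection described in the method and system embodiments above, as an added example that is not the patent's own code: a first protocol service that stores the client's credentials encrypted under a per-session key, hands the client a ticket carrying the session identifier and that key, and on reconnection validates the ticket, retrieves and decrypts the credentials, re-authenticates to the host service, deletes the used ticket and issues a replacement. The wire format of the ticket, the lifetime value, the stdlib-built cipher standing in for a vetted AEAD, and the choice to save only a hash of the issued ticket (so that a copy of the service's tables alone cannot decrypt any stored credentials) are all this example's assumptions. `HostService` is a constructed stand-in for the host service's authentication check.

```python
"""Added example (not the patent's code): ticket-based reconnection and
re-authentication by a first protocol service.  All names are this
example's own; the cipher is a stdlib stand-in for a real AEAD."""
import base64
import hashlib
import hmac
import os
import time

SESSION_ID_LEN, KEY_LEN = 16, 32          # assumed ticket field sizes


def _subkeys(key):
    # Separate keys for the keystream and the MAC (assumption: HKDF-like split).
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:                # SHA-256 in counter mode
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """nonce || ciphertext || HMAC tag; stand-in for AES-GCM."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")   # stored blob was tampered with
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HostService:
    """Constructed stand-in: accepts exactly one credential string."""
    def __init__(self, valid_credentials):
        self._valid, self.auth_count = valid_credentials, 0

    def authenticate(self, credentials):
        self.auth_count += 1
        return hmac.compare_digest(credentials, self._valid)


class FirstProtocolService:
    TICKET_LIFETIME = 300.0                  # seconds; assumed pre-determined period

    def __init__(self, host_service, clock=time.time):
        self._host, self._clock = host_service, clock
        self._sessions = {}   # session_id -> encrypted credentials (key NOT stored)
        self._tickets = {}    # sha256(ticket bytes) -> (session_id, expiry)

    def _issue_ticket(self, session_id, key):
        raw = session_id + key
        self._tickets[hashlib.sha256(raw).digest()] = (session_id, self._clock() + self.TICKET_LIFETIME)
        return base64.urlsafe_b64encode(raw).decode()   # transmitted to the client

    def connect(self, credentials):
        """Initial connection: authenticate to the host, store encrypted credentials, issue ticket."""
        if not self._host.authenticate(credentials):
            raise PermissionError("initial authentication failed")
        session_id, key = os.urandom(SESSION_ID_LEN), os.urandom(KEY_LEN)
        self._sessions[session_id] = encrypt(key, credentials)
        return self._issue_ticket(session_id, key)

    def reconnect(self, ticket):
        """Validate the ticket, re-authenticate, delete the ticket, return a replacement."""
        try:
            raw = base64.urlsafe_b64decode(ticket)
        except Exception:
            raise PermissionError("malformed ticket")
        if len(raw) != SESSION_ID_LEN + KEY_LEN:
            raise PermissionError("malformed ticket")
        # pop() deletes the ticket whether or not the rest of validation succeeds: one-time use
        entry = self._tickets.pop(hashlib.sha256(raw).digest(), None)
        if entry is None:
            raise PermissionError("unknown or already-used ticket")
        session_id, expiry = entry
        if self._clock() > expiry:
            raise PermissionError("ticket expired")
        key = raw[SESSION_ID_LEN:]
        try:
            credentials = decrypt(key, self._sessions[session_id])
        except ValueError:
            raise PermissionError("stored credentials failed integrity check")
        if not self._host.authenticate(credentials):
            raise PermissionError("re-authentication to host service failed")
        new_key = os.urandom(KEY_LEN)        # rotate the key with the replacement ticket
        self._sessions[session_id] = encrypt(new_key, credentials)
        return self._issue_ticket(session_id, new_key)


def is_rejected(service, ticket):
    """True if the service refuses the ticket (used, forged, expired or malformed)."""
    try:
        service.reconnect(ticket)
    except PermissionError:
        return True
    return False


def expired_ticket_is_rejected():
    clock = [1000.0]                          # controllable clock for the expiry path
    svc = FirstProtocolService(HostService(b"bob:pw"), clock=lambda: clock[0])
    ticket = svc.connect(b"bob:pw")
    clock[0] += FirstProtocolService.TICKET_LIFETIME + 1
    return is_rejected(svc, ticket)
```

Because the service keeps only a hash of each issued ticket, a replayed or guessed ticket fails the lookup before any decryption happens, and an attacker who copies the service's tables still lacks the per-session key needed to read the credentials; the user's password is never resent over the network during reconnection.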
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, aspects, features, and advantages of the invention will become more apparent and may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:
FIG. 1A is a block diagram of a system for providing a client with a reliable connection to a host service according to an illustrative embodiment of the invention;
FIG. 1B is a block diagram of a system for providing a client with a reliable connection to a host service according to another illustrative embodiment of the invention;
FIG. 2A depicts communications occurring over a network according to an illustrative embodiment of the invention;
FIG. 2B depicts communications occurring over a network according to another illustrative embodiment of the invention;
FIG. 3 depicts a process for encapsulating a plurality of secondary protocols within a first protocol for communication over a network according to an illustrative embodiment of the invention;
FIG. 4 is a block diagram of an embodiment of a computer system to maintain authentication credentials in accordance with the invention;
FIG. 5A is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 5 to maintain authentication credentials during a first communication session in accordance with the invention;
FIG. 5B is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 4 to maintain authentication credentials during a second communication session following the termination of the first communication session of FIG. 6A in accordance with the invention;
FIG. 6 is a block diagram of an embodiment of a computer system to maintain authentication credentials in accordance with another embodiment of the invention;
FIG. 7A is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 6 to maintain authentication credentials during a first communication session in accordance with the invention;
FIG. 7B is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 6 to maintain authentication credentials during a second communication session following the termination of the first communication session of FIG. 6 in accordance with the invention;
FIG. 7C is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 6 to maintain authentication credentials during a second communication session following the termination of a second communication channel of the first communication session of FIG. 6 in accordance with the invention;
FIG. 8A is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to an illustrative embodiment of the invention;
FIG. 8B is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to another illustrative embodiment of the invention;
FIG. 9A is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to another illustrative embodiment of the invention;
FIG. 9B is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to another illustrative embodiment of the invention;
FIG. 10A is a block diagram of a system for providing a client with a reliable connection to a host service and further including components for reconnecting the client to a host service according to an illustrative embodiment of the invention;
FIG. 10B is a block diagram of an embodiment of a system for providing a client with a reliable connection to a host service and further including components for reconnecting the client to a host service;
FIG. 11A is a block diagram of an embodiment of FIG. 10A further including components for initially connecting the client to a host service;
FIG. 11B is a block diagram of the illustrative system of FIG. 10B further including components for initially connecting the client to a host service and to maintain authentication credentials according to an illustrative embodiment of the invention;
FIG. 12A is a flow diagram of a method for network communications according to an illustrative embodiment of the invention;
FIG. 12B is a flow diagram of a method for reconnecting the client to the host services;
FIGS. 13A-13C are flow diagrams of a method for connecting a client to a plurality of host services according to an illustrative embodiment of the invention;
FIG. 14 is a flow diagram of a method for providing a client with a reliable connection to host services and for reconnecting the client to the host services according to an illustrative embodiment of the invention; and
FIGS. 15A-15B are flow diagrams of a method for reconnecting a client to host services according to an illustrative embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
Certain embodiments of the present invention are described below. It is, however, expressly noted that the present invention is not limited to these embodiments, but rather the intention is that additions and modifications to what is expressly described herein also are included within the scope of the invention. Moreover, it is to be understood that the features of the various embodiments described herein are not mutually exclusive and can exist in various combinations and permutations, even if such combinations or permutations are not made express herein, without departing from the spirit and scope of the invention.
Referring to FIG. 1A, in general, the invention pertains to network communications and can be particularly useful for providing a client with a reliable connection to a host service. In a broad overview, a system 100 for network communications includes a client 108 (e.g., a first computing device) in communication with a first protocol service 112 (e.g., a second computing device) over a network 104. Also included in the system 100 are a plurality of host services 116a-116n (e.g., third computing devices) that are in communication, over a network 104′, with the first protocol service 112 and, through the first protocol service 112 and over the network 104, with the client 108. Alternatively, in another illustrative embodiment of the invention, and with reference now to FIG. 1B, the first protocol service 112 and the host services 116a-116n are not implemented as separate computing devices, as shown in FIG. 1A, but, rather, they are incorporated into the same computing device, such as, for example, host node 118a. The system 100 can include one, two, or any number of host nodes 118a-118n.
In one embodiment, the networks 104 and 104′ are separate networks, as in FIG. 1A. The networks 104 and 104′ can be the same network 104, as shown in FIG. 1B. In one embodiment, the network 104 and/or the network 104′ is, for example, a local-area network (LAN), such as a company Intranet, or a wide area network (WAN), such as the Internet or the World Wide Web. The client 108, the first protocol service 112, the host services 116a-116n, and/or the host nodes 118a-118n can be connected to the networks 104 and/or 104′ through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25), broadband connections (e.g., ISDN, Frame Relay, ATM), wireless connections, or some combination of any or all of the above.
Moreover, the client 108 can be any workstation, desktop computer, laptop, handheld computer, mobile telephone, or other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. Additionally, the client 108 can be a local desktop client on a local network 104 or can be a remote display client of a separate network 104. The client 108 can include, for example, a visual display device (e.g., a computer monitor), a data entry device (e.g., a keyboard), persistent and/or volatile storage (e.g., computer memory), a processor, and a mouse. An example of a client agent 128 with a user interface is a Web Browser (e.g., a Microsoft® Internet Explorer browser and/or Netscape™ browser).
Similarly, with reference to FIG. 1A, each of the first protocol service 112 and the host services 116a-116n can be provided on any computing device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. Alternatively, where the functionality of the first protocol service 112 and the host services 116a-116n is incorporated into the same computing device, such as, for example, one of the host nodes 118a-118n, as in FIG. 1B, the first protocol service 112 and/or the host services 116a-116n can be implemented as a software program running on a general purpose computer and/or as a special purpose hardware device, such as, for example, an ASIC or an FPGA.
Similar to the client 108, each of the host nodes 118a-118n can be any computing device described above (e.g., a personal computer) that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. Each of the host nodes 118a-118n can establish communication over the communication channels 124a-124n using a variety of communication protocols (e.g., ICA, HTTP, TCP/IP, IPX, SPX, NetBIOS, Ethernet, RS232, and direct asynchronous connections).
In one embodiment, each of the host services 116a-116n hosts one or more application programs that are remotely available to the client 108. The same application program can be hosted by one or any number of the host services 116a-116n. Examples of such applications include word processing programs, such as MICROSOFT WORD, and spreadsheet programs, such as MICROSOFT EXCEL, both of which are available from Microsoft Corporation of Redmond, Wash. Other examples of application programs that may be hosted by any or all of the host services 116a-116n include financial reporting programs, customer registration programs, programs providing technical support information, customer database applications, and application set managers. Moreover, in one embodiment, one or more of the host services 116a-116n is an audio/video streaming server that provides streaming audio and/or streaming video to the client 108. In another embodiment, the host services 116a-116n include file servers that provide any/all file types to the client 108.
Referring still to the illustrative embodiments of FIGS. 1A and 1B, the client 108 is configured to establish a connection 120 between the client 108 and a first protocol service 112 over the network 104 using a first protocol. For its part, the first protocol service 112 is configured to accept the connection 120. The client 108 and the first protocol service 112 can, therefore, communicate with one another using the first protocol as described below in reference to FIGS. 2A-2B and FIG. 3.
In some embodiments, as shown in FIGS. 1A and 1B, a client agent 128 is included within the client 108. The client agent 128 can be, for example, implemented as a software program and/or as a hardware device, such as, for example, an ASIC or an FPGA. The client agent 128 can use any type of protocol and it can be, for example, an HTTP client agent, an FTP client agent, an Oscar client agent, a Telnet client agent, an Independent Computing Architecture (ICA) client agent from Citrix Systems, Inc. of Fort Lauderdale, Fla., or a Remote Desktop Procedure (RDP) client agent from Microsoft Corporation of Redmond, Wash. In some embodiments, the client agent 128 is itself configured to communicate using the first protocol. In some embodiments (not shown), the client 108 includes a plurality of client agents 128a-128n, each of which communicates with a host service 116a-116n, respectively.
In another embodiment, a standalone client agent is configured to enable the client 108 to communicate using the first protocol. The standalone client agent can be incorporated within the client 108 or, alternatively, the standalone client agent can be separate from the client 108. The standalone client agent is, for example, a local host proxy. In general, the standalone client agent can implement any of the functions described herein with respect to the client agent 128.
As also described further below, the first protocol service 112 is, in one embodiment, itself configured to communicate using the first protocol. The first protocol service 112 is configured to establish a connection 124a-124n between the first protocol service 112 and the host service 116a-116n, respectively. For example, the first protocol service 112 can establish a connection 124a between the first protocol service 112 and one host service 116a and a connection 124b between the first protocol service 112 and another host service 116b. In one embodiment, the first protocol service 108 separately establishes such connections 124a-124n (i.e., the first protocol service 112 establishes one connection at a time). In another embodiment, the first protocol service 112 simultaneously establishes two or more of such connections 124a-124n.
In yet another embodiment, the first protocol service 112 can concurrently establish and maintain multiple connections 124a-124n. The first protocol service 112 is configured to provide two or more connections 124a-124n without interrupting the connection 120 with the client 108. For example, the first protocol service 112 can be configured to establish the connection 124a between the first protocol service 112 and the host service 116a when a user of the client 108 requests execution of a first application program residing on the host service 116a. When the user ends execution of the first application program and initiates execution of a second application program residing, for example, on the host service 116b, the first protocol service 112 is, in one embodiment, configured to interrupt the connection 124a and establish the connection 124b between the first protocol service 112 and the host service 116b, without disrupting the connection 120 between the first protocol service 112 and the client 108.
The first protocol service 112 and the host services 116a-116n can communicate over the connections 124a-124n, respectively, using any one of a variety of secondary protocols, including, but not limited to, HTTP, FTP, Oscar, Telnet, the ICA remote display protocol from Citrix Systems, Inc. of Fort Lauderdale, Fla., and/or the RDP remote display protocol from Microsoft Corporation of Redmond, Wash. For example, the first protocol service 112 and the host service 116a can communicate over the connection 124a using the ICA remote display protocol, while the first protocol service 112 and the host service 116b can communicate over the connection 124b using the RDP remote display protocol.
In one embodiment, the secondary protocol used for communicating between the first protocol service 112 and a host service 116, such as, for example, the ICA remote display protocol, includes a plurality of virtual channels. A virtual channel is a session-oriented transmission connection that is used by application-layer code to issue commands for exchanging data. For example, each of the plurality of virtual channels can include a plurality of protocol packets that enable functionality at the remote client 108. In one embodiment, one of the plurality of virtual channels includes protocol packets for transmitting graphical screen commands from a host service 116, through the first protocol service 112, to the client 108, for causing the client 108 to display a graphical user interface. In another embodiment, one of the plurality of virtual channels includes protocol packets for transmitting printer commands from a host service 116, through the first protocol service 112, to the client 108, for causing a document to be printed at the client 108.
In another embodiment, the first protocol is a tunneling protocol. The first protocol service 112 encapsulates a plurality of secondary protocols, each used for communication between one of the host services 116a-116n and the first protocol service 112, within the first protocol. As such, the host services 116a-116n and the first protocol service 112 communicate with the client 108 via the plurality of secondary protocols. In one embodiment, the first protocol is, for example, an application-level transport protocol, capable of tunneling the multiple secondary protocols over a TCP/IP connection.
Referring to FIG. 2A, communications between the client 108 and the first protocol service 112 via the connection 120 take the form of a plurality of secondary protocols 200a-200n (e.g., HTTP, FTP, Oscar, Telnet, ICA, and/or RDP) encapsulated within a first protocol 204. This is indicated by the location of secondary protocols 200a-200n inside the first protocol 204. Where secure communication is not called for, the first protocol 204 can be, as illustrated in FIG. 2A, communicated over an unsecured TCP/IP connection 208.
Referring now to FIG. 2B, if secure communication is used, the first protocol 204 is communicated over an encrypted connection, such as, for example, a TCP/IP connection 212 secured by using a secure protocol 216 such as the Secure Socket Layer (SSL). SSL is a secure protocol first developed by Netscape Communication Corporation of Mountain View, Calif., and is now a standard promulgated by the Internet Engineering Task Force (IETF) as the Transport Layer Security (TLS) protocol and described in IETF RFC-2246.
Thus, the plurality of secondary protocols 200a-200n are communicated within the first protocol 204 with (FIG. 2B) or without (FIG. 2A) a secure protocol 216 over the connection 120. The secondary protocols that can be used to communicate over the connections 124a-124n include, but are not limited to, HTTP, FTP, Oscar, Telnet, ICA, and RDP. Moreover, in one embodiment, at least one of the secondary protocols, as described above, includes a plurality of virtual channels, each of which can include a plurality of protocol packets enabling functionality at the remote client 108. For example, in one embodiment, one host service 116a is a web server, communicating with the first protocol service 112 over the connection 124a using the HTTP protocol, and another host service 116b is an application server, communicating with the first protocol service 112 over the connection 124b using the ICA protocol. The host service 116b generates both protocol packets for transmitting graphical screen commands to the client 108, for causing the client 108 to display a graphical user interface, and protocol packets for transmitting printer commands to the client 108, for causing a document to be printed at the client 108.
Another aspect of the present invention is that the methods and systems described herein reduce the number of times network connections are opened and closed. In one embodiment, the first protocol 204 allows the secondary protocol connections 200a-200n tunneled therein, such as, for example, an HTTP connection 200n, to be opened and/or closed, repetitively, without also requiring the transport connection over which the first protocol 204 is communicated (e.g., TCP connection 208 and/or 212), the secure protocol connection 216, or the first protocol connection 204 itself to similarly be repetitively opened and/or closed. Without the encapsulation of the first protocol 204, the secondary protocols 200a-200n may frequently open and close network connections, such as TCP connections. This would add significant delays and overhead to the system. These delays and overhead would be further increased by the use of a secure encapsulation protocol 214, such as SSL, which has significant overhead in establishing network connections. By encapsulating the secondary protocols 200a-200n within the first protocol 204 and maintaining the transport connection (208, 212), the secondary protocols 200a-200n, as part of the payload of the first protocol 204, do not need to perform frequent and costly opens and closes of the network connection 120. Furthermore, since the secondary protocols 200a-200n can be communicated within the first protocol 204 with a secure protocol 216, the secondary protocols 200a-200n also do not need to open and close secured connections such as with SSL. The transport connection (208, 212) establishes and maintains the network connection 120 so that the encapsulated secondary protocols 200a-200n can be communicated without repetitively opening and closing the secured or unsecured network connection 120. This significantly increases the speed of operation in communicating the secondary protocols 200a-200n.
As described above, the secondary protocols 200a-200n carry protocol packets related to applications using such protocols as HTTP, FTP, Oscar, Telnet, RDP or ICA. The secondary protocol packets 304a-304n transport data related to the application functionality transacted between the client 108 and the host service 116a-116n. For example, a user on the client 108 may interact with a web page provided by a host service 116a-116n. In transactions between the client 108 and the host service 116a-116n, the secondary protocol 200a-200n encapsulated in the first protocol 204 may have HTTP protocol packets related to displaying the web page and receiving any user interaction to communicate to the host service 116a-116n. Since the transport connection (208, 212) is not maintained by the secondary protocols 200a-200n, the secondary protocols 200a-200n do not need to handle any network-level connection interruptions. As such, the secondary protocols 200a-200n may not provide any network-level connection interruption information in their payloads. In the above example, the HTTP-related secondary protocol packets 304a-304n of the secondary protocol 200a-200n transmitted to the client 108 would not provide a notification that a network interruption occurred, e.g., an error message on a web page. Therefore, the user on the client 108 will not be notified of any network-level connection interrupts through the secondary protocol 200a-200n. This effectively hides the network connection interruptions from the user during the use of the applications related to the secondary protocols 200a-200n.
Referring to FIG. 3, an example process 300 used by the first protocol service 112 and the client agent 128 of the client 108 encapsulates the plurality of secondary protocols 200 (e.g., HTTP, FTP, Oscar, Telnet, ICA, and/or RDP) within the first protocol 204 for communication via the connection 120. Optionally, as described below, the example process 300 used by the first protocol service 112 and the client agent 128 of the client 108 also compresses and/or encrypts the communications at the level of the first protocol prior to communication via the connection 120. From the point of view of the first protocol service 112, secondary protocol packets 304a-304n are received via the connections 124a-124n at the first protocol service 112. For example, two secondary protocol packets 304a and 304b are received by the first protocol service 112. One, two, or any number of secondary protocol packets 304a-304n can be received. In one embodiment, the secondary protocol packets 304a-304n are transmitted by the host services 116 to the first protocol service 112 over the connection 124. Each secondary protocol packet 304a-304n includes a header 308 and a data packet 312, also referred to as a data payload.
Following receipt of the secondary protocol packets 304a-304n, the first protocol service 112 encapsulates one or more of the secondary protocol packets 304 within a first protocol packet 316. In one embodiment, the first protocol service 112 generates a first protocol packet header 320 and encapsulates within the data payload 324 of the first protocol packet 316 one or more secondary protocol packets 304a-304n, such as, for example, two secondary protocol packets 304a and 304b. In another embodiment, only one secondary protocol packet 304a is encapsulated in each first protocol packet 316.
In one embodiment, the first protocol packets 316 are then transmitted over the connection 120, for example over the connection 208 described with reference to FIG. 2A, to the client agent 128 of the client 108. Alternatively, in another embodiment, the first protocol service 112 is further configured to encrypt, prior to the transmission of any first protocol packets 316, communications at the level of the first protocol 204. In one such embodiment, the first protocol packets 316 are encrypted by using, for example, the SSL protocol described with reference to FIG. 2B. As a result, a secure packet 328, including a header 332 and an encrypted first protocol packet 316′ as a data payload 336, is generated. The secure packet 328 can then be transmitted over the connection 120, for example over the secure TCP/IP connection 212 illustrated in FIG. 2B, to the client agent 128 of the client 108.
In another embodiment, the first protocol service 112 is further configured to compress, prior to the transmission of any first protocol packets 316, communications at the level of the first protocol 204. In one embodiment, prior to encrypting the first protocol packet 316, the first protocol service 112 compresses the first protocol packet 316 using a standard compression technique. As such, the efficiency of the system 100 is improved.
Referring again to FIGS. 1A-1B, the system 100 of the present invention, in one embodiment, provides the remote client 108 with a persistent connection to a host service 116, such as, for example, the host service 116a. For example, if the client 108 establishes a connection 120 between the client 108 and the first protocol service 112 and the first protocol service 112 establishes a connection 124a between the first protocol service 112 and the host service 116a, then either the client agent 128, the first protocol service 112, or both are configured to maintain a queue of the first protocol data packets most recently transmitted via the connection 120. For example, the queued data packets can be maintained by the client agent 128 and/or the first protocol service 112 both before and upon a failure of the connection 120. Moreover, upon a failure of the connection 120, the first protocol service 112 and, likewise, the host service 116a are configured to maintain the connection 124a.
Following a failure of the connection 120, the client 108 establishes a new connection 120 with the first protocol service 112, without losing any data. More specifically, because the connection 124a is maintained upon a failure of the connection 120, a newly established connection 120 can be linked to the maintained connection 124a. Further, because the most recently transmitted first protocol data packets are queued, they can again be transmitted by the client 108 to the first protocol service 112 and/or by the first protocol service 112 to the client 108 over the newly established connection 120. As such, the communication session between the host service 116a and the client 108, through the first protocol service 112, is persistent and proceeds without any loss of data.
In one embodiment, the client agent 128 of the client 108 and/or the first protocol service 112 number the data packets that they transmit over the connection 120. For example, each of the client agent 128 and the first protocol service 112 separately numbers its own transmitted data packets, without regard to how the other is numbering its data packets. Moreover, the numbering of the data packets can be absolute, without any re-numbering of the data packets, i.e., the first data packet transmitted by the client agent 128 and/or the first protocol service 112 can be numbered as No. 1, with each data packet transmitted over the connection 120 by the client agent 128 and/or the first protocol service 112, respectively, consecutively numbered thereafter.
In one such embodiment, following a disrupted and re-established connection 120, the client agent 128 and/or the first protocol service 112 informs the other of the next data packet that it requires. For example, where the client agent 128 had received data packets Nos. 1-10 prior to the disruption of connection 120, the client agent 128, upon re-establishment of the connection 120, informs the first protocol service 112 that it now requires data packet No. 11. Similarly, the first protocol service 112 can also operate as such. Alternatively, in another such embodiment, the client agent 128 and/or the first protocol service 112 informs the other of the last data packet received. For example, where the client agent 128 had received data packets Nos. 1-10 prior to the disruption of connection 120, the client agent 128, upon re-establishment of the connection 120, informs the first protocol service 112 that it last received data packet No. 10. Again, the first protocol service 112 can also operate as such. In yet another embodiment, the client agent 128 and/or the first protocol service 112 informs the other, upon re-establishment of the connection 120, of both the last data packet received and the next data packet it requires.
In such embodiments, upon re-establishment of the connection 120, the client agent 128 and/or the first protocol service 112 can retransmit the buffered data packets not received by the other, allowing the communication session between a host service 116 and the client 108, through the first protocol service 112, to proceed without any loss of data. Moreover, upon re-establishment of the connection 120, the client agent 128 and/or the first protocol service 112 can flush from each of their respective buffers the buffered data packets now known to be received by the other.
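The encapsulation of FIG. 3 and the absolute packet numbering, queueing and resync after a reconnect described above, as an added working example (constructed for this page, not the patent's or any product's code). The wire layout, the protocol ids and the Link/Endpoint classes are assumptions; the scenario replays the "received Nos. 1-10, now requires No. 11" case from the text.

```python
import struct
import zlib
from collections import OrderedDict

# Hypothetical wire layout for a first protocol packet (an assumption for this
# example, not the patent's actual format):
#   header:  magic "FP" | seq (u32, absolute, starts at 1) | count (u16) | flags (u8)
#   payload: count x [proto_id (u8) | length (u32) | secondary protocol packet bytes]
HDR = struct.Struct("!2sIHB")
SUB = struct.Struct("!BI")
FLAG_COMPRESSED = 0x01
PROTO_HTTP, PROTO_ICA = 1, 2   # constructed protocol ids for the example

def encapsulate(seq, sub_packets, compress=False):
    """Wrap one or more secondary protocol packets in one first protocol packet."""
    body = b"".join(SUB.pack(pid, len(data)) + data for pid, data in sub_packets)
    flags = 0
    if compress:                      # compression is done at the first-protocol level
        body, flags = zlib.compress(body), FLAG_COMPRESSED
    return HDR.pack(b"FP", seq, len(sub_packets), flags) + body

def decapsulate(frame):
    """Return (seq, [(proto_id, bytes), ...]); raise on malformed input."""
    magic, seq, count, flags = HDR.unpack_from(frame)
    if magic != b"FP":
        raise ValueError("not a first protocol packet")
    body = frame[HDR.size:]
    if flags & FLAG_COMPRESSED:
        body = zlib.decompress(body)
    subs, off = [], 0
    for _ in range(count):
        pid, length = SUB.unpack_from(body, off)
        off += SUB.size
        if off + length > len(body):
            raise ValueError("truncated secondary packet")
        subs.append((pid, body[off:off + length]))
        off += length
    if off != len(body):
        raise ValueError("trailing bytes after last secondary packet")
    return seq, subs

class Link:
    """Models the unreliable connection 120: frames sent while it is down are lost."""
    def __init__(self):
        self.up, self.peer = True, {}
    def transmit(self, sender, frame):
        if self.up:
            self.peer[sender].receive(frame)

class Endpoint:
    """Either the client agent 128 or the first protocol service 112; both behave alike."""
    def __init__(self, name):
        self.name = name
        self.next_seq = 1             # absolute numbering, never reset across reconnects
        self.queue = OrderedDict()    # seq -> frame: most recently transmitted packets
        self.next_required = 1        # next seq this side expects from its peer
        self.delivered = []           # secondary packets handed up, in order

    def send(self, link, sub_packets):
        frame = encapsulate(self.next_seq, sub_packets)
        self.queue[self.next_seq] = frame   # queued before the attempt, so a loss is recoverable
        self.next_seq += 1
        link.transmit(self, frame)

    def receive(self, frame):
        seq, subs = decapsulate(frame)
        if seq < self.next_required:        # duplicate of a packet already delivered
            return
        if seq != self.next_required:
            raise RuntimeError(f"{self.name}: gap, expected {self.next_required} got {seq}")
        self.delivered.extend(subs)
        self.next_required += 1

    def resync(self, link, peer_next_required):
        """On reconnect: flush what the peer already has, retransmit the rest in order."""
        for seq in [s for s in self.queue if s < peer_next_required]:
            del self.queue[seq]
        for frame in self.queue.values():
            link.transmit(self, frame)

def run_scenario():
    link, server, client = Link(), Endpoint("service"), Endpoint("client")
    link.peer = {server: client, client: server}
    for i in range(1, 11):                    # packets Nos. 1-10 arrive normally
        server.send(link, [(PROTO_HTTP, f"page chunk {i}".encode())])
    link.up = False                           # connection 120 fails
    server.send(link, [(PROTO_HTTP, b"chunk 11"), (PROTO_ICA, b"screen update")])
    server.send(link, [(PROTO_HTTP, b"chunk 12")])
    delivered_before = len(client.delivered)
    link.up = True                            # new connection 120 established
    server.resync(link, client.next_required) # client reports: "I now require No. 11"
    return {
        "delivered_before_resync": delivered_before,
        "delivered_after_resync": len(client.delivered),
        "queued_on_server": list(server.queue),
        "client_next_required": client.next_required,
    }
```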
By providing the client 108 with a reliable and persistent connection to a host service 116a-116n, the present invention avoids the process of opening a new user session with the host service 116a-116n by maintaining the user session through network connection interruptions. For each user session with a host service 116a-116n, the client 108 and the host service 116a-116n may maintain session specific context and caches, and other application specific mechanisms related to that instance of the user session. For each new user session established, this session specific context and these caches need to be re-populated or re-established to reflect the new user session. For example, a user on the client 108 may have an HTTP session with a host service 116a-116n. The host service 116a-116n may keep context specific to providing this instance of the HTTP session with the client 108. The context may be stored in the memory of the server, in files of the server, a database or other component related to providing the functionality of the host service 116a-116n. Also, the client 108 may have local context specific to the instance of the HTTP session, such as a mechanism for keeping track of an outstanding request to the host service 116a-116n. This context may be stored in memory of the client 108, in files on the client 108, or in another software component interfaced with the client 108. If the connection between the client 108 and the host service 116a-116n is not persistent, then a new user session needs to be established with new session specific context on the host service 116a-116n and the client 108. The present invention maintains the session so that a new session, and therefore new session specific context, does not need to be re-established.
The present invention maintains the user session through network level connection interruptions and without notification to the user of the client that the session was interrupted. In operation of this aspect of the invention, the first protocol service 112 establishes and maintains a first connection with a client 108 and a second connection with a host service 116a-116n. Via the first connection and the second connection, a session between the client 108 and the host service 116a-116n is established. The first protocol service 112 can store and maintain any session related information such as authentication credentials, and client 108 and host service 116a-116n context for the established session. A user on the client 108 will exercise the functionality provided by the host service 116a-116n through the established session. As such, related secondary protocol packets 304a-304n will contain data related to the transaction of such functionality. These secondary protocol packets 304a-304n, as part of the secondary protocol 200a-200n, are encapsulated and communicated in a first protocol 204. Upon detection of a disruption in either the first connection or the second connection, the first protocol service 112 can re-establish the disrupted connection while maintaining the other connection that may not have been disrupted. The network connection disruption may cause an interruption to the session between the client 108 and the host service 116a-116n. However, since the transport mechanism is not maintained by the secondary protocols 200a-200n, the session can be re-established after the network connection is re-established without the user on the client 108 having notification that the session was interrupted. The secondary protocol 200a-200n does not need to contain any interruption related information to transmit to the client 108. Thus, the interruption of the session caused by the network connection disruption is effectively hidden from the user because of the encapsulation of the first protocol 204.
The first protocol service 112, maintaining session related information, can re-establish the session between the client 108 and the host service 116a-116n. For example, if the first connection between the client 108 and the first protocol service 112 is disrupted, the first protocol service 112 can keep the client 108's session active or open between the first protocol service 112 and the host service 116a-116n. After the first connection is re-established, the first protocol service 112 can link the session of the client 108 to the maintained session between the first protocol service 112 and the host service 116. The first protocol service 112 can send to the client 108 any data that was queued prior to the disruption in the first connection. As such, the client 108 will be using the same session as prior to the disruption, and the host service 116a-116n and client 108 can continue to use any session specific context that they may have in memory or stored elsewhere. Furthermore, because of the intermediary of the first protocol service 112, the host service 116a-116n may not be aware of the network disruption between the first protocol service 112 and the client 108.
In another example, if the second connection between the first protocol service 112 and the host service 116a-116n is disrupted, the first protocol service can maintain the first connection with the client 108 while re-establishing the second connection with the host service 116a-116n. After re-establishing the second connection, the first protocol service 112 can re-establish the client's session, on behalf of the client, with the host service 116a-116n. Since the first protocol service 112 was maintaining any session related information, the first protocol service may re-establish the same session or a similar session so that the client 108 is not aware of the disruption in the second network connection and the resulting disruption to the session between the first protocol service 112 and the host service 116a-116n. While re-establishing the second network connection and the session, the first protocol service 112 can queue any session transactions sent by the client 108 during the disruption. Then, after re-establishing the session with the host service 116a-116n, the first protocol service 112 can transmit the queued transactions to the host service 116a-116n and the session can continue normally. In this manner, the client 108 continues to operate as if there was no interruption to the session.
Additionally, by providing a reliable and persistent connection, the present invention also avoids interruptions to transactions, commands or operations that are part of the functionality exercised between the client 108 and a server 415, or a host service 116a-116n. For example, a file copy operation using Windows Explorer has not been designed to continue working after there is a disruption in a network connection. A user on the client 108 may use the file copy feature of Windows Explorer to copy a file from the client 108 to a server 415. Because of the size of the file or files, this operation may take a relatively extended period of time to complete. If, in the middle of copying the file to the server 415, there is an interruption in the network connection between the client 108 and the server 415, the file copy will fail. Once the network connection is re-established, the user will need to start another file copy operation from Windows Explorer to copy the file from the client 108 to the server 415. Under the present invention, the user would not need to start another file copy operation. The network connection would be re-established as part of the first protocol 204 connection. The file copy operations would be encapsulated in the payload of the secondary protocols 200a-200n. As such, the file copy of Windows Explorer would not get notified of the interruption in the network connection and therefore would not fail. The first protocol service 112 would re-establish any connections and transmit any queued data so that the operation can continue without failure. The first protocol service 112 would maintain a queue of the data related to the file copy operation that has not been transferred to the server 415 because of the interruption in the network connection. Once the network connection is re-established, the first protocol service 112 can transmit the queued data and then continue transferring the data related to the file copy operation in due course.
Although this aspect of the invention is described in terms of a file copy operation example, one ordinarily skilled in the art will recognize that any operation, transaction, command, function call, etc. transacted between the client 108 and the server 415, or host service 116a-116n, can be maintained and continued without failure from the network connection disruption, and, furthermore, without the client 108 recognizing there was a disruption or having notice of the disruption.
Furthermore, by providing a reliable and persistent connection, the present invention also enables a client 108 to traverse different network topologies without restarting a session or an application on the client 108. For example, the client 108 may be a notebook computer with a wireless network connection. As the client 108 moves from a first wireless network to a second wireless network, the client's network connection 120 may be temporarily disrupted from the first wireless network as a network connection is established with the second wireless network. The second wireless network may assign a new network identifier, such as a host name or internet protocol address, to the client 108. This new network identifier may be different from the network identifier assigned to the client 108 by the first wireless network. In another example, the client 108 may be physically connected through an Ethernet cable to a port on the network. The physical connection may be unplugged and the client 108 moved to another location to plug into a different port on the network. This would cause a disruption to the network connection 120 and possibly a change in the assigned network identifier. Without the present invention, any sessions with a host service 116a-116n on the client 108 or applications on the client 108 accessing the network may need to be restarted due to the change in the network topology, the disruption to the network connection 120, and/or the change in the assigned network identifier. By the methods and systems described herein, the present invention maintains the network connection for the client and automatically re-establishes the network connection of the client 108, including handling changes in the network topology and network identifier. The client 108, and any applications or sessions on the client 108, can continue to operate as if there was no network connection disruption or change in the network identifier. Furthermore, the user on the client 108 may not recognize that there were any interruptions or changes, and the client 108 may not receive any notice of such interruptions.
Even with a reliable and persistent communication session as described above, network connections are still disrupted. When re-establishing the client's connection to the host service, the client 108 also needs to be re-authenticated to the host service 116. One embodiment of the invention relates to systems and methods for authenticating a client 108 to a host service 116 and re-authenticating the client 108 to the host service 116 without re-entering authentication credentials.
FIG. 4 depicts an illustrative embodiment of a system 400 that is capable of reconnecting the client 108 to a host service 116 using an automatic client reconnect service, referred to as the auto client reconnect service or ACR Service 405. In brief overview, a client 108 communicates with a server computer 415, also referred to as a server, over a communication channel 418. The communication channel 418 may include a network 104. For example, the communication channel 418 can be over a local-area network (LAN), such as a company intranet, or a wide area network (WAN) such as the Internet or the World Wide Web. The server 415 provides auto client reconnect services through an ACR Service 405. The client 108 accesses the server 415 through the communication channel 418. The ACR Service 405 of the server 415 provides authentication services to authenticate the client 108 to the server 415. When there is a disruption in a network connection, the ACR Service 405 further provides re-authentication services to re-authenticate the client 108 to the server 415. Although illustrated with a single client 108 and one communication channel 418, any number of clients (e.g., 108, 108′) and communication channels (e.g., 418, 418′) can be part of the system 100.
In one embodiment, the server 415 includes a processor 425 and memory 430 that communicate over a system bus 432. The memory 430 may include random access memory (RAM) and/or read only memory (ROM). In another embodiment, the server 415 accesses memory 430 from a remote site (e.g., another computer, an external storage device).
The ACR Service 405 running on the server 415 includes a key generator 435, a session identifier (SID) generator 438, an encryptor 440, a key destroyer 445, and a decryptor 448. The key generator 435 generates a key when the server 415 or the ACR Service 405 receives authentication credentials from the client 108. In one embodiment, the key generator 435 derives the key from a characteristic of the server 415. Particular examples include the key generator 435 deriving the key from the temperature of the processor 425, the time that the server 415 received the authentication credentials, and the number of keys stored in memory 430. In a further embodiment, the key and the authentication credentials are the same size (e.g., eight bits). In one embodiment, the key generator is a software module. In another embodiment, the key generator 435 is a random number generator.
The SID generator 438 generates the unique SID to enable the server 415 to identify a particular communication session. In one embodiment, the SID generator 438 is a software module. In another embodiment, the SID generator 438 is a random number generator. In another embodiment, the SID generator transmits the SID to the host service 116. In one embodiment, the SID generator 438 obtains the SID from a host service 116 running on the server. In yet another embodiment, the SID generator generates the SID by receiving a session identifier from the host service 116 establishing a user session.
The encryptor 440 encrypts the key with the authentication credentials to create encrypted authentication credentials. In one embodiment, the encryptor 440 encrypts the key with the authentication credentials by performing an exclusive OR operation (i.e., XOR) on the key and the authentication credentials. In another embodiment, the encryptor 440 adds the authentication credentials to the key to encrypt the authentication credentials; that is, the encryptor 440 performs a “Caesar Cipher” on the authentication credentials using the key as the shift value. In another embodiment, the encryptor 440 performs a hash function, such as MD4, MD5, or SHA-1, on the authentication credentials. It should be clear that the encryptor 440 can perform any type of manipulation on the authentication credentials as long as the ACR Service 405 can decrypt the encrypted authentication credentials with the key.
In one embodiment, the encryptor 440 is a software module that executes mathematical algorithms on the key and the authentication credentials to create the encrypted authentication credentials. In another embodiment, the encryptor 440 is a logic gate of the server computer 415, such as an exclusive OR (XOR) gate.
In one embodiment, the encryptor 440 stores the encrypted authentication credentials with the SID in a table 455 in memory 430. In another embodiment, the encryptor 440 stores the encrypted authentication credentials in the table 455 and the SID generator 438 stores the SID in the table 455. In one embodiment, the table 455 is an area in memory 430 allocated by the processor 425 for use by the encryptor 440. In another embodiment, the encryptor 440 stores the encrypted authentication credentials with the SID in a database (not shown in FIG. 4) separate from memory 430.
In one embodiment, the ACR Service 405 uses the SID as a vector to the location of the encrypted authentication credentials in the table 455. In another embodiment, the ACR Service 405 uses the SID as a database key to locate and retrieve the encrypted authentication credentials in a database (not shown in FIG. 4). Each encrypted authentication credential created by the encryptor 440 is associated with only one unique SID. Thus, the ACR Service 405 can locate and retrieve the encrypted authentication credentials by using a particular SID.
The key destroyer 445 deletes the key once the ACR Service 405 determines that the key is no longer needed. In one embodiment, the key destroyer 445 is a delete function of a software program such as the operating system of the server 415.
The decryptor 448 decrypts the encrypted authentication credentials once the ACR Service 405 receives the key and the SID from the client 108. In one embodiment, the decryptor 448 is a software module that performs the inverse function or algorithm of the one that the encryptor 440 performed to create the encrypted credentials. In another embodiment, the decryptor 448 is a hardware component (e.g., a logic gate) that performs the inverse operation of the encryptor 440.
In one embodiment, one or more of the key generator 435, the SID generator 438, the encryptor 440, the key destroyer 445 and the decryptor 448 are joined into one software module representing the ACR Service 405. In another embodiment, these components (435, 438, 440, 445 and 448) can be hardware components such as logic gates. In a further embodiment, these components (435, 438, 440, 445 and 448) are included in a single integrated circuit. In yet another embodiment, some of the components, for example the key generator 435 and the SID generator 438, can be hardware components, and other components, for example the encryptor 440, the key destroyer 445 and the decryptor 448, can be software components.
In another embodiment, the present invention also provides methods for reconnecting a client 108 to a host service 116 when there is a disruption in the client's connection to the network. The methods include re-establishing the client's connection to the host service 116 and using the ACR Service 405 to re-authenticate the client to the host service.
Referring to FIG. 5A, the client 108 establishes a first communication session with the server 415 over the communication channel 418. The client 108 obtains (step 500) authentication credentials from a user of the client 108. In a system 100 not using an Open System Interconnection (OSI) protocol as the transmission protocol for communications between the client 108 and the server 415, the authentication credentials may be a login password that is needed to establish the first communication session. In this embodiment, the obtaining of the authentication credentials from the user precedes the establishment of the communication session. In another embodiment, the authentication credential is personal information of the user that the client 108 obtains after the first communication session has been established. Examples of authentication credentials include a login password, a social security number, a telephone number, an address, biometric information, a time-varying pass code and a digital certificate. The client 108 then transmits (step 505) the authentication credentials to the server 415 over the communication channel 418 so that the server 415 can authenticate the client 108 or the user of the client 108.
After the server 415 receives the authentication credentials, the ACR Service 405 provides its auto client reconnect services. The key generator 435 creates (step 510) a first encryption key for use with the authentication credentials. In one embodiment, the encryption key is a random number. In another embodiment, the encryption key is any standard cryptographic key. The encryptor 440 then encrypts (step 515) the authentication credentials with the first key to generate encrypted authentication credentials. This prevents an attacker who gains access to the server 415 from accessing the authentication credentials without the key. The SID generator 438 then creates (step 520) a first SID to identify the first communication session between a client 108 and the server 415. In one embodiment, the first communication session is with a host service 116 hosted by the server 415. The encryptor 440 then stores (step 525) the encrypted authentication credentials with the first SID in the table 455 described above.
In one embodiment, the encryptor 440 stores the encrypted authentication credentials with the first SID in a certain location for more efficient retrieval at a later time. For instance, the encryptor 440 stores all encrypted authentication credentials and SIDs that have been created within a predetermined amount of time in the RAM of memory 430. The ACR Service 405 transfers all encrypted authentication credentials and SIDs created before a predetermined time to a second, external memory (not shown). In another embodiment, the encryptor 440 stores the encrypted authentication credentials with the SID in a database (not shown).
The SID and the encrypted authentication credentials stored in the memory 430 can be arranged in any particular order and/or format. For example, the SID and encrypted authentication credentials can be stored in chronological order with respect to the creation time of the encrypted authentication credentials.
The server 415 then transmits (step 535) the first key and associated first SID to the client 108 over the network 104. The client 108 stores (step 540) the first key and the first SID in the memory of the client 108 (not shown). Then the key destroyer 445 of the ACR Service 405 deletes (step 545) the key stored in memory 430.
In another embodiment, the ACR Service 405 does not delete the first key from memory 430 until the ACR Service 405 has notification that the client 108 has received the key. For example, the client 108 transmits an acknowledgment message to the server 415 after the client 108 has successfully received the key. Once the ACR Service 405 receives the notification, the key destroyer 445 then deletes (step 545) the key from the memory 430. This prevents the ACR Service 405 from deleting the key before the client 108 has successfully received the key. By not deleting the key until the acknowledgment message arrives, the ACR Service 405 can retransmit the key and the SID to the client 108 upon a failure in the transmission.
By deleting the key in step 545, the ACR Service 405 no longer has the mechanism needed to decrypt the encrypted authentication credentials stored in the table 455. Thus, if an attacker accesses the memory 430 of the server 415, the attacker can retrieve the encrypted authentication credentials but cannot decrypt them. Therefore, the attacker cannot read the authentication credentials. In short, the encrypted authentication credentials stored on the server 415 do not provide any information that the attacker can interpret or understand, since the server 415 does not possess any information with which to decrypt the encrypted authentication credentials.
In addition, the client 108 is the only device that can provide the key to the encrypted authentication credentials. With the possibility of many clients 108 as part of the network 104, an attacker may have to attempt to gain access to each client (e.g., 108, 108′) individually to find the client 108 that possesses the correct key. This can be time consuming and tedious and, as a result, may deter an attacker from an attempt to decrypt the encrypted authentication credentials.
In another embodiment, the server 415 has a timeout feature with respect to accessing the encrypted authentication credentials. For instance, the server 415 starts a timer after the first communication session is abnormally terminated. If the timer reaches a predetermined value before the client 108 re-establishes the second communication session and transmits the key to the server 415 for decryption, the ACR Service 405 deletes the encrypted authentication credentials from the table 455. If no timer is used, the key acts as a de facto password for future sessions.
Once theclient108 receives the first key and the first SID from theserver415 as described above in reference toFIG. 5A, the session can be re-established, as shown inFIG. 5B, without requiring the user to reenter his or her authentication credentials. When a disruption or break occurs in the first communication session (step500) between theclient108 and theserver415, thefirst communication session418 needs to be re-established and theclient108 re-authenticated to theserver415. TheACR Service405 provides a system and method for re-establishing and re-authenticating theclient108 to theserver415.
When theclient108 and theserver415 re-establish a second communication session, theclient108 transmits the first key and the first SID (step555) to theserver415. TheACR Service405 uses the SID (step558) to locate and retrieve the encrypted authentication credentials in theservers memory430 and uses the key (step560) to decrypt the retrieved authentication credentials. Theserver415 then re-authenticates theclient108 to the server415 (step565) by validating the authentication credentials from theclient108. In one embodiment, the authentication and re-authentication is facilitated through the security services provided by the operating system of the computing device of theserver415. For example, the authentication credentials are a login and password to theserver415. In another embodiment, the authentication and re-authentication is facilitated through application level security services of an application or software program on theserver415. For example, the authentication credentials are an application login and password to a specific host service116.
To illustrate, upon an abnormal termination of a first communication session (step550) in which the user's login password was the authentication credential, theclient108 attempts to establish a second communication session with theserver415. As part of the request to theserver415 to establish a second communication session with theserver415, theclient108 transmits the key and the SID (step555) of the first terminated communication session to theserver415. Instead of prompting the user to enter the users login password again, theserver415, through theACR Service405, uses the SID (step558) to locate and retrieve the encrypted authentication credentials associated with the user, uses the key (step560) to decrypt the retrieved authentication credentials, and reauthenticates the client using the decrypted authentication information (step565).
In one embodiment, during the second communication session, theACR Service405 creates (step570) a second key for the authentication credentials and then encrypts (step575) the authentication credentials using the second key. A second SID is created (step580) to identify the second communication session and associate the session with theclient108. The second encrypted authentication credentials are stored (step525) with the second SID in the table455.
In this embodiment, the server then transmits (step585) the second key and the second SID to theclient108. Theclient108 then stores (step590) the second key and the second SID in memory (not shown) for future retrieval. TheACR Service405 then deletes (Step595) the second key from thememory430. Thus, theACR Service405 can only decrypt the second encrypted authentication upon obtaining the second key and the second SID from theclient108. TheACR Service405 has created a new key and a new SID for the second communication session that is used with the same authentication credentials that the user had transmitted during the first communication session. Therefore, a users authentication credentials do not have to be retransmitted upon a second communication channel after an abnormal termination of the first communication session.
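The following is an added example, not code from the patent or from any product it describes, of the service-side logic in steps 510-595 together with the timeout feature: credentials are encrypted under a fresh key and stored in a table keyed by SID, the key is handed to the client and forgotten, and a reconnect with the right SID and key decrypts, re-authenticates and rotates to a second SID and key. The same logic serves the intermediary-node variant of FIGS. 7A-7C, where the ACR Service simply runs on the intermediary node instead of the server. Assumptions: `USER_DB` is a constructed in-memory login/password table, `encrypt`/`decrypt` are a standard-library encrypt-then-MAC construction standing in for a real cipher, and `timeout_seconds=None` models the "no timer" case the page mentions.

```python
"""Added example of an auto client reconnect (ACR) service, modelled on the
page's steps 510-595. Assumes a stdlib-only encrypt-then-MAC construction in
place of a real cipher, and a constructed in-memory user database."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed user database (hypothetical): login/password pairs.
USER_DB = {"alice": b"correct horse battery staple"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class _Entry:
    """One row of table 455: encrypted credentials plus the reconnect timer."""
    blob: bytes
    broken_at: Optional[float] = None


class ACRService:
    def __init__(self, timeout_seconds: Optional[float] = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.table: Dict[bytes, _Entry] = {}   # SID -> encrypted credentials
        self.timeout = timeout_seconds          # None: no timer, key is a de facto password
        self.clock = clock

    @staticmethod
    def authenticate(username: str, password: bytes) -> bool:
        """Validate a login/password against the constructed user database."""
        expected = USER_DB.get(username)
        return expected is not None and hmac.compare_digest(expected, password)

    def _issue(self, username: str, password: bytes) -> Tuple[bytes, bytes]:
        """Steps 510-545 / 570-595: fresh key, encrypt, fresh SID, store, forget the key."""
        key = os.urandom(32)
        blob = encrypt(key, username.encode() + b"\x00" + password)
        sid = os.urandom(16)
        self.table[sid] = _Entry(blob)
        return sid, key   # sent to the client; the service keeps only the SID and blob

    def login(self, username: str, password: bytes) -> Optional[Tuple[bytes, bytes]]:
        """First session: authenticate the supplied credentials, then issue SID and key."""
        if not self.authenticate(username, password):
            return None
        return self._issue(username, password)

    def mark_broken(self, sid: bytes) -> None:
        """Abnormal termination of the session: start the timer for this SID."""
        entry = self.table.get(sid)
        if entry is not None:
            entry.broken_at = self.clock()

    def reconnect(self, sid: bytes, key: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Steps 555-595: locate by SID, decrypt with the client's key, re-authenticate,
        then rotate to a second SID and key. Returns the new (sid, key) or None."""
        entry = self.table.get(sid)                      # step 558
        if entry is None:
            return None
        if (self.timeout is not None and entry.broken_at is not None
                and self.clock() - entry.broken_at > self.timeout):
            del self.table[sid]                           # timer expired: purge the row
            return None
        creds = decrypt(key, entry.blob)                  # step 560
        if creds is None:
            return None                                    # wrong key: credentials stay sealed
        username, _, password = creds.partition(b"\x00")
        if not self.authenticate(username.decode(), password):   # step 565
            del self.table[sid]
            return None
        del self.table[sid]                               # first SID retired ...
        return self._issue(username.decode(), password)   # ... second SID and key issued
```

The point worth noticing is what the service retains after `_issue` returns: the SID and the sealed blob, never the key. A wrong key fails the MAC check and leaves the row untouched, and once the timer has run past `timeout_seconds` the row is purged on the next attempt, so a key that leaks later is useless; with the timer disabled the key remains, as the page says, a de facto password for the stored credentials.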
Although the invention is discussed in terms of authentication credentials, any confidential information which can be maintained across sessions if there is a communication failure can be used. Thus, if credit card information is required by an application and the credit card information is sent to the server, a subsequent disconnect between the client and the server does not require the credit card information to be reentered if this invention is used. Further, although a session identifier, or SID, is discussed as providing a pointer to the stored authentication credentials, any number or value which is suitable as a pointer may be used.
FIG. 6 depicts another illustrative embodiment of a system 600 that is capable of reconnecting a client 108 to a server 415 using an ACR Service 405 executing on an intermediary node 650. The intermediary node 650 is a computing device different from the server 415 and can be any computing device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. In brief overview, the client 108 is in communication with an intermediary node 650 over a communication channel 418. The communication channel 418 may include a network 104. The intermediary node 650 provides auto client reconnect services, via an ACR Service 405, to the client 108 for the connection of the client 108 to the server 415. The intermediary node 650 is in communication with the server 415 over a communication channel 418′. The communication channel 418′ may include a network 104′. The client 108 accesses the services of the server 415 through the intermediary node 650. The ACR Service 405 on the intermediary node 650 provides auto client reconnect services for the connection of the client 108 to the server 415. Although illustrated with a single client 108 over a communication channel 418, any number of clients and number of communication channels can be part of the system 600.
In a further embodiment (not shown), the system 600 includes multiple intermediary nodes 650 that are in communication with one or more clients 108 through a network 104 over additional communication channels 418, 418′. Although illustrated in FIG. 6 with a single intermediary node 650 over a communication channel 418, any number of intermediary nodes and number of communication channels can be part of the system 600.
In another embodiment, the invention relates to methods to facilitate establishing and authenticating a client's 108 connection to a server 415 using one or more intermediary nodes 650. As shown in FIG. 7A, an intermediary node 650 establishes (step 520A) a session with the server 415.
The client 108 establishes a first communication session with the intermediary node 650 over the communication channel 418. The client 108 obtains (step 500) authentication credentials from a user of the client 108. The client 108 then transmits (step 505) the authentication credentials to the intermediary node 650 over the communication channel 418 so that the intermediary node 650 can authenticate the user with the server 415.
After the intermediary node 650 receives the authentication credentials, the ACR Service 405 provides its auto client reconnect services. The ACR Service 405 creates (step 510) a first encryption key for use with the authentication credentials and then encrypts (step 515) the authentication credentials with the first key to generate encrypted authentication credentials. This prevents an attacker who gains access to the server 415 from accessing the authentication credentials without the key. Then a session is established with the server 415 (step 520A) and the client 108 is authenticated to the server 415 using the authentication credentials. The ACR Service 405 then creates a first SID to identify the first communication session. The encrypted authentication credentials are stored (step 525) with the first SID in the table 455 described above. The intermediary node 650 then transmits (step 535) the first key and the first SID to the client 108 over the network 104. The client 108 stores (step 540) the first key and the first SID in the client's 108 memory (not shown). The ACR Service 405 then deletes (step 545) the key stored in memory 430.
Once the client 108 receives the first key and the first SID from the intermediary node 650 as described above in reference to FIG. 7A, the communication session can be re-established and re-authenticated, as shown in FIG. 7B, without requiring the user to reenter his or her authentication credentials. For example, there may be a disruption in the first communication session (step 705) between the client 108 and the intermediary node 650 from an abnormal termination.
When the client 108 and the intermediary node 650 re-establish a second communication session, the client 108 transmits the first key and the first SID (step 555) to the intermediary node 650. The ACR Service 405 of the intermediary node 650 uses the SID (step 558) to locate and retrieve the encrypted authentication credentials in the server's memory 430 and uses the key (step 560) to decrypt the retrieved authentication credentials. The key generator creates (step 570) a second key for the authentication credentials and the key encryptor 440 then encrypts (step 575) the authentication credentials using the second key. The SID generator 438 also creates (step 580) a second SID to identify the second communication session and associates it with the maintained session between the intermediary node 650 and the server 415. The encryptor 440 stores the second encrypted authentication credentials with the second SID in the table 455.
In this embodiment, the server 415 then transmits (step 585) the second key and the second SID to the client 108. The client 108 then stores (step 590) the second key and the second SID for future retrieval. The key destroyer 445 then deletes (step 595) the second key from the memory 430. Thus, the ACR Service 405 can only decrypt the second encrypted authentication credentials upon obtaining the second key and the second SID from the client 108. The ACR Service 405 has created a new key and a new SID for the second communication session that are used with the same authentication credentials that the user transmitted during the first communication session. Therefore, a user's authentication credentials do not have to be retransmitted over a second communication channel after an abnormal termination of the first communication session.
In another embodiment, there may be a disruption or abnormal termination in the second communication session (step 710) between the intermediary node 650 and the server 415. As described in FIG. 7C, the second communication session can be re-established and re-authenticated without requiring the user to reenter his or her authentication credentials.
When the intermediary node 650 and the server 415 re-establish a second communication session, the intermediary node 650 requests (step 550) the first key and first SID from the client 108 to re-establish a session with the server 415 on the client's behalf. In response, the client 108 transmits the first key and the first SID (step 555) to the intermediary node 650. The ACR Service 405 of the intermediary node 650 uses the SID (step 558) to locate and retrieve the encrypted authentication credentials in the server's memory 430 and uses the key (step 560) to decrypt the retrieved authentication credentials. The ACR Service 500 then re-establishes the client's session with the server (step 565) using the decrypted authentication credentials to re-authenticate the client 108 to the server 415.
In another embodiment, after re-establishing and re-authenticating the client over the second communication session, the ACR Service 405 of the intermediary node 650 creates a replacement second SID and second key as previously described in FIG. 7B. In reference to the embodiment of the ACR Service illustrated in FIG. 4, the key generator creates (step 570) a second key for the authentication credentials and the key encryptor 440 then encrypts (step 575) the authentication credentials using the second key. The SID generator 438 also creates (step 580) a second SID to identify the second communication session and associates it with the re-established session between the intermediary node 650 and the server 415. The encryptor 440 stores the second encrypted authentication credentials with the second SID in the table 455. In this embodiment, the server then transmits (step 585) the second key and the second SID to the client 108. The client 108 then stores (step 590) the second key and the second SID for future retrieval. The key destroyer 445 then deletes (step 595) the second key from the memory 430.
In other embodiments, one or more of the first protocol service 112 and ACR Service 405 can be distributed across any of the host service nodes. As such, the functionality of re-establishing and re-authenticating, or automatically reconnecting, a client 108 connection to a host service 116 can be flexibly distributed in different system and deployment architectures across host services 116 and/or host nodes 118.
In one embodiment of this aspect of the invention, an ACR Service 405 can be associated with each of the host services 116a-116n in system 100 to provide auto client reconnect services dedicated to each host service 116, respectively. A single first protocol service 112 can be deployed to handle all of the host services 116a-116n. As shown in FIG. 8A, each of the multiple ACR Services 405a-405n is associated with each of the host services 116a-116n, respectively. By way of example, a client 108 establishes a communication session with the host service 116a using the first protocol service 112. The ACR Service 405a associated with host service 116a provides auto client reconnect services for the connection of the client 108 to the host service 116a. If there is a disruption in a network connection, the first protocol service 112 will re-establish the connection with the client 108 and the ACR Service 405a will re-authenticate the client 108 to the host service 116a. A second client 108′ may concurrently, with the first client 108, establish a communication session with the host service 116b using the first protocol service 112. The ACR Service 405b provides auto client reconnect services for the client's connection to the host service 116b. If there is a network disruption, the first protocol service 112 in conjunction with the ACR Service 405b will reconnect the client 108′ to the host service 116b.
In another embodiment of this aspect of the invention, an ACR service can be associated with each of the multiple host services 116a-116n running on each of the host nodes 118a-118n of the system 100. A first protocol service 112 can be deployed on each host node 118 to service each of the multiple host services 116a-116n running on that host node 118. As shown in FIG. 8B, each ACR service 405a-405n is associated with each host service 116a-116n, respectively. Each host node 118 has a dedicated first protocol service 112 servicing each of its host services 116 and each ACR Service 405. For example, a client 108 establishes a communication session with host service 116a on host node 118a by using the first protocol service 112a. The ACR Service 405a on host node 118a provides auto client reconnect services for the connection of the client 108 to the host service 116a on host node 118a.
If a network disruption is detected, the first protocol service 112a re-establishes the client's connection to the host service 116a on host node 118a and the ACR service 405a on host node 118a re-authenticates the client 108 to the host service 116a on host node 118a. Concurrently with the first client 108, a second client 108′ establishes a communication session with host service 116b on host node 118a using the first protocol service 112a and ACR Service 405a. If there is a network disruption, the first protocol service 112a in conjunction with the ACR Service 405a reconnects the client 108′ with host service 116b on host node 118a. Concurrently with the first client 108 and the second client 108′, a third client 108′ establishes a communication session with host service 116n on host node 118b using the first protocol service 112b and ACR Service 405n on host node 118b. In a similar manner, the first protocol service 112b and ACR Service 405n can reconnect the client 108′ to the host service 116n of host node 118b.
In other embodiments, one or more of the ACR Services 405 can be distributed with the first protocol services 112 across any of the intermediary or first protocol service nodes. As such, the functionality of reconnecting a client 108 to a host service 116 can be flexibly distributed in different system and deployment architectures associated with the first protocol service 112.
In one embodiment of this aspect of the invention, the ACR Service 405 can be associated with each first protocol service 112 to provide auto client reconnect services dedicated to the first protocol service 112. A single first protocol service 112 and ACR Service 405 can be deployed to handle all of the host services 116a-116n. As shown in FIG. 9A, the ACR Service 405 resides with the first protocol service 112 on the same computing device to provide auto client reconnect services to host services 116a-116n. For example, a client 108 establishes a communication session with any of the host services 116a-116n by using the first protocol service 112 and ACR Service 405. The first protocol service 112 and ACR Service 405 provide reconnecting functionality from a client 108 to any of the host services 116a-116n.
In another embodiment of this aspect of the invention, each of the ACR Services 405a-405n can be associated with each of the multiple first protocol services 116a-116n. For example, as shown in FIG. 9B, a first protocol service 112a and an ACR Service 405a can be deployed on a host node 118a to service each of the multiple host services 116a-116n running on that host node 118a. As further shown in FIG. 9B, each ACR service 405a-405n is associated with each first protocol service 112a-112n to provide dedicated auto client reconnect services to the multiple host services 116a-116n of each host node 118a-118n. By way of example, client 108 establishes a communication session with host service 116a on host node 118a by using the first protocol service 112a and ACR Service 405a on the same host node 118a. If there is a network disruption, the first protocol service 112a in conjunction with the ACR Service 405a reconnects the client 108 to the host service 116a on the host node 118a.
Although the invention is discussed above in terms of various system and deployment architectures in FIGS. 8A-8B and 9A-9B, any other system and/or deployment architecture that combines and/or distributes one or more of the first protocol service(s) 112, ACR Service(s) 405, and host service(s) 116 across any of the host nodes 118, intermediary nodes 650 or other computing devices can be used.
Furthermore, instead of using an ACR Service 405 to provide authentication and re-authentication services, a ticket authority 1036 service can be used. A ticket authority 1036 generates and validates tickets for connection and authentication purposes. A ticket can comprise a session identifier and key. It can also comprise a random number, an application server certificate, a nonce, a constant or null value, or any other type of identification, confidential or security-based information that may be used for such purposes.
In an embodiment of a network communication system 1000 for reconnecting a client 108 to a host service 116 as shown in FIG. 10A, a ticket authority 1036 can run on a node separate from the intermediary node 1032, first protocol service 112 or any of the host services 116a-116n. FIG. 10A depicts an intermediary node 1032 and ticket authority 1036, which could be a single computing device, as part of the system 1000. In addition to the networks 104 and 104′, the system 1000 includes a client 108, first protocol service 112, and the host services 116a-116n, all of which are described above. In one embodiment, the intermediary node 1032 is a security gateway, such as, for example, a firewall and/or a router, through which messages between the client 108 and the first protocol service 112 must pass due to the configuration of the network 104. The ticket authority 1036 can be, for example, a stand-alone network component that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. The ticket authority 1036 also can be a specific host service 116 dedicated to providing ticket-related services on a server 415.
As shown in the illustrative embodiment of FIG. 10A, the intermediary node 1032 is configured to accept a connection 120a initiated by the client 108 and to establish a second connection 120b with the first protocol service 112. Together, the connection 120a and the second connection 120b constitute the connection 120, described above, over which the client 108 and the first protocol service 112 communicate using the first protocol.
The intermediary node 1032, as shown, is also configured to communicate with the ticket authority 1036. In one embodiment, the ticket authority 1036 is configured to receive a request for a first reconnection ticket from the intermediary node 1032 and to thereafter generate the first reconnection ticket. The first reconnection ticket can include, for example, a large random number. The first reconnection ticket allows the client 108 to automatically re-establish a connection with the host service after an abnormal disruption of service without requiring the client 108 to provide authentication credentials again.
After generation of the first reconnection ticket, the ticket authority 1036 encrypts the authentication credentials supplied by the client 108 using the first reconnection ticket so that an attacker who gains access to the intermediary node 1032 or the ticket authority 1036 cannot access the authentication credentials without the first reconnection ticket. The ticket authority 1036 may also generate a SID to identify the communication session that is established between the client 108 and the intermediary node 1032. The ticket authority 1036 then stores the encrypted authentication credentials with the SID in memory and transmits the SID and the first reconnection ticket to the client 108 over the network 104. Upon the client's receipt of the SID and the first reconnection ticket, the ticket authority 1036 destroys (i.e., deletes) the ticket from its memory (not shown).
In another embodiment, the ticket authority 1036 is configured to generate a handle. The handle can be, for example, a random number that is associated with (e.g., mapped to) the first reconnection ticket. In one embodiment, the handle is a smaller random number than the random number forming the first reconnection ticket. For example, the handle may be a 32-bit random number. The ticket authority 1036 transmits the first reconnection ticket and the handle to the intermediary node 1032, while keeping a copy of the first reconnection ticket and a copy of the handle. The copy of the first reconnection ticket can later be used by the ticket authority 1036 to validate the first reconnection ticket originally transmitted to the client 108 when it is later presented to the ticket authority 1036 during the process of reconnecting the client 108. In one embodiment, the ticket authority 1036 also keeps an address for the first protocol service 112, which, as explained below, is associated with the first reconnection ticket and, upon validation of the first reconnection ticket, is transmitted to the intermediary node 1032.
In one embodiment, the intermediary node 1032 is further configured to use the handle transmitted to it by the ticket authority 1036 to delete the copy of the first reconnection ticket kept at the ticket authority 1036. In another embodiment, as described below, the ticket authority 1036 is further configured to delete, during the process of reconnecting the client 108 to a host service 116, the first reconnection ticket and thereafter generate a replacement first reconnection ticket. Additionally, in another embodiment, the first reconnection ticket is configured for automatic deletion after a pre-determined period of time.
In another embodiment, the first protocol service 112 is configured to generate a second reconnection ticket, which, as in the case of the first reconnection ticket, can include, for example, a large random number. The first protocol service 112 can also be configured to transmit the second reconnection ticket to the client 108, while keeping a copy of the second reconnection ticket and a session number. The copy of the second reconnection ticket can later be used by the first protocol service 112 to validate the second reconnection ticket originally transmitted to the client 108 when it is later presented to the first protocol service 112 during the process of reconnecting the client 108. In one embodiment, the first protocol service 112 transmits the second reconnection ticket to the client 108 via the intermediary node 1032. In another embodiment, the first protocol service 112 transmits the second reconnection ticket to the client 108 directly. Moreover, as described in greater detail below, the first protocol service 112 can be further configured to delete, during the process of reconnecting the client 108 to a host service 116, the second reconnection ticket, and thereafter generate a replacement second reconnection ticket. Additionally, in another embodiment, the second reconnection ticket is configured for automatic deletion after a pre-determined period of time.
In one embodiment, the intermediary node 1032 serves as an intermediary for the first and second reconnection tickets. The intermediary node 1032 receives, for example, the first reconnection ticket generated by the ticket authority 1036 and the second reconnection ticket generated by the first protocol service 112. The intermediary node 1032 can then transmit the first reconnection ticket and the second reconnection ticket to the client 108. Moreover, during the process of reconnecting the client 108 to a host service 116, the intermediary node 1032 can accept the first reconnection ticket and the second reconnection ticket from the client 108 and thereafter transmit the first reconnection ticket to the ticket authority 1036 and, if appropriate, the second reconnection ticket to the first protocol service 112.
If the first communication session between the client 108 and the host service 116 terminates, for example abnormally, the new session can be re-established without requiring the user to reenter his or her authentication credentials. When the client 108 and the host service 116 re-establish a second communication session, the client 108 retransmits the first and second reconnection tickets and the SID to the intermediary node 1032. The intermediary node 1032 transmits the first and second reconnection tickets and the SID to the ticket authority 1036, which uses the SID to locate and retrieve the encrypted authentication credentials for the first connection and uses the first reconnection ticket to decrypt the retrieved authentication credentials. The ticket authority 1036 then authenticates the client by validating the decrypted authentication credentials. After re-authentication, the second reconnection ticket is forwarded to the first protocol service 112 to re-establish the second connection 124 with the host service 116.
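The two-ticket flow of FIG. 10A, as an added example that is not part of the patent or of any product it describes: the ticket authority keeps a copy of each first reconnection ticket together with its 32-bit handle and the address of the first protocol service, the first protocol service keeps its second reconnection ticket beside the session number, and the intermediary node forwards the first ticket to the authority and only then the second ticket to the first protocol service. Each ticket is consumed on use and replaced, can be deleted by handle, and expires after a fixed period. The same structure applies to the SID-and-key variant of FIG. 10B. Assumptions: tickets are 16 random bytes, `fps_address` is a plain string key into an in-process map of services, and credential encryption under the first ticket is left out since it follows the ACR example above.

```python
"""Added example of the ticket authority / first protocol service ticket flow.
Assumes 16-byte random tickets, 32-bit handles and in-process service objects."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class _FirstTicket:
    handle: int           # small random number mapped to the ticket
    fps_address: str      # address of the first protocol service kept with the ticket
    issued_at: float      # for automatic deletion after a fixed period


class TicketAuthority:
    """Ticket authority 1036: issues, validates, replaces and expires first tickets."""

    def __init__(self, ttl_seconds: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._by_ticket: Dict[bytes, _FirstTicket] = {}   # copies kept for validation
        self._by_handle: Dict[int, bytes] = {}
        self.ttl = ttl_seconds
        self.clock = clock

    def issue(self, fps_address: str) -> Tuple[bytes, int]:
        ticket = secrets.token_bytes(16)             # the "large random number"
        handle = secrets.randbits(32)                # the 32-bit handle
        while handle in self._by_handle:             # handles must stay unique
            handle = secrets.randbits(32)
        self._by_ticket[ticket] = _FirstTicket(handle, fps_address, self.clock())
        self._by_handle[handle] = ticket
        return ticket, handle

    def delete_by_handle(self, handle: int) -> bool:
        """The intermediary node deletes the stored copy using only the handle."""
        ticket = self._by_handle.pop(handle, None)
        if ticket is None:
            return False
        del self._by_ticket[ticket]
        return True

    def validate(self, presented: bytes) -> Optional[Tuple[str, bytes, int]]:
        """Consume a presented ticket; return (fps address, replacement ticket, handle)."""
        record = self._by_ticket.get(presented)
        if record is None:
            return None
        self.delete_by_handle(record.handle)         # single use, whether valid or expired
        if self.clock() - record.issued_at > self.ttl:
            return None
        ticket, handle = self.issue(record.fps_address)
        return record.fps_address, ticket, handle


class FirstProtocolService:
    """First protocol service 112: second ticket kept beside its session number."""

    def __init__(self) -> None:
        self._sessions: Dict[bytes, int] = {}

    def issue(self, session_number: int) -> bytes:
        ticket = secrets.token_bytes(16)
        self._sessions[ticket] = session_number
        return ticket

    def validate(self, presented: bytes) -> Optional[Tuple[int, bytes]]:
        """Consume the second ticket; return (session number, replacement ticket)."""
        session_number = self._sessions.pop(presented, None)
        if session_number is None:
            return None
        return session_number, self.issue(session_number)


class IntermediaryNode:
    """Intermediary node 1032: first ticket to the authority, then second to the FPS."""

    def __init__(self, authority: TicketAuthority,
                 services: Dict[str, FirstProtocolService]) -> None:
        self.authority = authority
        self.services = services                     # fps address -> service object

    def reconnect(self, first_ticket: bytes, second_ticket: bytes) -> Optional[dict]:
        outcome = self.authority.validate(first_ticket)
        if outcome is None:
            return None                              # nothing is forwarded to the FPS
        fps_address, new_first, new_handle = outcome
        fps = self.services.get(fps_address)         # address returned by the authority
        if fps is None:
            return None
        result = fps.validate(second_ticket)
        if result is None:
            return None
        session_number, new_second = result
        return {"session": session_number, "first_ticket": new_first,
                "handle": new_handle, "second_ticket": new_second}
```

Ordering matters here: the first protocol service never sees the second ticket until the ticket authority has accepted the first, so a second ticket alone identifies a session number but cannot rejoin it. Because every presented ticket is removed before its age is checked, an expired or replayed ticket leaves nothing behind to retry against.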
In another embodiment of a network communications system 1000 as shown in FIG. 10B, an ACR Service 405 can be used instead of the ticket authority 1036 for reconnecting the client 108 to any of the host services 116a-116n. In this embodiment, the ACR Service 405 can provide similar services as described above with regard to the ticket authority 1036. As previously described, the ACR Service 405 generates, validates and manages a SID and a key for connecting and reconnecting a client communication session. A SID and a key can form a ticket of the type generated, validated and managed by the ticket authority 1036 as described above. As such, in another embodiment, a ticket may be used interchangeably for the combination of a session identifier and a key.
The intermediary node 1032, as shown in FIG. 10B, is configured to communicate with the ACR Service 405. In one embodiment, the ACR Service 405 is configured to receive a request for a first SID and a first key from the intermediary node 1032 and to thereafter generate the first SID and first key. The ACR Service 405 uses the first SID to identify the communication session that is established between the client 108 and a host service 116. The first SID and the first key allow the client 108 to automatically reconnect with the host service 116 after an abnormal disruption of service without requiring the client 108 to provide authentication credentials again.
After generation of the first SID and the first key, the ACR Service 405 encrypts the authentication credentials supplied by the client 108 using the first key so that an attacker who gains access to the intermediary node 1032 or the ACR Service 405 cannot access the authentication credentials without the first key. The ACR Service 405 then stores the encrypted authentication credentials with the SID in memory 430 and transmits the first SID and the first key to the client 108 over the network 104. Upon the client's receipt of the SID and the key, the ACR Service 405 destroys (i.e., deletes) the key from its memory 430.
In another embodiment, the first protocol service 112 is configured to generate a second SID and second key. The first protocol service 112 can also be configured to transmit the second SID and second key to the client 108, while keeping a copy of the second SID and second key. The copy of the second SID and second key can later be used by the first protocol service 112 to validate the second SID and second key originally transmitted to the client 108 when they are later presented to the first protocol service 112 during the process of reconnecting the client 108. In one embodiment, the first protocol service 112 transmits the second SID and second key to the client 108 via the intermediary node 1032. In another embodiment, the first protocol service 112 transmits the second SID and second key to the client 108 directly. Moreover, as described in greater detail below, the first protocol service 112 can be further configured to delete, during the process of reconnecting the client 108 to a host service 116, the second SID and second key, and thereafter generate a replacement second SID and second key. Additionally, in another embodiment, the second SID and second key are configured for automatic deletion after a pre-determined period of time.
In one embodiment, the intermediary node 1032 serves as an intermediary for the first and second SIDs and keys. The intermediary node 1032 receives, for example, the first SID and first key generated by the ACR Service 405 and the second SID and second key generated by the first protocol service 112. The intermediary node 1032 can then transmit the first SID and first key and the second SID and second key to the client 108. Moreover, during the process of reconnecting the client 108 to a host service 116, the intermediary node 1032 can accept the first SID and first key and the second SID and second key from the client 108 and thereafter transmit the first SID and first key to the ACR Service 405 and, if appropriate, the second SID and second key to the first protocol service 112.
If the first communication session between the client 108 and the host service 116 terminates, for example abnormally, the new session can be re-established without requiring the user to reenter his or her authentication credentials. When the client 108 and the host service 116 re-establish a second communication session, the client 108 transmits the first and second SIDs and keys to the intermediary node 1032. The intermediary node 1032 transmits the first SID and first key to the ACR Service 405, which uses the SID to locate and retrieve the encrypted authentication credentials for the first connection and uses the first key to decrypt the retrieved authentication credentials. The ACR Service 405 then authenticates the client by validating the decrypted authentication credentials. After re-authentication, the second SID and second key are forwarded to the first protocol service 112 to re-establish the second connection 124 with the host service 116.
Referring to FIG. 11A, another embodiment of a system 1100 for network communications includes the networks 104 and 104′, the client 108, the first protocol service 112, the host services 116, the intermediary node 1032, and the ticket authority 1036, as described above, and further depicts a first computing node 1140 and a second computing node 144, both of which are used, in one embodiment, for initially connecting the client 108 to a host service 116. Moreover, in the illustrative embodiment of FIG. 11A, the client 108 further includes a web browser 148, such as, for example, the INTERNET EXPLORER program from Microsoft Corporation of Redmond, Wash., to connect to the World Wide Web.
In one embodiment (not shown), the system 1100 includes two or more intermediary nodes 1032 and/or two or more first protocol services 112. The intermediary node 1032, through which messages between the client 108 and the first protocol service 112 must pass, and/or the first protocol service 112 can, as explained below, each be chosen based on, for example, a load balancing equation.
Each of the first computing node 1140 and the second computing node 1144 can be any computing device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. For example, in one embodiment, the first computing node 1140 is a web server, providing one or more websites or web-based applications. In another embodiment, the second computing node 1144 provides an XML service or web service.
In one embodiment, the client 108 and the network 104 form an external network 1152, separated from the rest of the system 1100 by a first firewall 1156, depicted as a dashed line. The intermediary node 1032 and the first computing node 1140 can be located in a “demilitarized zone” 1160 (i.e., a network region placed between a company's private network and the public network), separated from the rest of the system 1100 by the first firewall 1156 and a second firewall 1164, also depicted by a dashed line. Then, as shown, the network 104′, the first protocol service 112, the host services 116a-116n, the ticket authority 1036, and the second computing node 1144 form an internal network 1168, separated from the rest of the system 1100 by the second firewall 1164.
Alternatively, in another embodiment not shown in FIG. 11A, the system 1100 further includes a third computing node 1146 positioned, in the demilitarized zone 1160, between the network 104 and the intermediary node 1032. The third computing node 1146 can be any computing device that is capable of networked communication and that has sufficient processor power and memory capacity to perform the operations described herein. As described below, the third computing node 1146 is used, in some embodiments, during the process of initially connecting the client 108 to a host service 116 and/or during the process of reconnecting the client 108 to a host service 116. More specifically, as described below, where the system 1100 includes two or more intermediary nodes 1032, the third computing node 1146 can, based on a load balancing equation for example, choose the intermediary node 1032 through which communications between the client agent 128 of the client 108 and the first protocol service 112 must pass.
Moreover, referring to FIG. 11A, the intermediary node 1032, in an alternative embodiment, can be replaced by two or more levels “a”-“n” of intermediary nodes 1032. As illustrated, each level “a”-“n” can include two or more intermediary nodes 1032a-1032n. As described below, the client agent 128 of the client 108 can be routed through any combination of the intermediary nodes 1032 based on, for example, load balancing equations. For example, as illustrated, the client agent 128 can be routed through the intermediary nodes 1032 via connection 120. Other configurations of the system 1100, as would be readily apparent to one skilled in the art, are also possible.
Referring again to FIG. 11A, in one embodiment, the web browser 1148 communicates over the network 104 with the first computing node 1140, which itself interfaces with the second computing node 1144 and the ticket authority 1036. More specifically, the first computing node 1140 is configured with the address of the second computing node 1144 and the ticket authority 1036. In one embodiment, as explained further below, the first computing node 1140 is configured to relay information between, and thereby prevent direct communication between, the web browser 1148 of the client 108, the second computing node 1144, and the ticket authority 1036. By preventing such direct communication, the first computing node 1140 adds an additional level of security to the system 1100. The first computing node 1140 can also be configured with the address of the intermediary node 1032, or, alternatively, with the address of two or more intermediary nodes 1032.
For its part, thesecond computing node1144 is configured to determine which of the application programs running on the host services116 are available to a user of theclient108. In other words, thesecond computing node1144 is configured to determine which of the application programs the user is authorized to access. In one embodiment, after the user selects his desired application program, as described further below, thesecond computing node1144 is further configured to determine which of the host services116 will be used to run the users desired application for purposes of load balancing. Thesecond computing node1144 returns the address of that host service116 to thefirst computing node1140. Thesecond computing node1144 also returns the address of thefirst protocol service112, which can also be selected from amongst a plurality offirst protocol services112 through the use of a load balancing equation, to thefirst computing node1140. In turn, thefirst computing node1140 transmits the address of the chosenfirst protocol service112 and the chosen host service116 to theticket authority1036.
For its part, theticket authority1036 generates connection tickets. In one embodiment, theticket authority1036 transmits an initial connection ticket to thefirst computing node1140 for transmission to theclient108. In another embodiment, the ticket authority transmits a first reconnection ticket to theintermediary node1032.
In another embodiment of anetwork communication system1100 as shown inFIG. 11B, theACR Service405 can be used instead of theticket authority1036 to reconnect aclient108 to a host service116. Instead of using tickets as with theticket authority1036, theACR Service405 generates, validates and manages SIDs and keys for connecting and reconnecting client communication sessions. TheACR Service405 authenticates and re-authenticates the client to a host service116 orserver415 using a SID and key, or a ticket, associated with theclient108. As previously mentioned, a ticket can be used to refer to the combination of a SID and key or a ticket can comprise a SID and a key.
The system 1100 of FIG. 11B includes the networks 104 and 104′, the client 108, the first protocol service 112, the host services 116, the intermediary node 1032, and the ACR Service 405, as described above, and further depicts a first computing node 1140 and a second computing node 1144, both of which are used, in one embodiment, for initially connecting the client 108 to a host service 116. Moreover, the client 108 further includes a web browser 1148 to connect to the World Wide Web.
In one embodiment (not shown), the system 1100 includes two or more intermediary nodes 1032 and/or two or more first protocol services 112 and/or two or more ACR Services 405. The intermediary node 1032, through which messages between the client 108 and the first protocol service 112 must pass, and/or the first protocol service 112 and/or the ACR Service 405 can, as explained below, each be chosen based on, for example, a load balancing equation.
In another embodiment, the system 1100 of FIG. 11B can include an external network 1152, separated from a “demilitarized zone” 1160 by a first firewall 1156, which in turn is separated from an internal network 1168 by a second firewall 1164. Although the invention is discussed above in terms of the network topologies in FIGS. 11A and 11B, any other network topology can be used, such as, for example, a topology including combinations of internal networks, external networks, sub-networks, intranets, firewalls, security zones, single servers, a server network or server farms.
Alternatively, in another embodiment not shown in FIG. 11B, the system 1100 further includes a third computing node 1146 positioned, in the demilitarized zone 1160, between the network 104 and the intermediary node 1032. The third computing node 1146 is used, in some embodiments, during the process of initially connecting the client 108 to a host service 116 and/or during the process of reconnecting the client 108 to a host service 116.
In another embodiment of the system 1100 in FIG. 11B, the intermediary node 1032 can be replaced by two or more levels “a”-“n” of intermediary nodes 1032a-1032n. The client agent 128 of the client 108 can be routed through any combination of the intermediary nodes 1032 based on, for example, load balancing equations.
In one embodiment, the web browser 1148 communicates over the network 104 with the first computing node 1140, which itself interfaces with the second computing node 1144 and the ACR Service 405. The first computing node 1140 is configured with the address of the second computing node 1144 and the ACR Service 405. In another embodiment, to provide an additional level of security in the system 1100, the first computing node 1140 is configured to relay information between, and thereby prevent direct communication between, the web browser 1148 of the client 108, the second computing node 1144, and the ACR Service 405. The first computing node 1140 can also be configured with the address of any of the intermediary nodes 1032a-1032n.
For its part, the second computing node 1144 is configured to determine which of the application programs running on the host services 116 are available to a user of the client 108 and to provide the address of the host service 116 selected by the user to the first computing node 1140. The second computing node 1144 also provides the address of one of the multiple first protocol services 112, chosen through the use of a load balancing equation, to the first computing node 1140. In turn, the first computing node 1140 transmits the address of the chosen first protocol service 112 and the chosen host service 116 to the ACR Service 405.
For its part, the ACR Service 405 generates, validates and manages connection SIDs and keys to provide authentication and re-authentication services to re-establish a client's communication session with a host service 116 or server 415, as described herein. In one embodiment, the ACR Service 405 transmits a first SID and first key to the first computing node 1140 for transmission to the client 108. In another embodiment, the ACR Service 405 transmits a first SID and first key to one of the intermediary nodes 1032.
In another aspect, this invention relates to methods for network communications and for reconnecting a client 108 to a host service 116 using a plurality of secondary protocols encapsulated within a first protocol. The method includes establishing a first connection between a client 108 and a first protocol service 112 using a first protocol and communicating between the client 108 and the first protocol service 112 via a plurality of second protocols encapsulated within the first protocol. Moreover, at least one of the second protocols includes a plurality of virtual channels.
In one embodiment of this aspect of the invention, a second connection is established between the first protocol service 112 and a host service 116 using one of the secondary protocols. Communication between the first protocol service 112 and the host service 116 occurs via one of the secondary protocols. Specifically, each of the plurality of second connections is established between the first protocol service 112 and a different host service 116, and each of the plurality of second connections is established using one of the plurality of secondary protocols. In yet another embodiment, the first connection between the client 108 and the first protocol service 112 is established through one or more intermediary nodes 1032.
Referring now to FIG. 12A, one embodiment of a method 1200 for reconnecting a client to a host service after a network failure is illustrated. At step 1204, the client 108 initially connects to one of a plurality of host services 116 by employing, for example. Generally, the client 108 is required to transmit authentication credentials to the host service 116 to initiate the communication session. After the client 108 is connected to the host service 116, the client 108 and the host service 116 communicate, through the first protocol service 112, and at step 1208, via a plurality of secondary protocols encapsulated within the first protocol, as discussed above in reference to FIGS. 2A-2B and FIG. 3. In one embodiment, the first protocol service 112 encrypts, prior to the transmission of any first protocol packets, communications at the level of the first protocol 204, thereby securing the communications. In another embodiment, the first protocol service 112 compresses, prior to the transmission of any first protocol packets, the communications at the level of the first protocol, thereby improving communication efficiency.
At step 1212, the client agent 128 determines whether the connection 120 between the client agent 128 and the first protocol service 112 has failed. For example, the connection 120a between the client agent 128 and the intermediary node 1032 may have failed, the connection 120b between the intermediary node 1032 and the first protocol service 112 may have failed, or both the connection 120a and the connection 120b may have failed. If the client agent 128 determines that the connection 120 has not failed, the method 1200 proceeds to step 1220. If, on the other hand, the client agent 128 determines that the connection 120 has failed, the client 108 is, at step 1216, reconnected to the host service 116.
The step of reconnecting in step 1216, after a first communication session ends abnormally, can comprise, in a system 1100 deploying a ticket authority 1036, the client 108 transmitting the SID and the first and second reconnection tickets to the intermediary node 1032. The intermediary node 1032 uses the first reconnection ticket to authenticate the client 108 and re-establish the connection 120 between the client 108 and the intermediary node 1032. The intermediary node 1032 then transmits the second reconnection ticket to the first protocol service 112, which uses the second reconnection ticket to authenticate the client 108 and re-establish the connection 124 to the host service 116. The reconnection tickets thus allow the client 108 to automatically establish a second communication session to the host service 116 without retransmitting the authentication credentials a second time.
In another embodiment, the step of reconnecting, in step 1216, can also comprise a system 1100 deploying an ACR Service 405. In such an embodiment, the client 108 transmits a first SID and first key to the intermediary node 1032 to authenticate the client 108 and re-establish the connection of the client 108 to the host service 116.
It is determined, at step 1220, whether the client 108 wishes to cleanly terminate its connection 120 with the first protocol service 112 and, consequently, its connections 124a-124n with the host services 116a-116n. If not, communication between the client 108 and the first protocol service 112, via the plurality of secondary protocols encapsulated within the first protocol, continues at step 1208. If so, then, at step 1224, all connections 120a, 120b, and 124a-124n are broken and all reconnection tickets are deleted. In another embodiment using an ACR Service 405, at step 1224, all connections 120a, 120b, and 124a-124n are broken and all SIDs and keys are deleted. In one embodiment, the intermediary node 1032 uses a handle it receives from the ticket authority 1036 to delete a copy of a first reconnection ticket kept at the ticket authority 1036. In another embodiment deploying a ticket authority 1036, the first protocol service 112 deletes a copy of a second reconnection ticket kept at the first protocol service 112. In yet another embodiment deploying the ACR Service 405, the first protocol service 112 deletes a copy of a second SID and second key kept at the first protocol service 112.
In a further embodiment using a ticket authority 1036, if for some reason a secondary protocol connection 124 fails, a copy of the second reconnection ticket associated therewith and kept at the first protocol service 112 is deleted by the first protocol service 112. In yet another embodiment, a first reconnection ticket and/or a second reconnection ticket is automatically deleted after a pre-determined period of time following a failure in the connection 120, as at step 1212, and/or following a clean termination of the connection 120, as at step 1220.
In another aspect, this invention relates to methods for reconnecting the client 108 to the host service 116 using the ACR Service 405. Referring now to FIG. 12B, one embodiment of the method 1216 to reconnect a client 108 to a host service 116 is illustrated. The client 108 transmits the first SID and the first key to the ACR Service 405 to reconnect to the host service (step 1255). The ACR Service 405 uses the SID (step 1258) to locate and retrieve the encrypted authentication credentials and uses the key (step 1260) to decrypt the retrieved authentication credentials. In one embodiment (not shown), the ACR Service 405 uses the decrypted authentication credentials to re-authenticate the client 108 to the maintained session between the first protocol service 112 and the host service 116. After re-authenticating, the re-established connection of the client 108 to the first protocol service 112 is re-linked to the maintained session between the first protocol service 112 and the host service 116.
In another embodiment, during the second communication session, the ACR Service 405 generates (step 1270) a second key for the authentication credentials and then encrypts (step 1275) the authentication credentials using the second key. The ACR Service 405 creates a second SID (step 1280). Then the decrypted authentication credentials are re-authenticated with the host service 116 and the second SID is associated with the maintained communication session with the host service 116 (step 1280a). The ACR Service 405 then transmits the second SID and second key to the client 108 (step 1285). In one embodiment, the ACR Service 405 may transmit the second SID and second key through an intermediary node 1032. The client 108 stores the second SID and second key (step 1290). The ACR Service 405 then deletes the second key (step 1295).
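The SID/key exchange of FIG. 12B, modelled as an added example (this is not code from the patent or from any product). It assumes a credential-check callback supplied by the host side, a toy HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag so that it runs on the standard library alone, and that a SID is retired once it has been used to reconnect; the security point it shows is that the service stores only ciphertext indexed by SID while the client alone holds the key, and that each reconnection rotates both.

```python
"""Added example: minimal model of the ACR Service reconnection flow (FIG. 12B).
Constructed assumptions: credential check is a callback; the cipher is a toy
HMAC-SHA256 keystream with an HMAC tag (a real service would use an AEAD such
as AES-GCM); a SID used to reconnect is retired."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key is refused instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass(frozen=True)
class Session:
    """What the client stores (step 1290): the SID and the key, nothing more."""
    sid: bytes
    key: bytes


class ACRService:
    def __init__(self, authenticate: Callable[[bytes], bool]) -> None:
        self._authenticate = authenticate         # host-side credential check (assumed)
        self._records: Dict[bytes, bytes] = {}    # SID -> encrypted credentials; no keys kept

    def create_session(self, credentials: bytes) -> Session:
        """Initial connection: fresh key and SID; only the ciphertext is retained."""
        key, sid = secrets.token_bytes(32), secrets.token_bytes(16)
        self._records[sid] = encrypt(key, credentials)
        return Session(sid, key)

    def reconnect(self, sid: bytes, key: bytes) -> Session:
        """Steps 1255-1295: locate by SID, decrypt with the presented key,
        re-authenticate, then hand back a rotated SID and key and forget the key."""
        blob = self._records.get(sid)                          # step 1258
        if blob is None:
            raise PermissionError("unknown SID")
        try:
            credentials = decrypt(key, blob)                   # step 1260
        except ValueError:
            raise PermissionError("key does not open this SID") from None
        if not self._authenticate(credentials):                # step 1280a
            raise PermissionError("re-authentication failed")
        del self._records[sid]                                 # old SID retired (assumption)
        new_key, new_sid = secrets.token_bytes(32), secrets.token_bytes(16)  # 1270, 1280
        self._records[new_sid] = encrypt(new_key, credentials)  # step 1275
        return Session(new_sid, new_key)                       # 1285; new_key not kept (1295)

    def terminate(self, sid: bytes) -> None:
        """Clean termination (step 1224): the stored SID record is deleted."""
        self._records.pop(sid, None)

    def knows_sid(self, sid: bytes) -> bool:
        return sid in self._records


def demo() -> bool:
    """One connect / reconnect / replay cycle; True when behaviour matches the text."""
    svc = ACRService(lambda c: c == b"alice:correct horse")   # constructed credential check
    first = svc.create_session(b"alice:correct horse")
    second = svc.reconnect(first.sid, first.key)
    rotated = second.sid != first.sid and second.key != first.key
    try:
        svc.reconnect(first.sid, first.key)    # replaying the retired SID/key must fail
        replay_refused = False
    except PermissionError:
        replay_refused = True
    return rotated and replay_refused and svc.knows_sid(second.sid)
```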
Referring to FIGS. 13A-13B, one embodiment of a method 1300 for initially connecting the client 108 to the host service 116 using an ACR Service 405 is illustrated. At step 1304, the client 108, using the browser 1148, sends a request, such as, for example, an HTTP request, to the first computing node 1140. The first computing node 1140 returns a web page, such as, for example, an HTML form requesting authentication information (e.g., a username and a password). A user of the client 108 enters his authentication credentials and transmits the completed form to the first computing node 1140.
The first computing node 1140, at step 1308, then informs the user of the client 108 of applications available for execution. In one embodiment, the first computing node 1140 extracts the user's credentials from the login page and transmits them to the second computing node 1144, together with a request for the second computing node 1144 to enumerate the applications available to the user. Based on the user's credentials, the second computing node 1144 returns a list of the specific applications available to the user to the first computing node 1140, which then forwards the list, in the form of a web page for example, to the user of the client 108.
At step 1312, the user selects the desired application and a request for that application is sent to the first computing node 1140. For example, in one embodiment, the user clicks on a desired application listed in the web page presented to him by the first computing node 1140 and an HTTP request for that application is forwarded to the first computing node 1140. The request is processed by the first computing node 1140 and forwarded to the second computing node 1144.
At step 1316, the second computing node 1144 determines the host service 116 on which the desired application will be executed. The second computing node 1144 can make that determination based, for example, on a load balancing equation. In one embodiment, the second computing node 1144 also determines a first protocol service 112 from amongst a plurality of first protocol services 112 that will be used to communicate with the host service 116 via a connection 124. Again, the second computing node 1144 can make that determination based, for example, on a load balancing equation. The second computing node 1144 returns the address of the chosen host service 116 and the chosen first protocol service 112 to the first computing node 1140.
The client 108, at step 1320, is then provided with an initial connection session id and key, a first SID and first key, and an address for the intermediary node 1032 (which is either its actual address or its virtual address, as described below). In one embodiment, the first computing node 1140 provides the address for the chosen host service 116 and the chosen first protocol service 112 to the ACR Service 405, together with a request for the initial connection session id and key. The ACR Service 405 generates the initial session id and key, and transmits the session id and key to the first computing node 1140, while keeping a copy for itself.
The first computing node 1140, configured, in one embodiment, with the actual address of the intermediary node 1032, then transmits the actual address of the intermediary node 1032 and the initial connection session id and key to the browser 1148 of the client 108. The first computing node 1140 can, for example, first create a file containing both the actual address of the intermediary node 1032 and the initial connection ticket and then transmit the file to the browser 1148 of the client 108. Optionally, in another embodiment, the first computing node 1140 is configured with the actual address of two or more intermediary nodes 1032. In such an embodiment, the first computing node 1140 first determines the intermediary node 1032 through which messages between the client 108 and the first protocol service 112 will have to pass. The first computing node 1140 then transmits the actual address of that chosen intermediary node 1032 and the initial connection ticket to the browser 1148 of the client 108 using, for example, the file described above. In one embodiment, the first computing node 1140 chooses the intermediary node 1032 using a load balancing equation. The client agent 128 of the client 108 is then launched and uses the address of the intermediary node 1032 to establish, at step 1324, a first protocol connection 120a between the client agent 128 of the client 108 and the intermediary node 1032.
Alternatively, in another embodiment, the first computing node 1140 is configured with an actual address of the third computing node 1146, which serves as a virtual address of an intermediary node 1032. In such an embodiment, the first computing node 1140 transmits, at step 1320, the actual address of the third computing node 1146 and the initial connection session id and key to the browser 1148 of the client 108 using, for example, the file described above. The client agent 128 of the client 108 is then launched and uses the actual address of the third computing node 1146 to establish, at step 1324, a first protocol connection between the client agent 128 of the client 108 and the third computing node 1146. The third computing node 1146 then determines the intermediary node 1032 through which messages between the client 108 and the first protocol service 112 will have to pass. In one embodiment, the third computing node 1146 chooses the intermediary node 1032 using a load balancing equation. Having chosen the intermediary node 1032, the third computing node 1146 establishes a first protocol connection to the intermediary node 1032. A first protocol connection 120a therefore exists, through the third computing node 1146, between the client agent 128 of the client 108 and the intermediary node 1032. The actual address of the third computing node 1146 is therefore mapped to the actual address of the intermediary node 1032. To the client agent 128 of the client 108, the actual address of the third computing node 1146 therefore serves as a virtual address of the intermediary node 1032.
In one embodiment, where more than one level of intermediary nodes 1032a-1032n exists, as described above, the first computing node 1140 or the third computing node 1146, respectively, only chooses the intermediary node 1032 to which the client agent 128 will connect at level “a”. In such an embodiment, at each of the levels “a”-“n−1”, the intermediary node 1032 through which the client agent 128 is routed at that level thereafter determines, based on a load balancing equation for example, the intermediary node 1032 to which it will connect at the next level. Alternatively, in other embodiments, the first computing node 1140 or the third computing node 1146, respectively, determines, for more than one or all of the levels “a”-“n”, the intermediary nodes 1032 through which the client agent 128 will be routed.
Having established the first protocol connection 120a between the client agent 128 of the client 108 and the intermediary node 1032, for example the intermediary node 1032 at level “n” (hereinafter referred to in method 1300 as the intermediary node 1032), the client agent 128 then transmits the initial connection ticket to the intermediary node 1032.
It is then determined, at step 1328, whether the initial connection SID and key are valid. In one embodiment, the intermediary node 1032 transmits the initial connection SID and key to the ACR Service 405 for validation. In one embodiment, the ACR Service 405 validates the SID and key by comparing them to the copy of the SID and encrypted authentication credentials it kept at step 1320. If the ACR Service 405 determines the SID and key to be valid, the ACR Service 405 transmits, at step 1332, the address of the first protocol service 112 and the address of the chosen host service 116 to the intermediary node 1032. The first protocol service 112 can also delete the SID and key and any copy thereof. If, on the other hand, the ACR Service 405 determines the SID and key to be invalid, the client 108 is, at step 1330, refused connection to the first protocol service 112 and, consequently, connection to the host service 116.
Following step 1332, the intermediary node 1032 uses the address of the chosen first protocol service 112 to establish, at step 1336, a first protocol connection 120b between the intermediary node 1032 and the first protocol service 112. A first protocol connection 120 therefore now exists, through the intermediary node 1032, between the client agent 128 of the client 108 and the first protocol service 112. The intermediary node 1032 can also pass the address of the chosen host service 116 to the first protocol service 112.
In one embodiment, at step 1340, the first protocol service 112 uses the address of the chosen host service 116 to establish a secondary protocol connection 124 between the first protocol service 112 and the chosen host service 116. For example, where the chosen host service 116 is in fact the host service 116a, a secondary protocol connection 124a is established between the first protocol service 112 and the host service 116a.
In one embodiment, following step 1340, the user chooses, at step 1344, a second application to be executed and the second computing node 1144 determines, at step 1348, the host service 116 on which the second application is to be executed. For example, by calculating a load balancing equation, the second computing node 1144 may choose the host service 116b to execute the second application program. The second computing node 1144 then transmits the address of the chosen host service 116b to the first protocol service 112. In one embodiment, the second computing node 1144 is in direct communication with the first protocol service 112 and directly transmits the address thereto. In another embodiment, the address of the chosen host service 116b is indirectly transmitted to the first protocol service 112. For example, the address can be transmitted to the first protocol service 112 through any combination of the first computing node 1140, the ACR Service 405, the intermediary node 1032, and the first protocol service 112. Having received the address of the chosen host service 116b, the first protocol service 112 establishes, at step 1352, a secondary protocol connection 124b between the first protocol service 112 and the chosen host service 116b.
Steps 1344, 1348, and 1352 can be repeated any number of times. As such, any number of application programs can be executed on any number of host services 116a-116n, the outputs of which can be communicated to the first protocol service 112 over the connections 124a-124n using any number of secondary protocols.
Turning now to step 1356, the first protocol service 112 can, as described above, encapsulate the plurality of secondary protocols within the first protocol. As such, the client 108 is connected to, and simultaneously communicates with, a plurality of host services 116.
In another embodiment, prior to performing steps 1344, 1348, and 1352 to execute a new application program on a host service 116, such as, for example, the host service 116b, a user of the client 108 ends execution of another application program, such as, for example, an application program executing on the host service 116a. In such a case, the first protocol service 112 disrupts the connection 124a between the first protocol service 112 and the host service 116a. The first protocol service 112 then establishes, by implementing steps 1344, 1348, and 1352, the connection 124b between the first protocol service 112 and the host service 116b, without interrupting the connection 120 between the client 108 and the first protocol service 112.
In one embodiment, a first SID and key are generated at step 1360. For example, the intermediary node 1032 requests a first SID and key from the ACR Service 405. Upon receiving the request, the ACR Service 405 generates the first SID and key, and can also generate a handle, which is, for example, a random number. The ACR Service 405 can then transmit, at step 1364, the first SID and key and the handle to the intermediary node 1032, while keeping a copy of the first SID and key and a copy of the handle. The ACR Service 405 continues to maintain the address of the first protocol service 112 that was transmitted to it by the first computing node 1140 at step 1320. The intermediary node 1032 then transmits, at step 1368, the first reconnection ticket to the client 108.
At step 1372, a second SID and key are then generated. In one embodiment, the first protocol service 112 generates the second SID and key. The first protocol service 112, at step 1376, then transmits the second SID and key, through the intermediary node 1032, to the client 108. In doing so, the first protocol service 112 keeps a copy of the key and a session number associated therewith for identifying the session to be reconnected following a disruption of the connection 120. In one embodiment, for example, the first protocol service 112 maintains, for a particular session number, a table listing the secondary protocol connections 124a-124n associated with that session number. Accordingly, following re-establishment of the first protocol connection 120 and validation of the second SID and key at the first protocol service 112, as described below, the first protocol service 112 can identify the secondary protocol connections 124 to be encapsulated within the re-established first protocol connection 120 for communication to the client 108.
In an embodiment not shown in FIGS. 13A-13C, a ticket authority 1036 can be used instead of the ACR Service 405 to provide for reconnecting a client 108 to a host service 116. In the method 1300, the ticket authority 1036 would generate and transmit reconnection tickets instead of SIDs and keys as with the ACR Service 405. For example, at step 1320, a ticket authority 1036 would provide the client 108 with an initial connection ticket and an address for the intermediary node 1032. Also, in step 1328, the ticket authority 1036 would determine if the initial connection ticket is valid and, at step 1360, would generate a first reconnection ticket. Additionally, at steps 1364, 1368, 1372 and 1378 the ticket authority 1036 would generate and transmit the first and second reconnection tickets in accordance with method 1300. As such, the ticket authority 1036 facilitates the reconnecting of the client 108 to the host service 116.
Referring now to FIG. 14, one embodiment of a method 1400 for providing a client 108 with a persistent and reliable connection to one or more host services 116 and for reconnecting the client 108 to the host services 116 (for example at step 1216 of FIG. 12A) is illustrated. In particular, at step 1404, the secondary protocol connection 124 between the first protocol service 112 and each of the one or more host services 116 is maintained. Moreover, at step 1408, a queue of data packets most recently transmitted between the client agent 128 of the client 108 and the first protocol service 112, via the connection 120 that was determined to have broken, for example at step 1216 of FIG. 12, is maintained. In one embodiment, the data packets are queued and maintained both before and upon failure of the connection 120. The queued data packets can be maintained, for example, in a buffer by the client agent 128. Alternatively, the first protocol service 112 can maintain the queued data packets in a buffer. In yet another embodiment, both the client agent 128 and the first protocol service 112 maintain the queued data packets in a buffer.
At step 1412, a new first protocol connection 120 is established between the client agent 128 of the client 108 and the first protocol service 112 and linked to the maintained secondary protocol connection 124 between the first protocol service 112 and each of the one or more host services 116, thereby reconnecting the client 108 to the host services 116. After the client 108 is reconnected, the queued data packets maintained at step 1408 can be transmitted, at step 1416, via the newly established first protocol connection 120. As such, the communication session between the host services 116 and the client 108, through the first protocol service 112, is persistent and proceeds without any loss of data. In one embodiment, the ACR Service 405 authenticates the client 108 to the host service 116 before reconnecting the client 108 to a host service 116. In another embodiment, the first protocol service 112 validates a reconnection ticket with the ticket authority 1036 before reconnecting the client 108 to a host service 116.
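The packet queue of steps 1408 to 1416, as an added example (not code from the patent or any product). It assumes sequence-numbered first-protocol packets, a cumulative acknowledgement that prunes each side's queue, and that after the connection 120 is rebuilt the two endpoints exchange their last received sequence number and replay only what the peer has not seen; the constructed scenario loses a packet that was in flight when the link failed and shows it arriving after reconnection, without loss or duplication.

```python
"""Added example: model of the queue-and-replay behaviour of method 1400.
Constructed assumptions: numbered packets, cumulative acks, replay after
the peer's last received sequence number; the link is a simple in-memory list."""
from collections import deque
from typing import Deque, List, Tuple

Packet = Tuple[int, bytes]  # (sequence number, payload)


class Endpoint:
    """One side of connection 120: the client agent 128 or the first protocol service 112."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.next_seq = 1
        self.unacked: Deque[Packet] = deque()   # queue kept across the failure (step 1408)
        self.last_received = 0
        self.delivered: List[bytes] = []

    def send(self, payload: bytes) -> Packet:
        pkt = (self.next_seq, payload)
        self.next_seq += 1
        self.unacked.append(pkt)
        return pkt

    def receive(self, pkt: Packet) -> bool:
        """Deliver in order: a replayed packet already seen is dropped, a gap is rejected."""
        seq, payload = pkt
        if seq <= self.last_received:
            return False
        if seq != self.last_received + 1:
            raise ValueError(f"{self.name}: gap before seq {seq}")
        self.last_received = seq
        self.delivered.append(payload)
        return True

    def acknowledge(self, acked_seq: int) -> None:
        """Drop queued packets the peer confirms having received (cumulative ack)."""
        while self.unacked and self.unacked[0][0] <= acked_seq:
            self.unacked.popleft()

    def replay_after(self, peer_last_received: int) -> List[Packet]:
        """Step 1416: everything the peer has not seen, in order."""
        self.acknowledge(peer_last_received)
        return list(self.unacked)


class LossyLink:
    """Connection 120 as packets in flight; `fail` loses whatever is on the wire."""

    def __init__(self) -> None:
        self.in_flight: List[Packet] = []
        self.up = True

    def transmit(self, pkt: Packet) -> None:
        if self.up:
            self.in_flight.append(pkt)

    def fail(self) -> None:
        self.in_flight.clear()   # packets on the wire at failure time are lost (step 1212)
        self.up = False

    def drain(self, receiver: Endpoint) -> None:
        for pkt in self.in_flight:
            receiver.receive(pkt)
        self.in_flight.clear()


def reconnect(a: Endpoint, b: Endpoint, link: LossyLink) -> None:
    """Steps 1412/1416: rebuild the link, exchange last_received, replay both queues."""
    link.up = True
    link.in_flight.clear()
    for pkt in a.replay_after(b.last_received):
        b.receive(pkt)
    for pkt in b.replay_after(a.last_received):
        a.receive(pkt)


def simulate() -> Tuple[List[bytes], int]:
    """Client sends three packets; the link fails with the third in flight and
    nothing acknowledged yet. Returns (service deliveries, client queue size after)."""
    client, service, link = Endpoint("client"), Endpoint("service"), LossyLink()
    link.transmit(client.send(b"keystroke 1"))
    link.transmit(client.send(b"keystroke 2"))
    link.drain(service)                       # service now holds 1 and 2; client still queues them
    link.transmit(client.send(b"keystroke 3"))
    link.fail()                               # packet 3 is lost with the connection
    reconnect(client, service, link)          # replay prunes 1 and 2, resends only 3
    client.acknowledge(service.last_received)
    return service.delivered, len(client.unacked)
```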
FIGS. 15A-15B illustrate one embodiment of a method 1500 for reconnecting the client 108 to the one or more host services 116 using an ACR Service 405 as in the embodiment of the system 1100 depicted in FIG. 11B.
At step 1504, any remaining connections between the client 108 and the first protocol service 112 are broken. For example, where the connection 120a has failed, but the connection 120b has not, the connection 120b is broken. Alternatively, where the connection 120b has failed, but the connection 120a has not, the connection 120a is broken.
In one embodiment, using the actual address of the intermediary node 1032 provided to the client 108, the client agent 128 of the client 108 then re-establishes, at step 1508, the first protocol connection 120a between the client agent 128 and the intermediary node 1032. Alternatively, in another embodiment, using the actual address of the third computing node 1146 provided to the client 108, the client agent 128 of the client 108 then re-establishes, at step 1508, a first protocol connection between the client agent 128 and the third computing node 1146. The third computing node 1146 then determines the intermediary node 1032 through which messages between the client 108 and the first protocol service 112 will have to pass. In one embodiment, the third computing node 1146 chooses the intermediary node 1032 using a load balancing equation. The intermediary node 1032 chosen by the third computing node 1146 in reconnecting the client 108 to the one or more host services 116 can be different from that chosen to initially connect the client 108 to the one or more host services 116. Having chosen the intermediary node 1032, the third computing node 1146 re-establishes a first protocol connection to the intermediary node 1032. A first protocol connection 120a is therefore re-established, through the third computing node 1146, between the client agent 128 of the client 108 and the intermediary node 1032.
In one embodiment, where more than one level of intermediary nodes 1032 exists, the intermediary node 1032 through which the client agent 128 is routed at each of the levels “a”-“n−1” thereafter determines, based on a load balancing equation for example, the intermediary node 1032 to which it will connect at the next level. Alternatively, in another embodiment, the third computing node 1146 determines, for more than one or all of the levels “a”-“n”, the intermediary nodes 1032 through which the client agent 128 will be routed.
Having re-established the first protocol connection 120a between the client agent 128 of the client 108 and the intermediary node 1032, for example the intermediate node 1032 at level “n” (hereinafter referred to in method 1500 as the intermediary node 1032), the client agent 128 then transmits, at step 1512, the first SID and key and the second SID and key to the intermediary node 1032.
It is then determined, at step 1516, whether the first SID and key is valid. In one embodiment, the validity of the first SID and key is determined by using the ACR Service 405. For example, the intermediary node 1032 transmits the first SID and key to the ACR Service 405. In one embodiment, the ACR Service 405 determines the validity of the first SID and key by comparing it to a copy of the first SID stored in memory 430. If the ACR Service 405 determines the first SID and key to be valid, the ACR Service 405 re-authenticates the client 108 to the host service 116 and transmits, at step 1520, the address of the first protocol service 112 to the intermediary node 1032. Otherwise, if the ACR Service 405 determines the first SID and key to be invalid, the client 108 is, at step 1524, refused reconnection to the first protocol service 112 and, consequently, reconnection to the host services 116.
At step 1528, the first SID and key is deleted by, for example, the ACR Service 405 and a replacement second SID and key is generated by the ACR Service 405. In some such embodiments, the ACR Service 405 transmits the second SID and key to the intermediary node 1032. In some embodiments, the ACR Service 405 waits for the client 108 to acknowledge that it has received the second SID and key before it proceeds to delete the first SID and key.
After the first SID and key is validated, the intermediary node 1032, using the address of the first protocol service 112, re-establishes, at step 1532, the first protocol connection 120b between the intermediary node 1032 and the first protocol service 112. Having re-established the first protocol connection 120b between the intermediary node 1032 and the first protocol service 112, it is then determined, at step 1536, whether the second SID and key is valid. In one embodiment, the validity of the second SID and key is determined by using the first protocol service 112. For example, the intermediary node 1032 transmits the second SID and key to the first protocol service 112. In one embodiment, the first protocol service 112 determines the validity of the second SID and key by comparing it to a previously kept copy of the second SID and encrypted authentication credentials. If the first protocol service 112 determines the second SID and key to be valid, the re-established first protocol connection 120b between the first intermediary node 1032 and the first protocol service 112 is linked, at step 1540, to the maintained secondary protocol connection 124 between the first protocol service 112 and each of the one or more host services 116. Otherwise, if the first protocol service 112 determines the second SID and key to be invalid, the re-established first protocol connection 120b is not linked to the one or more maintained secondary protocol connections 124 and the client 108 is, at step 1544, refused reconnection to the one or more host services 116.
At step 1548, the second SID and key is deleted by, for example, the first protocol service 112 and a replacement second SID and key is generated by, for example, the first protocol service 112 for transmission to the client 108. In such an embodiment, the first protocol service 112 keeps a copy of the replacement second SID and key. In some embodiments, the first protocol service 112 waits for the client 108 to acknowledge that it has received the replacement second SID and key before it proceeds to delete the second session ID and key.
At step 1552, the replacement second SID and key are transmitted to the client. For example, the ACR Service 405 can transmit, through the intermediary node 1032, the replacement second SID and key to the client 108. Moreover, in one embodiment, the first protocol service 112 transmits, through the intermediary node 1032, the replacement second SID and key to the client 108.
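The two-stage validation and rotation of steps 1512 through 1552 can be modelled as follows. This Python example is added here for illustration and is not code from the patent or from any product it describes. The SID and key format, the in-memory table, and the refusal codes are assumptions made for the example; in particular, the text at steps 1528 and 1552 leaves open which service issues which replacement, so the example assumes that each validating party rotates the pair it validates (the ACR Service the first pair, the first protocol service the second). The one behaviour it adds beyond a straight reading of the text is the consequence of the acknowledgement rule in steps 1528 and 1548: until the client acknowledges the replacement, both the old and the new pair validate, and once it does, a reconnect that presents the old pair is refused.

```python
import hmac
import secrets


def new_sid_and_key():
    """Constructed format (assumption): 128-bit random SID, 256-bit random key."""
    return secrets.token_hex(16), secrets.token_bytes(32)


class SidStore:
    """SID/key table kept by one validating party (the ACR Service 405 for the
    first pair, the first protocol service 112 for the second). A rotated pair
    stays valid until the client acknowledges the replacement, so a reconnect
    whose reply is lost cannot strand the client (steps 1528 and 1548)."""

    def __init__(self):
        self._live = {}        # sid -> key
        self._pending = {}     # old sid -> replacement sid awaiting client ack

    def issue(self):
        sid, key = new_sid_and_key()
        self._live[sid] = key
        return sid, key

    def validate(self, sid, key):
        stored = self._live.get(sid)
        # constant-time comparison: a wrong key is not distinguishable by timing
        return stored is not None and hmac.compare_digest(stored, key)

    def rotate(self, old_sid):
        """Generate the replacement; the old pair is deleted only in ack()."""
        new_sid, new_key = self.issue()
        self._pending[old_sid] = new_sid
        return new_sid, new_key

    def ack(self, new_sid):
        """The client confirmed receipt of new_sid: now delete the old pair."""
        for old_sid, pending_sid in list(self._pending.items()):
            if pending_sid == new_sid:
                del self._pending[old_sid]
                self._live.pop(old_sid, None)
                return True
        return False


class IntermediaryNode:
    """Intermediary node 1032 carrying out steps 1512 through 1552."""

    def __init__(self, acr, fps):
        self.acr = acr         # ACR Service 405
        self.fps = fps         # first protocol service 112
        self.linked = False    # whether connection 120b is linked to 124

    def reconnect(self, first, second):
        """first and second are the (sid, key) pairs sent by the client (step 1512)."""
        self.linked = False
        if not self.acr.validate(*first):             # step 1516
            return {"ok": False, "refused_at": 1524}
        new_first = self.acr.rotate(first[0])         # step 1528
        # step 1532: connection 120b to the first protocol service re-established
        if not self.fps.validate(*second):            # step 1536
            return {"ok": False, "refused_at": 1544}
        self.linked = True                            # step 1540
        new_second = self.fps.rotate(second[0])       # step 1548
        return {"ok": True, "first": new_first, "second": new_second}  # step 1552


def demo():
    """Constructed run: a valid reconnect rotates both pairs; after the client
    acknowledges, a replay of the pre-rotation pairs is refused at step 1524
    and a correct first pair with a wrong second key is refused at step 1544."""
    acr, fps = SidStore(), SidStore()
    first, second = acr.issue(), fps.issue()        # handed out at session setup
    node = IntermediaryNode(acr, fps)
    result = node.reconnect(first, second)
    linked_after_success = node.linked
    # until the client acks, both the old and the replacement pairs validate
    old_live_before_ack = acr.validate(*first) and fps.validate(*second)
    acr.ack(result["first"][0])
    fps.ack(result["second"][0])
    replay = node.reconnect(first, second)          # stale pairs after the ack
    wrong_key = node.reconnect(result["first"], (result["second"][0], b"\x00" * 32))
    return {
        "ok": result["ok"],
        "linked": linked_after_success,
        "old_live_before_ack": old_live_before_ack,
        "replay_refused_at": replay.get("refused_at"),
        "wrong_second_key_refused_at": wrong_key.get("refused_at"),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the old pair live until the acknowledgement arrives is what makes the rotation safe against exactly the kind of link failure the method exists to handle: if the replacement is lost on the way to the client, the client can present the old pair once more and obtain a fresh replacement, whereas deleting the old pair first would leave the client unable to reconnect without re-entering its credentials.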
In an embodiment not shown in FIGS. 15A-15C, a ticket authority 1036 could also be used instead of the ACR Service 405 for reconnecting a client 108 to a host service 116. In the method 1500, the ticket authority 1036 would generate and transmit reconnection tickets instead of SIDs and keys as with the ACR Service 405. For example, the ticket authority 1036 would determine in step 1516 whether a first reconnection ticket, received from the intermediary node 1032 in step 1512, is valid. At step 1528 the ticket authority 1036 would delete the first reconnection ticket and generate a second reconnection ticket with a handle. As such, the ticket authority 1036 facilitates re-establishing and re-authenticating the communication session of the client 108 to the host service 116.
Many alterations and modifications may be made by those having ordinary skill in the art without departing from the spirit and scope of the invention. Therefore, it must be expressly understood that the illustrated embodiments have been shown only for the purposes of example and should not be taken as limiting the invention, which is defined by the following claims. These claims are to be read as including what they set forth literally and also those equivalent elements which are insubstantially different, even though not identical in other respects to what is shown and described in the above illustrations.