Patent Grant
9576140
The disclosure of each application identified in the domestic benefit, national stage information, or foreign priority sections of any Application Data Sheet or Supplemental Application Data Sheet filed in this application is hereby incorporated by reference, in its entirety, into this application.
Many companies take advantage of virtualization solutions to consolidate several specialized physical servers and workstations into fewer servers running virtual machines. Each virtual machine can be configured with its own set of virtual hardware (e.g., processor, memory, ports, and the like) such that specialized services that each of the previous physical machines performed can be run in their native operating system. In particular, a virtualization layer, or hypervisor, allocates the computing resources of one or more host servers into one or more virtual machines and further provides for isolation between such virtual machines. In such a manner, the virtual machine is a representation of a physical machine by software.
Virtualization solutions can be adapted to provide virtual desktop computing (VDC). In VDC systems, each virtual machine can represent a virtual desktop, which can be accessed remotely by a client machine. By providing virtual desktops, VDC systems can allow users to access their applications and data from any remote computing device. VDC systems also centralize and streamline desktop administration for IT administrators.
Terminal Services is a MICROSOFT WINDOWS component that provides benefits similar to the benefits of VDC systems. A machine running Terminal Services is a Terminal Server, which can act like a mainframe multi-user operating system. As such, the Terminal Server can allow multiple concurrent users to start a remote interactive Windows session. Like VDC systems, Terminal Servers centralize user application and data, allowing remote access and efficient IT administration.
Authentication to a virtual desktop or Terminal Server can be performed using single sign-on authentication. Single sign-on authentication is a technique that can reduce or eliminate credentials re-prompting each time a user accesses a computing resource, such as a virtual desktop, Terminal Server session, or application.
Systems and methods for enhancing security of single sign-on are described. These systems and methods can reduce the amount of sensitive information stored on a client device while still providing single sign-on access to shared resources such as virtual desktops or Terminal Servers. For example, storage of authentication information on client devices can be avoided while still allowing client devices to connect to the shared resources. Instead, such information can be stored at a broker server that brokers connections from client devices to the shared resources. The broker server can facilitate more secure single sign-on by providing a single-use ticket to a client device that authenticates with the broker server. The client device can use this single-use ticket to authenticate with a shared resource.
For purposes of summarizing the disclosure, certain aspects, advantages and novel features of the inventions have been described herein. It is to be understood that not necessarily all such advantages can be achieved in accordance with any particular embodiment of the inventions disclosed herein. Thus, the inventions disclosed herein can be embodied or carried out in a manner that achieves or optimizes one advantage or group of advantages as taught herein without necessarily achieving other advantages as can be taught or suggested herein.
Throughout the drawings, reference numbers are re-used to indicate correspondence between referenced elements. The drawings are provided to illustrate embodiments of the inventions described herein and not to limit the scope thereof.
In a server-based computing environment, shared resources such as virtual desktops and/or Terminal Servers can be pooled in a centralized data center. Client devices can initiate network connections with the shared resources using a remote protocol, allowing these clients to establish interactive computing sessions.
Prior to establishing a connection, a client can be authenticated and provided with an authorized list of named resources. These named resources represent shared resources that the client is eligible to access. A network service, referred to as a broker, can be responsible for authenticating the client and providing it with an authorized list of named resources based at least partly on the client's identity and other network and security attributes. Upon requesting connectivity to a particular named resource, the broker can also be responsible for resolving the named resource to an actual network address that the client can use to establish a connection.
Single sign-on (“SSO”) authentication to shared resources can be implemented by storing a user's credentials (e.g., username and password) and shared resource connectivity information in a launch file on a client device. Once a client has authenticated with a broker, the client can use the launch file to access a shared resource without resubmitting the credentials. A downside of this approach is that even if the launch file is encrypted, the launch file can be hijacked. Malicious users can use the launch file to gain unauthorized access to the shared resources.
This disclosure therefore describes systems and methods for enhancing SSO security in shared resource environments, such as virtual desktop and Terminal Server environments. In certain embodiments, these systems and methods can reduce the amount of sensitive information stored on a client device while still providing SSO access. For example, in some embodiments, storage of credentials and/or connectivity information on client devices can be avoided altogether. Instead, such information can be stored at a broker server. In one embodiment, the broker server provides a single-use ticket to a client device that authenticates with the broker server. The client device can then use this single-use ticket to authenticate with a shared resource. Advantageously, in certain embodiments, security in shared resource environments is therefore enhanced.
The shared resources system 110 can be implemented by one or more physical computing devices, such as servers. These computing devices can be distributed geographically or can be co-located. The client systems 102 can include, for example, desktop computers, workstations, personal digital assistants (PDAs), mobile phones, other wireless handheld devices, laptop computers, tablets, and the like.
The client systems 102 can further include various software applications for accessing the shared resources system 110, such as browser software applications, stand-alone software applications, plug-ins, interfaces, combinations of the same, and the like. The client systems 102 can access the shared resources system 110 over a network 108, which can include a local or wide area network (LAN or WAN), such as an organization's intranet, the Internet, combinations of the same, and the like.
In the depicted embodiment, the shared resources system 110 includes a broker server 120, the shared resources 130 described above, an authentication server 140, and a data store 150. Each of these components can be implemented in software and/or hardware. For example, in one embodiment, the broker server 120 represents a physical computing device. In another embodiment, the broker server 120 represents a software service executing on a physical computing device. Although the various components of the shared resources system 110 are illustrated separately, some or all of them can be implemented together in one or more of the same computing devices.
The broker server 120 can allow the client systems 102 to communicate with the broker server 120 to obtain access to the shared resources 130. The example broker server 120 shown includes a resource allocator 122 and an authentication module 124. The resource allocator 122 can perform load balancing in certain embodiments by allocating shared resources 130 to client systems 102 in a manner that reduces the load on any given resource 130. The authentication module 124 can provide SSO access for the client systems 102 to the shared resources 130. The features of the authentication module 124 are described in greater detail below. In certain embodiments, the broker server 120 can also implement certain features of the broker described in U.S. patent application Ser. No. 12/078,174, filed Mar. 27, 2008, titled “System for Provisioning, Allocating, and Managing Virtual and Physical Desktop Computers in a Network Computing Environment,” (the “'174 application”) the disclosure of which is hereby incorporated by reference in its entirety.
As described above, the shared resources 130 can include virtual desktops, Terminal Servers, and blade computers (such as blade PCs), applications, combinations of the same, and the like. The shared resources 130 can be implemented using any of the features described in the '174 application referred to above. Further, in embodiments where the shared resources 130 include virtual desktops, the shared resources 130 can include virtual machines implemented on a hypervisor. The hypervisor can allow multiple virtual desktops having possibly different operating systems to run on a host computer at the same time.
For instance, the hypervisor can include a thin piece of software that runs directly on top of a hardware platform of a host computer and that virtualizes resources of the computer (e.g., a native or “bare-metal” hypervisor). In such embodiments, the virtual desktops can run, with their respective operating systems, on the hypervisor without the need for a host operating system. Examples of such bare-metal hypervisors can include, but are not limited to, ESX SERVER by VMware, Inc. (Palo Alto, Calif.), XEN and XENSERVER by Citrix Systems, Inc. (Fort Lauderdale, Fla.), ORACLE VM by Oracle Corporation (Redwood City, Calif.), HYPER-V by Microsoft Corporation (Redmond, Wash.), VIRTUOZZO by Parallels, Inc. (Switzerland), and the like.
In yet other embodiments, the virtual desktops can have a hosted architecture in which the hypervisor runs within a host operating system environment. In such embodiments, the hypervisor can rely on the host operating system for device support and/or physical resource management. Examples of such hosted hypervisors can include, but are not limited to, VMWARE WORKSTATION and VMWARE SERVER by VMware, Inc., VIRTUAL SERVER by Microsoft Corporation, PARALLELS WORKSTATION by Parallels, Inc., or the like.
In certain embodiments, each virtual desktop includes a guest operating system and associated applications. In such embodiments, the virtual desktop accesses the resources (e.g., privileged resources) of the host computer through the hypervisor. Many other variations in virtualization technology are possible.
As described above, the authentication module 124 of the broker server 120 can provide users with SSO access to the shared resources 130. In one embodiment, the authentication module 124 receives initial client system 102 requests to access the broker server 120. For example, a user of a client system 102 can log into the broker server 120 with credentials. Credentials can include a user name and password. In addition, in some network environments, credentials can further include a domain name to which a client system 102 belongs, among other identifying information. As will be described in detail below under the section entitled “Additional Embodiments,” authentication information other than credentials can be used by the client system 102 in some implementations.
The authentication module 124 can receive the user credentials and access the authentication server 140 to determine whether the user credentials match any credentials stored by the authentication server 140. If the credentials match, the authentication module 124 can then provide the client system 102 with access to one or more of the shared resources 130 without re-prompting the user for the credentials.
One mechanism that the authentication module 124 can use to provide client systems 102 with access to shared resources 130 is to provide tickets to the client systems 102. A ticket can include any piece of data, such as metadata. A client system 102 in possession of a valid ticket received from the authentication module 124 can provide the ticket to a shared resource 130. The shared resource 130 can then send the ticket (or some other data derived therefrom) to the authentication module 124 to verify that the user of the client system 102 can access the shared resource 130. The authentication module 124 can perform this verification in some embodiments by sending the user credentials to the shared resource 130. The authentication module 124 can store user credentials and tickets in the data store 150 or in memory.
In some embodiments, the ticket provided by the authentication module 124 is a single-use ticket. The client system 102 can use this single-use ticket to connect to a single shared resource 130. A benefit of single-use tickets, in certain embodiments, is that subsequent use of the ticket by a malicious user can result in denial of access to the shared resource 130. In some embodiments, the authentication module 124 can also establish an expiration period or time to live (TTL) for the ticket, such as 30 seconds, 60 seconds, several minutes, or some other time. If a client system 102 does not attempt to connect or does not actually connect with a shared resource 130 before the ticket expires, the client system 102 can be denied access to the shared resource 130. Further, the ticket can be encrypted with a single or multi-level encryption algorithm.
Advantageously, in certain embodiments, the ticket-based authentication performed by the authentication module 124 can increase the security of the shared resources system 110. Instead of storing credentials and/or shared resource 130 connectivity information on the client systems 102 where this information can be hijacked, in certain embodiments a single-use ticket is stored at the client systems 102.
Additionally, in certain embodiments, the SSO features of the authentication module 124 can be used with any client system 102, including client systems 102 that are outside of the shared resources system's 110 domain. Thus, the SSO features described herein can be used in place of Kerberos-based authentication and similar such schemes when Kerberos authentication is not available. The SSO features described herein can also be used for client systems 102 that do not have Kerberos capability within the domain of the shared resources system 110.
In the depicted embodiment, the client system 202 includes a client SSO application 204. This application 204 can be implemented in the hardware of the client system 202. In one embodiment, the client SSO application 204 receives user credentials from a login user interface provided by the application 204 or by an operating system of the client system 202. The SSO application 204 can provide these credentials and other attributes to the broker server 220. In one embodiment, the client SSO application 204 provides a user interface for the user to enter credentials so as to access the broker server 220. In another embodiment, the user provides credentials when logging on to the client system 202 (e.g., through an operating system prompt). The client SSO application 204 obtains these credentials from an operating system service and passes the credentials to the broker server 220.
The broker server 220, like the broker server 120, includes a resource allocator 222 and an authentication module 224. In the depicted embodiment, the authentication module 224 is shown having three modules: a credential manager 225, a resource manager 226, and a ticket manager 228. In certain embodiments, the credential manager 225 receives the credentials from the application 204 of the client system 202. The credential manager 225 can store the credentials in a security cookie or the like. In addition to having its ordinary meaning, as used herein the term “security cookie” can represent contextual information that is maintained by a server. The contextual information maintained by the broker server 220 in the security cookie can include the user's credentials, among other things. In one embodiment, the credential manager 225 stores the security cookie in the data store 250 or in a memory.
The credential manager 225 can authenticate an identity of a user of the client system 202 with an authentication server 240 using the credentials. In one embodiment, the authentication server 240 is a MICROSOFT Active Directory server, such as a domain controller or the like. The authentication server 240 can also or instead include LDAP (Lightweight Directory Access Protocol) functionality. More generally, the authentication server 240 can be a directory server that stores directory data 242, including user credentials and other user information. In response to receiving an authentication request from the credential manager 225, the authentication server 240 can confirm to the credential manager 225 whether the user has valid credentials.
If the user has valid credentials, the resource manager 226 can select one or more shared resources that are available for access by the client system 202. The resource manager 226 can obtain information regarding which resources are available from the resource allocator 222. For example, the resource allocator 222 can apply a load balancing algorithm to determine which shared resources are available and can provide this availability information to the resource manager 226. The resource manager 226 can communicate to the client system 202 a list of one or more authorized resources that the client system 202 is permitted to access.
In response to receiving such a list, the client SSO application 204 can select a target resource (e.g., the target resource 230) to which the client system 202 would like to connect. The application 204 can communicate this request to the authentication module 224. The ticket manager 228 of the authentication module 224 can receive this request. The ticket manager 228 can create a ticket having a reference to the security cookie previously generated by the credential manager 225 in response to receiving the request. The ticket manager 228 can also store the ticket in the data repository 250 or in a memory. The ticket manager 228 can provide the ticket to the application 204 of the client system 202. This ticket can enable the application 204 of the client system 202 to authenticate to the target resource 230 without storing the user credentials and connection information on the client system 202.
The target resource 230 includes, in the depicted embodiment, an operating system 232 (such as a guest operating system), a target security application 234, and other applications 236. In response to receiving a ticket from the client SSO application 204, the target security application 234 can provide the ticket to the ticket manager 228 of the broker server 220. In response, in one embodiment, the ticket manager 228 provides the user credentials stored in the data repository 250 to the target security application 234.
The target resource 230 can include its own authentication mechanism, which may be provided by the operating system 232. The target security application 234 can provide the credentials to the authentication mechanism of the target resource 230 to authenticate the user. In another embodiment, the target security application 234 directly authenticates the user without using any services of the operating system 232. Once authenticated, the client system 202 can access the applications 236 of the target resource 230.
To enhance security, in certain embodiments the ticket manager 228 can destroy the ticket so that a subsequent access to the target resource 230 with the ticket does not successfully authenticate. The ticket manager 228 can destroy the ticket, for example, by deleting the ticket from the data repository 250.
Turning to
Referring specifically to
At block 302, credentials are received from a client system of a user. A security cookie is generated at block 303, which stores the credentials. An identity of the user is authenticated with the credentials at block 304, for example, with the authentication server 140 or 240. If the user identity is authenticated at block 304, a list of authorized resources is communicated to the client system at block 306. This list can be communicated to the client system by the resource manager 226.
At block 308, a request is received from the client system to access a target one of the authorized resources. In response, a ticket is provided to the client system at block 312. The ticket identifies the security cookie to the client system. For example, in one embodiment, the security cookie is assigned a global unique identifier by the broker system 120 or 220. The ticket can include this global unique identifier as a reference to identify the security cookie. This identification information can enable the client system to authenticate to the target resource.
At block 402, access is requested to a shared resource from a broker server. The access request may or may not specify a particular shared resource. The access request can include a submission of credentials. A list of authorized shared resources is received from the broker at block 404, for example, if the broker authenticates the credentials as described above.
At block 406, access is further requested to a specific target one of the authorized shared resources. The client system can select this target from the list of named resources. A ticket is received from the broker at block 408. The ticket contains an authentication file identifier. This identifier can refer to a security cookie generated by the broker server (see
A launch file is used to initiate a connection with the broker server at block 410 to obtain connectivity information for the target resource. The client system can create the launch file by storing the ticket in computer storage. The connection initiated with the broker server can be a secure connection in certain embodiments. At block 412, in response to receiving the connectivity information from the broker, the ticket is communicated to the target resource to obtain access to the target resource. In one embodiment, upon submitting the ticket, the client can receive access to the target resource. However, the target resource can perform additional authentication steps, as described below with respect to
At block 502, a target resource receives a ticket (including, e.g., an authentication file identifier) from a client system. In response, at block 504, the target resource sends the ticket to the broker server and requests user credentials stored in the security cookie (see
If the ticket is not valid, the broker and/or target resource can deny access to the target resource at block 508. The client system therefore cannot access the target resource at block 508. Otherwise, the broker sends user credentials to the target resource at block 510. The target resource uses the credentials to authenticate the client system at block 512.
As illustrated, at state 1, the client system 602 sends credentials and optionally other attributes to the broker server 620. These attributes can include a variety of information, such as source IP address, client name, graphics information (e.g., to enable proper video processing by the target resource 630) and the like. This information can be used by the broker server 620 and/or the target resource 630 for a variety of purposes, including further qualifying the list of authorized resources delivered to the client system 602 and enabling proper rendering of icons and graphics on the client system's 602 display. Upon receiving the credentials and optionally other attributes, at state 2 the broker server 620 authenticates the user's identity. The broker server 620 can authenticate the user's identity with the authentication server 640, as described above.
At state 3, the broker server 620 stores the user's credentials in a security cookie, for example, in the data store 660 or in memory. At state 4, the broker server 620 sends a list of authorized named resources to the client system 602. The client system 602 requests one of the named resources (the target resource 630) at state 5. In response, the broker server 620 generates a ticket at state 6. The ticket can include an identifier of or reference to the security cookie. The ticket can be valid for one-time use and/or can expire after a set time period.
In some embodiments, the ticket can also include connectivity information for the broker server 620. This connectivity information can be useful, for example, in embodiments where multiple broker servers 620 are provided for failover purposes. This connectivity information can include a Uniform Resource Locator (URL) or Uniform Resource Indicator (URI), a server and port number, combinations of the same, or the like.
The broker server 620 sends the ticket to the client at state 7. At state 8, the client system 602 creates a mini-launch file that can include the ticket. Advantageously, in certain embodiments, the mini-launch file does not include any credentials or connectivity information, thereby improving security. It should be understood, however, that the client system 602 need not create a launch file in some implementations. Instead, the client system 602 can store the ticket in memory. An advantage to creating a mini-launch file over storing the ticket in memory in some systems (such as WINDOWS) is that separate processes can access the launch file without using cumbersome inter-process communication mechanisms.
At state 9, the client system 602 uses the mini-launch file to initiate a secure connection with the broker server 620. For example, the client system 602 can establish a connection with the broker at the specified URL. The broker server 620 replies with connectivity information for the target resource 630 at state 10. In one embodiment, the broker server 620 encrypts the connectivity information to reduce the likelihood of the connectivity information being compromised. The client system 602 does not persist this connectivity information on disk in certain implementations. The client system 602 initiates a connection with the target resource 630 at state 11 using this connectivity information. The client sends the ticket to the target resource 630 at state 12.
At state 13, the target resource 630 negotiates a secure connection with the broker server 620. Once connected, the target resource 630 sends the ticket to the broker server 620 at state 14, requesting the user's credentials. At state 15, the broker server 620 sends the credentials to the target resource 630. At state 16, the broker server 620 destroys the ticket. At state 17, the target resource 630 authenticates the client system 602.
Although the preceding description primarily describes authentication with user credentials, other authentication schemes are possible. In general, the client systems described above can authenticate to broker servers and/or target resources using any form of authentication information. Authentication information can include the credentials described above, Kerberos tickets, smart card data, one-time passwords, NT Lan Manager (NTLM) authentication information, encrypted credentials, security keys, combinations of the same, and the like.
For example, in one embodiment, a user of a client system can obtain a Kerberos ticket from a Kerberos key distribution server. The user can submit the Kerberos ticket to the broker server. The broker server can authenticate the user's identity with the authorization server using the Kerberos ticket. In response, the broker server can provide a ticket to the client system that includes connectivity information for accessing a target resource. The client system can obtain a second Kerberos ticket for the target resource. Then, the client can provide the Kerberos ticket and the broker-provided ticket to the target resource. Upon receiving the Kerberos ticket and the broker ticket, the target resource can authenticate the user. Thus, the systems and processes described above can be adapted to authenticate users with authentication information other than username and password credentials.
In another embodiment, the user uses a smart card (sometimes called a security token) to authenticate to the broker system. Typically, a user connects the smart card to an appropriate input device in communication with the client system. In the case of wireless smart cards, the user can bring the smart card into proximity with the input device. The user can then enter a personal identification number (PIN) into the client system, smart card, or input device. Software installed on the client system can then perform challenge-response authentication with the broker server.
For example, in one embodiment, the authentication information from the smart card, including optionally the PIN, can be stored in a security cookie. The broker server can use this security cookie in the manner detailed above to provide a ticket to the client system and ultimately to provide the authentication information to a target resource. In embodiments where the PIN is stored in the security cookie, the target resource may not request the user to re-enter the user's PIN. In other embodiments, the security cookie does not include the PIN, and the user is prompted to re-enter the PIN at the target resource.
In another embodiment, the broker server can perform deferred authentication for users having expired authentication information. A user with an expired password, for instance, can access the broker server. The broker server, upon determining from the authentication server that the password is expired, can force the user to change his or her password at the target resource. For example, the broker server can store the user's expired credentials in a security cookie and pass these expired credentials to the target resource. The target resource can then prompt the user to change his or her password. This pass-through authentication mechanism can be beneficial in situations where the target resource has built-in functionality for detecting expired passwords, changing passwords, and so forth. Code for this functionality would therefore not need to be implemented on the broker server in such embodiments.
Further, in some implementations, the broker server does not directly pass authentication information (such as credentials) to the target resource. Instead, the broker server can obtain an authentication token from a third party server, which the broker server (or the third party server) passes to the target resource. The target resource can then provide the client system with access to the target resource without performing its own authentication. In other words, the target resource can trust the broker server and/or third party server. The broker server and/or third party server can send the authentication token to the target resource before or after sending the list of authorized resources to the client system.
Many other variations than those described herein will be apparent from this disclosure.
Depending on the embodiment, certain acts, events, or functions of any of the algorithms described herein can be performed in a different sequence, can be added, merged, or left out all together (e.g., not all described acts or events are necessary for the practice of the algorithm). Moreover, in certain embodiments, acts or events can be performed concurrently, e.g., through multi-threaded processing, interrupt processing, or multiple processors or processor cores or on other parallel architectures, rather than sequentially.
The various illustrative logical blocks, modules, and algorithm steps described in connection with the embodiments disclosed herein can be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. The described functionality can be implemented in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosure.
The various illustrative logical blocks and modules described in connection with the embodiments disclosed herein can be implemented or performed by a machine, such as a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor can be a microprocessor, but in the alternative, the processor can be a controller, microcontroller, or state machine, combinations of the same, or the like. A processor can also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method, process, or algorithm described in connection with the embodiments disclosed herein can be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of computer-readable storage medium known in the art. An exemplary storage medium can be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor. The processor and the storage medium can reside in an ASIC. The ASIC can reside in a user terminal. In the alternative, the processor and the storage medium can reside as discrete components in a user terminal.
Conditional language used herein, such as, among others, “can,” “might,” “may,” “e.g.,” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or states. Thus, such conditional language is not generally intended to imply that features, elements and/or states are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or states are included or are to be performed in any particular embodiment.
While the above detailed description has shown, described, and pointed out novel features as applied to various embodiments, it will be understood that various omissions, substitutions, and changes in the form and details of the devices or algorithms illustrated can be made without departing from the spirit of the disclosure. As will be recognized, certain embodiments of the inventions described herein can be embodied within a form that does not provide all of the features and benefits set forth herein, as some features can be used or practiced separately from others. The scope of certain inventions disclosed herein is indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4109237 | Hill | Aug 1978 | A |
| 4370707 | Phillips et al. | Jan 1983 | A |
| 4694397 | Grant | Sep 1987 | A |
| 5222018 | Sharpe et al. | Jun 1993 | A |
| 5267865 | Lee et al. | Dec 1993 | A |
| 5302132 | Corder | Apr 1994 | A |
| 5310349 | Daniels et al. | May 1994 | A |
| 5313465 | Perlman et al. | May 1994 | A |
| 5333302 | Hensley et al. | Jul 1994 | A |
| 5339435 | Lubkin et al. | Aug 1994 | A |
| 5367698 | Webber et al. | Nov 1994 | A |
| 5371852 | Attanasio et al. | Dec 1994 | A |
| 5387104 | Corder | Feb 1995 | A |
| 5410703 | Nilsson et al. | Apr 1995 | A |
| 5423032 | Byrd et al. | Jun 1995 | A |
| 5437027 | Bannon et al. | Jul 1995 | A |
| 5437555 | Ziv-el | Aug 1995 | A |
| 5440719 | Hanes et al. | Aug 1995 | A |
| 5441415 | Lee et al. | Aug 1995 | A |
| 5497486 | Stolfo et al. | Mar 1996 | A |
| 5497492 | Zbikowski et al. | Mar 1996 | A |
| 5499379 | Tanaka et al. | Mar 1996 | A |
| 5530829 | Beardsley et al. | Jun 1996 | A |
| 5550968 | Miller et al. | Aug 1996 | A |
| 5550976 | Henderson et al. | Aug 1996 | A |
| 5553291 | Tanaka et al. | Sep 1996 | A |
| 5586304 | Stupek, Jr. et al. | Dec 1996 | A |
| 5590360 | Edwards | Dec 1996 | A |
| 5600833 | Senn et al. | Feb 1997 | A |
| 5608874 | Ogawa et al. | Mar 1997 | A |
| 5608903 | Prasad et al. | Mar 1997 | A |
| 5613090 | Willems | Mar 1997 | A |
| 5623601 | Vu | Apr 1997 | A |
| 5630069 | Flores et al. | May 1997 | A |
| 5630131 | Palevich et al. | May 1997 | A |
| 5659735 | Parrish et al. | Aug 1997 | A |
| 5659736 | Hasegawa et al. | Aug 1997 | A |
| 5666502 | Capps et al. | Sep 1997 | A |
| 5671428 | Muranaga et al. | Sep 1997 | A |
| 5673386 | Batra | Sep 1997 | A |
| 5673387 | Chen et al. | Sep 1997 | A |
| 5675782 | Montague et al. | Oct 1997 | A |
| 5677997 | Talatik | Oct 1997 | A |
| 5680586 | Elkins et al. | Oct 1997 | A |
| 5684950 | Dare et al. | Nov 1997 | A |
| 5692132 | Hogan | Nov 1997 | A |
| 5692902 | Aeby | Dec 1997 | A |
| 5694540 | Humelsine et al. | Dec 1997 | A |
| 5706502 | Foley et al. | Jan 1998 | A |
| 5708812 | Van Dyke et al. | Jan 1998 | A |
| 5708828 | Coleman | Jan 1998 | A |
| 5710884 | Dedrick | Jan 1998 | A |
| 5711671 | Geeslin et al. | Jan 1998 | A |
| 5724521 | Dedrick | Mar 1998 | A |
| 5727145 | Nessett et al. | Mar 1998 | A |
| 5727951 | Ho et al. | Mar 1998 | A |
| 5740427 | Stoller et al. | Apr 1998 | A |
| 5743746 | Ho et al. | Apr 1998 | A |
| 5745113 | Jordan et al. | Apr 1998 | A |
| 5745902 | Miller et al. | Apr 1998 | A |
| 5752042 | Cole et al. | May 1998 | A |
| 5754173 | Hiura et al. | May 1998 | A |
| 5754938 | Herz et al. | May 1998 | A |
| 5758062 | Mcmahon et al. | May 1998 | A |
| 5758074 | Marlin et al. | May 1998 | A |
| 5758344 | Prasad et al. | May 1998 | A |
| 5764897 | Khalidi | Jun 1998 | A |
| 5765140 | Knudson et al. | Jun 1998 | A |
| 5768519 | Swift et al. | Jun 1998 | A |
| 5774551 | Wu et al. | Jun 1998 | A |
| 5778169 | Reinhardt | Jul 1998 | A |
| 5784553 | Kolawa et al. | Jul 1998 | A |
| 5784643 | Shields | Jul 1998 | A |
| 5790801 | Funato | Aug 1998 | A |
| 5796393 | Macnaughton et al. | Aug 1998 | A |
| 5806075 | Jain et al. | Sep 1998 | A |
| 5812669 | Jenkins et al. | Sep 1998 | A |
| 5812865 | Theimer et al. | Sep 1998 | A |
| 5815657 | Williams et al. | Sep 1998 | A |
| 5815665 | Teper et al. | Sep 1998 | A |
| 5819265 | Ravin et al. | Oct 1998 | A |
| 5819281 | Cummins | Oct 1998 | A |
| 5819295 | Nakagawa et al. | Oct 1998 | A |
| 5822518 | Ooki et al. | Oct 1998 | A |
| 5835087 | Herz et al. | Nov 1998 | A |
| 5835911 | Nakagawa et al. | Nov 1998 | A |
| 5838918 | Prager et al. | Nov 1998 | A |
| 5844508 | Murashita et al. | Dec 1998 | A |
| 5848396 | Gerace | Dec 1998 | A |
| 5859972 | Subramaniam et al. | Jan 1999 | A |
| 5872928 | Lewis et al. | Feb 1999 | A |
| 5872973 | Mitchell et al. | Feb 1999 | A |
| 5878432 | Misheski et al. | Mar 1999 | A |
| 5889520 | Glaser | Mar 1999 | A |
| 5890161 | Helland et al. | Mar 1999 | A |
| 5890175 | Wong et al. | Mar 1999 | A |
| 5892898 | Fujii et al. | Apr 1999 | A |
| 5893074 | Hughes et al. | Apr 1999 | A |
| 5893076 | Hafner et al. | Apr 1999 | A |
| 5893916 | Dooley | Apr 1999 | A |
| 5930512 | Boden et al. | Jul 1999 | A |
| 5937165 | Schwaller et al. | Aug 1999 | A |
| 5948064 | Bertram et al. | Sep 1999 | A |
| 5949419 | Domine et al. | Sep 1999 | A |
| 5956732 | Tsuchida | Sep 1999 | A |
| 5956736 | Hanson et al. | Sep 1999 | A |
| 5960200 | Eager et al. | Sep 1999 | A |
| 5968176 | Nessett et al. | Oct 1999 | A |
| 5987247 | Lau | Nov 1999 | A |
| 5995114 | Wegman et al. | Nov 1999 | A |
| 6002868 | Jenkins et al. | Dec 1999 | A |
| 6003047 | Osmond et al. | Dec 1999 | A |
| 6014669 | Slaughter et al. | Jan 2000 | A |
| 6014712 | Islam et al. | Jan 2000 | A |
| 6016495 | Mckeehan et al. | Jan 2000 | A |
| 6016501 | Martin et al. | Jan 2000 | A |
| 6021496 | Dutcher et al. | Feb 2000 | A |
| 6029178 | Martin et al. | Feb 2000 | A |
| 6029195 | Herz | Feb 2000 | A |
| 6029247 | Ferguson | Feb 2000 | A |
| 6035323 | Narayen et al. | Mar 2000 | A |
| 6041344 | Bodamer et al. | Mar 2000 | A |
| 6044368 | Powers | Mar 2000 | A |
| 6044465 | Dutcher et al. | Mar 2000 | A |
| 6049822 | Mittal | Apr 2000 | A |
| 6052512 | Peterson et al. | Apr 2000 | A |
| 6055538 | Kessenich et al. | Apr 2000 | A |
| 6058260 | Brockel et al. | May 2000 | A |
| 6058379 | Odom et al. | May 2000 | A |
| 6061643 | Walker et al. | May 2000 | A |
| 6061650 | Malking et al. | May 2000 | A |
| 6067568 | Li et al. | May 2000 | A |
| 6070184 | Blount et al. | May 2000 | A |
| 6076166 | Moshfeghi et al. | Jun 2000 | A |
| 6079020 | Liu | Jun 2000 | A |
| 6092199 | Dutcher et al. | Jul 2000 | A |
| 6101481 | Miller | Aug 2000 | A |
| 6101503 | Cooper et al. | Aug 2000 | A |
| 6108649 | Young et al. | Aug 2000 | A |
| 6108670 | Weida et al. | Aug 2000 | A |
| 6112228 | Earl et al. | Aug 2000 | A |
| 6112240 | Pogue et al. | Aug 2000 | A |
| 6115040 | Bladow et al. | Sep 2000 | A |
| 6115544 | Mueller | Sep 2000 | A |
| 6134548 | Gottsman et al. | Oct 2000 | A |
| 6137869 | Voit et al. | Oct 2000 | A |
| 6138086 | Rose et al. | Oct 2000 | A |
| 6141006 | Knowlton et al. | Oct 2000 | A |
| 6141010 | Hoyle | Oct 2000 | A |
| 6141647 | Meijer et al. | Oct 2000 | A |
| 6151600 | Dedrick | Nov 2000 | A |
| 6151610 | Senn et al. | Nov 2000 | A |
| 6161176 | Hunter et al. | Dec 2000 | A |
| 6167445 | Gai et al. | Dec 2000 | A |
| 6167564 | Fontana et al. | Dec 2000 | A |
| 6170009 | Mandal et al. | Jan 2001 | B1 |
| 6182212 | Atkins et al. | Jan 2001 | B1 |
| 6182226 | Reid et al. | Jan 2001 | B1 |
| 6185625 | Tso et al. | Feb 2001 | B1 |
| 6195794 | Buxton | Feb 2001 | B1 |
| 6199068 | Carpenter | Mar 2001 | B1 |
| 6199079 | Gupta et al. | Mar 2001 | B1 |
| 6202051 | Woolston | Mar 2001 | B1 |
| 6205480 | Broadhurst et al. | Mar 2001 | B1 |
| 6208345 | Sheard et al. | Mar 2001 | B1 |
| 6209000 | Klein et al. | Mar 2001 | B1 |
| 6209033 | Datta et al. | Mar 2001 | B1 |
| 6222535 | Hurd, II | Apr 2001 | B1 |
| 6223221 | Kunz | Apr 2001 | B1 |
| 6226649 | Bodamer et al. | May 2001 | B1 |
| 6230160 | Chan et al. | May 2001 | B1 |
| 6230194 | Chen et al. | May 2001 | B1 |
| 6230309 | Turner et al. | May 2001 | B1 |
| 6233584 | Purcell | May 2001 | B1 |
| 6237114 | Wookey et al. | May 2001 | B1 |
| 6246410 | Bergeron et al. | Jun 2001 | B1 |
| 6249905 | Yoshida et al. | Jun 2001 | B1 |
| 6256637 | Venkatesh et al. | Jul 2001 | B1 |
| 6256659 | Mclain, Jr. et al. | Jul 2001 | B1 |
| 6256678 | Traughber et al. | Jul 2001 | B1 |
| 6260068 | Zalewski et al. | Jul 2001 | B1 |
| 6263352 | Cohen | Jul 2001 | B1 |
| 6266666 | Ireland et al. | Jul 2001 | B1 |
| 6269405 | Dutcher et al. | Jul 2001 | B1 |
| 6269406 | Dutcher et al. | Jul 2001 | B1 |
| 6272673 | Dale et al. | Aug 2001 | B1 |
| 6272678 | Imachi et al. | Aug 2001 | B1 |
| 6279030 | Britton et al. | Aug 2001 | B1 |
| 6282576 | Lane | Aug 2001 | B1 |
| 6282605 | Moore | Aug 2001 | B1 |
| 6286028 | Cohen et al. | Sep 2001 | B1 |
| 6286104 | Buhle et al. | Sep 2001 | B1 |
| 6301601 | Helland et al. | Oct 2001 | B1 |
| 6304893 | Gish | Oct 2001 | B1 |
| 6308164 | Nummelin et al. | Oct 2001 | B1 |
| 6308188 | Bernardo et al. | Oct 2001 | B1 |
| 6308273 | Goertzel et al. | Oct 2001 | B1 |
| 6313835 | Gever et al. | Nov 2001 | B1 |
| 6314434 | Shigemi et al. | Nov 2001 | B1 |
| 6327677 | Garg et al. | Dec 2001 | B1 |
| 6330566 | Durham | Dec 2001 | B1 |
| 6336118 | Hammond | Jan 2002 | B1 |
| 6341287 | Sziklai et al. | Jan 2002 | B1 |
| 6345239 | Bowman-amuah | Feb 2002 | B1 |
| 6349287 | Hayashi | Feb 2002 | B1 |
| 6363398 | Andersen | Mar 2002 | B1 |
| 6370573 | Bowman Amuah | Apr 2002 | B1 |
| 6370646 | Goodman et al. | Apr 2002 | B1 |
| 6381579 | Gervais et al. | Apr 2002 | B1 |
| 6389589 | Mishra et al. | May 2002 | B1 |
| 6401085 | Gershman et al. | Jun 2002 | B1 |
| 6401211 | Brezak et al. | Jun 2002 | B1 |
| 6405364 | Bowman-amuah | Jun 2002 | B1 |
| 6430556 | Goldberg et al. | Aug 2002 | B1 |
| 6438514 | Hill et al. | Aug 2002 | B1 |
| 6442620 | Thatte et al. | Aug 2002 | B1 |
| 6446096 | Holland et al. | Sep 2002 | B1 |
| 6453317 | Lacost et al. | Sep 2002 | B1 |
| 6457130 | Hitz et al. | Sep 2002 | B2 |
| 6466932 | Dennis et al. | Oct 2002 | B1 |
| 6469713 | Hetherington et al. | Oct 2002 | B2 |
| 6473794 | Guheen et al. | Oct 2002 | B1 |
| 6496847 | Bugnion et al. | Dec 2002 | B1 |
| 6567818 | Frey et al. | May 2003 | B1 |
| 6587876 | Mahon et al. | Jul 2003 | B1 |
| 6606663 | Liao et al. | Aug 2003 | B1 |
| 6615258 | Barry et al. | Sep 2003 | B1 |
| 6625622 | Henrickson et al. | Sep 2003 | B1 |
| 6658625 | Allen | Dec 2003 | B1 |
| 6678714 | Olapurath et al. | Jan 2004 | B1 |
| 6715128 | Hirashima et al. | Mar 2004 | B1 |
| 6728877 | Mackin et al. | Apr 2004 | B2 |
| 6735691 | Capps et al. | May 2004 | B1 |
| 6757696 | Multer et al. | Jun 2004 | B2 |
| 6760761 | Sciacca | Jul 2004 | B1 |
| 6795835 | Ricart et al. | Sep 2004 | B2 |
| 6801946 | Child et al. | Oct 2004 | B1 |
| 6817017 | Goodman | Nov 2004 | B2 |
| 6839766 | Parnafes et al. | Jan 2005 | B1 |
| 6880005 | Bell et al. | Apr 2005 | B1 |
| 6925477 | Champagne et al. | Aug 2005 | B1 |
| 6938158 | Azuma | Aug 2005 | B2 |
| 6941465 | Palekar et al. | Sep 2005 | B1 |
| 6944183 | Iyer et al. | Sep 2005 | B1 |
| 6950818 | Dennis et al. | Sep 2005 | B2 |
| 6950935 | Allavarpu et al. | Sep 2005 | B1 |
| 6968370 | Wu | Nov 2005 | B2 |
| 6973488 | Yavatkar et al. | Dec 2005 | B1 |
| 6976090 | Ben-Shaul et al. | Dec 2005 | B2 |
| 7028079 | Mastrianni et al. | Apr 2006 | B2 |
| 7062781 | Shambroom | Jun 2006 | B2 |
| 7080077 | Ramamurthy et al. | Jul 2006 | B2 |
| 7089584 | Sharma | Aug 2006 | B1 |
| 7100195 | Underwood | Aug 2006 | B1 |
| 7117486 | Wong et al. | Oct 2006 | B2 |
| 7133984 | Dickensheets | Nov 2006 | B1 |
| 7136927 | Traversat et al. | Nov 2006 | B2 |
| 7139973 | Kirkwood et al. | Nov 2006 | B1 |
| 7143095 | Barrett et al. | Nov 2006 | B2 |
| 7162640 | Heath et al. | Jan 2007 | B2 |
| 7171458 | Brown et al. | Jan 2007 | B2 |
| 7185073 | Gai et al. | Feb 2007 | B1 |
| 7209970 | Everson et al. | Apr 2007 | B1 |
| 7213266 | Maher et al. | May 2007 | B1 |
| 7216181 | Jannu et al. | May 2007 | B1 |
| 7231460 | Sullivan et al. | Jun 2007 | B2 |
| 7243370 | Bobde et al. | Jul 2007 | B2 |
| 7284043 | Feinleib et al. | Oct 2007 | B2 |
| 7299504 | Tiller et al. | Nov 2007 | B1 |
| 7346766 | Mackin et al. | Mar 2008 | B2 |
| 7356601 | Clymer et al. | Apr 2008 | B1 |
| 7356816 | Goodman et al. | Apr 2008 | B2 |
| 7379996 | Papatla et al. | May 2008 | B2 |
| 7418597 | Thornton et al. | Aug 2008 | B2 |
| 7421555 | Dorey | Sep 2008 | B2 |
| 7426642 | Aupperle et al. | Sep 2008 | B2 |
| 7428583 | Lortz et al. | Sep 2008 | B1 |
| 7440962 | Wong et al. | Oct 2008 | B1 |
| 7444401 | Keyghobad et al. | Oct 2008 | B1 |
| 7467141 | Steele et al. | Dec 2008 | B1 |
| 7478418 | Supramaniam et al. | Jan 2009 | B2 |
| 7483979 | Prager | Jan 2009 | B1 |
| 7487535 | Isaacson et al. | Feb 2009 | B1 |
| 7519813 | Cox et al. | Apr 2009 | B1 |
| 7584502 | Alkove et al. | Sep 2009 | B2 |
| 7591005 | Moore | Sep 2009 | B1 |
| 7617501 | Peterson et al. | Nov 2009 | B2 |
| 7650497 | Thornton et al. | Jan 2010 | B2 |
| 7653794 | Michael et al. | Jan 2010 | B2 |
| 7661027 | Langen et al. | Feb 2010 | B2 |
| 7673323 | Moriconi | Mar 2010 | B1 |
| 7690025 | Grewal et al. | Mar 2010 | B2 |
| 7765187 | Bergant et al. | Jul 2010 | B2 |
| 7805721 | Feinleib et al. | Sep 2010 | B2 |
| 7895332 | Vanyukhin et al. | Feb 2011 | B2 |
| 7904949 | Bowers et al. | Mar 2011 | B2 |
| 7987455 | Senner et al. | Jul 2011 | B1 |
| 8024360 | Moore | Sep 2011 | B2 |
| 8086710 | Vanyukhin et al. | Dec 2011 | B2 |
| 8087075 | Peterson et al. | Dec 2011 | B2 |
| 8141138 | Bhatia et al. | Mar 2012 | B2 |
| 8245242 | Peterson et al. | Aug 2012 | B2 |
| 8346908 | Vanyukhin et al. | Jan 2013 | B1 |
| 8346929 | Lai | Jan 2013 | B1 |
| 8560593 | Ghostine | Oct 2013 | B2 |
| 20010034733 | Prompt et al. | Oct 2001 | A1 |
| 20020055949 | Shiomi et al. | May 2002 | A1 |
| 20020069174 | Fox et al. | Jun 2002 | A1 |
| 20020078005 | Shi et al. | Jun 2002 | A1 |
| 20020112178 | Scherr | Aug 2002 | A1 |
| 20020129274 | Baskey et al. | Sep 2002 | A1 |
| 20020133723 | Tait | Sep 2002 | A1 |
| 20020138572 | Delany et al. | Sep 2002 | A1 |
| 20020169986 | Lortz | Nov 2002 | A1 |
| 20020169988 | Vandergeest et al. | Nov 2002 | A1 |
| 20020174366 | Peterka et al. | Nov 2002 | A1 |
| 20020178377 | Hemsath et al. | Nov 2002 | A1 |
| 20020184536 | Flavin | Dec 2002 | A1 |
| 20030009487 | Prabakaran et al. | Jan 2003 | A1 |
| 20030018913 | Brezak et al. | Jan 2003 | A1 |
| 20030023587 | Dennis et al. | Jan 2003 | A1 |
| 20030028611 | Kenny et al. | Feb 2003 | A1 |
| 20030033535 | Fisher et al. | Feb 2003 | A1 |
| 20030065731 | Mohammed | Apr 2003 | A1 |
| 20030065940 | Brezak et al. | Apr 2003 | A1 |
| 20030065942 | Lineman et al. | Apr 2003 | A1 |
| 20030110397 | Supramaniam et al. | Jun 2003 | A1 |
| 20030115186 | Wilkinson et al. | Jun 2003 | A1 |
| 20030115313 | Kanada et al. | Jun 2003 | A1 |
| 20030115439 | Mahalingam et al. | Jun 2003 | A1 |
| 20030149662 | Shore | Aug 2003 | A1 |
| 20030149781 | Yared et al. | Aug 2003 | A1 |
| 20030177388 | Botz et al. | Sep 2003 | A1 |
| 20030188036 | Chen et al. | Oct 2003 | A1 |
| 20030229783 | Hardt | Dec 2003 | A1 |
| 20040010519 | Sinn et al. | Jan 2004 | A1 |
| 20040059953 | Purnell | Mar 2004 | A1 |
| 20040078341 | Steichen | Apr 2004 | A1 |
| 20040078569 | Hotti | Apr 2004 | A1 |
| 20040088385 | Blanchet | May 2004 | A1 |
| 20040088543 | Garg et al. | May 2004 | A1 |
| 20040098595 | Aupperle et al. | May 2004 | A1 |
| 20040098615 | Mowers et al. | May 2004 | A1 |
| 20040111515 | Manion et al. | Jun 2004 | A1 |
| 20040111643 | Farmer | Jun 2004 | A1 |
| 20040117382 | Houseknecht et al. | Jun 2004 | A1 |
| 20040123146 | Himmel et al. | Jun 2004 | A1 |
| 20040128542 | Blakley et al. | Jul 2004 | A1 |
| 20040139050 | Barrett et al. | Jul 2004 | A1 |
| 20040139081 | Barrett et al. | Jul 2004 | A1 |
| 20040199795 | Grewal et al. | Oct 2004 | A1 |
| 20040226027 | Winter | Nov 2004 | A1 |
| 20040260565 | Zimniewicz et al. | Dec 2004 | A1 |
| 20040260651 | Chan et al. | Dec 2004 | A1 |
| 20050010547 | Carinci et al. | Jan 2005 | A1 |
| 20050044409 | Betz et al. | Feb 2005 | A1 |
| 20050055357 | Campbell | Mar 2005 | A1 |
| 20050055577 | Wesemann | Mar 2005 | A1 |
| 20050060397 | Barthram et al. | Mar 2005 | A1 |
| 20050086457 | Hohman | Apr 2005 | A1 |
| 20050091068 | Ramamoorthy et al. | Apr 2005 | A1 |
| 20050091213 | Schutz et al. | Apr 2005 | A1 |
| 20050091250 | Dunn et al. | Apr 2005 | A1 |
| 20050091284 | Weissman et al. | Apr 2005 | A1 |
| 20050091290 | Cameron et al. | Apr 2005 | A1 |
| 20050097441 | Herbach | May 2005 | A1 |
| 20050108579 | Isaacson et al. | May 2005 | A1 |
| 20050114701 | Atkins et al. | May 2005 | A1 |
| 20050125798 | Peterson | Jun 2005 | A1 |
| 20050144463 | Rossebo et al. | Jun 2005 | A1 |
| 20050193181 | Kaneda et al. | Sep 2005 | A1 |
| 20050198303 | Knauerhase et al. | Sep 2005 | A1 |
| 20050204143 | Ellington | Sep 2005 | A1 |
| 20050223216 | Chan et al. | Oct 2005 | A1 |
| 20050223217 | Howard et al. | Oct 2005 | A1 |
| 20050246554 | Batson | Nov 2005 | A1 |
| 20050267938 | Czeczulin | Dec 2005 | A1 |
| 20050268309 | Krishnaswamy et al. | Dec 2005 | A1 |
| 20050283443 | Hardt | Dec 2005 | A1 |
| 20050283614 | Hardt | Dec 2005 | A1 |
| 20060004794 | Pizzo et al. | Jan 2006 | A1 |
| 20060005229 | Palekar et al. | Jan 2006 | A1 |
| 20060010445 | Peterson et al. | Jan 2006 | A1 |
| 20060015353 | Reese | Jan 2006 | A1 |
| 20060020783 | Fisher | Jan 2006 | A1 |
| 20060021017 | Hinton et al. | Jan 2006 | A1 |
| 20060026195 | Gu et al. | Feb 2006 | A1 |
| 20060034494 | Holloran | Feb 2006 | A1 |
| 20060085483 | Mooney et al. | Apr 2006 | A1 |
| 20060116949 | Wehunt et al. | Jun 2006 | A1 |
| 20060130065 | Chin et al. | Jun 2006 | A1 |
| 20060161435 | Atef et al. | Jul 2006 | A1 |
| 20060174350 | Roever et al. | Aug 2006 | A1 |
| 20060184401 | DelGaudio et al. | Aug 2006 | A1 |
| 20060200424 | Cameron et al. | Sep 2006 | A1 |
| 20060200504 | Lo | Sep 2006 | A1 |
| 20060224611 | Dunn et al. | Oct 2006 | A1 |
| 20060248099 | Barrett et al. | Nov 2006 | A1 |
| 20060265740 | Clark et al. | Nov 2006 | A1 |
| 20060282360 | Kahn et al. | Dec 2006 | A1 |
| 20060282461 | Marinescu | Dec 2006 | A1 |
| 20060294151 | Wong et al. | Dec 2006 | A1 |
| 20070011136 | Haskin et al. | Jan 2007 | A1 |
| 20070038596 | Pizzo et al. | Feb 2007 | A1 |
| 20070083917 | Peterson et al. | Apr 2007 | A1 |
| 20070100980 | Kataoka et al. | May 2007 | A1 |
| 20070101415 | Masui | May 2007 | A1 |
| 20070143430 | Johnson et al. | Jun 2007 | A1 |
| 20070143836 | Bowers et al. | Jun 2007 | A1 |
| 20070150448 | Patnode | Jun 2007 | A1 |
| 20070156766 | Hoang et al. | Jul 2007 | A1 |
| 20070156767 | Hoang et al. | Jul 2007 | A1 |
| 20070180448 | Low et al. | Aug 2007 | A1 |
| 20070180493 | Croft et al. | Aug 2007 | A1 |
| 20070192843 | Peterson | Aug 2007 | A1 |
| 20070255814 | Green et al. | Nov 2007 | A1 |
| 20070288992 | Robinson et al. | Dec 2007 | A1 |
| 20080021866 | Hinton et al. | Jan 2008 | A1 |
| 20080104220 | Vanyukhin | May 2008 | A1 |
| 20080104250 | Vanyukhin | May 2008 | A1 |
| 20080133533 | Ganugapati et al. | Jun 2008 | A1 |
| 20080162604 | Soulet et al. | Jul 2008 | A1 |
| 20080215867 | Mackin et al. | Sep 2008 | A1 |
| 20090006537 | Palekar et al. | Jan 2009 | A1 |
| 20090063667 | Smith | Mar 2009 | A1 |
| 20090106834 | Borzycki | Apr 2009 | A1 |
| 20090210934 | Innes | Aug 2009 | A1 |
| 20090216975 | Halperin et al. | Aug 2009 | A1 |
| 20100050232 | Peterson | Feb 2010 | A1 |
| 20110093570 | Mackin et al. | Apr 2011 | A1 |
| 20110282977 | Peterson | Nov 2011 | A1 |
| 20110283273 | Peterson | Nov 2011 | A1 |
| 20120192256 | Peterson et al. | Jul 2012 | A1 |
| 20120215899 | Peterson | Aug 2012 | A1 |
| 20120297035 | Peterson | Nov 2012 | A1 |
| 20130212707 | Donahue et al. | Aug 2013 | A1 |
| Number | Date | Country |
|---|---|---|
| 05728119.1 | Mar 2005 | EP |
| 1 932 279 | Jun 2008 | EP |
| WO 2006016900 | Feb 2006 | WO |
| WO 2007044613 | Apr 2007 | WO |
| Entry |
|---|
| U.S. Appl. No. 12/200,814, filed Aug. 28, 2008, Eyes et al. |
| “Description of Digital Certificates”, Jan. 23, 2007, http://www.support.microsoft.com/kb/195724. |
| “Directory Administrator”, http://diradmin.open-it.org/indexlphp, p. 1-3. Dec. 15, 2004. |
| “Innovation Report—Windows Group Policy Protocols”. Jul. 31, 2006. |
| “LDAP Linux HOWTO”, http://tldp/org/HOWTO/LDAP-HOWTO/, p. 1-2. Mar. 5, 2004. |
| “Lnux Authentication Against Active Directory”, http://laaad/sourceforge.netlen/home/htm, p. 1-2. Dec. 15, 2004. |
| “NegotiateAuth”, http://negotiateauth,mozdev.org/ Jul. 8, 2010. |
| “Optimization Techniques for Trusted Semantic Interoperation”, Final Technical Report, Air Force Research Laboratory. Published May 1998. |
| “Project: AD4Unix: Summary”, http://sourceforge.net|projects/adunixl, p. 1-3. Dec. 15, 2004. |
| “Replacing NIS with Kerberos and LDAP”, http://ofb.netHhess/krbldap/, p. 1-2. Dec. 15, 2004. |
| “Sadma”, http://sadmas.sourceforge.netlen/indexlhtml. p. 1-2. Dec. 15, 2004. |
| “Sun Enterprise Authentication Mechanism Data Sheet”, http://wwws.sun.com/jsp—utils/Printpage.jsp?url, pp. 1-4. Dec. 15, 2004. |
| Vintela Extends the Reach of Microsoft Group Policy to Unix and Linux; Vintela Group Policy (VGP) Provides a Framework for Unix and Linux Policy-Based Management Through the Popular Windows Group Policy System., PR Newswire, Sep. 13, 2004. |
| A. Leonard, “Embrace, extend, censor”, Originally published May 11, 2000 on salon.com, http://archive.salon.com/tech/log/2000/05/11/slashdot—censor/. |
| Aelita Software Domain Migration Wizard 6.0 User's Guide, Aug. 21, 2003. |
| AIX 5L Differences Guide Version 5.2 Edition Published Dec. 24, 2002, Excerpt http://proquest.safaribooksonline.com/073842704 7/ch091ev1sec13. |
| Akhgar et al., Secure ICT Services for Mobile and Wireless Communications: A Federated Global Identity Management Framework, 2006 IEEE. |
| Alan H. Harbitter et al., “Performance of Public-Key-Enabled Kerberos Authentication in Large Networks”, Proceedings of the IEEE symposium on Security and Privacy. 2001. |
| Antti Tikkanen, “Active Directory and nss—idap for Linux: Centralized er Management,” printed from http://www.hut.fi/cc/docskerberos/nss—ldap/htm, pp. 1-11, 2004. |
| Apurva Kumar, “The OpenLDAP Proxy Cache,” IBM, India Research Lab, at least as early as May 2003. |
| Authentication, from Pieces of the Puzzle, Chapter 2, p. 12. (Exhibit IV to U.S. Appl. No. 95/001,872, Inter Partes Reexamination Renewed Petition (Third Party Requester to Response to Mar. 1, 2012 Office Action), dated Aug. 9, 2012. |
| Buell, D.A. et al., “Identity management”, Internet Computing, IEEEvol. 7, Issue 6, Nov.-Dec. 2003 pp. 26-28. |
| Centrify DirectControl Administrator's Guide Version 2.0, Aug. 15, 2005. |
| Chapter 9 Authentication Protocols, Distributed System & Network Security Lab, Department of Computer Science & Information Engineering, National Chiao Tung University, pp. 21-22. 1991. |
| COSuser—Identity management and user provisioning for Unix, Linux and Microsoft Windows® http://www.cosuser.com/ May 24, 2010. |
| Damiani, E., et al, “Managing multiple and dependable identities” Internet Computing, IEEEvol. 7, Issue 6, Nov.-Dec. 2003 pp. 29-37. |
| David “Del” Elson, “Active Directory and Linux,” printed from http://www.securityfoc.com/printable/infoc /1563, pp. 1-11, 2002. |
| David F. Carr, “What's Federated Identity Management?”, eWeek, Nov. 10, 2003, http://www.eweek.com/printarticle/O,1761.a-111811,00.asp. |
| Dennis, Disconnect Login (Was: FC3 Bug Week—Help Wanted) (Sep. 24, 2004). |
| Description of Digital Certificates, Jan. 23, 2007, available at http://www.support.microsoft.com/kb/195724. |
| Designing Network Security Published May 7, 1999. Excerpt http://proquest.safaribooksonline.com/1578700434/ch02lev1sec1. |
| Documentation for Kerberos V5 release krb5-1.3, Copyright 1985-2002, Installation Guide: http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6/doc/krb5-install.html. |
| Documentation for Kerberos V5 release krb5-1.3, Copyright 1985-2002, Installation Guide: http://web.mit.edu/Kerberoslkrb5-1.3/krb5-1.3/doc/krb5-install.html—System Administrator's Guide: http://web.mit.edu/Kerberos/krb5-1.3/krb5-1.3/doc/krb5-admin.html—UNIX User's Guide: http://web.mit.edu/Kerberos/krb5-1.3/krb5-1.3/doc/krb5- er.html. |
| Documentation for Kerberos V5 release krb5-1.3, Copyright 1985-2002, System Administrator's Guide: http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6/doc/krb5-admin.html. |
| Documentation for Kerberos V5 release krb5-1.3, Copyright 1985-2002, UNIX User's Guide: http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/user-guide.html. |
| Fabini et al., “IMS in a Bottle: Initial Experiences from an OpenSER-based Prototype Implementation of the 3GPP IP Multimedia Subsystem” Mobile Business, 2006. ICMB '06. International Conference on Publication Date: 2006; On pp. 13-13. |
| Garman, “Kerberos—The Definitive Guide,” Aug. 2003, O'Reilly & Associates, Inc. |
| Get to One Options for moving from multiple, Unix identities to a single, AD-based authentication infrastructure with Vintela Authentication Serviceshttp://www.quest.com/Vintela—Authentication—Services/migration—options—VAS.aspx May 24, 2010. |
| Hank Simon, “SAML:The Secret to Centralized Identity Management”, Dec. 2004, http://intelligententerprise.com/showArticle.jhtml?articleID=54200324. |
| IBM SecureWay Policy Director, 1999. (4 pages). |
| IBM z/OS V1R1.0-V1R12.0 DCE Application Development Reference: dce—ace—is—cient—authorized API call: URL: http://publib.boulder.ibm.com/infocenter/zos/v1r12/topic/com.ibm.zos.r12.euvmd00/euva6a00646.htm, Copyright IBM Corporation 1990,2010, (2 pages). |
| Identity Management for UNIX http://technet2.microsoft.com/WindowsServer/en/library/ab66b7d2-9cfb-4d76-b707-30a5e0dd84f31033.mspx?mfr=true Aug. 22, 2005. |
| Implementing Registry-Based Group Policy for Applications, Microsoft Windows 2000 Server. White Paper. 2000. |
| Introduction to Group Policy in Windows Server 2003, Microsoft Corporation, Published Apr. 2003. |
| J. Barr, “The Gates of Hades: Microsoft attempts to co-opt Kerberos”, Published Apr. 2000 as verified by the Internet Archive, http://web.archive.org/web/20000619011652/http://www.linuxworld.com/linuxworld/lw-2000-04/lw-04-vcontrol—3.html. |
| J. Brezak, “HTTP Authentication: SPNEGO Access Authentication as Implemented in Microsoft Windows 2000,” http://Meta.cesnet.cz/cms/opencms/en/docs/software/devel/draft-brezek-spnego-http-04.xt, pp. 1-6. 2002. |
| J. Kohl et al. “RFC 1510: The Kerberos Network Authentication Service (V5)”, Published Sep. 1993, http://ietfreport.isoc.org/rfc/PDF/rfc1510.pdf. |
| Jan De Clercq, “Win.NET Server Kerberos”, http://www.winnetmag.com/WindowsSecurity/ Articles|ArticleID/26450/pg/3/3.html. Sep. 17, 2002. |
| John Brezak, “Interoperability with Microsoft Windows 2000 Active Directory and Kerberos Services,” printed from http://msdn.microsft.com/library/en- /dnactdir/html/kerberossamp.asp?frame=true, pp. 1-4, 2000. |
| Kerberos, PACs, and Microsoft's Dirty Tricks Originally posted to slashdot.org on May 2, 2000, http://slashdot.org/comments.pl?sid=5268&threshold=1&commentsort=O&mode=thread&cid=1096250. |
| Langella, S. et al., “Dorian: Grid Service Infrastructure for Identity Management and Federation”, Computer-Based Medical Systems, 2006. CBMS 2006. 19th IEEE International Symposium on Jun. 22-23, 2006 pp. 756-761. |
| Li, M., et al., “Identity management in vertical handovers for UMTS-WLAN networks”, Mobile Business, 2005. ICMB 2005. International Conference on Jul. 11-13, 2005 pp. 479-484. |
| LinuX® and Windows® Interoperability Guide, Published Dec. 14, 2001, Excerpt http://proquest.safaribooksonline.com/0130324779/ch 18/lev1sec3. |
| Lowe-Norris, Alistair G., Windows 2000 Active Directory, Chapters 8 and 9, pp. 177-245, Jan. 2000. |
| Matsunaga et al, “Secure Authentication System for Public WLAN Roaming, Proceedings of the 1st ACM international workshop on Wireless mobile applications and services on WLAN hotspots,” San Diego, CA, A, Year of Publication: 2003, p. 113-121. |
| Matthew Hur, “Session Code: ARC241 architecture & infrastructure”, Microsoft Corporation. Oct. 26, 2003. |
| MCSE in a Nutshell: The Windows 2000 Exams Published Feb. 2001. Excerpt http://proquest.safaribooksonline.com/0596000308/mcseian-CHP-13-SECT-1. |
| Microsoft Corp., Implementing Registry-Based Group Policy for Applications, 2000. |
| Microsoft Corp., Introduction to Group Policy in Windows Server 2003, 2003. |
| Microsoft: CATIA Migration from UNIX to Windows, Overview, Jul. 18, 2003. (3 pages). |
| Microsoft: CATIA Migration from UNIX to Windows, Overview, Jul. 18, 2003, Microsoft, Chapter 8, Windows-Unix Interoperability and Data Sharing. (21 pages). |
| Mikkonen, H. et al., “Federated Identity Management for Grids” Networking and Services, 2006. ICNS '06. International conference onJul. 16-18, 2006 pp. 69-69. |
| Mont, M.C. et al., “Towards accountable management of identity and privacy: sticky policies and enforceable tracing services”, Database and Expert Systems Applications, 2003. Proceedings. 14th International Workshop on Sep. 1-5, 2003 pp. 377-382. |
| NCSA Introduction to Kerberos 5, All right reserved Board of Trustees of the University of Illinois Page last updated May 21, 2002 http://www.ncsa.uiuc.edu/UserInfo/Resources/Sofiware/kerberosold/introduction.html. |
| Neuman et al., “RFC 4120—The Kerberos Network Authentication Service V5,” Network Working Group, Jul. 2005. |
| Neuman, et al.: “Kerberos: An Authentication Service for Computer Networks”, IEEE Communications Magazine, vol. 32, Issue 9, Pub. Date Sep. 1994, relevant pp. 33-38. |
| O'Reily publications “Unix & Internet Security”, Apr. 1996. (3 pages). |
| PADL Software Pty Ltd., http://www.padl.com/productsIXAD.html, pp. 1-3. Dec. 15, 2004. |
| PADL Software Pty Ltd., Pam—ccreds readme, (Apr. 11, 2004) (pan—crreds). |
| Phiri, J. et al., “Modelling and Information Fusion in Digital Identity Management Systems” Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies, 2006. ICN/ICONS/MCL 2006. International Conference on Apr. 23-29, 2006 pp. 181-181. |
| Quest Software; “UNIX Identity Migration Wizard User Guide”, 2006. |
| Quest Vintela Authentication Services Administrator's Guide Version 3.1, Sep. 2006. |
| Radeke, E., et al. “Framework for object migration in federated database systems”, Cooperation Univ. of Paderborn, Germany, Parallel and Distributed Information Systems, 1994., Proceedings of the Third International Conference on Publication Date: Sep. 28-30, 1994, On pp. 187-194. |
| RFC 4120—“The Kerberos Network Authentication Service V5,” Neuman et al., Network Working Group, Jul. 2005. |
| Sandrasegaran, Hsang, Identity Management in Vertical Handovers for UMTS-WLAN Networks, 2005 IEEE. |
| Search Security, “Search Security.com Definitions”, Jun. 4, 2007, http://searchsecurity.techtarget.com/sDefinition/0,,sid14—gci212437,00.html. |
| Shim, S.S.Y et al., “Federated identity management” Computer; vol. 38, Issue 12, Dec. 2005 pp. 120-122. |
| Shin, D. et al “Ensuring information assurance in federated identity management”, Performance, Computing, and Communications, 2004 IEEE International Conference on 2004 pp. 821-826. |
| Siddiqi, J. et al., “Secure ICT Services for Mobile and Wireless Communications: A Federated Global Identity Management Framework”, Information Technology: New Generations, 2006. ITNG 2006. Third International Conference on Apr. 10-12, 2006 pp. 351-357. |
| Sixto Ortiz, Jr., “One-Time Password Technology”, vol. 29, Issue 15, Apr. 13, 2007, http://www.processor.com/editorial/article.asp?article=articles%2Fp2915%2F30p15%2F30p15.asp. |
| Subject 2.15. What do I need to do to setup cross-realm authentication?, http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-fag. html. Jul. 8, 2010. |
| The SLAPD and SLURPD Administrator's Guide, University of Michigan Release 3.3 Apr. 30, 1996, available at http://www.umich.edu/˜dirsvcs/ldap/doc/guides/slapd/guide.pdf. |
| Turbo Fredriksson, “LDAPv3.” printed from http://www.bayour.com/LDAPv3-HOWTO.html, pp. 2-65, 2001. |
| Ventuneac et al., A policy-based security framework for Web-enabled applications, Proceeding ISICT '03, Proceedings of the 1st International Symposium on Information and Communication Technologies, pp. 487-492. |
| Vintela Group Policy Technology Preview, “Extending the Power of Group Policy and Windonws Active Directory to configuration of Unix and Linux users and systems”, Version 0.1, May 2004. |
| Wedgetail Communications; “Security Assertion Markup Language (SAML)”, 2004. |
| Weitzner, D.J., “In Search of Manageable Identity Systems”, IEEE Internet Computing, vol. 10, Issue 6, Nov.-Dec. 2006 pp. 84-86. |
| Windows 2000 Kerberos Authentication White Paper, Microsoft Windows 2000 Server, pp. 1-5 and 41-42. Jul. 12, 2010. |
| Withers, Integrating Windows 2000 and UNIX Using Kerberos, The Journal for UNIX Systems Administrators, vol. 10, No. 12, Dec. 2001. http://seann.herdejurgen.com/resume/samag.com/html/v10/il2/a5.htm. |
| “Kerberos Module for Apache”; http://modauthkerb.sourceforge.net/; as accessed on Dec. 15, 2004; 1 page. |
| Number | Date | Country | |
|---|---|---|---|
| 61222446 | Jul 2009 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 12829239 | Jul 2010 | US |
| Child | 13594273 | US |
