Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The IDS of 8/1/2019 was received and considered.
Claims 1-20 are pending.
	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8, 10-13, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 10,855,674 B1 to Geusz et al. (Geusz), in view of US 8,001,587 B2 to Lovat et al. (Lovat).
Regarding claim 1, Geusz discloses operating a client information handling system in a pre-boot environment before any operating system (OS) is booted (user powers on computing device and verification is provided prior to booting, col. 7, lines 22-24) to authenticate a local user of the client information handling system (computing device 110, col. 7, lines 43-44) across a network with a first 
Regarding claims 2 and 12, Geusz discloses where the first network device comprises an authentication server (verification server 120, col. 7, lines 60-61), and where the method further comprises operating the client information handling system in the pre-boot environment to execute a basic input/output system (BIOS) on the client information handling system (col. 5, lines 62-65, col. 15, lines 6-8) to:  receive user credentials provided to the BIOS by the local user (receive password, col. 8, lines 31-38), and use the provided user credentials to authenticate the user on the client information 
Regarding claims 3 and 13, Geusz discloses where the request for service/s comprises local user identification information for the current local user (verification request comprises a user identifier, col. 8, lines 9-17, col. 9, lines 23-29); and where the method further comprises: checking the provided local user identification information versus a user identification database on the authentication server to verify that the local user is included in the identification database as being authorized to access the requested one or more service/s (server looks up a certificate record by user identifier associated with the verification request, col. 9, lines 23-29); and then providing the authentication token across the network from the authentication server to the client information handling system only if the local user is determined to be included in the identification database as being authorized to access the requested one or more service/s (server provides authentication data in response to successful verification, col. 10, lines 17-23).
Regarding claims 8 and 18, Geusz discloses where the one or more services of the network service device comprise at least one of print services, file-sharing services, media-streaming services, cloud storage services, data processing services, virtual machine services, or computer gaming services (authentication data can include Kerberos ticket, Open Authorization tokens, etc., col. 12, lines 25-32, and can be used by local SSO agent, col. 12, lines 63-66 and for proof of identity, including providing 
Regarding claims 10 and 20, Geusz discloses where the network comprises the Internet or a corporate intranet (col. 24, lines 24-29).
Regarding claim 11, the claim is similar in scope to claim 1 and is therefore rejected using a similar rationale.  

Claims 4-7, 9, 14-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Geusz and Lovat, as applied to claims 2 and 12 above, in view of “Kerberos (protocol)” by Wikipedia (Applicant’s IDS, reference dated 7/6/2019).  
Regarding claims 4-5 and 14-15, Geusz discloses further comprising then booting the OS on the client information handling system and using the booted OS to perform the following without re-authenticating the local user on the client information handling system (boot OS, col. 12, lines 15-21) and discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32), but lacks retrieving the stored authentication token from the non-volatile system storage and provide the retrieved authentication token across the network from the client information handling system to the same or the different authentication server; receiving a service ticket from the same or the different authentication server to access one or more services of the network service device without re-authenticating the local user; and storing the received service ticket in OS cache memory on the client information handling system.  However, Wikipedia¹ teaches the Kerberos protocol, where a user device sends a stored TGT to a TGS (p. 4, Client Service Authorization, step 1), where the TGS returns a Client-to-server ticket in response (p. 4, Client Service Authorization, step 2).  Therefore, it would have been 
Regarding claims 6 and 16, Geusz discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32), but lacks where the first remote network device is a Kerberos authentication server; where the authentication token is a Kerberos ticket-granting ticket (TGT); and where the service ticket is a temporary service ticket that includes an expiration time.  However, Wikipedia teaches the Kerberos protocol, where a user device authenticates itself to an authentication server (AS) (p. 3, Client Authentication), the client receives a token (TGT) (p. 3, Client Authentication) and exchanges the TGT for a service ticket (Client-to-server ticket) where the service ticket is a temporary service ticket that includes an expiration time (Client-to-server ticket, including validity period, p. 4, Client Service Authorization, steps 1 and 2).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Geusz, as modified above, such that the first remote network device is a Kerberos authentication server; where the authentication token is a Kerberos ticket-granting ticket (TGT); and where the service ticket is a 
Regarding claims 7 and 17, Geusz discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32) and then booting the OS on the client information handling system and using the booted OS to perform the following without re-authenticating the local user on the client information handling system (boot OS, col. 12, lines 15-21), but lacks retrieving the service ticket from the OS cache memory on the client information handling system; providing the retrieved service ticket across the network to the network service device; and obtaining access to the one or more services from the network service device in response to the service ticket provided to the network service device.  However, Wikipedia teaches the Kerberos protocol, including retrieving the service ticket (Client-to-server ticket), providing the retrieved service ticket across the network to the network service device (sending the Client-to-server ticket to the Service Server (SS), p. 4, Client Service Request, step 1); and obtaining access to the one or more services from the network service device in response to the service ticket provided to the network service device (p. 4, Client Service Request, step 4).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Geusz, as modified above, to include retrieving the service ticket from the OS cache memory on the client information handling system (obvious to a skilled artisan, as the Kerberos ticket in Geusz is being used by the OS operating at post-boot); providing the retrieved service ticket across the network to the network service device; and obtaining access to the one or more services from the network service device in response to the service ticket provided to the network service device.  
Regarding claims 9 and 19, Geusz discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32), but lacks where the first remote network device is a Kerberos authentication server; and where the authentication token is a Kerberos ticket-granting ticket (TGT).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
“An Innovative Model (HS) to Enhance the Security in Windows Operating System - A Case Study” is cited for teaching UEFI/pre-boot security.  
The references to Von Bokern et al. are cited for teaching directly using a single token to authenticate to a provider.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841.  The examiner can normally be reached on Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Michael Simitoski/
Primary Examiner, Art Unit 2493
March 9, 2021

1 The Examiner notes that the cited references to Smith et al. also teach integrating Kerberos with pre-boot authentication.