Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
The response of 7/16/2021 was received and considered.
Claims 1-22 are pending.

Response to Arguments
Applicant's arguments filed 7/16/2021 have been fully considered but they are not persuasive.
Applicant’s remarks (§A) argue that Geusz uses authentication factors when the OS boots, which teaches away from the claimed “without exchanging authentication factors with the OS”.  However, the specification does not define “authentication factors”.  The specification, ¶30, ¶34, describes that SSO data (authentication factors) are stored for later reuse by the OS (exchanged).  The specification does not support exchanging no authentication-related data with the OS.  Therefore, based on the invention as described in the specification, Geusz discloses am embodiment where no user authentication is performed within the OS, only the passing of the received session token, col. 10, lines 49-64, col. 11, lines 1-4 and lines 17-19.  Therefore, as no user-provided authentication factors are exchanged with the OS, the Examiner respectfully maintains that the prior art teaches the limitations of the independent claims.
Regarding claims 21-22, Geusz discloses where the first network device comprises an authentication server (verification sent to server, col. 7, lines 60-61), and where the programmable integrated circuit is programmed to operate in the pre-boot environment to receive the authentication token from the authentication server session token provided from .

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-22 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.	
Claims 1 and 11 recite “without exchanging authentication factors with the OS”.  However, the specification does not enable a skilled artisan to make and/or use the invention without exchanging authentication factors, i.e. without exchanging data related to the authentication with the OS (note that the specification does not define “authentication factors”).  The specification, ¶30, ¶34, describes that SSO data (authentication factors) are stored for later reuse by the OS (exchanged).  As such, the specification does not enable a skilled .  

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 22 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 22, claim 22 is directed to a method, but depends on claim 11, which is directed to an information handling system.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 1-3, 8, 10-13, 18 and 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over US 10,855,674 B1 to Geusz et al. (Geusz), in view of US 8,001,587 B2 to Lovat et al. (Lovat).
Regarding claim 1, Geusz discloses operating a client information handling system in a pre-boot environment before any operating system (OS) is booted (user powers on computing device and verification is provided prior to booting, col. 7, lines 22-24) to authenticate a local user of the client information handling system (computing device 110, col. 7, lines 43-44) across a network with a first remote network device (verification sent to server, col. 7, lines 60-61), and to store an authentication token received across the network in the client information handling system from the first remote network device in response to the authentication of the local user (computing device receives authentication data from server in response to authentication, col. 10, lines 17-23, lines 52-57, lines 61-64); and then booting an OS on the client information handling system without exchanging authentication factors with the OS (no user authentication is performed within the OS, only the passing of the received session token, col. 10, lines 49-64) without re-authenticating the local user (boot OS, col. 12, lines 15-21) to retrieve and provide authentication data across the network from the client information handling system to at least one network service device to obtain access to one or more services of the network service device (authentication data can include Kerberos ticket, Open Authorization tokens, etc., col. 12, lines 25-32, and can be used by local SSO agent, col. 12, lines 63-66 and for proof of identity, including providing authentication data to an application such as a web browser, col. 22, lines 24-34).  Geusz is silent regarding sending the authentication token itself.  However, Lovat teaches a known authentication configuration for single sign-on (Fig. 13A) where a local device (130) authenticates with a server application (132) and receives a token that is then used by the device to propagate proof of identity to a remote provider server (131A).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to 
Regarding claims 2 and 12, Geusz discloses where the first network device comprises an authentication server (verification server 120, col. 7, lines 60-61), and where the method further comprises operating the client information handling system in the pre-boot environment to execute a basic input/output system (BIOS) on the client information handling system (col. 5, lines 62-65, col. 15, lines 6-8) to:  receive user credentials provided to the BIOS by the local user (receive password, col. 8, lines 31-38), and use the provided user credentials to authenticate the user on the client information handling system (col. 8, lines 36-41); then transmit a request for service/s across the network to the authentication server only if the user is authenticated on the client information handling system by the BIOS (col. 8, lines 36-41); and then receive the authentication token from the authentication server, and store the received authentication token on non-volatile system storage of the client information handling system (computing device receives authentication data from server in response to authentication, col. 10, lines 17-23, lines 52-57, lines 61-64); and then booting an OS on the client information handling system without re-authenticating the local user (boot OS, col. 12, lines 15-21; see also, as modified above by Lovat, Fig. 13A).
Regarding claims 3 and 13, Geusz disclose where the request for service/s comprises local user identification information for the current local user (verification request comprises a user identifier (col. 8, lines 9-17, col. 9, lines 23-29); and where the method further comprises: checking the provided local user identification information versus a user identification database on the authentication server to verify that the local user is included in the identification database as being authorized to access the requested one or more service/s (server looks up a certificate record by user identifier associated with 
Regarding claims 8 and 18, Geusz discloses where the one or more services of the network service device comprise at least one of print services, file-sharing services, media-streaming services, cloud storage services, data processing services, virtual machine services, or computer gaming services (authentication data can include Kerberos ticket, Open Authorization tokens, etc., col. 12, lines 25-32, and can be used by local SSO agent, col. 12, lines 63-66 and for proof of identity, including providing authentication data to an application such as a web browser, col. 22, lines 24-34;  see also, as modified above by Lovat, Fig. 13A).
Regarding claims 10 and 20, Geusz discloses where the network comprises the Internet or a corporate intranet (col. 24, lines 24-29).
Regarding claim 11, the claim is similar in scope to claim 1 and is therefore rejected using a similar rationale.  
Regarding claims 21-22, Geusz discloses where the first network device comprises an authentication server (verification sent to server, col. 7, lines 60-61), and where the programmable integrated circuit is programmed to operate in the pre-boot environment to receive the authentication token from the authentication server session token provided from server, col. 10, lines 61-65) prior to OS booting and to insert the received authentication token into OS cache memory on the client information handling system prior to OS booting (session token is inserted into the TPM, which is available to the OS, col. 10, line 61 – col. 11, line 4, col. 11, lines 15-19 and col. 14, lines 50-52).

Claims 4-7, 9, 14-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Geusz and Lovat, as applied to claims 2 and 12 above, in view of “Kerberos (protocol)” by Wikipedia (Applicant’s IDS, reference dated 7/6/2019).  
Regarding claims 4-5 and 14-15, Geusz discloses further comprising then booting the OS on the client information handling system and using the booted OS to perform the following without re-authenticating the local user on the client information handling system (boot OS, col. 12, lines 15-21) and discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32), but lacks retrieving the stored authentication token from the non-volatile system storage and provide the retrieved authentication token across the network from the client information handling system to the same or the different authentication server; receiving a service ticket from the same or the different authentication server to access one or more services of the network service device without re-authenticating the local user; and storing the received service ticket in OS cache memory on the client information handling system.  However, Wikipedia1 teaches the Kerberos protocol, where a user device sends a stored TGT to a TGS (p. 4, Client Service Authorization, step 1), where the TGS returns a Client-to-server ticket in response (p. 4, Client Service Authorization, step 2).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Geusz to include retrieving the stored authentication token (Kerberos TGT/ticket) from the non-volatile system storage and provide the retrieved authentication token across the network from the client information handling system to the same or the different authentication server (provide TGT to Kerberos TGS); receiving a service ticket (Client-to-server ticket provided in response to successful decryption and comparison of ID, Wikipedia, p. 4, Client Service Authorization, step 2) from the same or the different authentication server to access one or more services of the network service device without 
Regarding claims 6 and 16, Geusz discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32), but lacks where the first remote network device is a Kerberos authentication server; where the authentication token is a Kerberos ticket-granting ticket (TGT); and where the service ticket is a temporary service ticket that includes an expiration time.  However, Wikipedia teaches the Kerberos protocol, where a user device authenticates itself to an authentication server (AS) (p. 3, Client Authentication), the client receives a token (TGT) (p. 3, Client Authentication) and exchanges the TGT for a service ticket (Client-to-server ticket) where the service ticket is a temporary service ticket that includes an expiration time (Client-to-server ticket, including validity period, p. 4, Client Service Authorization, steps 1 and 2).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Geusz, as modified above, such that the first remote network device is a Kerberos authentication server; where the authentication token is a Kerberos ticket-granting ticket (TGT); and where the service ticket is a temporary service ticket that includes an expiration time.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize the disclosed Kerberos ticket embodiment according to the Kerberos protocol, as taught by Wikipedia.
Regarding claims 7 and 17, Geusz discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32) and then booting the OS on the client information handling system and using the booted OS to perform the following without re-authenticating the local user on the client information handling system (boot OS, col. 12, lines 15-21), but lacks retrieving the service ticket from 
Regarding claims 9 and 19, Geusz discloses that the received authentication data can be a Kerberos ticket (col. 12, lines 25-32), but lacks where the first remote network device is a Kerberos authentication server; and where the authentication token is a Kerberos ticket-granting ticket (TGT).  However, Wikipedia teaches the Kerberos protocol, where a user device authenticates itself to an authentication server (AS), where the Kerberos system returns a TGT in response (p. 3).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Geusz such that the first remote network device is a Kerberos authentication server; and where the authentication token is a Kerberos ticket-granting ticket (TGT).  One of ordinary skill in the art would have been motivated to perform such a modification to utilize the disclosed Kerberos ticket embodiment according to the Kerberos protocol, as taught by Wikipedia.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2009/0319806 A1 to Smith et al. teaches performing a pre-boot authentication (¶17) and stores the result in an OS cache (¶20, ¶28).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841.  The examiner can normally be reached on Monday - Friday, 7:00-3:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-38623862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Michael Simitoski/               Primary Examiner, Art Unit 2493                                                                                                                                                                                         
September 14, 2021





    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 The Examiner notes that the cited references to Smith et al. also teach integrating Kerberos with pre-boot authentication.