Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/10/2021 has been entered. This action is made Non-Final.
 
Status of claims
This office action is in response to communication filed on 09/10/2021;
Claims 1-20 are pending and rejected; claims 1, 10 and 19 are independent claims

Response to Arguments
Applicant's arguments filed on 09/10/2021 have been fully considered but they are not persuasive. 
With respect to applicant’s argument: Neither Hochmuth nor Innes teaches or suggests that the authentication for logging in or unlocking the client terminal can be performed on a virtual appliance  while the client terminal is not logged in or is locked. 
Examiner respectfully disagrees with applicant’s argument for the following reasons: Innes teaches (see Innes ¶119, virtual agent 823 may also determine whether the client agent 803 provided the virtual agent 823 with automatic logon credentials… the client device 801 may have authenticated with another (e.g., authentication) server, and the user may have provided a password, PIN, biometrics, or other credentials…, brokering step and smartcard unlock step may occur during the negotiation session .


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hochmuth et al US Pub. No.: 2011/0315763 A1 (hereinafter Hochmuth) in view of Innes et al. US Pub. No.: 2018/0007059 A1 (hereinafter Innes).

Hochmuth teaches:
implemented by a reverse authentication client that is executing on a client terminal in a virtual desktop infrastructure environment, for performing reverse authentication (see Hochmuth ¶13, a local system can access a remote desktop or other remotely-run application which is displayed on the local system, embodiments of the disclosure can employ smart card authentication for access to the local system as well as the remote system) the method comprising: 
receiving user input while the client terminal is not logged in or is locked (see Hochmuth Fig. 4, box 220, local authentication engine receives user credentials from locally attached peripheral device); 
in response to receiving the user input and while the client terminal is not logged in or is locked, redirecting an authentication device that is connected to the client terminal to a virtual appliance (see Hochmuth Fig. 4, box 235, remote access client establishes connection to remote access server); 
in conjunction with redirecting the authentication device to the virtual appliance and while the client terminal is not logged in or is locked, sending user input credentials which include the user input to a reverse authentication server executing on the virtual appliance to thereby enable authentication to be performed on the virtual appliance (see Hochmuth Figs. 4-6, ¶¶23, 28, In block 250, the remote access server 132 establishes a server based remote peripheral session 133 (FIG. 3) based upon a remote session 121 created for a user. The smart card reader 110 is now available to the remote access server 132 and a remote authentication engine 134 (FIG. 3). The user may then authenticate himself to the remote access server 132); 
ceasing the redirection of the authentication device to the virtual appliance (see Hochmuth ¶35, the smart card reader 110 is unbound from the remote system 104 upon authentication of a user as noted above, as the remote system 104 can terminate the server based remote peripheral session 133, and the remote access client can terminate the remote peripheral session 128)
Hochmuth does not explicitly teach but the related art Innes teaches:
While the client terminal is not logged in or is locked, receiving authentication results from the reverse authentication server (see Innes ¶119, virtual agent 823 may also determine whether the client agent 803 provided the virtual agent 823 with automatic logon credentials); 
in response to receiving the authentication results, logging in or unlocking the client terminal (see Innes ¶124, The smartcard 817 may have been used during the brokering step, and the smartcard 817 may have been unlocked if the authentication with the first server was successful). 
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the dynamic remote peripheral binding system disclosed by Hochmuth to include the Dynamic access control to network resources using federated full domain login as thought by Innes, in order to revers authenticate the client device. It would have been obvious to a person with ordinary skill in the art include automatically authenticate the secured resources including the client device, once the credentials on the smart card is being authenticated in order to enhance security.

As to claim 2, the combination of Hochmuth and Innes teaches the method of claim 1, wherein the authentication device comprises a smart card (see Hochmuth Fig. 2, smartcard authentication). 

As to claim 3, the combination of Hochmuth and Innes teaches the method of claim 2, wherein the user input comprises a PIN (see Hochmuth ¶30, the user can be prompted for a personal identification number (PIN)). 

As to claim 4, the combination of Hochmuth and Innes teaches the method of claim 3, wherein the user input credentials comprise a domain name, a username and the PIN (see Innes ¶134, Table, user input including domain name, username, and PIN). 

As to claim 5, the combination of Hochmuth and Innes teaches the method of claim 1, further comprising: employing the authentication results to establish a remote session on a server (see Hochmuth ¶35, authenticated to compute resources of the remote system 104). 

As to claim 6, the combination of Hochmuth and Innes teaches the method of claim 5, wherein the authentication results include a ticket granting ticket, and wherein employing the authentication results to establish the remote session on the server comprises employing the ticket granting ticket to perform single sign-on (¶¶160-162, single sign-on service using access ticket). 

As to claim 7, the combination of Hochmuth and Innes teaches the method of claim 5, further comprising: redirecting the authentication device to the server to enable the authentication device to be accessed within the remote session see Hochmuth Fig. 4, box 235, remote access client establishes connection to remote access server). 

As to claim 8, the combination of Hochmuth and Innes teaches the method of claim 1, wherein the authentication device comprises a smart card and the authentication results include one of more of: a Kerberos ticket; an NTLM hash; a username; a PIN; or a container name and reader name of the smart card (see Innes ¶¶134, 160-162, Authentication include Kerberos ticket, NTLM hash, username, PIN). 

As to 9, the combination of Hochmuth and Innes teaches the method of claim 1, wherein the authentication device is a biometric reader (Innes ¶118, 122, biometric smart card).

Hochmuth teaches:
As to claim 10, a method, implemented on a virtual appliance, 
for performing reverse authentication in a virtual desktop infrastructure environment (see Hochmuth ¶13, a local system can access a remote desktop or other remotely-run application which is displayed on the local system, embodiments of the disclosure can employ smart card authentication for access to the local system as well as the remote system), the method comprising: 
receiving user input credentials from a reverse authentication client executing on a client terminal (see Hochmuth Fig. 4, box 220, local authentication engine receives user credentials from locally attached peripheral device); 
in conjunction with receiving the user input credentials, redirecting an authentication device that is connected to the client terminal to the virtual appliance to thereby enable the authentication device to be accessed on the virtual appliance (see Hochmuth Figs. 4-6, ¶¶23, 28, In block 250, the remote access server 132 establishes a server based remote peripheral session 133 (FIG. 3) based upon a remote session 121 created for a user. The smart card reader 110 is now available to the remote access server 132 and a remote authentication engine 134 (FIG. 3). The user may then authenticate himself to the remote access server 132); 
employing the received user input credentials to cause an authentication subsystem on the virtual appliance to authenticate a user of the client terminal using the redirected authentication device (see Hochmuth ¶34, the local authentication engine can transmit the security certificate to the remote system 104, which can employ the remote authentication engine for user authentication); 
ceasing the redirection of the authentication device see Hochmuth ¶35, the smart card reader 110 is unbound from the remote system 104 upon authentication of a user as noted above, as the remote system 104 can terminate the server based remote peripheral session 133, and the remote access client can terminate the remote peripheral session 128).
Hochmuth does not explicitly teach but the related art Innes teaches:
receiving authentication results from the authentication subsystem (see Innes ¶124, virtual agent 823 may also determine whether the client agent 803 provided the virtual agent 823 with automatic logon credentials); 
sending the authentication results to the reverse authentication client (see Innes ¶124, The smartcard 817 may have been used during the brokering step, and the smartcard 817 may have been unlocked if the authentication with the first server was successful). 
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the dynamic remote peripheral binding system disclosed by Hochmuth to include the Dynamic access control to network resources using federated full domain login as thought by Innes, in order to revers authenticate the client device. It would have been obvious to a person with ordinary skill in the art include automatically authenticate the secured resources including the client device, once the credentials on the smart card is being authenticated in order to enhance security.

As to 11, the combination of Hochmuth and Innes teaches the method of claim 10, wherein the authentication device comprises a smart card (see Hochmuth Fig. 2, smartcard authentication).

As to claim 12, the combination of Hochmuth and Innes teaches the method of claim 11, wherein the user input credentials comprise a domain name, a username and a PIN (see Innes ¶134, Table, user input including domain name, username, and PIN).

As to claim 13, the combination of Hochmuth and Innes teaches the method of claim 10, wherein the authentication results sent to the reverse authentication client include a ticket granting ticket (¶¶160-162, single sign-on service using access ticket)..

As to claim 14, the combination of Hochmuth and Innes teaches the method of claim 13, wherein the authentication results sent to the reverse authentication client also include an NTLM hash (see Innes ¶¶134, 160-162, Authentication include Kerberos ticket, NTLM hash, username, PIN).

As to claim 15, the combination of Hochmuth and Innes teaches the method of claim 10, further comprising: caching the authentication results on the virtual appliance (see Innes ¶151, authentication manager 1008 may communicate with a smart card 1017 and/or a single sign-on device 1019, such as a secure PIN caching service and/or device. The authentication manager 1008 may store a PIN or other credential provided by the user during authentication).

As to claim 16, the combination of Hochmuth and Innes teaches the method of claim 10, wherein the authentication device is a biometric reader (Innes ¶118, 122, biometric smart card).

As to claim 17, the combination of Hochmuth and Innes teaches the method of claim 10, wherein the authentication device comprises a smart card and wherein employing the received user input credentials to cause the authentication subsystem on the virtual appliance to authenticate the user of the client terminal using the redirected authentication device comprises submitting a logon request to the authentication subsystem, the logon request including a domain name, a username, and a PIN of the user which were received as the user input credentials, the logon request also including a container name and reader name of the smart card (see Innes ¶134, Table, user input including domain name, username, and PIN).

As to claim 18, the combination of Hochmuth and Innes teaches the method of claim 17, wherein the logon request comprises a Kerberos logon request (see Innes ¶¶134, 160-162, Authentication include Kerberos ticket, NTLM hash, username, PIN).

Hochmuth teaches:
As to claim 19, one or more computer storage media storing computer executable instructions which when executed in a virtual desktop infrastructure environment implement a method for performing reverse authentication (see Hochmuth ¶13, a local system can access a remote desktop or other remotely-run application which is displayed on the local system, embodiments of the disclosure can employ smart card authentication for access to the local system as well as the remote system), 
the method comprising: receiving, by a reverse authentication client that executes on a client terminal, user input while the client terminal is not logged in or is locked (see Hochmuth Fig. 4, box 220, local authentication engine receives user credentials from locally attached peripheral device); 
in response to receiving the user input, redirecting an authentication device that is connected to the client terminal to a virtual appliance (see Hochmuth Fig. 4, box 235, remote access client establishes connection to remote access server); 
in conjunction with redirecting the authentication device to the virtual appliance, sending user input credentials which include the user input to a reverse authentication server executing on the virtual appliance (see Hochmuth Figs. 4-6, ¶¶23, 28, In block 250, the remote access server 132 establishes a server based remote peripheral session 133 (FIG. 3) based upon a remote session 121 created for a user. The smart card reader 110 is now available to the remote access server 132 and a remote authentication engine 134 (FIG. 3). The user may then authenticate himself to the remote access server 132); 
ceasing the redirection of the authentication device (see Hochmuth ¶35, the smart card reader 110 is unbound from the remote system 104 upon authentication of a user as noted above, as the remote system 104 can terminate the server based remote peripheral session 133, and the remote access client can terminate the remote peripheral session 128)
Hochmuth does not explicitly teach but the related art Innes teaches:
obtaining, by a reverse authentication credential provider that executes on the virtual appliance, the user input credentials from the reverse authentication server (see Innes ¶134, Table, user input including domain name, username, and PIN); 
obtaining, by the reverse authentication credential provider a container name and reader name of the authentication device that has been redirected to the virtual appliance (see Innes ¶134, Table, user input including domain name, username, and PIN); 
submitting, by the reverse authentication credential provider, a logon request that includes the user input credentials, the container name and the reader name to thereby receive authentication results see Innes ¶134, Table, user input including domain name, username, and PIN); 
sending, to the reverse authentication client, the authentication results (see Innes ¶124, virtual agent 823 may also determine whether the client agent 803 provided the virtual agent 823 with automatic logon credentials).
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the dynamic remote peripheral binding system disclosed by Hochmuth to include the Dynamic access control to network resources using federated full domain login as thought by Innes, in order to revers authenticate the client device. It would have been obvious to a person with ordinary skill in the art include automatically authenticate the secured resources including the client device, once the credentials on the smart card is being authenticated in order to enhance security.

As to claim 20, the combination of Hochmuth and Innes teaches the computer storage media of claim 19, wherein the method further comprises: employing, by the client terminal, the authentication results to establish a remote session on a server; and redirecting the authentication device to the server (see Hochmuth Figs. 4-6, ¶¶23, 28, In block 250, the remote access server 132 establishes a server based remote peripheral session 133 (FIG. 3) based upon a remote session 121 created for a user. The smart card reader 110 is now available to the remote access server 132 and a remote authentication engine 134 (FIG. 3). The user may then authenticate himself to the remote access server 132).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NEGA WOLDEMARIAM/Examiner, Art Unit 2433                 

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433