Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Final Office Action is in response to amendment filed on 03/03/2022.
Amended claims 1-22  filed on 03/03/2022 are being considered on the merits. Claims 1-22  remain pending in the application. 

Response to Amendment 
Applicant’s amendments to the Specification has overcome the objection previously set forth in the Non-Final Office Action mailed on 12/07/2021.
Applicant’s amendments to the claims have overcome the objection previously set forth in the Non-Final Office Action mailed on 12/07/2021. 
Applicant’s amendments to the claims have overcome the USC 112(b) rejection previously set forth in the Non-Final Office Action mailed on 12/07/2021. 

Response to Arguments 
Applicant stated “Claim 1-3, 7-11, 21, and 22 were rejected under 35 U.S.C. § 102 over U.S. Patent Publication Number 20200106766 to Suraparaju at al. (hereinafter "Suraparaju"). This rejection is respectfully traversed. Applicant respectfully submits that each of the independent claims has been amended to include the use of ( or a system comprising) a service account. Applicant respectfully submits that Suraparaju does not teach, suggest, or disclose a service account of any type. As understood by a person of ordinary skill in the art, "A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The  security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features." (See https://docs.microsoft.com/enus/ windows/ security/identity-protection/ access-control/service-accounts). Applicant respectfully submits that the Office Action has not established that the authentication server 130 of Suraparaju is configured to determine "the service's ability to access local and network resources," and therefore does not disclose a service account. Therefore, Applicant respectfully submits that Suraparaju does not teach, suggest, or disclose each and every feature of the present embodiments, and thus does not form a proper reference under 35 U.S.C. § 102. Accordingly, Applicant respectfully requests withdrawal of the rejection of 1-3, 7-11, 21, and 22 under 35 U.S.C. § 102 over Suraparaju. Indication of allowability of these claims is respectfully solicited… Applicant respectfully submits that Tan, Lonni, SCHMIDT, Wang, and/or Amdahl do not teach, suggest, or disclose a service account of any type, and thus do not overcome the above noted deficiencies of Suraparaju. Therefore, Suraparaju, Tan, Lonni, Schmidt, Wang, and/or Amdahl do not form a proper combination under 35 U.S.C. § 103. Accordingly, Applicant respectfully requests withdrawal of the rejection of claims 4-6 and 12-20 under 35 U.S.C. § 103 over Suraparaju, Tan, Lonni, Schmidt, Wang, and/or Amdahl. Indication of allowability of these claims is respectfully solicited”
Examiner respectfully submits that while Suraparaju does not explicitly teach the above argued limitations, however, the previously cited prior art, SCHMIDT, the above argued limitations. Particularly, SCHMIDT teaches 
“service account” where a service account is a user account that provides services, as disclosed by SCHMIDT in [¶0104] ” WS is in a Windows 2000™ domain then the WebSSO”.
SCHMIDT further teaches …as disclosed in SCHMIDT, [¶0011, FIG. 5]” a method of utilizing tokens to access extranet resources”,  [¶0057, FIG. 5]” FS-R receives the SAML token and validates it 510”
Please see detailed rejection below. 
With respect the claim amendments in claims 9, 10, 19, 21, and 22, newly found prior arts are relied upon to teach the amendment limitations in the above claims. 

 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) (1-3, 7, 8, 11-16, and 18 ) is/are rejected under 35 U.S.C. 102(a)(1) and (a)(1) as being anticipated by SCHMIDT et al. (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”)    
Referring to claim 1 (Currently Amended), SCHMIDT teaches: a method of authenticating a user comprising: logging into a first token-based authentication system, the first token-based authentication system comprising a token-based authentication system (TBAS) (SCHMIDT, [¶0011, FIG. 5]” a method of utilizing tokens to access extranet resources“, [¶0057, FIG. 5]” FS-R receives the SAML token and validates it 510)”); 
creating, at the TBAS, a cookie based on a token from the TBAS (SCHMIDT, [¶0057, FIG. 5]” writes the generated SAML token as a cookie to the client and redirects the client to WS 613.”);
requesting access, by the user, to a second system, the second system comprising at least one -based application ,wherein the web-based application uses a service account comprising a first authentication tier and a second authentication tier, the first authentication tier retrieving the cookie from the TBAS (SCHMIDT, [¶0104]” WS is in a Windows 2000™ domain then the WebSSO”, [¶0057, FIG. 5]"writes the generated SAML token as a cookie to the client and redirects the client to WS 613.”, [¶0020]” At the application this means getting a Windows™ token that includes Windows™ Security Identifier (“SIDs”) (user SIDs and group SIDs) such that access checks may be made with this token against Windows™ based Access Control Lists (“ACLs”) that use SIDs “, [¶0055]” FS-A validates the user credentials. After credentials are validated, FS-A has a 
collection of user SIDs from the local NT access token 504.“, (SCHMIDT, [¶0059]” locks 615-618 show that for security reasons a NT service and an LSA Authentication Package are used to verify the WebSSO token and then turn the SIDs from that token into an NT access token 619. The SID collection is cached in the authentication package and keyed with the hash of the incoming account SIDs 620 for future use.“), (SCHMIDT, [¶0059]" the WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615.”); and
decoding and validating the token, thereby granting access to the second system based only on the user logging into the first  token-based authentication system ([¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 ").

Referring to claim 2, SCHMIDT teaches (Currently Amended) The method of claim 1, wherein at least one of the first token-based authentication system and the second system comprises a non-web-based authentication application. (SCHMIDT, [¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 ").

Referring to claim 3, SCHMIDT teaches (Currently Amended) The method of claim 2, wherein the web-based application second web application hosted on the second system (SCHMIDT, [¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 ").

Referring to claim 7, SCHMIDT teaches (Currently Amended) the method of claim 1, further comprising determining if a connection between the TBAS and the web-based application the service account (SCHMIDT, [¶0024]” A general description of the method is that for corporate accounts, SIDs from a corporate account forest are put into the ADFS token by a Federation Server (“FS”) in the corporate network “ , [¶0104]”  the WS is in a Windows(TM)2000 (Microsoft Trademark(TM) domain").

Referring to claim 8, SCHMIDT teaches (Currently Amended) the method of claim 7, wherein determining if a connection between the TBAS and the web-based application the service account further comprises querying a configuration manager for service account credentials, (SCHMIDT, par. [0055]” the client is located on the Internet, LS-A-EXT collects the user credentials (username&password or the client certificate) and sends them to FS-A for credential validation or verification 503. FS-A validates the user credentials. After credentials are validated, FS-A has a collection of user SIDs from the local NT access token 504 “), (SCHMIDT, [0056]”  FS-A obtains account group SIDs for the user 506. Then FS-A issues a SAML token carrying the transformed WebSSO claims as attributes and account group “ ).

	Referring to claim 11, SCHMIDT teaches (Currently Amended) A system comprising: an intranet; 
 at least one extranet portal forming an interface between the intranet and an extranet (SCHMIDT, [¶0035, FIG. 2]” Business to Enterprise (“B2E”) 217 typically allows employees from the site's own business 211 to access the web site 212, using their employee identities from the business's account store 207. Employees can access the site from their intranet or out on the web without requiring a vpn “); 
and at least one application-specific host environment within the intranet 
(SCHMIDT, [¶0035, FIG. 2]” Business to Enterprise (“B2E”) 217 typically allows employees from the site's own business 211 to access the web site 212, using their employee identities from the business's account store 207. Employees can access the site from their intranet“); 
wherein a user accesses at least one authentication application hosted within the application-specific host environment and at least one (SCHMIDT, [¶0104]” WS is in a Windows 2000™ domain then the WebSSO”), (SCHMIDT,  [¶0057, FIG. 5]” FS-R receives the SAML token and validates it 510)”),  (SCHMIDT, [¶0059]" the WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615)”, and
wherein authentication is established at a second interface connection between the extranet portal and the application-specific host environment via a service account, in addition to the single login (SCHMIDT, [¶0035, FIG. 2]” FIG. 4 is a block diagram showing overall processing flow for extranet access. The extranet DMZ active directory (“AD”) 404 has a one way Windows™ trust to the corpnet active directory 402. A LogonSever/FederationServer (“LS-R/FS-R”) 403 is deployed in the Extranet Resource realm and a LogonSever/FederationServer (“LS-A/FS-A”) 404 is deployed in the Corpnet Account realm or intranet 401. Federation trust between the Extranet Resource realm and the Corpnet Account realm is flagged on both sides as the “WindowsRealmTrust”trust which means that the Extranet realm has applications using traditional Windows™ authentication and authorization for users from the Corpnet realm AD store. The trusting application running on the web server (“WS”) is flagged as “WindowsRealmTrust”on federation server (“FS-R”) which means that the application is accepting user SIDs for the purposes of building the local NT access token.”).

Referring to claim 12, SCHMIDT teaches (Currently Amended) the system of claim 11, further comprising at least one web dispatcher communicatively coupled between the extranet and the extranet C, (SCHMIDT, [¶0043, FIG.3]” The Active Directory 305 stays in the intranet 313, protected by proxied services 309 in the DMZ 314. A web server (“WS”) 320 is deployed in the DMZ to make applications available to a client or web client, 311.”), (SCHMIDT, [¶0045]” SSO Agents Process Security Tokens for Web Applications 303—These agents (ISAPI extension and token/claims libraries) may convert security tokens into a Windows™ NT (Microsoft Corporation Trademark) Impersonation context or ASP.Net roles utilized by IIS applications for access control “), wherein [[the ]]at least one web dispatcher communicates with the extranet portal via a hypertext transfer protocol secure (HTTPS) connection, and wherein at least one web dispatcher coordinates all calls to the extranet (SCHMIDT, [¶0067]” The WebSSO package will in turn pass the cert to the Windows TLS/SSL Security Service Provider™for verification via the internal LsalCallPackage call.”).

Referring to claim 13, SCHMIDT teaches (Currently Amended) The system of claim 12, further comprising at least one reverse proxy(SCHMIDT[¶0035, FIG. 2]”  the site's own business 211 to access the web site 212, using their employee identities from the business's account store 207“).

Referring to claim 14 (Currently Amended) The system of claim 13, further comprising: a first firewall   (SCHMIDT, [0041]“Typically a firewall stands between the LAN and DMZ.”); and
a first demilitarized zone (SCHMIDT [¶0043, FIG.3]” The Active Directory 305 stays in the intranet 313, protected by proxied services 309 in the DMZ 314. A web server (“WS”) 320 is deployed in the DMZ to make applications available to a client or web client, 311.”);
wherein the reverse proxy is configured to intercept user calls to external websites  (SCHMIDT, [0041]“ A web server (“WS”) 320 is deployed in the DMZ to make applications available to a client or web client, 311. Deploying the WS in the DMZ typically calls for deploying the FSR 309 in the DMZ so that trust is established between the WS and FSR without causing security issues by crossing the DMZ, Intranet boundary. FSP-A 321 is the proxy server of FS A 308.”).

Referring to claim 15, SCHMIDT  teaches the system of claim 14, further comprising:
a second firewall disposed between the reverse proxy (SCHMIDT, [¶0032]” The second component is the Web Site (Resource Owner) 212 which is typically a service containing resources the user accesses. Examples may include various applications, web pages, or web sites that a user may access. In a SSO situation an organization such as a corporation may wish to deploy the web site 212 in the DMZ so that a client on the internet 210 may access the application. “); and
a second demilitarized zone (SCHMIDT, [¶0033]” Finally there is the Account Store (Account Administrator) 204-207 component which is typically a service that defines identities and attributes for controlling user access to web site resources. Examples may include LDAP-based directories, SQL-based databases, and the like. The resources may reside on the intranet 201, the DMZ 202 or the internet 218.”);
wherein the reverse proxy (SCHMIDT, [¶0041]”  A demilitarized zone (“DMZ”) may refer to a perimeter security network typically established at a boundary between a local area network (“LAN”) and the internet. Such a DMZ serves to protect servers on the LAN from malicious users on the internet. Typically a firewall stands between the LAN and DMZ. A DMZ may include proxy servers, web servers, and virtual private network (“VPN”) servers.”, SCHMIDT, [¶0032]” In a SSO situation an organization such as a corporation may wish to deploy the web site 212 in the DMZ so that a client on the internet 210 may access the application.”).

Referring to claim 16, SCHMIDT  teaches (Currently Amended) the system of claim [[11]].15., further comprising at least one application-specific server disposed within the application-specific host environment (SCHMIDT, par. [0043]” A web server (“WS”) 320 is deployed in the DMZ to make applications available to a client or web client” “).

Referring to claim 18, SCHMIDIT teaches (Currently Amended) The system of claim 11, further comprising (SCHMIDT, [¶022]” Active Directory Federation Services (“ADFS”)™ is an example of an authentication system that provides ADFS tokens, for authentication and authorization to applications in a DMZ to exchange data.”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims (4, 5, and 17) is/are rejected under 35 U.S.C. 103 as being unpatentable over SCHMIDT et al. (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”) and in view of TAN et al. (US-20010045451-A1, TAN referred to as " TAN”)

Referring to claim 4, SCHMIDT teaches (Currently Amended) The method of claim 3, wherein decoding and validating the token is performed by the second web application, and wherein the second web application [saves the token as a text file] (SHMIDT, [¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 ").
However, SCHMIDT does not teach explicitly application [saves the token as a text file.]
Wherein, TAN teaches application saves the token as a text file  (TAN, [¶0049]” StrClear is a String with no minimum or maximum length that is sent into the method (presumed to be empty) and returns with the value of the clear text token to be utilized by the parent application”).
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified SCHMIDT to incorporate the teaching of TAN to utilize the above feature, with the motivation of using the clear text token by the parent application, as recognized by (TAN [0049]).


Referring to claim 5, (SCHMIDT in view of TAN) teaches (Currently Amended) the method of claim 4.
Wherein SCHMIDT further teaches further comprising determining if the user is authenticated, wherein the web-based application (SCHMIDT, [¶0022]“ Tokens are typically used to authenticate users. Active Directory Federation Services (“ADFS”)™ is an example of an authentication system that provides ADFS tokens, for authentication and authorization to applications in a DMZ to exchange data” , [¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 ", {i.e., examiner interprets validation as authentication}, ).
However, SCHMIDT does not teach explicitly [reads the text file to determine an identity of the user].
Wherein, TAN teaches reads the text file to determine an identity of the user (TAN, [0053]” The returned value identifies which profile originated the token and the contents of the token in clear text”).
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified SCHMIDT to incorporate the teaching of TAN to utilize the above feature, with the motivation of using the authentication with applications, to enhance the scalability, availability, and extensibility for authorization implementation, as recognized by (TAN [0030]).


Referring to claim 17, SCHMIDIT teaches (Currently Amended) The system of claim 16. 
However, SCHMIDT does not teach further comprising:
at least one web farm; and multiple windows internet information services (IIS) web servers hosted on [[the ]]at least one web farm, wherein [[the ]]at least one application-specific server is coupled to [[the ]]at least one web farm via an[[a]] HTTPS connection, and
wherein each of the multiple internet information services (IIS) web servers is coupled
to at least one other web server of the multiple internet information services (IIS) web servers.
Wherein TAN teaches at least one web farm (TAN, par. [0013]” The access Server Sends the authentication cookie or cookies to the browser of the client workstation and redirects the browser at the client WorkStation to one or more additional Servers, Such as the online banking System Server [i.e., a web farm]. The additional Server or Servers verifies the authentication cookie for access for the user to the additional Server or Servers, Such as the online home banking System Server.”);
and multiple windows internet information services (IIS) web servers hosted on [[the ]]at least one web farm (TAN, [¶0041]” Aspects of an embodiment of the present invention involve, for example, enabling the online banking System home page to read authentication cookies, the online banking System trusted logon, implementing the Smart card logon page, incorporating authentication cookie management to the IIS ASP page”, (TAN, [0013]” The access Server Sends the authentication cookie or cookies to the browser of the client workstation and redirects the browser at the client WorkStation to one or more additional Servers, Such as the online banking System Server [i.e., a web farm].”),
wherein [[the ]]at least one application-specific server is coupled to [[the ]]at least one web farm via an[[a]] HTTPS connection (TAN, par. [0041]” enabling the online banking System home page to read authentication cookies, the online banking System trusted logon, implementing the Smart card logon page, incorporating authentication cookie management to the IIS ASP page, redirecting the browser of the user's PC 16 to the online banking System home page, incorporating IIS ASP routine into the access server 14, and mapping Logical Card-ID to the online banking System user ID.”, (TAN, [0032]” The Smart card logon page is a Secure web site via Secure Hypertext Transfer Protocol (HTTPS).”), and
wherein each of the multiple internet information services (IIS) web servers is coupled to at least one other web server of the multiple internet information services (IIS) web servers (TAN, [¶0051]” The application specific server 144 may be communicatively coupled to the web farm 142 via a second HTTPS connection 146 and each of the multiple windows IIS web servers 150 within the web farm 142 may also be coupled to one another “).


Claim (6) is/are rejected under 35 U.S.C. 103 as being unpatentable over SCHMIDT et al. (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”) and in view of TAN et al. (US-20010045451-A1, TAN referred to as " TAN”) and further view of FAN et al. (CN-107819610-A, FAN referred to as " FAN”).

Referring to claim 6, (SCHMIDT in view of TAN) teaches (Currently Amended) the method of claim 5.
Wherein, SHCMIDT further teaches wherein the web-based Application (SHMIDT,  [0059] “the WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615.), and
However, SCHMIDT does not explicitly teach wherein if the user is not authenticated, the method further comprises prompting the user for login credentials for the TBAS.
	Wherein, FAN teaches wherein if the user is not authenticated, the method further comprises prompting the user for login credentials for the TBAS ([FAN, Page 2-3]” the URL of the user using application program accessing the application program, the user is redirected to the uniform login URL provided by the SSO server uses HTTPS connection, service name of the request as a parameter which is transmitted to the user display a user name/password dialog box; (2), the user inputs the ID and password, SSO server performs identity authentication, if authentication fails, SSO server transmits the login request, (3) if the identity authentication is successful, the SSO server to redirect the user back to the target application program, and is a parameter in the URL has a ticket, then the SSO server creating a ticket-granting cookie memory cookie”).
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT in view of TAN) to incorporate the teaching of FAN to utilize the above feature, with the motivation of using the cookie for automatically re-authentication, as recognized by (FAN [Page 3]).



Claims (9) is/are rejected under 35 U.S.C. 103 as being unpatentable over SCHMIDT et al. (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”) and in view of KAN et al. (US- 20190171584 -A, KAN referred to as " KAN”) and further 
view of OON et al. (US- 6408266-B1, OON referred to as " OON”) and  DEVANEY et al. (US-20180139205-A1, DEVANEY referred to as " DEVANEY”).

Referring to claim 9, SCHMIDT teaches (Currently Amended) The method of claim 1, wherein decoding and validating the token further comprises:
creating at least one hash file name, (SCHMIDT, par. [0061]” The WebSSO ISAPI extension will search the cached NT token in its cache (by hashing the SAML token sent in the cookie and finding corresponding cache entry with that hash)”);
However, SCHMIDT does not teach explicitly retrieving an address of the current directory.
Wherein, KAN teaches retrieving an address of the current directory (KAN, [¶0051] “receives a file path of an access destination”)
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified SCHMIDT to incorporate the teaching of KAN to utilize the above feature, with the motivation of  providing an access control unit, as recognized by (KAN [0019]).

However, (SCHMIDT in view of KAN) does not teach explicitly creating a machine name string
checking the machine name string against a library of credentials from the TBAS.
Wherein, OON teaches creating a machine name string (OON, [¶0067]” Each of the computer generated key is a string of characters that is the name of a computer text file stored on disk”);
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT in view of KAN) to incorporate the teaching of OON to utilize the above feature, with the motivation of helping the user in the creation of higher quality word processed content in an iterative process., as recognized by (OON [Col. 5 line 32-33]).

However, (SCHMIDT in view of KAN in further view of OON) does not teach explicitly checking the machine name string against a library of credentials from the TBAS.
Wherein, DEVANEY teaches checking the machine name string against a library of credentials from the TBAS (DEVANEY [0047]” checks Keylogging & Multifactor requires Single sign-on (SSO + Password + Credential Theft Certificate + Device) Token cross-checks and expiration Virtual Machine “)
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT in view of KAN in further view of OON) to incorporate the teaching of DEVANEY to utilize the above feature, with the motivation of providing a cost-effective, transparent enhanced security layer for remote access authentication with repeated security., as recognized by (DEVANEY [¶0003]).

Claims (10, 21 and 22) is/are rejected under 35 U.S.C. 103 as being unpatentable over SCHMIDT et al. (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”) and in view of TAN et al. (US-20160255067-A1, TAN referred to as " TAN”) in further view of KEROMYTIS et al. (US-20010045451-A1, KEROMYTIS referred to as " KEROMYTIS”)

Referring to claim 10, (SCHMIDT in view of TAN in further view of KEROMYTIS)  teaches: (Currently Amended) The method of claim 5[[1]]
further comprising invalidating, the token after the expiration of a predetermined time-out period. 
wherein if the user is authenticated, the method further comprises:
setting, at the first authentication tier (SCHMIDT, [¶0057]” FS-R receives the SAML token and validates it 510. Upon successful token validation, FS-R performs normal claim transformation for the claims obtained from the token“), the identity of the user to an authenticated, identify of the user using the cookie (SCHMIDT, [¶0059]” The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616. The package expands the SIDs to add resource group SIDs for the domain WS is joined to 617 (see the section “Group Expansion” below)“);
receiving, at the second authentication tier, the authenticated identity of the user
from the first authentication tier (SCHMIDT, [0059]” the WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616. “).; and
However (SCHMIDT in view of TAN)  does not teach explicitly, querying, by the second authentication tier, a configuration manager for service account credentials.
Wherein, KEROMYTIS teaches , querying, by the second authentication tier, a configuration manager for service account credentials.( KEROMYTIS, [0087]” the authentication credentials can be obtained in response to receiving one or more suitable user inputs of the authentication credentials. As another example, the client device can retrieve the authentication credentials for the vouching service account that have been stored by the client device (e.g., using one or more browser cookies that can store user names, passwords, authentication tokens and/or any other suitable authentication credentials)“). 
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT in view of TAN) to incorporate the teaching of KEROMYTIS  to utilize the above feature, with the motivation of authenticate a user account using one or more vouching service, as recognized by (KEROMYTIS  [0033]).

Referring to claim 21, SCHMIDT teaches  (Currently Amended) A method of authenticating a user comprising:
logging into a first system, the first system comprising a token-based authentication system (TBAS) (SCHMIDT, [¶0011, FIG. 5]” a method of utilizing tokens to access extranet resources“, [¶0057, FIG. 5]” FS-R receives the SAML token and validates it 510)”);
creating, at the TBAS, a cookie based on a token from the TBAS (SCHMIDT, [¶0057, FIG. 5]” writes the generated SAML token as a cookie to the client and redirects the client to WS 613.”), the cookie comprising one or more parameters relating to an authenticated environment of the TBAS (SCHMIDT, [¶0058]” The WebSSO ISAPI extension on WS receives the token and redirects to the original URL 614 that the client was trying to access. In this redirect the ISAPI extension writes the WebSSO token as a cookie.“);
upon requesting access to a second system by the user, sending the cookie to the second system (SCHMIDT, [¶0104]” WS is in a Windows 2000™ domain then the WebSSO”, [¶0057, FIG. 5]"writes the generated SAML token as a cookie to the client and redirects the client to WS 613.”) ; and
using a first web-based application to decode and validate the
cookie if the connection between the first system and the second system uses a service account  ( (SCHMIDT, [¶0104]” WS is in a Windows 2000™ domain then the WebSSO”, [¶0057, FIG. 5]"writes the generated SAML token as a cookie to the client and redirects the client to WS 613.”, (SCHMIDT, [¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 "),( SCHMIDT, [0060]” Cookies written to the client are used to achieving single sign-on experience and to avoiding repetitive and typically expensive operations. The cookie written in 508 …to find an entry with the key equal to the hash of the incoming SIDs, so that the resource group SID expansion can be avoided.“).,
the service account comprising a first authentication tier and a second authentication tier, the second authentication tier comprising (SCHMIDT, [¶0104]” WS is in a Windows 2000™ domain then the WebSSO”, [¶0057, FIG. 5]"writes the generated SAML token as a cookie to the client and redirects the client to WS 613.”, [¶0020]” At the application this means getting a Windows™ token that includes Windows™ Security Identifier (“SIDs”) (user SIDs and group SIDs) such that access checks may be made with this token against Windows™ based Access Control Lists (“ACLs”) that use SIDs “, [¶0055]” FS-A validates the user credentials. After credentials are validated, FS-A has a collection of user SIDs from the local NT access token 504.“, [¶0059]” locks 615-618 show that for security reasons a NT service and an LSA Authentication Package are used to verify the WebSSO token and then turn the SIDs from that token into an NT access token 619. The SID collection is cached in the authentication package and keyed with the hash of the incoming account SIDs 620 for future use.“,  [¶0059]" the WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615.”):
	However, SCHMIDT does not teach explicitly receiving an authenticated user ID from the first authentication tier; and
wherein Tan teaches receiving an authenticated user ID from the first authentication tier; and (Tan, [¶ 0013]” Verification of the authentication cookie involves, for example, reading the authentication cookie by the home page of the online banking system server, retrieving the online banking system user ID, and performing a trusted logon on behalf of the user. “)
receiving an authenticated user ID from the first authentication tier (Tan, [¶ 0013]”retrieving the online banking system user ID, and performing a trusted logon on behalf of the user. “); and
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified SCHMIDT to incorporate the teaching of TAN to utilize the above feature, with the motivation of improving the security, through using the certificate in logging in according to an embodiment of the present invention is far more secure in the virtual world, as recognized by (TAN [0023]).

However, (SCHMIDT in view of TAN) does not teach explicitly teaches querying a configuration manager for service account credentials  
wherein, KEROMYTIS  teaches querying a configuration manager for service account credentials  ( KEROMYTIS, [0087]” the authentication credentials can be obtained in response to receiving one or more suitable user inputs of the authentication credentials. As another example, the client device can retrieve the authentication credentials for the vouching service account that have been stored by the client device (e.g., using one or more browser cookies that can store user names, passwords, authentication tokens and/or any other suitable authentication credentials)“). 
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT in view of TAN) to incorporate the teaching of KEROMYTIS  to utilize the above feature, with the motivation of authenticate a user account using one or more vouching service, as recognized by (KEROMYTIS  [0033]).


Referring to claim 22, (SCHMIDT in view of TAN in further view of KEROMYTIS) teaches (Currently Amended) The method of claim 21.
Wherein, SCHMIDT further teach wherein the second system comprises second web-based application ( (SCHMIDT, [¶0059, FIG. 6]" The WebSSO ISAPI extension on WS receives the token as a cookie and passes it to the WebSSO service for validation 615. The service validates the token, obtains SIDs, and passes the SIDs to the WebSSO authentication package 616 ").

Claims (19) is/are rejected under 35 U.S.C. 103 as being unpatentable over SCHMIDT et al. (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”) and in view of WANG et al. (US-20180288150-A1, WANG referred to as " WANG”) in further view of BENTZ et al. (US- 20060195877 -A1, BENTZ referred to as " BENTZ”) and VICK et al. (US- 7082532-B1, VICK referred to as " VICK”) and  further view of BROWN et al. (US- 20040010724 -A1, BROWN referred to as " BROWN”) 

Referring to claim 19, SCHMIDT teaches (Currently Amended) The system of claim 11.
However , SCHMIDT does not teach explicitly  further comprising:
at least one exchange server communicatively coupled via a first simple mail transfer protocol (SMTP) connection to the application-specific host environment comprising a web farm comprising multiple internet information services (IIS) web servers; and
	at least one client communicatively coupled to the at least one exchange server via a second simple mail transfer protocol (SMTP) connection, and communicatively coupled to the application-specific host environment via an HTTPS connection
wherein, WANG teaches protocol (SMTP) connection to the application-specific host environment comprising a web farm comprising multiple internet information services (IIS) web servers (WANG, par. [0017], FIG. 1 “such as Exchange servers, via a Simple Mail Transfer Protocol (SMTP) interface are described. For example, the systems and methods may provide an SMTP server between one or more Exchange servers and a media agent”); and
at least one client communicatively coupled to the at least one exchange server via a
second simple mail transfer protocol (SMTP) connection, and communicatively coupled to the application-specific host environment via an HTTPS connection (WANG, par. [0053], FIG. 1C “System 100 includes computing devices and computing technologies. For instance, system 100 can include one or more client computing devices 102 and secondary storage computing devices 106, as well as storage manager 140 or a host computing device for it”, (WANG [0107]) “Management agent 154 can provide storage manager 140 with the ability to communicate with other components within system 100 and/or with other information management cells via network protocols and application programming interfaces (APIs) including, e.g., HTTP, HTTPS, FTP, REST, virtualization software APIs, cloud service provider APIs, and hosted service provider APIs, without limitation, Management agent 154 also allows multiple information management cells to communicate with one another.”, (WANG, [0060]) ”Each client computing device 102 may have application(s) 110 executing thereon which generate and manipulate the data that is to be protected from loss and managed in system 100. Applications 110 generally facilitate the operations of an organization, and can include, without limitation, mail server applications (e.g., Microsoft Exchange Server), file system applications, mail client applications (e.g., Microsoft Exchange Client), database applications or database management systems (e.g., SQL, Oracle, SAP, Lotus Notes Database), word processing applications (e.g., Microsoft Word)”).
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified SCHMIDT to incorporate the teaching of WANG to utilize the above feature, with the motivation of delivering high performance and enhance scalability, as recognized by (WANG [0075]).

However, (SCHMIDT and WANG) does not teach wherein requests from the at [least one extranet portal are passed to at least one of the multiple internet information services (IIS) web servers ]with an encrypted cookies that is verified within the web farm using a dynamic link library (DLL).
Wherein, BENTZ teaches 	least one extranet portal are passed to at least one of the multiple internet information services (IIS) web servers (BENTZ, [0029]” least one extranet portal are passed to at least one of the multiple internet information services (IIS) web servers”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT and WANG) to incorporate the teaching of BENTZ to utilize the above feature, with the motivation of enhancing the availability for the resources and services, as recognized by (BENTZ [0030]).

However, (SCHMIDT in view of WANG in further view of BENTZ) does not teach explicitly encrypted cookies that is verified within the web farm using a dynamic link library (DLL).
Wherein, VICK teaches cookies that is verified within the web farm using a dynamic link library (DLL) (VICK, [¶0009]” , the web server creates an encrypted password cookie containing user information”).
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT and WANG and BENTZ) to incorporate the teaching of VICK to utilize the above feature, with the motivation of federate group of sites which support the same cookie key, as recognized by (VICK [Col4 line 25-26]).

However, (SCHMIDT in view of WANG in further view of BENTZ and VICK) verified within the web farm using a dynamic link library (DLL).
Wherein, BROWN teaches verified within the web farm using a dynamic link library (DLL) (BROWN,[¶0035] If the verification server 222 verifies that the user is authorized to log on, the server will retrieve the user's password from the database 221 and send the user's password back to the workstation where the log-on will be completed, at step 319, via the GINA DLL 255.)
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (SCHMIDT in view of WANG in further view of BENTZ and VICK) to incorporate the teaching of BROWN to utilize the above feature, with the motivation of authenticates the user biometric according to the authentication rule associated with the user, as recognized by (BROWN [0013]).


Claim (20) is/are rejected under 35 U.S.C. 103 as being unpatentable over (US-20060123234-A1, SCHMIDT referred to as " SCHMIDT”) and in view of WANG et al. (US-20180288150-A1, WANG referred to as " WANG”) in further view of BENTZ et al. (US- 20060195877-A1, BENTZ referred to as " BENTZ”) and further view of VICK et al. (US- 7082532-B1, VICK referred to as " VICK”) and  further view of BROWN et al. (US- 20040010724 -A1, BROWN referred to as " BROWN”) and in further view of AMDAHL et al. (US-9491157-b1, AMDAHL referred to as " AMDAHL”).

 	Referring to claim 20, (SCHMIDT in view of WANG in further view of BENTZ, VICK, and BROWN) teaches (Currently Amended) The system of claim 19.[[11]].
However (SCHMIDT in view of WANG in further view of BENTZ, VICK, and BROWN) does not teach explicitly wherein at least one connection between one or more components of the system comprises at least one of a secure sockets layer (SSL) connection, a transport layer security (TLS) connection, and a new technology LAN manager (NTLM) connection.
Where in AMDAHL teaches wherein at least one connection between one or more components of the system comprises at least one of a secure sockets layer (SSL) connection, a transport layer security (TLS) connection, and a new technology LAN manager (NTLM) connection . (AMDAHL, col. [003], line. [0036-0046]” If the server receives a communication that includes a response message, it may perform one or more actions to validate the response message. If the response message is validated, the connection between the client and server may be considered authenticated. In some embodiments, the challenge-response authentication protocol may be operative in addition to encryption protocols such as Secured Socket Layer (SSL), Transport Layer Security (TLS), or the like. For example, NT LAN Manager (NTLM) authentication may be considered a challenge-response authentication protocol.”)
Motivation statement
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified  SCHMIDT to incorporate the teaching of AMDAHL to utilize the above feature, with the motivation of using authenticated cookie to secure the connection, as recognized by (AMDAHL [Col 17 line 16-18]).




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's Disclosure. FAUSAK et al. (US-9407725-B2, FAUSAK referred to as " FAUSAK”) suggests ([col. 42, line. 1-6] “The HTML client receives (via standard HTML-method compatible code, such as JavaScript) data streams to use for interpreting transcoded data. The HTML client may extract all input streams and apply this to localized functions and devices. The HTML client may encode all output streams as specified in the Script (JavaScript) and applies it to remote
functions and devices.”)
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AHMED HUMADI whose telephone number is (571)272-2066. The examiner can normally be reached (7:30 am - 4:00 pm) Monday-Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.  

/AHMED HUMADI/Examiner, Art Unit 2497                                                                                                                                                                                                        
/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497