DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 04/04/2022.
In the instant Amendment, claims 1, 4, 6, 8, 10, 13, 15, 17 and 19 have been amended; and claims 1, 10 and 19 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.

Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 04/04/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “none of the cited references discloses determining, in the authentication request, an indicator indicating whether 7certificate-based authentication is enforced for the client as recited in claims 1, 10 and 19.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Innes discloses determining, in the authentication request, an indicator indicating whether 7certificate-based authentication is enforced for the client (Innes: ¶0109 at one or more points during the authentication, the resource 720 may request a signature, such as from a client certificate [] the proxy device 710 may request that the client device 705 sign or decrypt an authentication message using the client certificate (or a private key included therein), or return a list of available security certificates or a selection by the user of a particular security certificate; ¶0130 the client device 705 may send a request to the proxy device 710 for one or more resources, such as web resources, enterprise resources (e.g., from a network file server), or other resources, that can be accessed by the proxy device 710 but that may require user authentication based on a client certificate). More specifically, Innes discloses sending, from a client device to a proxy device, a request for a resource. The client device may receive, from the proxy device, a request for the client device to provide a signature [] in response to a request, sending, from the client device to the proxy device, a list comprising one or more security certificates available to the client device. The received request for the client device to provide the signature may include an identification of a security certificate selected from the list comprising one or more security certificates [0010] and another feature relates to the enablement of a client side certificate for certain applications 610 as secondary credentials (for the purpose of accessing PKI protected web resources via the MAMP micro VPN feature). For example, an application such as @WorkMail may utilize such a certificate. In this case, certificate-based authentication using ActiveSync protocol may be supported, wherein a certificate from the client agent 604 may be retrieved by the gateway server 606 and used in a keychain. Each managed application may have one associated client certificate, identified by a label that is defined in the gateway server [0098].  Therefore, as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.

Applicant’s arguments: “none of the cited references discloses in response to determining that certificate-based authentication is enforced for the client, initiating certificate-based authentication for the remote device of the client as recited in claims 1, 10 and 19.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Innes discloses in response to determining that certificate-based authentication is enforced 9for the client, initiating certificate-based authentication for the remote device of the client (Innes: ¶0128 the client device 705 may use an enterprise client certificate for this authentication; ¶0140 in step 928, the proxy device 710 may generate a request for a signature corresponding to the selected certificate from the client device 705. The proxy device 710 may also generate a piece of data to be signed. For Kerberos authentication, the piece of data may comprise an authentication service request (AS_REQ) message using the selected certificate). More specifically, Innes discloses if the authentication session comprises Kerberos authentication, the proxy device 710 may need to obtain Kerberos tickets and can select the certificate suitable to obtain Kerberos tickets. If the client device 705 returned multiple certificates in step 924, the proxy device 710 may send a selection request to the client device seeking user input to select from a list of certificates [0138]. Therefore, as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.

Applicant’s arguments: “none of the cited references discloses in response to determining that certificate-based authentication is not enforced for the client, sending information associated with a user interface to the client, wherein the user interface allows the client to select an authentication method from a set of authentication methods supported by the authentication system as recited in claims 1, 10 and 19.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Foley discloses in response to determining that certificate-based authentication is not 11enforced for the client, sending information associated with a user interface to the 12client, wherein the user interface allows the client to select an authentication 13method from a set of authentication methods supported by the authentication 14system (Foley: ¶0026 the user may select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication; ¶0036 if the user does not have a digital certificate associated with the user's registration, then the smart card may be optionally registered to the user's registration (step 323)). More specifically, Foley discloses a system and method for selecting at least one authentication method for accessing a restricted service. The system allows a user to select a method of authentication for access to the restricted service, where the restricted service may require at least one of many methods of authentication in order to gain access to it [0010] and the user may also select an authentication method based on a particular service [] the user may access an authentication maintenance page (step 401). The user may choose an authentication method for each restricted service or access (step 403). In this way, one restricted service may be accessed via, for example, the user password and PIN authentication method while another restricted service may be accessed via, for example, the smart card and PIN authentication method. Any authentication method may be selected for any restricted service or access depending on the needs of the user [0038]. Therefore, as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.

The amended claims 1, 10 and 19 have been addressed in rejection below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


Claims 1, 5-10 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Innes et al. (“Innes,” US 2015/0365412) in view of Foley et al. (“Foley,” US 2002/008789).

Regarding claim 1: Innes discloses a method for facilitating an enhanced authentication system, 2comprising:
3obtaining, by the authentication system from a remote device of a client, 4an authentication request prior to exchange of application layer web traffic Innes: ¶0128 in step 904, the client device 705 may authenticate the proxy device 710. Additionally or alternatively, in step 906, the proxy device 710 may authenticate the client device 705. In other words, the client device 705 and proxy device may perform mutual authentication. To perform the authentication, the client device 705 may connect to the proxy device 710 using SSL with server authentication. The proxy device 710 may request the client device 705 and/or the user of the client device 705 to authenticate to the proxy device 710 before authorizing access to the proxy device 710; ¶0130 the request for a resource may be sent by the client device 705 over HTTP, HTTPS, [application layer] or any other access protocol supported by the client device);
6determining, in the authentication request, an indicator indicating whether 7certificate-based authentication is enforced for the client (Innes: ¶0109 at one or more points during the authentication, the resource 720 may request a signature, such as from a client certificate [] the proxy device 710 may request that the client device 705 sign or decrypt an authentication message using the client certificate (or a private key included therein), or return a list of available security certificates or a selection by the user of a particular security certificate; ¶0130 the client device 705 may send a request to the proxy device 710 for one or more resources, such as web resources, enterprise resources (e.g., from a network file server), or other resources, that can be accessed by the proxy device 710 but that may require user authentication based on a client certificate);
8in response to determining that certificate-based authentication is enforced 9for the client, initiating certificate-based authentication for the remote device of the client (Innes: ¶0128 the client device 705 may use an enterprise client certificate for this authentication; ¶0140 in step 928, the proxy device 710 may generate a request for a signature corresponding to the selected certificate from the client device 705. The proxy device 710 may also generate a piece of data to be signed. For Kerberos authentication, the piece of data may comprise an authentication service request (AS_REQ) message using the selected certificate).
Innes does disclose to provide the authentication may include an identification of a security certificate selected from the list comprising one or more security certificates but does not explicitly disclose in response to determining that certificate-based authentication is not 11enforced for the client, sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from a set of authentication methods supported by the authentication 14system.
However, Foley discloses 10in response to determining that certificate-based authentication is not 11enforced for the client, sending information associated with a user interface to the 12client, wherein the user interface allows the client to select an authentication 13method from a set of authentication methods supported by the authentication 14system (Foley: ¶0026 the user may select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication; ¶0036 if the user does not have a digital certificate associated with the user's registration, then the smart card may be optionally registered to the user's registration (step 323)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Foley with the system/method of Innes to include the user interface allows the client to select an authentication 13method from a set of authentication methods supported by the authentication 14system. One would have been motivated to facilitating the determination of an authentication method for accessing a restricted service related to transactions via a network (Foley: ¶0002).



1Regarding claim 5: Innes in view of Foley discloses the method of claim 1.
Innes further discloses wherein the application layer web traffic is 2based on Hypertext Transfer Protocol (HTTP) or a variation thereof (Innes: fig. 5; ¶0073 the virtual private network connections may carry Microsoft Exchange traffic, Microsoft Active Directory traffic, HTTP traffic, HTTPS traffic, application management traffic).
1
Regarding claim 6: Innes in view of Foley discloses the method of claim 1.
Foley further discloses 2determining selection certificate-based authentication in 3the user interface (Foley: ¶0036 a check is made to determine whether the user has a digital certificate (e.g., X.509 format) associated with the user's registration (e.g., a user Internet account) (step 321)); and
4redirecting the request for initiating certificate-based 5authentication for the remote device of client (Foley: ¶0036 if the user has a digital certificate associated with the user's registration, then a check is made to determine whether the smart card with the digital certificate is active (step 325)).
The motivation is the same that of claim 1 above.
1
Regarding claim 7: Innes in view of Foley discloses the method of claim 1.
Foley further discloses 2determining an authentication method selected at the user interface (Foley: ¶0038 the user may also select an authentication method based on a particular service); and
3sending, to the remote device, a request for authentication information that 4authenticates the client using the selected authentication method (Foley: ¶0031 the host may request the appropriate authentication information from the user. For example, if the cookie indicates that the user has selected to use the user identification and password authentication method (step 205), then a dialog box requesting a user identification and password is presented to the user via a web page (step 207)).
The motivation is the same that of claim 1 above.
1
Regarding claim 8: Innes in view of Foley discloses the method of claim 1.
Innes further discloses 3obtaining a certificate configured in a smart card of the client (Innes: ¶0010 the security certificate may be stored on a smart card connected to the client device); and
4validating the certificate and an identity of the client (Innes: ¶0092 SSL certificate validation may be operable so the application specifically validates the server SSL certificate; ¶0129 client device 705 may also authenticate the user of the client device 705 to the proxy device 710, for instance using the client certificate available to the device as part of the SSL handshake),
wherein validating the identity includes authenticating the client based on a piece of information provided by the client (Innes: ¶0073 allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558).  
27Attorney Docket No. NTNX-PAT-719Inventor: Agrawal
Regarding claim 9: Innes in view of Foley discloses the method of claim 8.
Innes further discloses wherein the smart card is a common access card (CAC), and wherein the certificate-based authentication includes CAC-based 3authentication (Innes: ¶0112 the certificate may be bound to a physical smart card having a cryptographic module [...] the user may authorize the client device 705 to access the smart card protected certificate).  
1
Regarding claim 10: Innes discloses a non-transitory computer-readable storage medium storing 2instructions that when executed by a computer cause the computer to perform a 3method for facilitating an enhanced authentication system, the method 4comprising:
5obtaining, by the authentication system from a remote device of a client, 6an authentication request prior to exchange of application layer web traffic Innes: ¶0128 in step 904, the client device 705 may authenticate the proxy device 710. Additionally or alternatively, in step 906, the proxy device 710 may authenticate the client device 705. In other words, the client device 705 and proxy device may perform mutual authentication. To perform the authentication, the client device 705 may connect to the proxy device 710 using SSL with server authentication. The proxy device 710 may request the client device 705 and/or the user of the client device 705 to authenticate to the proxy device 710 before authorizing access to the proxy device 710; ¶0130 the request for a resource may be sent by the client device 705 over HTTP, HTTPS, [application layer] or any other access protocol supported by the client device);
8determining, in the authentication request, an indicator indicating whether 9certificate-based authentication is enforced for the client (Innes: ¶0109 at one or more points during the authentication, the resource 720 may request a signature, such as from a client certificate [] the proxy device 710 may request that the client device 705 sign or decrypt an authentication message using the client certificate (or a private key included therein), or return a list of available security certificates or a selection by the user of a particular security certificate; ¶0130 the client device 705 may send a request to the proxy device 710 for one or more resources, such as web resources, enterprise resources (e.g., from a network file server), or other resources, that can be accessed by the proxy device 710 but that may require user authentication based on a client certificate);
10in response to determining that certificate-based authentication is enforced 11for the client, initiating certificate-based authentication for the remote device of the client (Innes: ¶0128 the client device 705 may use an enterprise client certificate for this authentication; ¶0140 in step 928, the proxy device 710 may generate a request for a signature corresponding to the selected certificate from the client device 705. The proxy device 710 may also generate a piece of data to be signed. For Kerberos authentication, the piece of data may comprise an authentication service request (AS_REQ) message using the selected certificate).
Innes does disclose to provide the authentication may include an identification of a security certificate selected from the list comprising one or more security certificates but does not explicitly disclose in response to determining that certificate-based authentication is not 13enforced for the client, sending information associated with a user interface to the remote device of the 14client, wherein the user interface facilitates selection an authentication 15method from a set of authentication methods supported by the authentication 16system.however, Foley discloses 12in response to determining that certificate-based authentication is not 13enforced for the client, sending information associated with a user interface to the 14client, wherein the user interface allows the client to select an authentication 15method from a set of authentication methods supported by the authentication 16system (Foley: ¶0026 the user may Select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication; ¶0036 if the user does not have a digital certificate associated with the user's registration, then the Smart card may be optionally registered to the user's registration (step 323)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Foley with the system/method of Innes to include the user interface allows the client to select an authentication 13method from a set of authentication methods supported by the authentication 14system.
One would have been motivated to facilitating the determination of an authentication method for accessing a restricted service related to transactions via a network (Foley: ¶0002).  

Regarding claims 14-18: Claims 14-18 are similar in scope to claims 5-9, respectively, and are therefore rejected under similar rationale.  
1
Regarding claim 19: Innes discloses a computer system, comprising:
2a processor (Innes: fig. 1 item 111);
3a storage device (Innes: fig. 4 item 404 storage devices); and
4a memory coupled to the processor and storing instructions (Innes: fig. 1 item 121), which when 5executed by the processor cause the processor to perform a method for facilitating 6an enhanced authentication system, the method comprising:
7obtaining, by the authentication system from a remote device of a 8client, an authentication request prior to exchange of application layer web 9traffic for accessing a piece of resource protected by the authentication 10system (Innes: ¶0128 in step 904, the client device 705 may authenticate the proxy device 710. Additionally or alternatively, in step 906, the proxy device 710 may authenticate the client device 705. In other words, the client device 705 and proxy device may perform mutual authentication. To perform the authentication, the client device 705 may connect to the proxy device 710 using SSL with server authentication. The proxy device 710 may request the client device 705 and/or the user of the client device 705 to authenticate to the proxy device 710 before authorizing access to the proxy device 710; ¶0130 the request for a resource may be sent by the client device 705 over HTTP, HTTPS, [application layer] or any other access protocol supported by the client device);
11determining, in the authentication request, an indicator indicating 12whether certificate-based authentication is enforced for the client (Innes: ¶0109 at one or more points during the authentication, the resource 720 may request a signature, such as from a client certificate [] the proxy device 710 may request that the client device 705 sign or decrypt an authentication message using the client certificate (or a private key included therein), or return a list of available security certificates or a selection by the user of a particular security certificate; ¶0130 the client device 705 may send a request to the proxy device 710 for one or more resources, such as web resources, enterprise resources (e.g., from a network file server), or other resources, that can be accessed by the proxy device 710 but that may require user authentication based on a client certificate);
13in response to determining that certificate-based authentication is Attorney Docket No. NTNX-PAT-719Inventor: Agrawalenforced for the client, initiating certificate-based authentication for the remote device of the 15client (Innes: ¶0128 the client device 705 may use an enterprise client certificate for this authentication; ¶0140 in step 928, the proxy device 710 may generate a request for a signature corresponding to the selected certificate from the client device 705. The proxy device 710 may also generate a piece of data to be signed. For Kerberos authentication, the piece of data may comprise an authentication service request (AS_REQ) message using the selected certificate).
Innes does disclose to provide the authentication may include an identification of a security certificate selected from the list comprising one or more security certificates but does not explicitly disclose in response to determining that certificate-based authentication is 17not enforced for the client, sending information associated with a user 18interface to the remote device of the client, wherein the user interface facilitates selection of 19an authentication method from a set of authentication methods supported 20by the authentication system.
However, Foley discloses 16in response to determining that certificate-based authentication is 17not enforced for the client, sending information associated with a user 18interface to the remote device of the client, wherein the user interface facilitates selection of 19an authentication method from a set of authentication methods supported 20by the authentication system (Foley: ¶0026 the user may Select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication; ¶0036 if the user does not have a digital certificate associated with the user's registration, then the Smart card may be optionally registered to the user's registration (step 323)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Foley with the system/method of Innes to include the user interface allows the client to select an authentication 13method from a set of authentication methods supported by the authentication 14system.
One would have been motivated to facilitating the determination of an authentication method for accessing a restricted service related to transactions via a network (Foley: ¶0002).  

Claims 2-4, 11-13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Innes et al. (“Innes,” US 2015/0365412) in view of Foley et al. (“Foley,” US 2002/008789) and Wyatt et al. (“Wyatt,” US 2017 /0346853).

1 Regarding claim 2: Innes in view of Foley discloses the method of claim 1.
Innes in view of Foley does not explicitly disclose wherein the authentication request is based 2on a Transport Layer Security (TLS) protocol, and wherein the indicator 3comprises a domain name and included in server name indication (SNI) extension 4of the TLS protocol.
However, Wyatt discloses wherein the authentication request is based 2on a Transport Layer Security (TLS) protocol, and wherein the indicator 3comprises a domain name and included in server name indication (SNI) extension 4of the TLS protocol (Wyatt: ¶0264 the TLS protocol, at the beginning of the TLS handshake process, includes an extension in which a client includes the name of the host to which the client is attempting to connect [...] selectively targeting traffic for particular hosts or domains may inspect the TLS Server Name Indication (SNI) information).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Wyatt with the system/method of Innes and Foley to include the authentication request is based 2on a Transport Layer Security (TLS) protocol, and included in server name indication (SNI) extension 4of the TLS protocol.
One would have been motivated to detecting and preventing compromise of computing device network connections, including man-in-the-middle attacks (Wyatt: ¶0002).
1
Regarding claim 3: Innes in view of Foley and Wyatt discloses the method of claim 2.
Innes further discloses wherein the domain name is one of: 2a first domain name associated with the certificate-based authentication; 3and 4a second domain name associated with generic authentication indicated in 26the user interface (Innes: ¶0131 the resource may indicate the type of authentication to be performed (e.g., SSL, a domain-based authentication, such as Kerberos, etc.). Based on the type of authentication, the resource may send an authentication challenge (e.g., a 401 Negotiate message for Kerberos authentication or a client certificate challenge for SSL authentication)). 

Regarding claim 4: Innes in view of Foley and Wyatt discloses the method of claim 3.
Innes further discloses wherein the first and second domain names 2correspond to a same point of access for the remote device of the client, wherein the point of access is indicated by one or more of: wherein the first and second 4domain names are accessible via a same pinhole of a firewall of the authentication 5system (Innes: ¶0068 the policies may be implanted through a firewall or gateway in such a way that the mobile device may be identified, secured or security verified, and provided selective or full access to the enterprise resources).
Wyatt further discloses an Internet 3Protocol (IP) address and a port identifier (Wyatt: ¶0103 the Domain Name System (DNS) configuration (server IP addresses) of the network).
The motivation is the same that of claim 2 above.
 1
Regarding claims 11-13: Claims 11-13 are similar in scope to claims 2-4, respectively, and are therefore rejected under similar rationale.
28Attorney Docket No. NTNX-PAT-719Inventor: Agrawal
Regarding claim 20: Innes in view of Foley discloses the computer system of claim 19.
Innes further discloses wherein the domain name is one of: 5a first domain name associated with the certificate-based authentication; 6and 7a second domain name associated with generic authentication indicated in 8the user interface (Innes: ¶0131 the resource may indicate the type of authentication to be performed (e.g., SSL, a domain-based authentication, such as Kerberos, etc.). Based on the type of authentication, the resource may send an authentication challenge (e.g., a 401 Negotiate message for Kerberos authentication or a client certificate challenge for SSL authentication)).
Innes in view of Foley does not explicitly disclose wherein the authentication 2request is based on a Transport Layer Security (TLS) protocol, wherein the 3indicator comprises a domain name and included in server name indication (SNI) 4extension of the TLS protocol.
However, Wyatt discloses wherein the authentication 2request is based on a Transport Layer Security (TLS) protocol, wherein the 3indicator comprises a domain name and included in server name indication (SNI) 4extension of the TLS protocol (Wyatt: ¶0264 the TLS protocol, at the beginning of the TLS handshake process, includes an extension in which a client includes the name of the host to which the client is attempting to connect [...] selectively targeting traffic for particular hosts or domains may inspect the TLS Server Name Indication (SNI) information).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Wyatt with the system/method of Innes and Foley to include the authentication request is based 2on a Transport Layer Security (TLS) protocol, and included in server name indication (SNI) extension 4of the TLS protocol.
One would have been motivated to detecting and preventing compromise of computing device network connections, including man-in-the-middle attacks (Wyatt: ¶0002). 


Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/  Examiner, Art Unit 2439                                                                                                                                                                                                        


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439