DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 10/12/2022 has been entered.
As per instant Amendment, Claims 1, 10 and 19 are independent claims.  Claims 1-20 have been examined and are pending. This Action is made Non-FINAL.

Response to Arguments
In attempt to promote compact prosecution, the Examiner has contacted the Applicants for possible amendments to move the case forward. However the Applicants and the Examiner could not come up with an agreement.
Applicant’s arguments with respect to claims 1, 10 and 19 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection. The new reference Eatough et al. (US 8185945) used to address the limitations.
The amended claims 1, 10 and 19 have been addressed in rejection below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


Claims 1, 5-10 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Eatough et al. (“Eatough,” US 8185945) in view of  Innes et al. (“Innes,” US 2015/0365412) and Foley et al. (“Foley,” US 2002/008789).

Regarding claim 1: Eatough discloses a method for facilitating an enhanced authentication system, 2comprising:
3obtaining, by the authentication system from a remote device of a client, 4an authentication request (Eatough: col. 3 lines 7-8 receiving from a client a request to initiate a secure communication session; col. 7 lines 14-16 in step 202A of the method 200A, the SSL server 128 receives 202A an SSL session request from an SSL client);
identifying,6 in the authentication request, an indicator value indicating enforcement of 7certificate-based authentication for the client (Eatough: col. 2 lines 50-52 the step of determining whether the client is going to use certificate-based authentication involves identifying a port at which the request was received; col. 7 lines 1-4 if the request was received at the certificate port 132, it may be inferred that the request was sent from an SSL client that is going to use certificate-based authentication, such as the SSL client 124 on the administrative system 102);
determining whether certificate-based authentication is enforced for the client based on the indicator value (Eatough: col. 7 lines 25-29 the SSL server 128 determines 208A whether the SSL client has presented a certificate. If the SSL client has presented a certificate, then the SSL server 128 determines 210A whether the certificate has been authenticated); 
8in response to determining that certificate-based authentication is enforced 9for the client, initiating certificate-based authentication for the remote device of the client (Eatough: col. 7 lines 28-31 the SSL server 128 determines 210A whether the certificate has been authenticated. If so, then the SSL server 128 proceeds 212A with an authenticated SSL session with the SSL client); and 
in response to determining that certificate-based authentication is not 11enforced for the client (Eatough: col. 7 lines 55-59 if in step 210A the certificate presented by the SSL client is 55 not authenticated, the SSL server 128 determines 214A whether the SSL session may be allowed to continue using another authentication mechanism, such as an operating system-specific authentication mechanism), wherein the information indicates a set of authentication methods supported by the authentication system (Eatough: col. 9 lines 48-51 the SSL session request 640 includes authentication information 644. The authentication information 644 indicates whether the SSL client 646 is going to authenticate by using a certificate or by using some other means of authentication; col. 5 lines 63-65 the SSL client 126 on the console system 116 authenticates using some other mechanism, such as providing a username and password).wherein 
Eatough does not explicitly disclose obtaining request prior to exchange of application layer web traffic 
However, Innes discloses obtaining request prior to exchange of application layer web traffic Innes: ¶0128 the client device 705 and proxy device may perform mutual authentication [] the proxy device 710 may request the client device 705 and/or the user of the client device 705 to authenticate to the proxy device 710 before authorizing access to the proxy device 710; ¶0130 the request for a resource may be sent by the client device 705 over HTTP, HTTPS, [application layer] or any other access protocol supported by the client device).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Innes with the system/method of Eatough to include obtaining request prior to exchange of application layer web traffic Innes: ¶0002).
Eatough in view of Innes does disclose the SSL client using some other authentication mechanism, such as providing a username and password but does not explicitly disclose sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from the set of authentication methods.
However, Foley discloses sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from the set of authentication methods (Foley: ¶0026 the user may select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Foley with the system/method of Eatough and Innes to include the user interface facilitates selection of an authentication 13method from the set of authentication methods. One would have been motivated to facilitating the determination of an authentication method for accessing a restricted service related to transactions via a network (Foley: ¶0002).

1Regarding claim 5: Eatough  in view of Innes and Foley discloses the method of claim 1.
Innes further discloses wherein the application layer web traffic is 2based on Hypertext Transfer Protocol (HTTP) or a variation thereof (Innes: fig. 5; ¶0073 the virtual private network connections may carry Microsoft Exchange traffic, Microsoft Active Directory traffic, HTTP traffic, HTTPS traffic, application management traffic).
The motivation is the same that of claim 1 above.
1
Regarding claim 6: Eatough  in view of Innes and Foley discloses the method of claim 1.
Foley further discloses 2determining selection certificate-based authentication in 3the user interface based on information from the remote device (Foley: ¶0036 a check is made to determine whether the user has a digital certificate (e.g., X.509 format) associated with the user's registration (e.g., a user Internet account) (step 321)); and
4redirecting the request for initiating certificate-based 5authentication for the remote device of client (Foley: ¶0036 if the user has a digital certificate associated with the user's registration, then a check is made to determine whether the smart card with the digital certificate is active (step 325)).
The motivation is the same that of claim 1 above.
Regarding claim 7: Eatough  in view of Innes and Foley discloses the method of claim 1.
Foley further discloses 2determining an authentication method selected at the user interface based on information from the remote device (Foley: ¶0038 the user may also select an authentication method based on a particular service); and
3sending, to the remote device, a request for authentication information that 4authenticates the client using the selected authentication method (Foley: ¶0031 the host may request the appropriate authentication information from the user. For example, if the cookie indicates that the user has selected to use the user identification and password authentication method (step 205), then a dialog box requesting a user identification and password is presented to the user via a web page (step 207)).
The motivation is the same that of claim 1 above.
1
Regarding claim 8: Eatough  in view of Innes and Foley discloses the method of claim 1.
Innes further discloses 3obtaining a certificate configured in a smart card of the client (Innes: ¶0010 the security certificate may be stored on a smart card connected to the client device); and
4validating the certificate and an identity of the client (Innes: ¶0092 SSL certificate validation may be operable so the application specifically validates the server SSL certificate; ¶0129 client device 705 may also authenticate the user of the client device 705 to the proxy device 710, for instance using the client certificate available to the device as part of the SSL handshake),
wherein validating the identity includes authenticating the client based on a piece of information provided by the client (Innes: ¶0073 allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558).
The motivation is the same that of claim 1 above.27Attorney Docket No. NTNX-PAT-719Inventor: Agrawal

Regarding claim 9: Eatough  in view of Innes and Foley discloses the method of claim 8.
Innes further discloses wherein the smart card is a common access card (CAC), and wherein the certificate-based authentication includes CAC-based 3authentication (Innes: ¶0112 the certificate may be bound to a physical smart card having a cryptographic module [...] the user may authorize the client device 705 to access the smart card protected certificate).
The motivation is the same that of claim 1 above.
1
Regarding claim 10: Eatough discloses a non-transitory computer-readable storage medium storing 2instructions that when executed by a computer cause the computer to perform a 3method for facilitating an enhanced authentication system, the method 4comprising:
3obtaining, by the authentication system from a remote device of a client, 4an authentication request (Eatough: col. 3 lines 7-8 receiving from a client a request to initiate a secure communication session; col. 7 lines 14-16 in step 202A of the method 200A, the SSL server 128 receives 202A an SSL session request from an SSL client);
identifying,6 in the authentication request, an indicator value indicating enforcement of 7certificate-based authentication for the client (Eatough: col. 2 lines 50-52 the step of determining whether the client is going to use certificate-based authentication involves identifying a port at which the request was received; col. 7 lines 1-4 if the request was received at the certificate port 132, it may be inferred that the request was sent from an SSL client that is going to use certificate-based authentication, such as the SSL client 124 on the administrative system 102);
determining whether certificate-based authentication is enforced for the client based on the indicator value (Eatough: col. 7 lines 25-29 the SSL server 128 determines 208A whether the SSL client has presented a certificate. If the SSL client has presented a certificate, then the SSL server 128 determines 210A whether the certificate has been authenticated); 
8in response to determining that certificate-based authentication is enforced 9for the client, initiating certificate-based authentication for the remote device of the client (Eatough: col. 7 lines 28-31 the SSL server 128 determines 210A whether the certificate has been authenticated. If so, then the SSL server 128 proceeds 212A with an authenticated SSL session with the SSL client); and 
in response to determining that certificate-based authentication is not 11enforced for the client (Eatough: col. 7 lines 55-59 if in step 210A the certificate presented by the SSL client is 55 not authenticated, the SSL server 128 determines 214A whether the SSL session may be allowed to continue using another authentication mechanism, such as an operating system-specific authentication mechanism), wherein the information indicates a set of authentication methods supported by the authentication system (Eatough: col. 9 lines 48-51 the SSL session request 640 includes authentication information 644. The authentication information 644 indicates whether the SSL client 646 is going to authenticate by using a certificate or by using some other means of authentication; col. 5 lines 63-65 the SSL client 126 on the console system 116 authenticates using some other mechanism, such as providing a username and password).wherein 
Eatough does not explicitly disclose obtaining request prior to exchange of application layer web traffic 
However, Innes discloses obtaining request prior to exchange of application layer web traffic Innes: ¶0128 the client device 705 and proxy device may perform mutual authentication [] the proxy device 710 may request the client device 705 and/or the user of the client device 705 to authenticate to the proxy device 710 before authorizing access to the proxy device 710; ¶0130 the request for a resource may be sent by the client device 705 over HTTP, HTTPS, [application layer] or any other access protocol supported by the client device).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Innes with the system/method of Eatough to include obtaining request prior to exchange of application layer web traffic Innes: ¶0002).
Eatough in view of Innes does disclose the SSL client using some other authentication mechanism, such as providing a username and password but does not explicitly disclose sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from the set of authentication methods.
However, Foley discloses sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from the set of authentication methods (Foley: ¶0026 the user may select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Foley with the system/method of Eatough and Innes to include the user interface facilitates selection of an authentication 13method from the set of authentication methods. One would have been motivated to facilitating the determination of an authentication method for accessing a restricted service related to transactions via a network (Foley: ¶0002).

Regarding claims 14-18: Claims 14-18 are similar in scope to claims 5-9, respectively, and are therefore rejected under similar rationale.  
1
Regarding claim 19: Eatough discloses a computer system, comprising:
2a processor (Eatough: fig. 8 item 801); and
4a memory coupled to the processor and storing instructions (Eatough: fig. 8 item 803), which when 5executed by the processor cause the processor to perform a method for facilitating 6an enhanced authentication system, the method comprising:
3obtaining, by the authentication system from a remote device of a client, 4an authentication request (Eatough: col. 3 lines 7-8 receiving from a client a request to initiate a secure communication session; col. 7 lines 14-16 in step 202A of the method 200A, the SSL server 128 receives 202A an SSL session request from an SSL client);
identifying,6 in the authentication request, an indicator value indicating enforcement of 7certificate-based authentication for the client (Eatough: col. 2 lines 50-52 the step of determining whether the client is going to use certificate-based authentication involves identifying a port at which the request was received; col. 7 lines 1-4 if the request was received at the certificate port 132, it may be inferred that the request was sent from an SSL client that is going to use certificate-based authentication, such as the SSL client 124 on the administrative system 102);
determining whether certificate-based authentication is enforced for the client based on the indicator value (Eatough: col. 7 lines 25-29 the SSL server 128 determines 208A whether the SSL client has presented a certificate. If the SSL client has presented a certificate, then the SSL server 128 determines 210A whether the certificate has been authenticated); 
8in response to determining that certificate-based authentication is enforced 9for the client, initiating certificate-based authentication for the remote device of the client (Eatough: col. 7 lines 28-31 the SSL server 128 determines 210A whether the certificate has been authenticated. If so, then the SSL server 128 proceeds 212A with an authenticated SSL session with the SSL client); and 
in response to determining that certificate-based authentication is not 11enforced for the client (Eatough: col. 7 lines 55-59 if in step 210A the certificate presented by the SSL client is 55 not authenticated, the SSL server 128 determines 214A whether the SSL session may be allowed to continue using another authentication mechanism, such as an operating system-specific authentication mechanism), wherein the information indicates a set of authentication methods supported by the authentication system (Eatough: col. 9 lines 48-51 the SSL session request 640 includes authentication information 644. The authentication information 644 indicates whether the SSL client 646 is going to authenticate by using a certificate or by using some other means of authentication; col. 5 lines 63-65 the SSL client 126 on the console system 116 authenticates using some other mechanism, such as providing a username and password).wherein 
Eatough does not explicitly disclose a storage device and obtaining request prior to exchange of application layer web traffic 
However, Innes discloses a device including 3a storage device (Innes: fig. 4 item 404 storage devices), that performs:
obtaining request prior to exchange of application layer web traffic Innes: ¶0128 the client device 705 and proxy device may perform mutual authentication [] the proxy device 710 may request the client device 705 and/or the user of the client device 705 to authenticate to the proxy device 710 before authorizing access to the proxy device 710; ¶0130 the request for a resource may be sent by the client device 705 over HTTP, HTTPS, [application layer] or any other access protocol supported by the client device).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Innes with the system/method of Eatough to include obtaining request prior to exchange of application layer web traffic Innes: ¶0002).
Eatough in view of Innes does disclose the SSL client using some other authentication mechanism, such as providing a username and password but does not explicitly disclose sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from the set of authentication methods.
However, Foley discloses sending information associated with a user interface to the remote device of the 12client, wherein the user interface facilitates selection of an authentication 13method from the set of authentication methods (Foley: ¶0026 the user may select between using a standard user identification and password entry into a user dialog box (step 103) or using a smart card and PIN authentication method (step 105) as the minimum level of security for authentication).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Foley with the system/method of Eatough and Innes to include the user interface facilitates selection of an authentication 13method from the set of authentication methods. One would have been motivated to facilitating the determination of an authentication method for accessing a restricted service related to transactions via a network (Foley: ¶0002).

Claims 2-4, 11-13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Eatough et al. (“Eatough,” US 8185945) in view of  Innes et al. (“Innes,” US 2015/0365412), Foley et al. (“Foley,” US 2002/008789) and Wyatt et al. (“Wyatt,” US 2017 /0346853).

1 Regarding claim 2: Eatough  in view of Innes and Foley discloses the method of claim 1.
Eatough  in view of Innes and Foley discloses does not explicitly disclose wherein the authentication request is based 2on a Transport Layer Security (TLS) protocol, and wherein the indicator value 3comprises a domain name and included in server name indication (SNI) extension 4of the TLS protocol.
However, Wyatt discloses wherein the authentication request is based 2on a Transport Layer Security (TLS) protocol, and wherein the indicator value 3comprises a domain name and included in server name indication (SNI) extension 4of the TLS protocol (Wyatt: ¶0264 the TLS protocol, at the beginning of the TLS handshake process, includes an extension in which a client includes the name of the host to which the client is attempting to connect [...] selectively targeting traffic for particular hosts or domains may inspect the TLS Server Name Indication (SNI) information).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Wyatt with the system/method of Eatough, Innes and Foley to include the authentication request is based 2on a Transport Layer Security (TLS) protocol, and included in server name indication (SNI) extension 4of the TLS protocol. One would have been motivated to detecting and preventing compromise of computing device network connections, including man-in-the-middle attacks (Wyatt: ¶0002).
1
Regarding claim 3: Eatough  in view of Innes, Foley and Wyatt discloses the method of claim 2.
Innes further discloses wherein the domain name is one of: 2a first domain name associated with the certificate-based authentication; 3and 4a second domain name associated with generic authentication indicated in 26the user interface (Innes: ¶0131 the resource may indicate the type of authentication to be performed (e.g., SSL, a domain-based authentication, such as Kerberos, etc.). Based on the type of authentication, the resource may send an authentication challenge (e.g., a 401 Negotiate message for Kerberos authentication or a client certificate challenge for SSL authentication)).
The motivation is the same that of claim 1 above.

Regarding claim 4: Eatough  in view of Innes, Foley and Wyatt discloses the method of claim 3.
Innes further discloses wherein the first and second domain names associated with the indicator value 2correspond to a same point of access for the remote device of the client, wherein the point of access is indicated by one or more of: wherein the first and second 4domain names are accessible via a same pinhole of a firewall of the authentication 5system (Innes: ¶0068 the policies may be implanted through a firewall or gateway in such a way that the mobile device may be identified, secured or security verified, and provided selective or full access to the enterprise resources).
The motivation is the same that of claim 1 above.
Wyatt further discloses an Internet 3Protocol (IP) address and a port identifier (Wyatt: ¶0103 the Domain Name System (DNS) configuration (server IP addresses) of the network).
The motivation is the same that of claim 2 above.
 1
Regarding claims 11-13: Claims 11-13 are similar in scope to claims 2-4, respectively, and are therefore rejected under similar rationale.
28Attorney Docket No. NTNX-PAT-719Inventor: Agrawal
Regarding claim 20: Eatough  in view of Innes and Foley discloses the computer system of claim 19.
Innes further discloses wherein the domain name is one of: 5a first domain name associated with the certificate-based authentication; 6and 7a second domain name associated with generic authentication indicated in 8the user interface (Innes: ¶0131 the resource may indicate the type of authentication to be performed (e.g., SSL, a domain-based authentication, such as Kerberos, etc.). Based on the type of authentication, the resource may send an authentication challenge (e.g., a 401 Negotiate message for Kerberos authentication or a client certificate challenge for SSL authentication)).
Eatough  in view of Innes and Foley does not explicitly disclose wherein the authentication 2request is based on a Transport Layer Security (TLS) protocol, wherein the 3indicator comprises a domain name and included in server name indication (SNI) 4extension of the TLS protocol.
However, Wyatt discloses wherein the authentication 2request is based on a Transport Layer Security (TLS) protocol, wherein the 3indicator comprises a domain name and included in server name indication (SNI) 4extension of the TLS protocol (Wyatt: ¶0264 the TLS protocol, at the beginning of the TLS handshake process, includes an extension in which a client includes the name of the host to which the client is attempting to connect [...] selectively targeting traffic for particular hosts or domains may inspect the TLS Server Name Indication (SNI) information).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Wyatt with the system/method of Eatough, Innes and Foley to include the authentication request is based 2on a Transport Layer Security (TLS) protocol, and included in server name indication (SNI) extension 4of the TLS protocol.
One would have been motivated to detecting and preventing compromise of computing device network connections, including man-in-the-middle attacks (Wyatt: ¶0002). 


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439