
Title:
COMMUNICATE WITH SERVER USING CREDENTIAL
Document Type and Number:
WIPO Patent Application WO/2017/048278
Kind Code:
A1
Abstract:
A request is sent to a server to provision a client machine. A provisioning key is received from the server. A client key is requested from the server. The request for the client key includes the provisioning key. A credential is requested from the server if the server returns the client key. The request for the credential includes the client key. The credential is received from the server if the server approves the credential request. The client machine is to communicate with the server using the credential for authentication.

Inventors:
KUZNETSOV MIKHAIL GRIGORYEVICH (US)
FICARA JOE (US)
JAGADEVAN KAMALAKANNAN (US)
JAIN RAHUL (US)
Application Number:
PCT/US2015/050941
Publication Date:
March 23, 2017
Filing Date:
September 18, 2015
Assignee:
LONGSAND LTD (GB)
KUZNETSOV MIKHAIL GRIGORYEVICH (US)
FICARA JOE (US)
JAGADEVAN KAMALAKANNAN (US)
JAIN RAHUL (US)
International Classes:
H04L29/06; H04L29/08
Domestic Patent References:
WO2011115407A22011-09-22
Foreign References:
US20130042315A12013-02-14
US20100138916A12010-06-03
US7640430B22009-12-29
US20070234054A12007-10-04
Attorney, Agent or Firm:
PATEL, Neel K. et al. (US)
Claims:
CLAIMS

We claim:

1. A method, comprising:

requesting, to a server, to provision a client machine;

receiving, from the server, a provisioning key;

requesting, from the server, a client key, the request for the client key to include the provisioning key;

requesting a credential from the server if the server returns the client key, the request for the credential to include the client key; and

receiving, from the server, the credential, if the server approves the credential request, wherein

the client machine is to communicate with the server using the credential for authentication.

2. The method of claim 2, wherein,

the client machine is to request at least one of the client key and the credential,

an administrator is to request to provision the client machine and to receive the provisioning key, and

the administrator is to distribute the provisioning key to the client machine.

3. The method of claim 3, wherein,

the server is to await approval from the administrator before responding to the credential request, and

the server is to store the approval from the administrator.

4. The method of claim 4, wherein the server is to at least one of validate the client key, create a machine account associated with the client machine, and generate the credential for the machine account, if the administrator approves the credential request.

5. The method of claim 2, wherein,

the server is to at least one of validate the provisioning key and store information of the client machine, in response to the request for the client key by the client machine, and

the server is to return the client key to the client machine, if the provisioning key is validated.

6. The method of claim 1, wherein,

the server is to invalidate the credential of the client machine, if an administrator indicates to the server to revoke the credential, and

the server is to reject a communication of the client machine, if the credential of the client machine is invalid.

7. The method of claim 1, wherein the server at least one of generates and stores the provisioning key in response to the request to provision the client machine.

8. A system, comprising:

a server to authenticate a client machine without exposing a credential of a user, the server to include,

a provisioning unit to generate a provisioning key, and a validation unit to validate the provisioning key and a client key, wherein

the provisioning unit is to receive a request to provision a client machine from an administrator and to return the provisioning key to the administrator, the validation unit is to receive a request for the client key including the provisioning key from the client machine and to validate and return the client key to the client machine,

the validation unit is to receive a request for a credential including client key from the client machine and to return the credential to the client machine if the administrator approves the request for the credential, and

the client machine is to communicate with the server using the credential for authentication.

9. The system of claim 8, wherein the credential used by the client machine to communicate with the server is separate from a credential of a user to use the client machine.

10. The system of claim 8, further comprising:

a plurality of the client machines, wherein the request of the administrator includes a request to provision the plurality of client machines, and

the administrator is to distribute the provisioning key to the plurality of client machines.

11. The system of claim 9, wherein,

the provisioning key is to be used a limited number of times to identify at least some of the plurality of client machines, and

the client key is to be used by only one of the plurality of client machines.

12. A non-transitory computer-readable storage medium storing instructions that, if executed by a processor of a device, cause the processor to: return, from a server, a client key in response to a request for a client key that includes a provisioning key; and

return, from the server, a credential if a request for a credential is approved, the request for the credential to include the client key, wherein

a client machine is to communicate with the server using the credential for authentication.

13. The non-transitory computer-readable storage medium of claim 12, wherein,

a request to provision the client machine and approval to the request for the credential is received from an administrator, and

the requests for the client key and the credential are received from the client machine.

14. The non-transitory computer-readable storage medium of claim 12, wherein,

the client key and credential are returned to the client machine, and the client key is returned if the provisioning key is validated.

15. The non-transitory computer-readable storage medium of claim 12, wherein,

the provisioning key is returned to an administrator, and

the administrator is to distribute the provisioning key to the client machine.

Description:
COMMUNICATE WITH SERVER USING CREDENTIAL

BACKGROUND

[0001] Provisioning refers to the process of providing users with access to data and technology resources. For example, with respect to enterprise-level resource management, users may be (1) given access to data repositories or granted authorization to systems, applications and databases based on a unique user identity, and (2) appropriated hardware resources, such as computers, mobile phones and pagers.

BRIEF DESCRIPTION OF THE DRAWINGS

[0002] The following detailed description references the drawings, wherein:

[0003] FIG. 1 is an example block diagram of a system to communicate with a server using a credential;

[0004] FIGS. 2A and 2B are example timing diagrams of the system of FIG. 1 ;

[0005] FIG. 3 is an example block diagram of a computing device including instructions for communicating with a server using a credential; and

[0006] FIG. 4 is an example flowchart of a method for communicating with a server using a credential.

DETAILED DESCRIPTION

[0007] Specific details are given in the following description to provide a thorough understanding of embodiments. However, it will be understood that embodiments may be practiced without these specific details. For example, systems may be shown in block diagrams in order not to obscure embodiments in unnecessary detail. In other instances, well-known processes, structures and techniques may be shown without unnecessary detail in order to avoid obscuring embodiments.

[0008] Before a client machine joins a distributed client-server system, the client machine is provisioned. During provisioning, the server may authenticate the new client machine as legitimate and may give the client a set of credentials to be used for future communication with other components in the system. This is usually done manually using the credentials of a human user. However, requiring human intervention can be inefficient and can potentially expose the credentials of the human user to theft. Furthermore, the client machine can then become associated with the identity and credentials of the human user, which may pose a problem when the client machine is used by multiple users at once.

[0009] Examples provide a technique for provisioning a client machine without exposing the credentials of the human user. In one example, a request is sent to a server to provision a client machine. A provisioning key is received from the server. A client key is requested from the server. The request for the client key includes the provisioning key. A credential is requested from the server if the server returns the client key. The request for the credential includes the client key. The credential is received from the server if the server approves the credential request. The client machine is to communicate with the server using the credential for authentication.

[0010] Thus, examples may enhance security due to credentials of a human user not being exposed on the client machine. Further, examples may enhance security due to the client machine being given its own set of credentials. Also, examples may improve efficiency by reducing or eliminating the need for manual intervention during provisioning and by providing a way to provision several client machines at once.

[0011] Referring now to the drawings, FIG. 1 is an example block diagram of a system to communicate with a server using a credential. The system 100 may include or be part of a microprocessor, a controller, a memory module or device, a notebook computer, a desktop computer, an all-in-one system, a server, a client device, a network device, a wireless device, and the like. The system 100 may, for example, be a client-server system. Here, the system 100 is shown to include a server 110 and a client machine 120.

[0012] The system 100 may be a network through which the client machine 120 communicates with the server 110. The system 100 may consist of one or more servers 110 and may be a distributed system. The system 100 may provide secure communication between its servers 110 and the client machine 120 through standard security practices, including but not limited to cryptography and enforcement of proper network protocols.

[0013] The client machine 120 may include any type of device capable of accessing a service made available by a server, such as a desktop, a mobile device, and the like. The server 110 may be any type of device capable of serving a request of the client machine 120. The request may be to share data, information or hardware and software resources. Example types of servers 110 may include database servers, file servers, mail servers, print servers, web servers, gaming servers, application servers, and the like.

[0014] The term provisioning relates to the process of authenticating a new client machine 120 as legitimate and giving the client machine 120 a set of credentials to be used for future communication. If the provisioning process fails at any point, the client machine 120 may gracefully return to a state where the provisioning process can be restarted. The server 110 may authenticate a client machine 120 without exposing a credential of a user, as part of the provisioning process.

[0015] The server 110 is shown to include a provisioning unit 112 and a validation unit 114. The provisioning and validation units 112 and 114 may include, for example, a hardware device including electronic circuitry for implementing the functionality described below, such as control logic and/or memory. In addition or as an alternative, the provisioning and validation units 112 and 114 may be implemented as a series of instructions encoded on a machine-readable storage medium and executable by a processor.

[0016] The provisioning unit 112 may generate a provisioning key 132. The provisioning unit 112 may receive a request to provision the client machine 120 from an administrator 130 and may return the provisioning key 132 to the administrator 130. Examples of the administrator 130 may be human or non-human, such as software and/or hardware. The provisioning key 132 may be a computer-generated piece of information that is used to identify the client machine(s) that are to be provisioned.

[0017] The validation unit 114 may validate the provisioning key 132 and a client key 126. The validation unit 114 may receive a request for the client key 122 that includes the provisioning key 132 from the client machine 120. Further, the validation unit 112 may validate and return the client key 126 to the client machine 120. The client key 126 may be a computer-generated piece of information that is used to identify a single client machine 120 that is being provisioned.

[0018] The validation unit 114 may receive a request for a credential 124 that includes the client key 126 from the client machine 120. Further, the validation unit 114 may return the credential 128 to the client machine 120 if the administrator 130 approves the request for the credential 124.

[0019] The credential 128 may be a computer-generated piece of information that is used to uniquely identify a machine account, such as a security token. The credential 128 may be used by the client machine 120 to identify itself during communication with the server 110 for authentication. The credential 128 used by the client machine 120 to communicate with the server 110 may be separate from a credential of a user to use the client machine 120.

[0020] The system 100 may include a plurality of the client machines 120-1 to 120-n, where n is a natural number. Here, the request of the administrator 130 to provision may include a request to provision the plurality of client machines 120-1 to 120-n. Also, the administrator 130 may distribute the provisioning key 132 to the plurality of client machines 120-1 to 120-n.

[0021] The provisioning key 132 may be used a limited number of times to identify at least some of the plurality of client machines 120-1 to 120-n, such as two or more of the client machines 120-1 to 120-n. This limited number of uses may be determined by the administrator 130. Conversely, the client key 126 may be used by only one of the plurality of client machines 120-1 to 120-n, such as the first client machine 120-1. Both the client key 126 and the provisioning key 132 may expire (become unusable) after a certain amount of time. Further, both the client key 126 and the provisioning key 132 may be implemented as an encrypted key, security token, code, or through other mechanisms.

[0022] FIGS. 2A and 2B are example timing diagrams of the system of FIG. 1. While FIGS. 2A and 2B only show the timing diagrams with respect to a single server 110 and a single client machine 120, examples of the system 100 may include a plurality of servers 110 and/or client machines 120.

[0023] As shown in FIG. 2A, the administrator 130 of the system specifies the number of client machines 120 that will be provisioned, such as through a user interface. This setting is stored by the server 110. Then, the server 110 generates and stores the provisioning key 132, and associates it with the provisioning request from the administrator 130. Next, the server 110 sends the provisioning key 132 to the administrator 130.

[0024] The provisioning key 132 is distributed to the client machines 120-1 to 120-n as appropriate by the administrator 130. Afterward, the client machine 120 sends the provisioning key 132 along with other uniquely identifying information to the server 110. The server 110 validates the provisioning key 132 and saves the information of the client machine 120. The server 110 then sends the client key 126 to the client machine 120.

[0025] The client machine 120 begins to periodically send the server 110 requests 124 with the client key 126 to obtain a credential 128 that it can use for further communication. The server 110 receives the request 122 from the client machine 120, but does not respond with the credential 128 until it receives approval from the administrator 130.

[0026] The administrator 130 approves, such as through a user interface, the client machines 120 that have contacted the server 110 for provisioning. Next, the server 110 records that the client machines 120 were approved for provisioning. Once a client machine 120 is approved, the server 110 creates a machine account for the client machine 120. Then, the credential 128 may be generated for the machine account, such as the next time the client machine 120 sends the server 110 the request 124, which includes the client key 128.

[0027] The machine account may be an identity for the client machine 120 that is created by the server 120. The process of creating the machine account does not require human interaction and the credentials of the client machine 120 in the machine account are not directly accessible by a human user. Then, the server 110 replies to the request 124 of the client machine 120 and the credential 128 is sent to the client machine 120.

[0028] At this point, the provisioning process is complete and the client machine 120 may now communicate with the server 120 using the credential 128 to authenticate itself. Moreover, the above process may be repeated for a plurality of the client machines 120-1 to 120-n.

[0029] As shown in FIG. 2B, there may also be a process for revoking the credential 128 of the client machine 120. The administrator 130 may initiate this process, for example, if the client machine 120 becomes compromised or if the client machine 120 should no longer communicate with the server 110 or the system 100.

[0030] First, the administrator 130 specifies the client machines 120 that should have their credentials 128 revoked. Then, the server 110 invalidates the credential 128 associated with each machine account of the client machines 120. Next, when the client machine 120 communicates with the server 110, the server 110 will recognize that the client machine 120 is presenting a credential 128 that has been revoked, and the server 110 will reject communication with the client machine 120.

[0031] FIG. 3 is an example block diagram of a computing device 300 including instructions for communicating with a server using a credential. In the embodiment of FIG. 3, the computing device 300 includes a processor 310 and a machine-readable storage medium 320. The machine-readable storage medium 320 further includes instructions 322 and 324 for communicating with a server using a credential.

[0032] The computing device 300 may be included in or part of, for example, a microprocessor, a controller, a memory module or device, a notebook computer, a desktop computer, an all-in-one system, a server, a network device, a wireless device, or any other type of device capable of executing the instructions 322 and 324. In certain examples, the computing device 300 may include or be connected to additional components such as memories, controllers, etc.

[0033] The processor 310 may be, at least one central processing unit (CPU), at least one semiconductor-based microprocessor, at least one graphics processing unit (GPU), a microcontroller, special purpose logic hardware controlled by microcode or other hardware devices suitable for retrieval and execution of instructions stored in the machine-readable storage medium 320, or combinations thereof. The processor 210 may fetch, decode, and execute instructions 322 and 324 to implement communicating with the server using the credential. As an alternative or in addition to retrieving and executing instructions, the processor 310 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 322 and 324.

[0034] The machine-readable storage medium 320 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, the machine-readable storage medium 320 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As such, the machine-readable storage medium 220 can be non-transitory. As described in detail below, machine-readable storage medium 320 may be encoded with a series of executable instructions for communicating with the server using the credential.

[0035] Moreover, the instructions 322 and 324, when executed by a processor (e.g., via one processing element or multiple processing elements of the processor) can cause the processor to perform processes, such as, the process of FIG. 4. For example, the return client key instructions 322 may be executed by the processor 310 to return, from a server, a client key in response to a request for a client key that includes a provisioning key. A request to provision the client machine and an approval to the request for the credential are received from an administrator. The provisioning key is returned to the administrator. The administrator is to distribute the provisioning key to a client machine.

[0036] The return credential instructions 324 may be executed by the processor 310 to return, from the server, a credential if a request for the credential is approved. The request for the credential includes the client key. The requests for the client key and the credential are received from the client machine. The client key and credential are returned to the client machine. The client key is returned if the provisioning key is validated. A client machine may communicate with the server using the credential for authentication.

[0037] FIG. 4 is an example flowchart of a method 400 for communicating with a server using a credential. Although execution of the method 400 is described below with reference to the system 100, other suitable components for execution of the method 400 can be utilized. Additionally, the components for executing the method 400 may be spread among multiple devices (e.g., a processing device in communication with input and output devices). In certain scenarios, multiple devices acting in coordination can be considered a single device to perform the method 400. The method 400 may be implemented in the form of executable instructions stored on a machine-readable storage medium, such as storage medium 320, and/or in the form of electronic circuitry.

[0038] At block 410, an administrator 130 requests to a server 110 to provision a client machine 120. The server 110 generates and stores the provisioning key 132 in response to the request to provision the client machine 120. At block 420, the administrator 130 receives a provisioning key 132 from the server 110. The administrator 130 distributes the provisioning key 132 to the client machine 120, such as manually or remotely over a network.

[0039] At block 430, a client machine 120 requests a client key 122 from the server 110. The request for the client key 122 includes the provisioning key 132. The server 110 validates the provisioning key 132 and stores information of the client machine 120, in response to the request for the client key 122 by the client machine 120.

[0040] At block 440, the client machine 120 requests a credential 124 from the server 110 if the server 110 returns the client key 126. The request for the credential 124 includes the client key 126. The server 110 returns the client key 126 to the client machine 120, if the provisioning key 132 is validated. The server 110 is to await approval from the administrator 130 before responding to the credential request 124. Further, the server 110 is to store the approval from the administrator 130.

[0041] At block 450, the client machine 120 receives the credential 128 from the server 110, if the server 110 approves the credential request 124. Also, the server 110 is to validate the client key 126, create a machine account associated with the client machine 120, and generate the credential for the machine account, if the administrator 130 approves the credential request 124.

[0042] The client machine 120 communicates with the server 110 using the credential 128 for authentication. The server 110 invalidates the credential 128 of the client machine 120, if the administrator 130 indicates to the server to revoke the credential 128. The server 110 rejects a communication of the client machine 120, if the credential 128 of the client machine 120 is invalid.
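The provisioning and revocation sequence of FIGS. 2A and 2B, and the same flow as the blocks 410 to 450 of FIG. 4, can be exercised end to end in a small server-side model. The code below is an added illustration written for this page, not code from the patent or its assignee; the class and method names, the key lifetime, the machine-account naming and the sample machine information are all assumptions made for the example. It models the provisioning key as limited to an administrator-chosen number of uses and as expiring, the client key as single-use, the credential as withheld until the administrator approves, and revocation as removing the credential from the machine account so that later authentication with it is rejected.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of the flow in FIGS. 2A/2B and FIG. 4. All names here are
# assumptions for the illustration, not the patent's own identifiers.


@dataclass
class ProvisioningKey:
    uses_left: int        # limited number of uses across the fleet ([0021])
    expires_at: float     # keys expire after a certain amount of time ([0021])


@dataclass
class ClientKey:
    machine_info: dict
    expires_at: float
    approved: bool = False            # administrator approval, stored by the server
    account_id: Optional[str] = None  # machine account, created on approval


class Server:
    """State of the provisioning unit (112) and validation unit (114), combined."""

    def __init__(self, key_ttl: float = 600.0) -> None:
        self.key_ttl = key_ttl
        self.provisioning_keys: dict[str, ProvisioningKey] = {}
        self.client_keys: dict[str, ClientKey] = {}
        self.credentials: dict[str, str] = {}   # credential -> machine account id

    # Blocks 410/420: the administrator asks to provision n machines and
    # receives a provisioning key that is good for n uses.
    def request_provisioning(self, n_machines: int, now: float) -> str:
        key = secrets.token_urlsafe(32)
        self.provisioning_keys[key] = ProvisioningKey(n_machines, now + self.key_ttl)
        return key

    # Block 430: a client presents the provisioning key plus identifying info;
    # a valid key is consumed once and a client key for that machine is issued.
    def request_client_key(self, prov_key: str, machine_info: dict,
                           now: float) -> Optional[str]:
        pk = self.provisioning_keys.get(prov_key)
        if pk is None or pk.uses_left <= 0 or now > pk.expires_at:
            return None                  # unknown, exhausted or expired provisioning key
        pk.uses_left -= 1
        client_key = secrets.token_urlsafe(32)
        self.client_keys[client_key] = ClientKey(dict(machine_info), now + self.key_ttl)
        return client_key

    def pending_machines(self) -> list[dict]:
        """What the administrator reviews before approving ([0026])."""
        return [ck.machine_info for ck in self.client_keys.values() if not ck.approved]

    def approve(self, client_key: str) -> None:
        ck = self.client_keys[client_key]
        ck.approved = True
        ck.account_id = "machine-" + secrets.token_hex(4)   # machine account

    # Blocks 440/450: the client polls with its client key; nothing is returned
    # until approval is recorded, then a credential for the machine account is
    # generated and the single-use client key is retired.
    def request_credential(self, client_key: str, now: float) -> Optional[str]:
        ck = self.client_keys.get(client_key)
        if ck is None or now > ck.expires_at or not ck.approved:
            return None
        credential = secrets.token_urlsafe(32)
        self.credentials[credential] = ck.account_id
        del self.client_keys[client_key]
        return credential

    # Ordinary traffic: the credential identifies the machine account, not a user.
    def authenticate(self, credential: str) -> Optional[str]:
        return self.credentials.get(credential)

    # FIG. 2B: the administrator names a machine account; its credential is invalidated.
    def revoke_account(self, account_id: str) -> None:
        for cred in [c for c, acct in self.credentials.items() if acct == account_id]:
            del self.credentials[cred]


def run_scenario() -> dict:
    """Drive the whole flow with constructed machine info and a simulated clock."""
    now = 1_000.0
    server = Server()
    prov_key = server.request_provisioning(2, now)                          # two machines allowed
    ck1 = server.request_client_key(prov_key, {"hostname": "lab-01"}, now)
    ck2 = server.request_client_key(prov_key, {"hostname": "lab-02"}, now)
    ck3 = server.request_client_key(prov_key, {"hostname": "lab-03"}, now)  # exceeds the limit
    early = server.request_credential(ck1, now + 1)                         # polled before approval
    server.approve(ck1)
    cred1 = server.request_credential(ck1, now + 2)
    replay = server.request_credential(ck1, now + 3)                        # client key already used
    account = server.authenticate(cred1)
    server.revoke_account(account)
    after_revoke = server.authenticate(cred1)
    server.approve(ck2)
    expired = server.request_credential(ck2, now + 10_000)                  # approved, but key expired
    return {"ck1": ck1, "ck2": ck2, "ck3": ck3, "early": early, "cred1": cred1,
            "replay": replay, "account": account, "after_revoke": after_revoke,
            "expired": expired}


if __name__ == "__main__":
    print(run_scenario())
```

Running the module prints the scenario results: the third client-key request fails because the provisioning key was limited to two uses, the early credential poll returns nothing, the credential arrives only after approval, the client key cannot be presented a second time, and the revoked credential no longer authenticates. In a production server the credentials map would hold hashes rather than the raw tokens and the approval record would be persisted, as the description requires; the in-memory dictionaries here exist only to keep the example self-contained.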