Office Action Predictor
Last updated: April 16, 2026
Application No. 18/791,498

System, Method, and Computer Program Product for Managing Computational Cluster Access to Multiple Domains

Non-Final OA §103§DP
Filed
Aug 01, 2024
Examiner
HARRIS, CHRISTOPHER C
Art Unit
2432
Tech Center
2400 — Computer Networks
Assignee
Visa International Service Association
OA Round
1 (Non-Final)
76%
Grant Probability
Favorable
1-2
OA Rounds
2y 10m
To Grant
99%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allow Rate
275 granted / 362 resolved
+18.0% vs TC avg
Strong +26% interview lift
Without
With
+26.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 10m
Avg Prosecution
21 currently pending
Career history
383
Total Applications
across all art units

Statute-Specific Performance

§101
14.2%
-25.8% vs TC avg
§103
38.2%
-1.8% vs TC avg
§102
14.5%
-25.5% vs TC avg
§112
24.5%
-15.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 362 resolved cases

Office Action

§103 §DP
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. DETAILED ACTION Information Disclosure Statement The information disclosure statement (IDS) submitted on 09/04/2024 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 12088576B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application while broader are fully anticipated by the claims of the US Patent as they each are directed towards a node in cluster joining at least two domains, merging keys from each domain and permitting access based on the merged set of keys as indicated in the chart below. Instant Application 18791498 U.S. Patent No. 12088576B2 (Claim 1) - A system comprising: at least one processor configured to: join at least one node of a computational cluster to a primary domain, wherein joining the at least one node to the primary domain generates a primary key table, the primary key table associated with a first set of permissions for remotely accessing a computer resource of the primary domain; join the at least one node of the computational cluster to a secondary domain, wherein joining the at least one node to the secondary domain generates a secondary key table, the secondary key table associated with a second set of permissions for remotely accessing a computer resource of the secondary domain; merge the primary key table with the secondary key table to form a merged key table, wherein each key of the merged key table comprises an identifier of a domain account associated with an encryption key necessary to encrypt or decrypt a ticket of a ticket-based computer network authentication protocol; connect a remote computing device of the primary domain and a remote computing device of the secondary domain to the computational cluster; authenticate a first cluster access request and a second cluster access request via the ticket-based computer network authentication protocol; permit access by the computational cluster to perform a first action based on the first cluster access request, the first action requiring access to a first domain account associated with the remote computing device of the primary domain and being permissible based the merged key table; and permit access by the computational cluster to perform a second action based on the second cluster access request, the second action requiring access to a second domain account associated with the remote computing device of the secondary domain and being permissible based the merged key table. A system comprising: a server comprising at least one hardware processor and at least one physical storage device comprising non-transitory memory, wherein the server is programmed and/or configured to: generate, using a ticket-based computer network authentication protocol, a primary key table based on remote system access credentials for a primary domain and at least one secondary key table based on remote system access credentials for at least one secondary domain, wherein the primary key table is associated with a first set of permissions for remotely accessing a computer resource of the primary domain, wherein the at least one secondary key table is associated with at least one second set of permissions for remotely accessing a computer resource of the at least one secondary domain, and wherein the first set of permissions and the at least one second set of permissions are different sets of permissions associated with different permitted actions for remotely accessing computer resources; merge the primary key table with the at least one secondary key table to form a merged key table, wherein each key of the merged key table comprises an identifier of a domain account associated with an encryption key necessary to encrypt or decrypt a ticket of the ticket-based computer network authentication protocol; activate a system daemon; connect, using the ticket-based computer network authentication protocol via the system daemon, a remote computing device of the primary domain and a remote computing device of the at least one secondary domain to a computational cluster; receive a first cluster access request to access a first domain account associated with the remote computing device of the primary domain, wherein the first cluster access request comprises a request to perform a first action that is permissible based on the first set of permissions and is not permissible based on the at least one second set of permissions; authenticate the first cluster access request via the ticket-based computer network authentication protocol; receive a second cluster access request to access a second domain account associated with the remote computing device of the at least one secondary domain, wherein the second cluster access request comprises a request to perform a second action that is permissible based on the at least one second set of permissions and is not permissible based on the first set of permissions; authenticate the second cluster access request via the ticket-based computer network authentication protocol; and manage access by the computational cluster to the first domain account and the second domain account based on the merged key table, wherein, while managing access by the computational cluster, the server is programmed and/or configured to: permit, using the system daemon, access by the computational cluster to the first domain account to perform the first action, based on the first set of permissions of the primary key table in the merged key table; and permit, using the system daemon, access by the computational cluster to the second domain account to perform the second action, based on the at least one second set of permissions of the at least one secondary key table in the merged key table. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20170048223 to Padmanaban (hereinafter “Padmanaban”) retrieved from IDS dated 09/04/2024 in view of NPL Network Security Enhancement in Hadoop Clusters to Gaikwad et al. (hereinafter “Gaikwad”) and further in view of NPL The MIT Kerberos Administrator’s How-to Guide Protocol, Installation and Single Sign On to Migeon Claim 1 Padmanaban teaches a system [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a system.] comprising: at least one processor [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a processor.] configured to: join at least one node of a computational cluster to a primary domain, wherein joining the at least one node to the primary domain generates a primary key table, the primary key table associated with a first set of permissions for remotely accessing a computer resource of the primary domain; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a node in a cluster may join a security domain such as Active Directory in a conventional fashion using Kerberos.] join the at least one node of the computational cluster to a secondary domain, wherein joining the at least one node to the secondary domain generates a secondary key table, the secondary key table associated with a second set of permissions for remotely accessing a computer resource of the secondary domain; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses the same node in the same cluster may join a different security domain such as Active Directory in a conventional fashion using Kerberos.] connect a remote computing device of the primary domain and a remote computing device of the secondary domain to the computational cluster; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses clients in different domains may connect to the node.] authenticate a first cluster access request and a second cluster access request via the ticket-based computer network authentication protocol; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses Kerberos.] permit access by the computational cluster to perform a first action based on the first cluster access request, the first action requiring access to a first domain account associated with the remote computing device of the primary domain and being permissible based the merged key table; [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a client accessing the node in a first domain.] and permit access by the computational cluster to perform a second action based on the second cluster access request, the second action requiring access to a second domain account associated with the remote computing device of the secondary domain and being permissible based the merged key table. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses a different client accessing the node in a second domain.] While Padmanaban teaches the system of claim 1 and teaches conventional use of Kerberos for clusters Padmanaban fails to explicitly teach how the conventional use is implemented. However, Gaikwad discloses that the conventional use requires a Key Distribution Centers is formed from an Authentication Server and Ticket Granting Server and further discloses that a keytab (e.g. key table) file is provided storing passwords from clients for the domain (e.g. BOB.COM) it serves. See Abstract, Page 153-155 of Gaikwad. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the features above in the invention as disclosed by Padmanaban in order to provide the conventional standard regarding security for cluster based server that would be known by one of ordinary skill in the art. The combination teaches the system of claim 1 and establishes the security required to implement clusters and access of a single node onto multiple domains and association of keytab files per domain on the principal that is using the file, however the combination and in particular Padmanaban states for those file servers to be integrated in a conventional AD context the machines composing the cluster have to be domain joined. This creates an administrative complexity for the deployment, and can expose the cluster to group policy management, with the overhead and complexity that involves. It also creates difficulties in locking down the machines from console access through domain credentials, see paragraph 0064 of Padmanaban. However, Migeon teaches that multiple keytab files can be merged into a single file that the principal can access. More specifically, Migeon teaches: merge the primary key table with the secondary key table to form a merged key table, wherein each key of the merged key table comprises an identifier of a domain account associated with an encryption key necessary to encrypt or decrypt a ticket of a ticket-based computer network authentication protocol; [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.] Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the features above in the invention as disclosed by Padmanaban and Gaikwad in order to simplify the administrative complexity by combining prior art elements (e.g. Migeon) according to known methods (e.g. Key Table Mergers) to yield predictable results (e.g. provide access to keys in a single file). Claim 2: Padmanaban teaches the system of claim 1, wherein the at least one processor is further configured to activate a system daemon operated on a node of the computational cluster. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] Claim 3: Padmanaban and Migeon teaches the system of claim 2, wherein, when connecting the remote computing device of the primary domain and the remote computing device of the secondary domain to the computational cluster, the at least one processor is configured to: connect the remote computing device of the primary domain and the remote computing device of the secondary domain to the computational cluster using the ticket-based computer network authentication protocol via the system daemon. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses clients in different domains may connect to the node using the conventionally using Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.] Claim 4: Padmanaban and Migeon teaches the system of claim 3, wherein, when permitting access by the computational cluster to perform the first action, the at least one processor is configured to: permit, using the system daemon, access by the computational cluster to perform the first action; and wherein, when permitting access by the computational cluster to perform the second action, the at least one processor is configured to: permit, using the system daemon, access by the computational cluster to perform the second action. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.] Claim 5: Padmanaban and Migeon teaches the system of claim 1, wherein the at least one processor is further configured to configure the ticket-based computer network authentication protocol to communicate with the primary domain and the secondary domain. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.] Claim 6: Padmanaban and Migeon teaches the system of claim 5, wherein, when configuring the ticket-based computer network authentication protocol, the at least one processor is further configured to activate an authentication service and a ticket-granting service on a domain controller for each of the primary domain and the secondary domain. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.] Claim 7: Padmanaban and Migeon teaches the system of claim 1, wherein the at least one processor is further configured to: initiate a discovery scan for each domain associated with the primary key table and the secondary key table; install data packages required to join the computational cluster to each domain associated with the primary key table and the secondary key table; and create an account entry for the computational cluster for each domain associated with the primary key table and the secondary key table. [e.g. Padmanaban; Abstract, Para. 0063, 0064, 0072, 0074, 0081, 0093, 0095, 0102, 0108, 0120, 0121, 0124, 0127, 0128, 0137, 0161 – Padmanaban discloses conventional use of Kerberos.] [e.g. Migeon; Abstract, Page 5, 9, 12-17, 25, 29, 55, 59, 60– Migeon discloses merging two keytab (e.g. key tables) into a single file using the ktutil shell and the conventional components and set up of the Kerberos protocol.] Regarding claims 8-20 they are method and manufacture claims essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841. The examiner can normally be reached Monday through Friday between 8:00 AM to 4:00 PM CST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Aug 01, 2024
Application Filed
Nov 14, 2025
Non-Final Rejection — §103, §DP
Feb 24, 2026
Interview Requested
Mar 04, 2026
Applicant Interview (Telephonic)
Mar 17, 2026
Examiner Interview Summary
Mar 27, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602467
In-memory scan for threat detection with binary instrumentation backed generic unpacking, decryption, and deobfuscation
2y 5m to grant Granted Apr 14, 2026
Patent 12585746
AUTHENTICATION SYSTEM, USER DEVICE, AND KEY INFORMATION TRANSMISSION METHOD
2y 5m to grant Granted Mar 24, 2026
Patent 12580915
SERVICE ACCESS METHOD AND APPARATUS
2y 5m to grant Granted Mar 17, 2026
Patent 12572668
DATA SECURITY USING REQUEST-SUPPLIED KEYS
2y 5m to grant Granted Mar 10, 2026
Patent 12561460
System And Method for Performing Security Analyses of Digital Assets
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+26.4%)
2y 10m
Median Time to Grant
Low
PTA Risk
Based on 362 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month