guidance

Kevin Coffman kwc at umich.edu
Fri Jun 27 09:40:15 EDT 2008


Are you aware that there are two different flavors of pkinit?  There
is the original protocol deployed by Microsoft in Windows 2000
(sometimes referred to as the "Draft 9 version" because it was
basically the version defined by draft 9 of the RFC) and then the
finalized RFC version (which was something like draft number 24).

Do you know which version your client uses?  The code in MIT 1.6.3
supports both versions of the protocol.  It would be up to your client
to make sure that it correctly identifies the protocol version it is
using.  (There are different preauth padata types for each version.)

#define KRB5_PADATA_PK_AS_REQ_OLD       14 /* PKINIT */
#define KRB5_PADATA_PK_AS_REP_OLD       15 /* PKINIT */
#define KRB5_PADATA_PK_AS_REQ           16 /* PKINIT */
#define KRB5_PADATA_PK_AS_REP           17 /* PKINIT */

Beyond that, you would probably need to compile the KDC code to
support debugging and trace through to find the portion of the
client's request that the server code does not like.  You might start
looking at the code in src/lib/krb5/asn.1/asn1_k_decode.c.

K.C.
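To answer "which version does your client use?" from a captured request rather than by guessing, the following is an added example (not Kevin's code and not MIT krb5's decoder): a small hand-written DER walker that lists the padata-type values in an AS-REQ and maps 14 and 16 to the two PKINIT flavors above. It also mimics what the KDC decoder does when it hits a wrong identifier, reporting the absolute byte offset and the expected versus actual tag, which is the piece of information missing from the bare "ASN.1 identifier doesn't match expected value" log line. The `build_as_req` helper is a constructed skeleton (pvno, msg-type, padata and a placeholder req-body) used only as sample input; a real KDC would reject its body.

```python
"""Identify the PKINIT flavor an AS-REQ carries and pinpoint the first tag mismatch.
Hand-rolled DER walker: single-byte tags, definite lengths, no external modules."""

KRB5_PADATA_PK_AS_REQ_OLD = 14   # draft-9 flavor (Windows 2000)
KRB5_PADATA_PK_AS_REQ = 16       # RFC 4556 flavor

PKINIT_FLAVORS = {
    KRB5_PADATA_PK_AS_REQ_OLD: "draft-9 (PA-PK-AS-REQ-OLD)",
    KRB5_PADATA_PK_AS_REQ: "RFC 4556 (PA-PK-AS-REQ)",
}


class DerError(ValueError):
    """Carries the absolute offset plus expected and actual identifier."""


# --- encoding helpers, used only to construct the sample input ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _int(v):  # non-negative INTEGER, minimal two's-complement encoding
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_as_req(padata_types, type_tag=0xA1):
    """Constructed AS-REQ skeleton (assumption: only the padata part is faithful).
    type_tag lets a caller mis-tag padata-type to reproduce a decode failure."""
    pas = b"".join(
        _tlv(0x30, _tlv(type_tag, _int(t)) + _tlv(0xA2, _tlv(0x04, b"\x30\x00")))
        for t in padata_types)
    body = _tlv(0x30, _tlv(0xA0, _tlv(0x03, b"\x00\x00\x00\x00\x00")))  # placeholder req-body
    kdc_req = (_tlv(0xA1, _int(5)) + _tlv(0xA2, _int(10))          # pvno [1], msg-type [2]
               + _tlv(0xA3, _tlv(0x30, pas)) + _tlv(0xA4, body))  # padata [3], req-body [4]
    return _tlv(0x6A, _tlv(0x30, kdc_req))                         # [APPLICATION 10] KDC-REQ


# --- decoding ---
def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV at absolute offset off."""
    if off + 1 >= len(buf):
        raise DerError(f"offset {off}: truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise DerError(f"offset {off}: multi-byte tags not supported")
    if first < 0x80:
        length, start = first, off + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(buf):
            raise DerError(f"offset {off}: bad length encoding")
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        start = off + 2 + n
    end = start + length
    if end > len(buf):
        raise DerError(f"offset {off}: length {length} runs past end of data")
    return tag, start, end


def expect(buf, off, tag, what):
    """Like read_tlv but insists on one identifier, as the KDC's decoder does."""
    got, start, end = read_tlv(buf, off)
    if got != tag:
        raise DerError(f"offset {off} ({what}): ASN.1 identifier 0x{got:02x} "
                       f"doesn't match expected value 0x{tag:02x}")
    return start, end


def padata_types(msg):
    """Every padata-type in the AS-REQ, in wire order."""
    s, e = expect(msg, 0, 0x6A, "AS-REQ [APPLICATION 10]")
    s, e = expect(msg, s, 0x30, "KDC-REQ SEQUENCE")
    types, off = [], s
    while off < e:
        tag, vs, ve = read_tlv(msg, off)
        if tag == 0xA3:  # padata [3] SEQUENCE OF PA-DATA
            ls, le = expect(msg, vs, 0x30, "padata SEQUENCE OF")
            o = ls
            while o < le:
                ps, pe = expect(msg, o, 0x30, "PA-DATA SEQUENCE")
                ts, te = expect(msg, ps, 0xA1, "padata-type [1]")
                is_, ie = expect(msg, ts, 0x02, "padata-type INTEGER")
                types.append(int.from_bytes(msg[is_:ie], "big", signed=True))
                o = pe
        off = ve
    return types


def pkinit_flavors(msg):
    return [PKINIT_FLAVORS[t] for t in padata_types(msg) if t in PKINIT_FLAVORS]


def locate_mismatch(msg):
    """The decoder's complaint with its offset, or None when the walk succeeds."""
    try:
        padata_types(msg)
    except DerError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for types in ([14], [16], [2, 16]):
        print(types, "->", pkinit_flavors(build_as_req(types)))
    print(locate_mismatch(build_as_req([16], type_tag=0xA0)))
```

Feed `padata_types` the raw AS-REQ bytes from a capture (the UDP payload, or the TCP payload after its 4-byte length prefix) to see the padata types the client actually sends; a request that carries 14 but no 16 is speaking the draft-9 flavor. Because `expect` reports the absolute offset, the failing byte can be matched directly against a dumpasn1 listing of the same request.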

On Fri, Jun 27, 2008 at 8:42 AM, naveen.bn <naveen.bn at globaledgesoft.com> wrote:
>
> Hi Kevin,
>
> I am facing a problem and would like to get a suggestion from you regarding it.
>
> My seniors had come up with a kerberos client which took the reference from
> krb5-1.2.2, which was without PKINIT support, and they
> had added the PKINIT support for it.  I have no contact with them; I have
> no idea what server they had used.
> But, now that the  krb5-1.6.3 supports PKINIT, I am trying to use it as
> the server.  My client works without PKINIT, but with PKINIT
> support the server (krb5-1.6.3)  is not able to decode AS_REQ  packet and
> the kdc log says
> preauth (pkinit) verify failure: ASN.1 identifier doesn't match expected
> value.
>
> I tested the AS_REQ with the tool dumpasn1.c, I found no problem in pkinit
> asn1 dump.
>
> Kindly help me in solving this problem
> Thank you
>
> naveen
>
>
>
>
>
>
> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
> for the use of the addressee(s). If you are not the intended recipient,
> please notify the sender by e-mail and delete the original message. Global
> Edge Software Ltd has taken every reasonable precaution to minimize this
> risk, but is not liable for any damage you may sustain as a result of any
> virus in this e-mail. You should carry out your own virus checks before
> opening the e-mail or attachment. Global Edge Software Ltd reserves the
> right to monitor and review the content of all messages sent to or from this
> e-mail address
>


