Microsoft Active Directory / PKINIT
Tim Alsop
Tim at cybersafe.com
Thu Aug 12 15:44:24 EDT 2010
Doug,
This is good information. No, we haven't looked at the KILE document, so thankyou for reminding us of this.
It looks like wireshark needs to be updated :-)
Take care,
Tim
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
Sent: 12 August 2010 20:36
To: kerberos at mit.edu
Subject: Re: Microsoft Active Directory / PKINIT
On 8/12/2010 6:26 AM, Tim Alsop wrote:
> Hi,
>
> Does anybody know if/when Microsoft Active Directory will support PKINIT (RFC 4556). I understand that all versions of MS AD supports draft-9 of PKINIT, but not sure if the RFC is implemented/supported ?
>
> Also, I am interested to know about interoperability between the draft-9 implementation and the RFC 4556 implementation. For example, does the PKINIT included in the MIT code, which is RFC compliant interoperate with MS AD (draft-9) ?
>
> Any info you have on this is appreciated.
Have you looked at the Microsoft KILE document? It does list RFC 4556 and PA-PK-AS-REP [17] and refers to PA-PK-AS-REP_OLD (15)
http://msdn.microsoft.com/en-us/library/cc233964(v=PROT.13).aspx
In the KRB5-ERROR e-data, padata, I see what Wireshark refers to as PA-PK-AS-REP (15), but not 17.
We have mixed 2008 and 2003 DC so for backwards compatibility it might only present PA-PK-AS-REP (17) only if all the servers are 2008.
>
> Thanks,
> Tim
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list