Microsoft Active Directory / PKINIT

Tim Alsop Tim at cybersafe.com
Thu Aug 12 15:44:24 EDT 2010


Doug,

This is good information. No, we haven't looked at the KILE document, so thank you for reminding us of this.

It looks like wireshark needs to be updated :-)

Take care,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
Sent: 12 August 2010 20:36
To: kerberos at mit.edu
Subject: Re: Microsoft Active Directory / PKINIT



On 8/12/2010 6:26 AM, Tim Alsop wrote:
> Hi,
>
> Does anybody know if/when Microsoft Active Directory will support PKINIT (RFC 4556)? I understand that all versions of MS AD support draft-9 of PKINIT, but I am not sure if the RFC is implemented/supported?
>
> Also, I am interested to know about interoperability between the draft-9 implementation and the RFC 4556 implementation. For example, does the PKINIT included in the MIT code, which is RFC compliant, interoperate with MS AD (draft-9)?
>
> Any info you have on this is appreciated.


Have you looked at the Microsoft KILE document? It does list RFC 4556 and PA-PK-AS-REP (17), and refers to PA-PK-AS-REP_OLD (15).

http://msdn.microsoft.com/en-us/library/cc233964(v=PROT.13).aspx

In the KRB5-ERROR e-data, padata, I see what Wireshark refers to as PA-PK-AS-REP (15), but not 17.

We have mixed 2008 and 2003 DCs, so for backwards compatibility it might present PA-PK-AS-REP (17) only if all the servers are 2008.

>
> Thanks,
> Tim
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
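As an added example (not part of this thread or of any of the posters' tools), the following Python decodes the METHOD-DATA padata list a KDC returns as KRB-ERROR e-data and reports whether the advertised PKINIT types are the RFC 4556 numbers (16/17), the draft-9 numbers (14/15), or both. The padata-type values are those registered in RFC 4120 and RFC 4556; the two sample blobs are constructed here, not captured traffic.

```python
"""Decode KRB-ERROR e-data METHOD-DATA and classify the KDC's advertised PKINIT types."""

# padata-type numbers from RFC 4120 / RFC 4556 (draft-9 PKINIT used 14 and 15)
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2",
            14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP"}

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_method_data(edata):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA { [1] Int32 type, [2] OCTET STRING value }."""
    tag, seq, _ = der_tlv(edata, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    items, pos = [], 0
    while pos < len(seq):
        tag, padata, pos = der_tlv(seq, pos)
        t1, ctx1, nxt = der_tlv(padata, 0)     # [1] EXPLICIT wrapper around INTEGER
        t2, ctx2, _ = der_tlv(padata, nxt)     # [2] EXPLICIT wrapper around OCTET STRING
        if (tag, t1, t2) != (0x30, 0xA1, 0xA2):
            raise ValueError("malformed PA-DATA")
        _, type_bytes, _ = der_tlv(ctx1, 0)
        _, value, _ = der_tlv(ctx2, 0)
        items.append((int.from_bytes(type_bytes, "big", signed=True), value))
    return items

def pkinit_support(edata):
    """'rfc4556', 'draft9', 'both' or 'none', from the padata types the KDC lists."""
    types = {t for t, _ in parse_method_data(edata)}
    rfc, old = bool(types & {16, 17}), bool(types & {14, 15})
    return {(True, True): "both", (True, False): "rfc4556",
            (False, True): "draft9", (False, False): "none"}[(rfc, old)]

def pa_hint(padata_type):
    """Constructed PA-DATA with an empty padata-value (types below 128 only)."""
    return bytes([0x30, 0x09, 0xA1, 0x03, 0x02, 0x01, padata_type, 0xA2, 0x02, 0x04, 0x00])

def method_data(*types):
    body = b"".join(pa_hint(t) for t in types)
    return bytes([0x30, len(body)]) + body    # short-form length: body is under 128 bytes

# Constructed samples: the first mirrors the observation above (PA-PK-AS-REP_OLD (15)
# advertised, no PA-PK-AS-REP (17)); the second lists the RFC 4556 types instead.
SAMPLE_DRAFT9 = method_data(2, 19, 15, 11)
SAMPLE_RFC4556 = method_data(2, 19, 16, 17, 11)
```

Feeding a real e-data blob to `pkinit_support` tells you what the KDC hints at without waiting for a Wireshark dissector update; `PA_NAMES` maps the numbers back to the names used in the KILE document.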