PA-PK-AS-REQ missing

Wed Feb 17 11:49:09 EST 2010

Hi all,

       I am implementing PKINIT, but i am not getting PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP fields in the reply( KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC.
Its asking password to authenticate and sending encrypted time-stamp in the
second AS_REQ to KDC, but i want to use certificate based authentication. So
the fields PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are needed in the reply(
KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC. My KDC's krb5.conf and kdc.conf are
as follows:
****************************krb5.conf************************************
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = GLOBALEDGESOFT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 pkinit_anchors = DIR:/ca/
GLOBALEDGESOFT.COM={
       pkinit_require_eku = true
       pkinit_require_krbtgt_otherName = true
       pkinit_require_hostname_match = true
}

[realms]
 GLOBALEDGESOFT.COM = {
       kdc = 172.16.10.211
       admin_server = 172.16.10.211
       default_domain = globaledgesoft.com
 }

[domain_realm]
 .globaledgesoft.com = GLOBALEDGESOFT.COM
 globaledgesoft.com = GLOBALEDGESOFT.COM

[kdc]
 profile = /etc/kdc.conf
 pkinit_identity = FILE:/kdc/kdc.crt,/kdc/kdc.key
 require-preauth = yes

[kadmin]
 require-preauth = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
****************************************************************************
***********************kdc.conf*******************************************
[kdcdefaults]
       kdc_ports = 750,88
       pkinit_anchors = DIR:/ca/
       pkinit_identity = DIR:/kdc/

[realms]
       GLOBALEDGESOFT.COM = {
               database_name = /usr/local/var/krb5kdc/principal
               admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
               acl_file = /usr/local/var/krb5kdc/kadm5.acl
               key_stash_file = /usr/local/var/krb5kdc/.
k5.GLOBALEDGESOFT.COM
               kdc_ports = 750,88
               max_life = 10h 0m 0s
               max_renewable_life = 7d 0h 0m 0s
               pkinit_identity = FILE:/client/client.crt,/client/client.key
               pkinit_anchors = DIR:/ca/
               default_principal_expiration = +preauth, -pwservice
       }

[kdc]
 require-preauth = yes
*************************************************************************
I have generated the certificates using openssl:
/ca contains ca.crt  ca.csr  ca.key
/kdc contains kdc.crt  kdc.csr  kdc.key
/client contains client.crt  client.csr  client.key
*************************************************************************
I have not used any intermediate certificates, so i have not included
PKINIT_POOL and PKINIT_REVOKE in the above kdc.conf files. kdc.crt and
client.crt are signed by ca.crt. ca.crt i have generated as follows:

*************  CA certificates ***********/
** openssl genrsa -out ca.key 2048
** openssl req -new -key ca.key -out ca.csr
** openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
**
** at the end of this i have ca.crt and ca.key which is self signed
**
** /************* END of CA crt **************/
*
Plz kindly check the above kdc.conf, krb5.conf files and guide me what are
modifications needed so as to get PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields
in the reply( KRB5KDC_ERR_PREAUTH_REQUIRED ) from KDC.

Regards,
Vinay