Preauthentication Error

vinay kumar winay.l at gmail.com
Fri Feb 19 05:57:32 EST 2010


Hi all,

        I am implementing PKINIT. I have generated certificates using
the openssl tool, but I am not getting the PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED)
from the KDC. It's asking for a password to
authenticate and sending an encrypted timestamp in the second AS_REQ to
the KDC, but I want to use certificate-based authentication. So the fields
PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are needed in the
reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.
       I have compiled the preauth pkinit plugin with the '-DDEBUG' option;
the following data is displayed when I run the KDC in the foreground:
***********************************************************************************************************

bash-3.1# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'GLOBALEDGESOFT.COM'
pkinit_server_plugin_init_realm: initializing context at 0x8065e98 for realm 'GLOBALEDGESOFT.COM'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x806ff28
pkinit_init_identity_crypto: returning ctx at 0x8070fa8
pkinit_init_kdc_profile: entered for realm GLOBALEDGESOFT.COM
pkinit_fini_identity_crypto: freeing   ctx at 0x8070fa8
pkinit_fini_plg_crypto: freeing context at 0x806ff28
pkinit_server_plugin_fini: freeing   context at 0x8064a58

**********************************************************************************************************
No extra data is displayed when I do kinit for a principal from the
client system.
The reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC captured in
Wireshark contains the following fields:
*********************************************************************************************************
e-text: NEEDED-PREAUTH
e-data
   padata: PA-ENC-TIMESTAMP Unknown:B6 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
Type: PA-ENC-TIMESTAMP(2)
Type: Unknown(136)
Type:PA-ENCTYPE-INFO2(19)
Type:PA-SAM-RESPONSE(13)
Type:Unknown(133)
*********************************************************************************************************

Please guide me on what modifications are needed to get the PA-DASS,
PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply
(KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.

Regards,
Vinay
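
Added example, not part of the original post: a Python check that reads the "Type: NAME(N)" lines of the Wireshark output quoted above and reports whether any PKINIT pre-authentication type (14 to 17 in RFC 4120 / RFC 4556) is among the hints the KDC sent. The function names are this example's own, and the names given for types 133 and 136 are an addition taken from RFC 6113.

```python
import re

# Pre-authentication type numbers as assigned in RFC 4120, RFC 4556 and RFC 6113.
PADATA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    13: "PA-SAM-RESPONSE",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
}
PKINIT_TYPES = {14, 15, 16, 17}

# Dissector lines copied from the post above.
CAPTURE = """\
Type: PA-ENC-TIMESTAMP(2)
Type: Unknown(136)
Type:PA-ENCTYPE-INFO2(19)
Type:PA-SAM-RESPONSE(13)
Type:Unknown(133)
"""

# Matches "Type: NAME(N)" with or without a space after the colon.
TYPE_LINE = re.compile(r"^\s*Type:\s*\S.*?\((\d+)\)\s*$")


def advertised_types(text):
    """Return the padata type numbers found in 'Type: NAME(N)' lines, in order."""
    found = []
    for line in text.splitlines():
        match = TYPE_LINE.match(line)
        if match:
            found.append(int(match.group(1)))
    return found


def report(text):
    """Name each advertised type and say whether any PKINIT type is present."""
    types = advertised_types(text)
    return {
        "types": [(t, PADATA_NAMES.get(t, "not in this table")) for t in types],
        "pkinit_offered": any(t in PKINIT_TYPES for t in types),
    }


if __name__ == "__main__":
    result = report(CAPTURE)
    for number, name in result["types"]:
        print(f"{number:>4}  {name}")
    print("PKINIT offered by KDC:", result["pkinit_offered"])
```

For the capture in the post, the list contains no PKINIT type, which matches the password prompt the client falls back to.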


