Setting up PKINIT in Kerberos

Roland Kloeters roland.kloeters at xcom.de
Thu Jun 3 18:22:55 EDT 2010


Hi folks,

I am new to using Kerberos. I am trying to set up a KDC to work with PKINIT.
I barely found any information on the Internet about how to set up the system to work with smartcards, so I am posting my question here.

I read the Admin Guide up and down but found no clarification.

What I did:
I set up a Kerberos 1.7 Server and configured the system.
Login with kinit works properly.

Then I configured the server to accept smartcards by setting +requires_hwauth on my principal.

Using kinit on the client results in "Looping detected while..."
So I brought in Wireshark to see what happens.
Wireshark gives me a bunch of "NEEDED_HW_PREAUTH" messages that all fail.

Now my questions:
Is there a guide that tells me what to do to set up PKINIT on server and client?
What certificates do I have to provide, and what options have to be set in the certificates and the krb5.conf files on client and server?

I have a CA with a root certificate so I can set whatever I need.

Any help is welcome.

Best regards,
Roland



