Windows pkinit - failed to decode dhparams

Reinhard Kugler rekuread at gmail.com
Fri Mar 22 12:26:37 EDT 2013


hello list,
I need your help!

I am trying to authenticate a Windows 7 client with a smartcard against the MIT
Kerberos server using PKINIT.
I get the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.

Setup:
- Windows 7 + smartcard (+ certificate)
- CentOS 6.3 + MIT Kerberos krb5-1.11.1 (compiled from source with #define DEBUG in pkinit)

I start Kerberos with "/usr/local/sbin/krb5kdc -n".
On the Windows 7 machine I start "runas /smartcard cmd".
The right certificate is selected and an AS-REQ is sent.
The KDC responds with error_code KRB5KDC_ERR_PREAUTH_REQUIRED (25).
Another AS-REQ is passed to the server.

I also tried it with a Linux client using kinit.


Server log:
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm
'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm
'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm
'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm
'kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm
'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1cbfe30
pkinit_init_kdc_req_context: returning reqctx at 0x1cc2880
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
failed to decode dhparams
bad dh parameters
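The last two log lines are where the KDC parses the DH domain parameters carried in the client's PA-PK-AS-REQ (the parameters of the dhpublicnumber AlgorithmIdentifier in clientPublicValue). As an added example, not code from the post or from MIT krb5, here is a minimal decoder for the two DER shapes those parameters take, PKCS#3 DHParameter and the RFC 3279 DomainParameters form that RFC 4556 specifies, plus the sanity checks a KDC applies before accepting a group; the sample group is RFC 2409 Oakley group 2 and the encoded inputs are constructed locally.

```python
# Added example (not from the post or MIT krb5): DER-decode Diffie-Hellman domain
# parameters in both shapes a PKINIT KDC may see: PKCS#3 DHParameter, SEQUENCE
# { p, g, privateValueLength OPTIONAL }, and RFC 3279 DomainParameters (the form
# RFC 4556 uses), SEQUENCE { p, g, q, j OPTIONAL, validationParms OPTIONAL }.
P_1024 = int(  # RFC 2409 Oakley group 2 (1024-bit MODP), one of the groups RFC 4556 lists
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):  # a leading 0x00 byte where needed keeps the INTEGER positive
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params(p, g, q=None):  # PKCS#3 form if q is None, else RFC 3279 form
    body = _der_int(p) + _der_int(g) + (_der_int(q) if q is not None else b"")
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):  # parse one DER tag-length-value; -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, needed for a 1024-bit prime
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_dh_params(der):  # -> (p, g, q or None); ValueError if malformed
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DH parameters must be a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:  # j and validationParms would need further handling
            raise ValueError("unexpected non-INTEGER element in DH parameters")
        ints.append(int.from_bytes(val, "big"))
    p, g, *rest = ints  # ValueError if fewer than p and g are present
    return p, g, (rest[0] if rest else None)

def check_dh_params(der, min_bits=1024):  # checks a KDC applies before accepting the group
    p, g, q = decode_dh_params(der)
    if p.bit_length() < min_bits:
        return False, "prime too small: %d bits" % p.bit_length()
    if q is not None and (p - 1) % q != 0:
        return False, "q does not divide p-1"
    return True, "%d-bit p, g=%d, q %s" % (p.bit_length(), g, "present" if q else "absent")
```

Feeding the decoder the parameters extracted from a capture of the failing AS-REQ shows which shape the client sent and whether the values themselves are sane, which separates a decoding problem from a rejected group.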

