Windows pkinit - failed to decode dhparams
Tom Yu
tlyu at MIT.EDU
Fri Mar 22 14:29:51 EDT 2013
Reinhard Kugler <rekuread at gmail.com> writes:
> (continued...) - I accidentally sent the message while composing - sorry
>
> the pkinit authentication with the same certificates works fine with
> Ubuntu 12.04 as a client.
> It seems Windows and Linux use different authentication schemes.
> I read in the RFC 4556 about a Diffie-Hellman and public key - key
> transport algorithm
> http://tools.ietf.org/html/rfc4556#section-3.2.3.1
>
> Have I overlooked something in the Windows configuration; is this a
> certificate issue?
> Can the choice of the "key transport algorithm" be influenced?
> Any other ideas?
I think we've seen this before; sometimes Windows omits the required
"q" value in the Diffie-Hellman parameters (even though it can be
trivially computed for certain well-known groups).
See
http://www.rfc-editor.org/errata_search.php?eid=3157
for more details. I don't remember if anyone filed a bug about this,
but we would consider implementing a workaround if there is interest.
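
Added example (not part of the original message, and not MIT krb5 code): a tolerant decoder for DH domain parameters sent without "q", which derives q and validates it instead of failing the decode. It assumes the sender encodes only p and g and that the group uses a safe prime, so q = (p - 1) / 2; the function names are hypothetical and the test bytes are a constructed toy group (p = 23, g = 2).

```python
import random

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV with a definite length."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def decode_dh_params(der):
    """Decode SEQUENCE { p, g, [q] }; when q is absent, derive it, then validate."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    ints, pos = [], 0
    # Read up to three leading INTEGERs; later optional fields are ignored here.
    while pos < len(body) and len(ints) < 3 and body[pos] == 0x02:
        _, val, pos = read_tlv(body, pos)
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("p and g are required")
    p, g = ints[:2]
    # Assumption: a safe-prime group, so a missing q is (p - 1) / 2.
    q = ints[2] if len(ints) == 3 else (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)) or (p - 1) % q:
        raise ValueError("p or q is not prime, or q does not divide p - 1")
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        raise ValueError("g does not generate the order-q subgroup")
    return p, g, q
```

The derived q is only accepted after the same primality and subgroup checks that a supplied q gets, so a non-safe-prime p with q omitted is rejected rather than silently trusted.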