Windows pkinit - failed to decode dhparams

Tom Yu tlyu at MIT.EDU
Fri Mar 22 14:29:51 EDT 2013

Reinhard Kugler <rekuread at> writes:

> (continued...) - I accidentally sent the message while composing - sorry
> The pkinit authentication with the same certificates works fine with
> Ubuntu 12.04 as a client.
> It seems Windows and Linux use different authentication schemes.
> I read in RFC 4556 about a Diffie-Hellman and public key - key
> transport algorithm.
> Have I overlooked something in the Windows configuration; is this a
> certificate issue?
> Can the choice of the "key transport algorithm" be influenced?
> Any other ideas?

I think we've seen this before; sometimes Windows omits the required
"q" value in the Diffie-Hellman parameters (even though it can be
trivially computed for certain well-known groups).


for more details.  I don't remember if anyone filed a bug about this,
but we would consider implementing a workaround if there is interest.
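
The decoding failure described above, as an added example that is not part of the original message and is not MIT krb5 code: a minimal DER reader for the RFC 3279 DomainParameters sequence that accepts a missing "q" only when p is a safe prime, so that q = (p-1)/2 can be recomputed and checked. The function names and the toy parameters are assumptions constructed for illustration.

```python
# Added example, not MIT krb5 code. Constructed toy inputs (p=2039, g=2, q=1019):
WITH_Q = bytes.fromhex("300b020207f7020102020203fb")  # SEQUENCE { p, g, q }
NO_Q = bytes.fromhex("3007020207f7020102")            # q omitted, p is a safe prime
NO_Q_UNSAFE = bytes.fromhex("3007020207ed020102")     # q omitted, p=2029 is not safe

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23)):  # Miller-Rabin
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a witnesses that n is composite
    return True

def decode_dh_params(der):  # -> (p, g, q, q_was_derived)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 3:
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x02:                    # stop at the first non-INTEGER field
            break
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("DomainParameters needs at least p and g")
    p, g = ints[:2]
    q = ints[2] if len(ints) == 3 else (p - 1) // 2   # recompute only if absent
    if len(ints) == 2 and not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("q missing and p is not a safe prime")
    return p, g, q, len(ints) == 2
```

A decoder that insists on all three integers rejects the second sample outright, which is the strict behaviour the error in the subject line points to.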
