Help in incorporating PKINIT
Greg Hudson
ghudson at MIT.EDU
Tue May 21 10:58:31 EDT 2013
On 05/21/2013 03:19 AM, sasikumar bodathula wrote:
> 1. AS_REQ goes from client to KDC, where KDC replies with KRB2KDB_ERR_PREAUTH_REQUIRED
> 2. The next request AS_REQ from client to KDC goes with padata as PA-ENC-TIMESTAMP (Not PA-DASS with certificate value as expected)

Wireshark has the wrong name for padata type 16; it should be
PA-PK-AS_REQ. But that isn't your problem.

> Please guide me if I am missing something in the API usage?

I'm not sure what is wrong. If you are using a sufficiently recent
version of MIT krb5, you can get some additional information from the
library by setting the KRB5_TRACE environment variable to point to a
file, running your program, and then examining the file. You can get
even more information by rebuilding the PKINIT sources with -DDEBUG, but
that takes a lot more work.
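
One way to examine the KRB5_TRACE file mentioned above, as an added example that is not part of the original message or of MIT krb5: it reports which padata types the KDC offered and which the client sent, and flags the symptom in this thread (type 16 offered, only type 2 sent). The trace line wording matched here and the sample trace are assumptions constructed for illustration; check them against your own trace file.

```python
import re

# Padata type numbers from RFC 4120 / RFC 4556 (subset relevant to this thread).
PADATA_NAMES = {2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
                16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}
PKINIT_REQ, ENC_TIMESTAMP = 16, 2

# Assumed wording of the two trace lines of interest.
OFFERED = re.compile(r"Processing preauth types: (.*)$")
PRODUCED = re.compile(r"Produced preauth for next request: (.*)$")

def parse_types(field):
    """Accept bare numbers ("16, 2") or named entries ("PA-PK-AS-REQ (16)")."""
    types = []
    for item in (part.strip() for part in field.split(",")):
        named = re.search(r"\((\d+)\)$", item)
        if named:
            types.append(int(named.group(1)))
        elif item.isdigit():
            types.append(int(item))
    return types

def summarize_trace(text):
    offered, sent = set(), set()
    for line in text.splitlines():
        m = OFFERED.search(line)
        if m:
            offered.update(parse_types(m.group(1)))
        m = PRODUCED.search(line)
        if m:
            sent.update(parse_types(m.group(1)))
    return {
        "offered": sorted(offered),
        "sent": sorted(sent),
        # KDC advertised PKINIT, but the client only produced an encrypted timestamp.
        "fell_back_to_timestamp": PKINIT_REQ in offered
        and PKINIT_REQ not in sent and ENC_TIMESTAMP in sent,
    }

# Constructed sample trace (not captured from a real run).
SAMPLE_TRACE = """\
[2101] 1369148311.110000: Received error from KDC: -1765328359/Additional pre-authentication required
[2101] 1369148311.120000: Processing preauth types: 16, 15, 14, 19, 2
[2101] 1369148311.130000: Produced preauth for next request: 2
"""

if __name__ == "__main__":
    result = summarize_trace(SAMPLE_TRACE)
    for key in ("offered", "sent"):
        print(key, [PADATA_NAMES.get(t, str(t)) for t in result[key]])
    print("fell back to PA-ENC-TIMESTAMP:", result["fell_back_to_timestamp"])
```
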