Help in incorporating PKINIT

Greg Hudson ghudson at MIT.EDU
Tue May 21 10:58:31 EDT 2013

On 05/21/2013 03:19 AM, sasikumar bodathula wrote:
> 1. AS_REQ goes from client to KDC, where KDC replies with KRB2KDB_ERR_PREAUTH_REQUIRED
> 2. The next request AS_REQ from client to KDC goes with padata as PA-ENC-TIMESTAMP (Not PA-DASS with certificate value as expected)

Wireshark has the wrong name for padata type 16; it should be
PA-PK-AS_REQ.  But that isn't your problem.

> Please guide me if I am missing something in the API usage?

I'm not sure what is wrong.  If you are using a sufficiently recent
version of MIT krb5, you can get some additional information from the
library by setting the KRB5_TRACE environment variable to point to a
file, running your program, and then examining the file.  You can get
even more information by rebuilding the PKINIT sources with -DDEBUG, but
that takes a lot more work.

More information about the Kerberos mailing list