PKINIT with Active Directory
Arpit Srivastava
arpit.orb at gmail.com
Mon Apr 28 09:12:26 EDT 2014
Hi All,
I have a Windows AD (2008) infrastructure. I created the corresponding krb5.conf,
built the Krb source code, and am now able to get a TGT for that user on my
Linux machine using kinit.
My requirement is to set up PKINIT authentication on the client side (Linux)
with AD.
I have two choices:
1. Generate the certificates (as given at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) and map them
to the user account and domain controller. I am not sure if AD would allow a
certificate to be mapped to a domain controller.
2. Extract the certificate from the AD certsrv utility. I extracted the CA cert,
client key and cert, but what about its interoperability with MIT Kerberos
PKINIT, because the extension fields are missing? I don't think Windows has
any option where we can add extension fields as in extensions.client
while generating the certificate. (How to make use of smart card certificate
enrollment here?)
Let me know what would be the best way out for this use case. Any help would be
highly appreciated.
Best,
Arpit
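As an added example (not part of the post above, and not MIT or Microsoft code), the script below shows concretely which extensions the second question is about. It issues a throw-away test CA and a client certificate whose extensions are built with OpenSSL's ASN.1 generator the way the MIT pkinit guide does (the id-pkinit-san otherName 1.3.6.1.5.2.2 and the id-pkinit-KPClientAuth EKU 1.3.6.1.5.2.3.4, which MIT krb5 matches on) and additionally the two fields an AD KDC looks for when mapping a smart-card certificate to an account (the Microsoft Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2 and the UPN otherName 1.3.6.1.4.1.311.20.2.3). It then verifies the issued certificate by searching its DER encoding for the four OIDs, which works the same on every OpenSSL version. The realm EXAMPLE.COM, the principal alice, the UPN suffix and the file names are constructed placeholders; any certificate used against a real AD would have to be issued by a CA the domain trusts, not by this test CA.

```shell
#!/bin/sh
# Added example, not from the original post: issue a test CA and a PKINIT client
# certificate carrying the extensions MIT krb5 matches on (id-pkinit-san,
# id-pkinit-KPClientAuth) plus the ones an AD KDC expects for smart-card logon
# (Microsoft Smart Card Logon EKU, UPN otherName), then verify them in the DER.
# REALM, CLIENT and the derived UPN suffix are constructed placeholders.
set -eu

REALM="${REALM:-EXAMPLE.COM}"   # constructed placeholder Kerberos realm
CLIENT="${CLIENT:-alice}"       # constructed placeholder client principal
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/pkinit-demo}"

# OpenSSL config. [princ_name]/[principal_seq]/[principals] build the
# KRB5PrincipalName SAN with OpenSSL's ASN.1 generator, as the MIT pkinit
# guide does; the UPN otherName and the smart-card logon EKU are the fields
# AD uses to map the certificate to the account.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = ${ENV::CLIENT}

[ extensions_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ extensions_client ]
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4,1.3.6.1.4.1.311.20.2.2
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${ENV::CLIENT}@${ENV::UPN_DOMAIN}

[ princ_name ]
realm = EXP:0,GeneralString:${ENV::REALM}
principal_name = EXP:1,SEQUENCE:principal_seq

[ principal_seq ]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:principals

[ principals ]
princ1 = GeneralString:${ENV::CLIENT}
EOF
}

# Generate the CA key/cert, the client key, a CSR and the signed client cert in $1.
generate_certs() {
  dir="$1"; cnf="$dir/pkinit.cnf"
  mkdir -p "$dir"
  write_openssl_cnf "$cnf"
  UPN_DOMAIN=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')   # AD UPN suffix is the DNS domain
  export REALM CLIENT UPN_DOMAIN
  openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/cakey.pem" -subj "/CN=Test PKINIT CA" -days 365 \
    -config "$cnf" -extensions extensions_ca -out "$dir/cacert.pem"
  openssl genrsa -out "$dir/$CLIENT-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/$CLIENT-key.pem" -config "$cnf" -out "$dir/$CLIENT.csr"
  openssl x509 -req -in "$dir/$CLIENT.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 365 -extfile "$cnf" -extensions extensions_client \
    -out "$dir/$CLIENT.pem" 2>/dev/null
}

# Check that the DER of $1 contains the four OIDs. Matching DER bytes instead of
# `openssl x509 -text` output avoids the version-dependent rendering of otherName.
check_cert() {
  hex=$(openssl x509 -in "$1" -outform DER | od -An -tx1 | tr -d ' \n')
  for oid in 06062b0601050202 \
             06072b060105020304 \
             060a2b060104018237140202 \
             060a2b060104018237140203; do
    case "$hex" in
      *"$oid"*) ;;
      *) echo "$1: missing OID with DER $oid" >&2; return 1 ;;
    esac
  done
  echo "$1: id-pkinit-san, PKINIT client EKU, smart-card logon EKU and UPN SAN present"
}

if command -v openssl >/dev/null 2>&1; then
  generate_certs "$WORKDIR"
  check_cert "$WORKDIR/$CLIENT.pem"
  openssl x509 -in "$WORKDIR/$CLIENT.pem" -noout -text | grep -A1 -E 'Key Usage|Alternative Name'
else
  mkdir -p "$WORKDIR"; write_openssl_cnf "$WORKDIR/pkinit.cnf"
  echo "openssl not found; wrote $WORKDIR/pkinit.cnf only" >&2
fi
```

On the MIT side the resulting pair is referenced from krb5.conf as `pkinit_identities = FILE:/path/alice.pem,/path/alice-key.pem` with `pkinit_anchors` pointing at the CA certificate; for the AD side, the same four OIDs are what to look for (with `check_cert` or `openssl x509 -text`) in a certificate obtained through certsrv or a smart-card enrollment template, since a template that omits the UPN SAN or the logon EKU will not be mapped to the account by the domain controller.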