PKINIT with Active Directory

Wilper, Ross A rwilper at stanford.edu
Mon Apr 28 11:49:49 EDT 2014


Is your requirement to have the same certificate valid for two Kerberos realms that are "equivalent" (an AD and an MIT/Heimdal Kerberos realm)?

I worked with this a while ago (2010) issuing certificates from an AD-integrated AD-CS certificate server:
	Active Directory and MIT Kerberos use different certificate SAN "OtherName" extensions to map the certificate to the user.
	MIT and Heimdal Kerberos use id-pkinit-san (OID 1.3.6.1.5.2.2) with a principal name structure for contents
	AD uses OID 1.3.6.1.4.1.311.20.2.3 with userPrincipalName for contents

I wrote some custom code to inject pkinit-san into a request for an AD-CS certificate while we were testing. We managed to get a single smartcard certificate to PKINIT against both realms, but we never went anywhere beyond that.

--------

If you only want the Linux client to be able to use the certificate against AD (without the above complexity), then all you really need is:
1) The certificates must have the smartcard logon EKU
2) The domain controllers need to have a certificate which contains the EKU for KDC authentication, or strict KDC validation needs to be disabled
3) The CA issuing the certificates must be in the domain's list of "Authentication CAs", or you have to map the certificate to the user in the altSecurityIdentities property

All of the above are automatic if using an AD-CS CA in "enterprise" mode and you use the correct certificate templates (Kerberos Authentication for the DC, Smart Card Logon for the smartcard), so I may be missing some steps.

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Arpit Srivastava
Sent: Monday, April 28, 2014 6:12 AM
To: kerberos
Subject: PKINIT with Active Directory

Hi All,

I have a Windows AD (2008) infrastructure. I created the corresponding krb5.conf,
built the Krb source code, and am now able to get a TGT for that user on my
Linux machine using kinit.
My requirement is to set up PKINIT authentication on the client side (Linux)
with AD.

I have two choices:
1. Generate the certificates (as given at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) and map them
to user account and domain controller. I am not sure if AD would allow a
certificate to be mapped to domain controller.
2. Extract the certificate from the AD certsrv utility. I extracted the CA cert,
client key and cert, but what about its interoperability with MIT Kerberos
PKINIT, because the extension fields are missing? I don't think Windows has
any option where we can add an extension field as in from extensions.client
while generating the certificate. (How to make use of smart card certificate
enrollment here?)
Let me know what could be the best way out for this use case. Any help would be
highly appreciated.

Best,
Arpit
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
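The two SAN "OtherName" forms Ross describes (id-pkinit-san with a KRB5PrincipalName structure for MIT/Heimdal, the Microsoft UPN OID with a plain UTF8String for AD) are the crux of the interoperability question Arpit raises. The following is an added example, not code from either poster: it DER-encodes both otherNames into one GeneralNames value using only the Python standard library, parses them back, and reports which realm type could map the certificate to a user from its SAN alone. The realm, principal and UPN are constructed sample values; a real deployment would hand the encoded SAN to the CA (or to a request-generation tool such as the one Ross mentions writing) rather than build it by hand.

```python
"""DER encode/decode of the two PKINIT SAN otherName forms (added example).

Only the standard library is used. OID constants are the ones from the
thread; the realm, principal components and UPN below are constructed.
"""

OID_PKINIT_SAN = "1.3.6.1.5.2.2"        # id-pkinit-san: MIT / Heimdal mapping
OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName: AD mapping
NT_PRINCIPAL = 1                        # KRB_NT_PRINCIPAL name-type


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def encode_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def kerberos_string(s):
    return tlv(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString


def ctx(n, content):
    return tlv(0xA0 | n, content)        # [n] EXPLICIT, constructed


def encode_krb5_principal_name(realm, components, name_type=NT_PRINCIPAL):
    """KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }."""
    principal = tlv(0x30, ctx(0, encode_int(name_type))
                    + ctx(1, tlv(0x30, b"".join(kerberos_string(c) for c in components))))
    return tlv(0x30, ctx(0, kerberos_string(realm)) + ctx(1, principal))


def other_name(oid, value_der):
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    return tlv(0xA0, encode_oid(oid) + ctx(0, value_der))


def build_san(realm=None, components=None, upn=None):
    """GeneralNames with either or both otherNames, depending on what is given."""
    names = b""
    if realm and components:
        names += other_name(OID_PKINIT_SAN, encode_krb5_principal_name(realm, components))
    if upn:
        names += other_name(OID_MS_UPN, tlv(0x0C, upn.encode("utf-8")))  # UTF8String
    return tlv(0x30, names)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0   # first-arc split is exact for arcs 0 and 1
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_san_othernames(san_der):
    """Return {oid: inner DER value} for every otherName; other GeneralName types are skipped."""
    _, seq, _ = _read_tlv(san_der, 0)
    found, pos = {}, 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:
            continue
        _, oid_body, p = _read_tlv(body, 0)
        _, value, _ = _read_tlv(body, p)      # unwrap the [0] EXPLICIT value
        found[decode_oid(oid_body)] = value
    return found


def decode_krb5_principal_name(der):
    """Return 'comp1/comp2@REALM' from a KRB5PrincipalName DER value."""
    _, seq, _ = _read_tlv(der, 0)
    _, realm_c, p = _read_tlv(seq, 0)
    _, realm, _ = _read_tlv(realm_c, 0)
    _, pn_c, _ = _read_tlv(seq, p)
    _, pn, _ = _read_tlv(pn_c, 0)
    _, _, p = _read_tlv(pn, 0)                # skip name-type
    _, ns_c, _ = _read_tlv(pn, p)
    _, ns, _ = _read_tlv(ns_c, 0)
    comps, q = [], 0
    while q < len(ns):
        _, c, q = _read_tlv(ns, q)
        comps.append(c.decode("ascii"))
    return "/".join(comps) + "@" + realm.decode("ascii")


def mapping_report(san_der):
    """Which realm type can map this SAN to a user without extra altSecurityIdentities work."""
    names, report = parse_san_othernames(san_der), {}
    if OID_PKINIT_SAN in names:
        report["mit_heimdal"] = decode_krb5_principal_name(names[OID_PKINIT_SAN])
    if OID_MS_UPN in names:
        _, upn, _ = _read_tlv(names[OID_MS_UPN], 0)
        report["active_directory"] = upn.decode("utf-8")
    return report


if __name__ == "__main__":
    # Constructed sample identity: one certificate meant to PKINIT against both realms.
    san = build_san("EXAMPLE.COM", ["arpit"], "arpit@example.com")
    print(san.hex())
    print(mapping_report(san))
```

Run as a script it prints the DER hex and a report naming both realm types. A SAN built with only `upn=` yields a report containing just `active_directory`, which is the situation Arpit describes with a certificate enrolled from certsrv: AD can map it, but an MIT KDC finds no id-pkinit-san and would have to fall back to a different mapping rule.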
