Question on Kerberos SSO with MS-PKCA (Microsoft's implementation of PKINIT) preauthentication

GK girishkmr at gmail.com
Tue Oct 14 07:12:31 EDT 2014


I am working on enabling Kerberos based SSO (with PKI used for initial
authentication) in our test environment.

The domain controller is Windows Server 2008 R2, the accessed resources are a
few web applications hosted on IIS on a Server 2008 R2 machine, and the
resource client is a Windows 7 machine, on which the user accesses the web
applications via a browser.

Currently I have enabled user authentication based on Kerberos in IIS (where
the web applications are hosted) and it is working fine (I can see all the
Kerberos transactions in Network Monitor).

However, my actual requirement is to achieve the same using X.509 (identity)
certificates installed on iOS devices: when a user with an identity
certificate installed on the device accesses these sites from within the
device, they should be let in without being prompted for user name and
password (Kerberos-based authentication with certificate (X.509) based
pre-authentication).


I have been trying to configure this in my environment but with no success.
Most searches on the web end up at integrating MIT Kerberos (based on Linux)
with MS AD with PKINIT, but I am looking for a way to achieve the same thing
in a Windows environment.

 

Recently I came across the link below,

http://msdn.microsoft.com/en-in/library/cc238455.aspx

which clearly says this PKI-based initial authentication is available with
MS-PKCA (Microsoft's implementation of PKINIT).

Then again, it's a developer document and it gives only technical details.

How do I implement MS-PKCA based Kerberos in a Windows environment?
Is my scenario practically achievable in a complete Windows environment?

Can anyone please help me with this?



--
View this message in context: http://kerberos.996246.n3.nabble.com/Question-on-Kerberos-SSO-with-MS-PKCA-Microsoft-s-implementation-of-PKINIT-preauthentication-tp41721.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

