Clear as mud: PKINIT and -nokey principal addition (krb5-1.13)

Siddharth Mathur smathur at
Mon Jan 5 03:24:51 EST 2015

Hello all,

My aim is to use krb5-1.13 with its PKINIT capability to configure
password-less authentication of mobile devices. Additionally, I intend
my application servers running HTTP to use SPNEGO/Negotiate to verify
authenticity of the aforementioned devices for service authorisation.

Despite deploying the right kind of client certificates on my mobile
devices (iOS) and using the right type of certificate on the KDC, I am
not sure if they are talking certificates at all. How do I debug if
the certificate matching rules are actually being evaluated on the
server, assuming the client is using its cert in the first place?

The krb5kdc.log file has no PKINIT events at all when a client request
comes in. This is despite rebuilding the plugin with DEBUG macro on in
the header file. Any pointers?

Since all my users will be _new_ users, I wish to have no passwords at
all while creating new user (device) principals, relying only on PKI.
The PKINIT documentation suggests using the -nokey argument for
add_principal, but I still get errors issuing a new token.

add_principal +requires_preauth -nokey 197f67@DOMAIN.MOBI

AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH:
197f67@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI, Additional
pre-authentication required

When I create a principal _with_ a password, and use that on the iOS
browser, the KDC does issue a ticket correctly, and the browser
submits the Negotiation: <token> header to my application server,
which suggests that DNS issues are not the issue any more.

Thanks for any pointers on achieving password-less client accounts via PKINIT.


More information about the Kerberos mailing list