Clear as mud: PKINIT and -nokey principal addition (krb5-1.13)

Greg Hudson ghudson at
Mon Jan 5 12:26:21 EST 2015

On 01/05/2015 03:24 AM, Siddharth Mathur wrote:
> Despite deploying the right kind of client certificates on my mobile
> devices (iOS) and using the right type of certificate on the KDC, I am
> not sure if they are talking certificates at all. How do I debug if
> the certificate matching rules are actually being evaluated on the
> server, assuming the client is using its cert in the first place?

With a desktop client it's easy to see what's going on using KRB5_TRACE
on the client, but with a mobile app that's not so easy.  wireshark or
another network-tracing tool can help, although interpreting the output
can be tricky.

> The krb5kdc.log file has no PKINIT events at all when a client request
> comes in. This is despite rebuilding the plugin with DEBUG macro on in
> the header file. Any pointers?

PKINIT DEBUG output just goes to stdout, so you need to run krb5kdc -n
and look at the terminal output to see it.

> Since all my users will be _new_ users, I wish to have no passwords at
> all while creating new user (device) principals, relying only on PKI.
> The PKINIT documentation
> (
> suggests using -nokey argument for add_principal , but I still get
> errors issuing a new token.
> add_principal +requires_preauth -nokey 197f67 at DOMAIN.MOBI
> AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH:
> 197f67 at DOMAIN.MOBI for krbtgt/DOMAIN.MOBI at DOMAIN.MOBI, Additional
> pre-authentication required

A NEEDED_PREAUTH error is a normal part of a preauthentication scenario,
so I'll need more information to be able to help with this.

It might help to try deploying to a regular Unix client, to help
distinguish between client-side issues with the iOS Kerberos
implementation (which I'm not very familiar with) and server-side issues.
