Differentiate the ServiceTicket issued from Kinit vs PKinit

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Jun 2 21:11:07 EDT 2015


> Today we use password based authentication (kinit). And we want to
> introduce PKinit. But while validating ServiceTicket we would like to know
> if the service ticket was issued through Kinit or PKinit
>
> Is there a way to find this?

We sort-of do this, but it may not directly be applicable.

Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
policy OID is found in the client certificate (in our case, the policy
OID we check for is if the certificate comes from a smartcard, so the
use of HW-AUTH is appropriate).  Flags set in a TGT get propagated to
service tickets, so we have code on application servers that checks to see
if the HW-AUTH flag exists for service tickets to make authorization
decisions.

So, you could do that (if your client-side certificates are issued from
a hardware device), or overload the HW-AUTH flag.  Checking that on the
application server side is easy.

But ... if you don't want to do that, you MAY be able to check the service
ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
glance suggests to me that MIT Kerberos doesn't generate that data, but
I could be wrong about that).  That would require further investigation.

--Ken
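Added example, not from the post or from MIT Kerberos: the application-server check Ken describes, worked through at the wire level. It decodes the RFC 4120 TicketFlags BIT STRING that a service ticket carries in its EncTicketPart, reports which flags are set, and applies the "hw-authent required" policy; the two DER inputs are constructed, one with the flag set as the KDC-side PKINIT module would (smartcard case) and one as a password kinit would leave it. The 32-bit word it derives has the same layout as MIT's `enc_part2->flags`, so `TKT_FLG_HW_AUTH` below equals the value in MIT's krb5.h.

```python
"""Decode RFC 4120 TicketFlags and apply an application-server HW-AUTH policy."""

# Bit positions from RFC 4120 section 5.2.8; bit 0 is the most significant bit.
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable", 9: "initial",
    10: "pre-authent", 11: "hw-authent", 12: "transited-policy-checked",
    13: "ok-as-delegate",
}
TKT_FLG_HW_AUTH = 0x00100000  # MIT krb5.h value: bit 11 of the 32-bit flag word

# Constructed DER BIT STRINGs (tag 0x03, length 5, 0 unused bits, 32 flag bits).
SMARTCARD_TICKET_FLAGS = b"\x03\x05\x00\x40\x30\x00\x00"  # forwardable, pre-authent, hw-authent
PASSWORD_TICKET_FLAGS = b"\x03\x05\x00\x40\x20\x00\x00"   # forwardable, pre-authent


def _bit_string_body(der: bytes) -> bytes:
    """Return the flag octets of a short-form DER BIT STRING, validating its framing."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("bad or unsupported BIT STRING length")
    unused, body = der[2], der[3:]
    # RFC 4120: TicketFlags SHALL be at least 32 bits long.
    if unused > 7 or len(body) * 8 - unused < 32:
        raise ValueError("TicketFlags must carry at least 32 bits")
    return body


def decode_ticket_flags(der: bytes) -> set:
    """Decode TicketFlags into the set of flag names that are set."""
    body = _bit_string_body(der)
    nbits = len(body) * 8 - der[2]
    return {TICKET_FLAG_NAMES.get(bit, "bit%d" % bit)
            for bit in range(nbits) if body[bit // 8] & (0x80 >> (bit % 8))}


def mit_flag_word(der: bytes) -> int:
    """First 32 flag bits as the big-endian word MIT exposes in enc_part2->flags."""
    return int.from_bytes(_bit_string_body(der)[:4], "big")


def hw_auth_required(der: bytes) -> bool:
    """Authorization policy from the post: only tickets carrying hw-authent pass."""
    return "hw-authent" in decode_ticket_flags(der)


if __name__ == "__main__":
    for label, der in (("smartcard", SMARTCARD_TICKET_FLAGS), ("password", PASSWORD_TICKET_FLAGS)):
        print(label, sorted(decode_ticket_flags(der)), "allowed" if hw_auth_required(der) else "denied")
```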

