Differentiate the ServiceTicket issued from Kinit vs PKinit

[Aravind Jerubandi]

Hi Ken,

Thanks for your response. This really helps.




*Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a
particular          policy OID is found in the client certificate (in our
case, the policy          OID we check for is if the certificate comes from
a smartcard, so the          use of HW-AUTH is appropriate). *

Does this mean the client certificate should have the policy :
1.3.6.1.4.1.311.20.2.2
 (Smart Card Logon)?

Is it only the client certificate or CA cert should also have this policy?


On Tue, Jun 2, 2015 at 6:11 PM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

> > Today we use password based authentication (kinit). And we want to
> > introduce PKinit. But while validating ServiceTicket we would like to
> know
> > if the service ticket issued through Kinit to PKinit
> >
> > Is there a way to find this?
>
> We sort-of do this, but it may not directly be applicable.
>
> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a
> particular
> policy OID is found in the client certificate (in our case, the policy
> OID we check for is if the certificate comes from a smartcard, so the
> use of HW-AUTH is appropriate).  Flags set in a TGT get propagated to
> service tickets, so we have code on application servers that checks to see
> if the HW-AUTH flag exists for service tickets to make authorization
> decisions.
>
> So, you could do that (if your client-side certificates is issued from
> a hardware device), or overload the HW-AUTH flag.  Checking that on the
> application server side is easy.
>
> But ... if you don't want to do that, you MAY be able to check the service
> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
> glance suggests to me that MIT Kerberos doesn't generate that data, but
> I could be wrong about that).  That would require further investigation.
>
> --Ken
>



-- 
Thanks & Regards,
J.Aravind