Differentiate the ServiceTicket issued from Kinit vs PKinit
Aravind Jerubandi
aravind.jerubandi at gmail.com
Wed Jun 3 02:20:23 EDT 2015
Hi Ken,
Thanks for your response. This really helps.
> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a
> particular policy OID is found in the client certificate (in our
> case, the policy OID we check for is if the certificate comes from
> a smartcard, so the use of HW-AUTH is appropriate).
Does this mean the client certificate should have the policy
1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)?
Is it only the client certificate, or should the CA cert also have this policy?
On Tue, Jun 2, 2015 at 6:11 PM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> > Today we use password-based authentication (kinit). And we want to
> > introduce PKinit. But while validating the ServiceTicket we would like to
> > know if the service ticket was issued through Kinit or PKinit.
> >
> > Is there a way to find this?
>
> We sort-of do this, but it may not directly be applicable.
>
> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a
> particular
> policy OID is found in the client certificate (in our case, the policy
> OID we check for is if the certificate comes from a smartcard, so the
> use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
> service tickets, so we have code on application servers that checks to see
> if the HW-AUTH flag exists for service tickets to make authorization
> decisions.
>
> So, you could do that (if your client-side certificates are issued from
> a hardware device), or overload the HW-AUTH flag. Checking that on the
> application server side is easy.
>
> But ... if you don't want to do that, you MAY be able to check the service
> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
> glance suggests to me that MIT Kerberos doesn't generate that data, but
> I could be wrong about that). That would require further investigation.
>
> --Ken
>
--
Thanks & Regards,
J.Aravind
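The check Ken describes in the quoted reply, as an added example that is not code from the thread or from MIT Kerberos: the KDC sets HW-AUTH on the TGT when the PKINIT client certificate carries the expected policy OID, the flag is copied into every service ticket derived from that TGT, and the application server makes its authorization decision on that bit. On a real server the flags come from the krb5 library (MIT's gss_krb5_get_tkt_flags() returns them for an accepted GSSAPI context); to keep this runnable offline, the example instead reads the same flags from `klist -f` output. The bit values are the TKT_FLG_* constants from MIT krb5.h, the one-letter codes are those printed by klist, and both ticket-cache listings below are constructed for this example. The principal names, the `require_hw_auth` policy knob and the helper names are assumptions.

```python
# Added example (not from the Kerberos mailing-list thread): decide whether a
# service ticket came from a smartcard PKINIT logon by testing the HW-AUTH
# ticket flag, which the KDC set on the TGT and which propagates to every
# service ticket obtained with that TGT.
import re

# TKT_FLG_* bit values as defined in MIT krb5's krb5.h.
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_FORWARDED = 0x20000000
TKT_FLG_PROXIABLE = 0x10000000
TKT_FLG_PROXY = 0x08000000
TKT_FLG_MAY_POSTDATE = 0x04000000
TKT_FLG_POSTDATED = 0x02000000
TKT_FLG_INVALID = 0x01000000
TKT_FLG_RENEWABLE = 0x00800000
TKT_FLG_INITIAL = 0x00400000
TKT_FLG_PRE_AUTH = 0x00200000
TKT_FLG_HW_AUTH = 0x00100000
TKT_FLG_TRANSIT_POLICY_CHECKED = 0x00080000
TKT_FLG_OK_AS_DELEGATE = 0x00040000
TKT_FLG_ANONYMOUS = 0x00020000

# One-letter codes printed by `klist -f` (see the klist man page).
KLIST_LETTERS = {
    "F": TKT_FLG_FORWARDABLE, "f": TKT_FLG_FORWARDED,
    "P": TKT_FLG_PROXIABLE, "p": TKT_FLG_PROXY,
    "D": TKT_FLG_MAY_POSTDATE, "d": TKT_FLG_POSTDATED,
    "R": TKT_FLG_RENEWABLE, "I": TKT_FLG_INITIAL, "i": TKT_FLG_INVALID,
    "H": TKT_FLG_HW_AUTH, "A": TKT_FLG_PRE_AUTH,
    "T": TKT_FLG_TRANSIT_POLICY_CHECKED, "O": TKT_FLG_OK_AS_DELEGATE,
    "a": TKT_FLG_ANONYMOUS,
}

_FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")


def flags_from_letters(letters):
    """Translate a klist flag string such as 'FRIHA' into a TKT_FLG_* bitmask."""
    flags = 0
    for ch in letters:
        if ch not in KLIST_LETTERS:
            raise ValueError(f"unknown klist flag letter {ch!r}")
        flags |= KLIST_LETTERS[ch]
    return flags


def is_hw_auth(flags):
    """True if the KDC marked the ticket as hardware-authenticated."""
    return bool(flags & TKT_FLG_HW_AUTH)


def authorize(flags, require_hw_auth=True):
    """Application-server policy in the spirit of Ken's reply: refuse tickets
    that are not usable, and (optionally) refuse anything that did not
    originate from a smartcard PKINIT logon. Returns (allowed, reason)."""
    if flags & TKT_FLG_INVALID:
        return False, "ticket is marked INVALID (postdated, not yet validated)"
    if require_hw_auth and not is_hw_auth(flags):
        return False, "HW-AUTH not set: not a smartcard PKINIT logon (e.g. kinit)"
    return True, "ok"


def parse_klist(text):
    """Return [(service_principal, flags)] from `klist -f` output. The Flags
    field may sit on its own line or after 'renew until ...' on the same line."""
    entries, service = [], None
    for line in text.splitlines():
        m = _FLAGS_RE.search(line)
        if m:
            if service is None:
                raise ValueError("Flags field before any ticket line")
            entries.append((service, flags_from_letters(m.group(1))))
            service = None
            continue
        s = line.strip()
        if s and "@" in s and not s.startswith(("Ticket cache", "Default principal")):
            service = s.split()[-1]  # ticket line: start, expiry, service principal
    return entries


def classify_cache(text, require_hw_auth=True):
    """Map each service principal to (hw_auth, allowed, reason)."""
    return {svc: (is_hw_auth(f),) + authorize(f, require_hw_auth)
            for svc, f in parse_klist(text)}


# Constructed sample: TGT obtained with a smartcard via PKINIT. The KDC set
# H on the TGT, and the service ticket inherited it.
SAMPLE_PKINIT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/03/2015 02:00:00  06/03/2015 12:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/10/2015 02:00:00, Flags: FRIHA
06/03/2015 02:05:00  06/03/2015 12:00:00  host/app.example.com@EXAMPLE.COM
\trenew until 06/10/2015 02:00:00, Flags: FRHA
"""

# Constructed sample: the same principal after a password kinit. No H anywhere.
SAMPLE_KINIT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/03/2015 02:00:00  06/03/2015 12:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
06/03/2015 02:05:00  06/03/2015 12:00:00  host/app.example.com@EXAMPLE.COM
\tFlags: FA
"""

if __name__ == "__main__":
    for label, cache in (("pkinit", SAMPLE_PKINIT), ("kinit", SAMPLE_KINIT)):
        for svc, (hw, ok, why) in classify_cache(cache).items():
            print(f"{label:7} {svc:40} hw_auth={hw!s:5} allowed={ok!s:5} {why}")
```

Note that HW-AUTH says nothing about the certificate itself: it only records that the KDC was satisfied by whatever policy it applied at AS time, so the server-side check is only as strong as the OID check in the KDC's PKINIT module.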