Differentiate the ServiceTicket issued from Kinit vs PKinit

Dr. Greg Wettstein greg at wind.enjellic.com
Sat May 30 08:59:18 EDT 2015

On May 22, 11:03am, Aravind Jerubandi wrote:
} Subject: Differentiate the ServiceTicket issued from Kinit vs PKinit

> Hello,

Hi, I hope your weekend is going well.

> Today we use password based authentication (kinit). And we want to
> introduce PKinit. But while validating ServiceTicket we would like to know
> if the service ticket issued through Kinit to PKinit
> Is there a way to find this?
> If not, the other solution is to use different realms for Kinit and Pkinit.
> But then we will have duplicate all the user and service principals for the
> two realms. Is there any other easier solution?
> Any help would be much appreciated.

We approach this situation by establishing a second, pkinit only
realm, which is populated only with 'nokey' pkinit authenticated
principals.  A one way trust relationship is established between the
realms so the realm with the service principals 'trusts' the pkinit
authenticating realm.

We typically create the second realm with PREAUTH prefixed before the
realm name.  For example if your standard realm is REALM.COM the
pre-authentication realm would be PREAUTH.REALM.COM.  On the
application side you can key authorization or access decisions based
on whether or not the principal is from the 'PREAUTH' realm.

If you are moving down the path toward using PKINIT there is a fair
amount of process and infrastructure you will need to implement.
Populating the second realm with 'PREAUTH' variants of the user
principals isn't ornerous.

> Thanks,
> Aravind

Good luck with your project.


}-- End of excerpt from Aravind Jerubandi

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
"I am returning this otherwise good typing paper to you because
 someone has printed gibberish all over it and put your name at the
                                -- English Professor, Ohio University

More information about the Kerberos mailing list