windows and smartcards

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed May 4 22:00:45 EDT 2022


>for more information on this"
>- People I work with have adapted the stock MIT Kerberos PKINIT plugin
>  to work on Windows.
>
>Do you have any sort of documentation that you can point me to on how to
>make this work with Windows? And also Mac, as we also have Mac users.

Unfortunately, no (at least, not on Windows).

We compile our own Kerberos kit for Windows, which has the changes in
it to build the PKINIT plugin.  Actually, I believe it's worse than
that; from memory I believe we have a separate PKINIT plugin directory.
And ... the build environment is a huge mess there.  I don't recall that
the code changes are large (I didn't do them), but you do need to source
a Windows-compatible regular expression library.  One of my long term
goals is to get us using as much stock MIT code as possible, but I never
did work out getting our changes to PKINIT to make it functional on Windows
into stock MIT Kerberos.  So, I can't really help you there.

>Currently, my main focus is on Windows machines, so, the steps I have done
>to try to authenticate with a smartcard:
>1. Install MIT Kerberos
>2. Install opensc-pkcs11
>3. use the following commands in the hope that it will use smartcard:
>kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dill

Right, I think you'll have more success with this on MacOS X.  The code
for Windows simply doesn't exist, at least in vanilla MIT Kerberos.  There
are a lot of pieces you need to make PKINIT work, so I'd start with a
platform where it at least is known to work.

--Ken

