windows and smartcards
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu May 5 10:41:41 EDT 2022
>Gotcha, thank you very much for all the help.
>I guess just out of curiosity:
>- for Windows: there are other tools such as Heimdal and Microsoft
>Kerberos. With those I don't know if you ever played around with them or
>know if they support smartcard and PIN authentication to get a ticket
>manually.
>Manually meaning, get a ticket for a specified account with the use of
>kinit or similar tools.
Here's my limited, imperfect understanding of the situation.
- My understanding is that the Kerberos implementation supplied by Microsoft
does implement PKINIT and works with smartcards. But I am not sure if
you can use it OUTSIDE of an Active Directory domain.
- It seems that Heimdal _does_ implement PKINIT. But it's not clear to
me that they support using PKCS#11 to sign the PKINIT request, which
is the piece you need to make it work with Smartcards. I mean, I see
there is SOME PKCS#11 support, I just didn't see any calls to something
like C_SignInit. It's very possible I missed it. You're going to have
to investigate that on your own.
--Ken
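
Added example, not part of the original message and not code from any Kerberos project: one way to carry out the source check described above, looking for the PKCS#11 signing calls (`C_SignInit`, `C_Sign`) in a C source tree. It goes beyond a literal text search by also resolving call sites built with preprocessor token pasting (`C_##name`), which a plain grep for `C_SignInit` misses. The macro name `P11CALL` and the sample source are constructed for illustration.

```python
import re, sys
from pathlib import Path

# PKCS#11 calls needed to sign with a private key that never leaves the card.
SIGN_FUNCS = {"C_SignInit", "C_Sign"}
DIRECT = re.compile(r"\bC_([A-Z]\w*)")
# A one-line macro that pastes "C_" onto one of its parameters (...->C_##f).
PASTE = re.compile(r"^\s*#\s*define\s+(\w+)\(([^)]*)\).*?\bC_\s*##\s*(\w+)", re.M)

def find_pkcs11_calls(text):
    """Map PKCS#11 function name -> line numbers, direct or via a pasting macro."""
    macros = {}                                   # macro name -> pasted arg index
    for m in PASTE.finditer(text):
        params = [p.strip() for p in m.group(2).split(",")]
        if m.group(3) in params:
            macros[m.group(1)] = params.index(m.group(3))
    hits = {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):         # skip preprocessor lines
            continue
        for m in DIRECT.finditer(line):
            hits.setdefault("C_" + m.group(1), []).append(no)
        for name, idx in macros.items():
            for m in re.finditer(r"\b" + re.escape(name) + r"\s*\(([^;]*)", line):
                args = m.group(1).split(",")
                if idx < len(args):
                    hits.setdefault("C_" + args[idx].strip(), []).append(no)
    return hits

def scan_tree(root):
    """Return {relative path: calls} for each .c/.h file under root with any hit."""
    files = [p for p in sorted(Path(root).rglob("*")) if p.suffix in (".c", ".h") and p.is_file()]
    found = {str(p.relative_to(root)): find_pkcs11_calls(p.read_text(errors="replace")) for p in files}
    return {name: calls for name, calls in found.items() if calls}

def can_sign(calls):
    """True when both halves of the signing sequence are referenced."""
    return SIGN_FUNCS <= set(calls)

# Constructed sample: the literal string "C_SignInit" never appears in it.
SAMPLE = """\
#define P11CALL(mod, f, args) ((mod)->funcs->C_##f args)
    ret = P11CALL(p, SignInit, (session, &mech, key));
    ret = P11CALL(p, Sign, (session, in, inlen, out, &outlen));
"""

if __name__ == "__main__":
    for f, calls in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f, "SIGNS" if can_sign(calls) else "no signing calls", sorted(calls))
```

Run it with the root of the source tree as its argument. Macros defined across continuation lines are not resolved, so a "no signing calls" result still calls for a manual look at the PKCS#11 keystore code.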
More information about the Kerberos
mailing list