Stateless PKINIT?

Yoann Gini yoann.gini at gmail.com
Wed Mar 13 15:10:22 EDT 2024


Hello,

I'm trying to achieve a deployment of Kerberos and PKINIT as some sort of authentication proxy. I'm working for an IDP startup.

Is there a way, when using PKINIT, to not need any internal list of principals but to rely on the validity of the certificate to proxy the certificate identity into the Kerberos ticket?

Here is the schema:
— the PKI issues a certificate for someone and maintains a CRL
— the IDP requires SPNEGO for some routes
— the KDC needs to issue the needed TGT, then TGS, based on the identity in the certificate if the CRL is OK
— the IDP will then check the information collected during SPNEGO to get the identity of the user and continue its work

In that context, the Kerberos realm is used only as some kind of protocol-level authentication proxy that just needs to convert an authenticated identity coming from a certificate into a Kerberos ticket.

Is there a way to configure a KDC to behave like that?

Best regards
Yoann
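The mapping step the question describes, as an added example that is not part of this post and is not a KDC configuration: a constructed miniature PKI (an issuing CA, two client certificates, a CRL) and a function that validates the chain, checks the CRL and only then derives a Kerberos principal from the certificate's rfc822Name SAN. It assumes the user identity is carried in that SAN, that the realm name equals the mail domain, and that the CRL has already been fetched out of band; the helper names (`principalFromCert`, `makeCRL`, `must`) and the alice/bob certificates are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must panics on error; used only while building the constructed test PKI below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a throwaway issuing CA (constructed for this example, not a real PKI).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueLeaf issues a client-auth certificate; the identity travels as an rfc822Name SAN.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, email string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		EmailAddresses: []string{email},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// makeCRL signs a CRL that lists the given serial numbers as revoked.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// principalFromCert is the mapping step: validate chain, CRL and identity, and only then derive a principal.
func principalFromCert(leaf, ca *x509.Certificate, crl *x509.RevocationList, realm string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL expired at %s: fail closed", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate serial %v is revoked", leaf.SerialNumber)
		}
	}
	if len(leaf.EmailAddresses) != 1 {
		return "", fmt.Errorf("expected exactly one rfc822Name SAN, got %d", len(leaf.EmailAddresses))
	}
	local, domain, ok := strings.Cut(leaf.EmailAddresses[0], "@")
	if !ok || local == "" || !strings.EqualFold(domain, realm) {
		return "", fmt.Errorf("SAN %q is not in realm %s", leaf.EmailAddresses[0], realm)
	}
	return local + "@" + strings.ToUpper(realm), nil
}

func main() {
	ca, key := newCA()
	alice, bob := issueLeaf(ca, key, 10, "alice@example.com"), issueLeaf(ca, key, 11, "bob@example.com")
	crl := makeCRL(ca, key, 11) // bob's certificate is revoked
	fmt.Println(principalFromCert(alice, ca, crl, "example.com"))
	fmt.Println(principalFromCert(bob, ca, crl, "example.com"))
}
```

Run with `go run`: the first certificate maps to alice@EXAMPLE.COM, the revoked one is refused. What a practitioner should take from it is the ordering: chain and revocation are decided before any identity is read out of the certificate, a CRL that is unsigned or past its NextUpdate fails closed rather than being ignored, and the SAN is bound to the realm so that a certificate from the same PKI cannot name a principal in a different realm. A PKINIT-capable KDC performs equivalent checks inside its own PKINIT implementation; this code only models what "rely on the validity of the certificate" has to mean in practice.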

