[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q

Reinhard Kugler via RT rt-comment at krbdev.mit.edu
Sat Mar 30 06:09:28 EDT 2013


The pkinit succeeds on the KDC, but Windows seems to get confused with
the "Key parameters not accepted" error.

Authentication with Windows 7 + Smartcard:

Mar 30 08:30:37 kerberos.example.org krb5kdc[2584](info): AS_REQ (7
etypes {18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130 at kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): preauth
(pkinit) verify failure: Key parameters not accepted
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: PREAUTH_FAILED:
p130 at kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at, Key parameters not
accepted
Mar 30 08:30:40 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: ISSUE: authtime
1364628640, etypes {rep=18 tkt=18 ses=18}, p130 at kerberos.3ve.bmlv.at
for krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at
Mar 30 08:30:41 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130 at kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at, Additional
pre-authentication required

Authentication of Linux + Certificate:
kinit -V -X X509_user_identity=FILE:///home/catmin/Desktop/exampleca/client.pem,/home/catmin/Desktop/exampleca/clientkey.pem
p130 at kerberos.3ve.bmlv.at

Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: NEEDED_PREAUTH:
p130 at kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: ISSUE: authtime 1364628691, etypes
{rep=18 tkt=18 ses=18}, p130 at kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at at kerberos.3ve.bmlv.at
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): closing down fd 12


