pkinit and AD 2008

[Douglas E. Engert]

Long story short, I needed additional debugging to find out why
pkinit did not work in our testbed. I built pkinit.so with
debugging turned on, renamed the original pkinit.so to
pkinit.so.no.debug in /usr/lib/krb5/plugins/preauth.

Strace showed krb5 lib loaded both pkinit.so and pkinit.so.no.debug
and depending on the order, some of the debug lines produce output,
and some did not. Moral: Don't rename a plugin, move it out of the
plugin directory.

The debugging output showed that the original problem was a case mismatch
with the pkinit_kdc_hostsname and the name in the cert.

I have the pkinit_longhorn = 1 set, but this may not be needed.

Suggestions:
Please add a debug option to produce extended error messages in the
plugins to help find these configuration type problems.

Thanks to the UofM people for suggestions on how to get this to work.


The card was a HSPD-12 PIV card where the SAN does not match the
user or realm, but the AD account had a matching userPrincipalName
to the SAN. This works from kinit on Ubuntu to AD 2008 as the kdc.


Olga Kornievskaia wrote:
> 
> Can you post the debugging pkinit output that you do get?
> 
> I think there are several possibilities for the failure:
> 1. AS_REP coming back from windows is somehow broken and pkinit is 
> failing to decode it. We should be able to see such message if pkinit 
> debugging is on.
> 2. If we have pasted decoding AS_REP, we can fail if we didn't find an 
> acceptable SAN in KDC's certificate. I believe it is possible to turn 
> off KDC's SAN checking.
> 3. dnsName in the KDC's certificate doesn't match the hostname specified 
> in your krb5.conf. Since in you have pkinit_win2k =yes, you should have 
> pkinit_kdc_hostname.
> 
> I'm not sure if anybody ever tested pkinit with Windows AD. Who knows 
> what kind of bugs were introduced in that version.
> 
> 
> Douglas E. Engert wrote:
>> I am trying to use  krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
>> a Windows AD 2008 server as the KDC. When using kinit it appears that
>> all goes well and a AS-REP with pa-data-type (17) is returned by the
>> KDC as reported by wireshark,  but then kinit falls back to prompting
>> for a password. No error messages are produced.
>>
>> I have tried building the pkinit.so with debugging turned on, but this
>> does not show much either.
>>
>> The smart card being used works with XP and Vista client to AD 2008.
>> The card has a subjectAltName that does not match the user or realm,
>> but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.
>>
>> Windows AD 2008 can handle this by changing the userPrincipalName
>> in user account.
>>
>> So has anyone tested pkinit clients against AD 2008, with the SAN
>> not matching the kerberos principal name?
>>
>> Is there any additional debugging to turn on for pkinit that could
>> show why it fails after receiving the AS-REP?
>>
>> The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18)
>>
>> A snippet of the krb5.conf:
>> [realms]
>>     ANL.GOV = {
>> # first two for testbed
>>         kdc = test2.anl.gov:88
>>         pkinit_kdc_hostname = TEST2.anl.gov
>>         pkinit_eku_checking = none
>> #        or kpKDC  for RFC 4556 will try none for now
>> # will assume the next 2 are not for 2008
>> #        pkinit_win2k = yes
>>         pkinit_win2k_require_binding = false
>>         pkinit_cert_match = <EKU>msScLogin
>>         pkinit_pool = DIR:/opt/smartcard/pool.certdir
>>         pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
>>      }
>>
>>   
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444