pkinit and AD 2008

Douglas E. Engert deengert at
Fri Jun 27 11:21:25 EDT 2008

I am trying to use  krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
a Windows AD 2008 server as the KDC. When using kinit it appears that
all goes well and a AS-REP with pa-data-type (17) is returned by the
KDC as reported by wireshark,  but then kinit falls back to prompting
for a password. No error messages are produced.

I have tried building the with debugging turned on, but this
does not show much either.

The smart card being used works with XP and Vista client to AD 2008.
The card has a subjectAltName that does not match the user or realm,
but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.

Windows AD 2008 can handle this by changing the userPrincipalName
in user account.

So has anyone tested pkinit clients against AD 2008, with the SAN
not matching the kerberos principal name?

Is there any additional debugging to turn on for pkinit that could
show why it fails after receiving the AS-REP?

The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18)

A snippet of the krb5.conf:
	ANL.GOV = {
# first two for testbed
		kdc =
		pkinit_kdc_hostname =
		pkinit_eku_checking = none
#		or kpKDC  for RFC 4556 will try none for now
# will assume the next 2 are not for 2008
#		pkinit_win2k = yes
		pkinit_win2k_require_binding = false
		pkinit_cert_match = <EKU>msScLogin
		pkinit_pool = DIR:/opt/smartcard/pool.certdir
		pkinit_anchors = DIR:/opt/smartcard/trusted.certdir


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list