pkinit and AD 2008
Douglas E. Engert
deengert at anl.gov
Fri Jun 27 11:21:25 EDT 2008
I am trying to use krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
a Windows AD 2008 server as the KDC. When using kinit it appears that
all goes well and an AS-REP with pa-data-type (17) is returned by the
KDC as reported by wireshark, but then kinit falls back to prompting
for a password. No error messages are produced.
I have tried building the pkinit.so with debugging turned on, but this
does not show much either.
The smart card being used works with XP and Vista clients to AD 2008.
The card has a subjectAltName that does not match the user or realm,
but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.
Windows AD 2008 can handle this by changing the userPrincipalName
in the user account.
So has anyone tested pkinit clients against AD 2008, with the SAN
not matching the Kerberos principal name?
Is there any additional debugging to turn on for pkinit that could
show why it fails after receiving the AS-REP?
The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18).
A snippet of the krb5.conf:
[realms]
    ANL.GOV = {
        # first two for testbed
        kdc = test2.anl.gov:88
        pkinit_kdc_hostname = TEST2.anl.gov
        pkinit_eku_checking = none
        # or kpKDC for RFC 4556 will try none for now
        # will assume the next 2 are not for 2008
        # pkinit_win2k = yes
        pkinit_win2k_require_binding = false
        pkinit_cert_match = <EKU>msScLogin
        pkinit_pool = DIR:/opt/smartcard/pool.certdir
        pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
    }
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
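The snippet above relaxes two of the client-side checks that protect a pkinit exchange: pkinit_eku_checking = none means kinit will accept a KDC certificate that does not carry the KDC EKU, and pkinit_win2k_require_binding = false means the reply need not be bound to the request. The following script is an added example, not code from the original post or from MIT Kerberos: it parses the brace-nested krb5.conf profile syntax and reports pkinit settings that weaken KDC authentication. The option names are real MIT krb5 options; the defaults and the severity of each finding are this script's own assumptions, and the embedded config is constructed from the snippet above.

```python
"""Audit pkinit_* settings in a krb5.conf [realms] section.

Added example, not part of the original krbdev post. Parses the
krb5.conf profile syntax (sections, key = value, nested KEY = { } blocks,
'#' comments) and flags client settings that relax KDC authentication.
Assumed defaults (pkinit_eku_checking=kpKDC, the two booleans false)
follow the MIT krb5 documentation; verify them for your version.
"""
import re

# Constructed sample modelled on the configuration quoted in the post.
SAMPLE_KRB5_CONF = """\
[realms]
    ANL.GOV = {
        # first two for testbed
        kdc = test2.anl.gov:88
        pkinit_kdc_hostname = TEST2.anl.gov
        pkinit_eku_checking = none
        # pkinit_win2k = yes
        pkinit_win2k_require_binding = false
        pkinit_cert_match = <EKU>msScLogin
        pkinit_pool = DIR:/opt/smartcard/pool.certdir
        pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
    }
"""

# Checks: (option, assumed default, values treated as weak, explanation)
WEAK_SETTINGS = [
    ("pkinit_eku_checking", "kpKDC", {"none"},
     "KDC certificate is accepted without the id-pkinit-KPKdc EKU "
     "(RFC 4556); any certificate from a trusted CA could pose as the KDC"),
    ("pkinit_win2k_require_binding", "false", {"false", "no", "0"},
     "AS-REP is not required to carry the RFC 4556 checksum binding it "
     "to the AS-REQ, so a replayed or substituted reply is not rejected"),
    ("pkinit_require_crl_checking", "false", {"false", "no", "0"},
     "revocation of the KDC certificate is not checked"),
]


def parse_krb5_conf(text):
    """Return nested dicts: {section: {key: value | [values] | {subsection}}}."""
    root = {}
    stack = []  # dicts currently open, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (values with '#' unsupported)
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("line outside any [section]: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:  # nested block such as 'ANL.GOV = {'
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparsable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        node = stack[-1]
        if key in node:  # repeated keys (e.g. several kdc lines) become a list
            node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [value]
        else:
            node[key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return root


def audit_realm(name, realm):
    """Return (realm, option, effective value, explanation) for each weak setting."""
    findings = []
    for option, default, weak_values, why in WEAK_SETTINGS:
        value = str(realm.get(option, default)).lower()
        if value in weak_values:
            findings.append((name, option, value, why))
    if "pkinit_anchors" not in realm:
        findings.append((name, "pkinit_anchors", "(unset)",
                         "no trust anchors configured; KDC certificate cannot be validated"))
    return findings


def audit_config(text):
    """Parse krb5.conf text and audit every realm in [realms]."""
    conf = parse_krb5_conf(text)
    findings = []
    for name, realm in conf.get("realms", {}).items():
        if isinstance(realm, dict):
            findings.extend(audit_realm(name, realm))
    return findings


if __name__ == "__main__":
    for realm, option, value, why in audit_config(SAMPLE_KRB5_CONF):
        print("%s: %s = %s -> %s" % (realm, option, value, why))
```

Running it against the sample reports the relaxed EKU check, the missing reply binding and the absent CRL check for ANL.GOV; a realm that sets pkinit_eku_checking = kpKDC, both booleans true and pkinit_anchors produces no findings. None of these settings explains a silent fallback to password on its own, but they are the first thing to restore once the exchange works, since each one widens what the client will accept as a KDC.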
More information about the krbdev mailing list