pkinit and AD 2008

Olga Kornievskaia aglo at citi.umich.edu
Fri Jun 27 12:05:41 EDT 2008


Can you post the debugging pkinit output that you do get?

I think there are several possibilities for the failure:
1. AS_REP coming back from windows is somehow broken and pkinit is 
failing to decode it. We should be able to see such message if pkinit 
debugging is on.
2. If we have pasted decoding AS_REP, we can fail if we didn't find an 
acceptable SAN in KDC's certificate. I believe it is possible to turn 
off KDC's SAN checking.
3. dnsName in the KDC's certificate doesn't match the hostname specified 
in your krb5.conf. Since in you have pkinit_win2k =yes, you should have 
pkinit_kdc_hostname.

I'm not sure if anybody ever tested pkinit with Windows AD. Who knows 
what kind of bugs were introduced in that version.


Douglas E. Engert wrote:
> I am trying to use  krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
> a Windows AD 2008 server as the KDC. When using kinit it appears that
> all goes well and a AS-REP with pa-data-type (17) is returned by the
> KDC as reported by wireshark,  but then kinit falls back to prompting
> for a password. No error messages are produced.
>
> I have tried building the pkinit.so with debugging turned on, but this
> does not show much either.
>
> The smart card being used works with XP and Vista client to AD 2008.
> The card has a subjectAltName that does not match the user or realm,
> but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.
>
> Windows AD 2008 can handle this by changing the userPrincipalName
> in user account.
>
> So has anyone tested pkinit clients against AD 2008, with the SAN
> not matching the kerberos principal name?
>
> Is there any additional debugging to turn on for pkinit that could
> show why it fails after receiving the AS-REP?
>
> The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18)
>
> A snippet of the krb5.conf:
> [realms]
> 	ANL.GOV = {
> # first two for testbed
> 		kdc = test2.anl.gov:88
> 		pkinit_kdc_hostname = TEST2.anl.gov
> 		pkinit_eku_checking = none
> #		or kpKDC  for RFC 4556 will try none for now
> # will assume the next 2 are not for 2008
> #		pkinit_win2k = yes
> 		pkinit_win2k_require_binding = false
> 		pkinit_cert_match = <EKU>msScLogin
> 		pkinit_pool = DIR:/opt/smartcard/pool.certdir
> 		pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
>      }
>
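A small lint for the pkinit settings of a krb5.conf [realms] stanza, covering the points raised in the reply (pkinit_win2k needs pkinit_kdc_hostname, dNSName matching is case-insensitive, and pkinit_eku_checking = none disables EKU verification of the KDC certificate). This is an added example, not MIT krb5 code; the sample stanza is constructed from the quoted snippet with pkinit_win2k uncommented, and the parser is a simplification of the real profile syntax.

```python
import re

# Constructed sample modelled on the snippet quoted in the thread,
# with pkinit_win2k uncommented so the hostname rule is exercised.
SAMPLE_KRB5_CONF = """
[realms]
    ANL.GOV = {
# first two for testbed
        kdc = test2.anl.gov:88
        pkinit_kdc_hostname = TEST2.anl.gov
        pkinit_eku_checking = none
        pkinit_win2k = yes
        pkinit_win2k_require_binding = false
        pkinit_cert_match = <EKU>msScLogin
        pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
    }
"""

def parse_realms(text):
    """Simplified [realms] parser: {realm: {key: value}}; '#' starts a comment."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_realms = (line == "[realms]")
        elif not in_realms:
            continue
        elif re.match(r"^\S+\s*=\s*\{$", line):      # "REALM = {"
            current = line.split("=", 1)[0].strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current][key] = value
    return realms

def check_pkinit(s):
    """Findings (strings) for one realm's pkinit settings; [] means none."""
    out, win2k = [], s.get("pkinit_win2k", "no").lower() == "yes"
    if win2k and not s.get("pkinit_kdc_hostname"):
        out.append("pkinit_win2k = yes but pkinit_kdc_hostname unset: KDC dNSName cannot be matched")
    if s.get("pkinit_eku_checking", "kpKDC").lower() == "none":
        out.append("pkinit_eku_checking = none: KDC certificate EKU is not verified")
    if win2k and s.get("pkinit_win2k_require_binding", "false").lower() == "false":
        out.append("pkinit_win2k_require_binding = false: AS-REP need not be bound to the request")
    return out

def audit(text):
    """Map each realm in krb5.conf text to its pkinit findings."""
    return {realm: check_pkinit(cfg) for realm, cfg in parse_realms(text).items()}
```

Hostnames are compared case-insensitively on purpose, so TEST2.anl.gov against test2.anl.gov is not reported.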