pkinit and AD 2008
Olga Kornievskaia
aglo at citi.umich.edu
Fri Jun 27 12:26:11 EDT 2008
Kevin just told me that Windows AD 2008 is Longhorn and we did test
against early releases of it. Longhorn had bugs so we had a workaround
"pkinit_longhorn" config option that is off by default. Try setting
pkinit_longhorn =1.
Olga Kornievskaia wrote:
> Can you post the debugging pkinit output that you do get?
>
> I think there are several possibilities for the failure:
> 1. AS_REP coming back from windows is somehow broken and pkinit is
> failing to decode it. We should be able to see such message if pkinit
> debugging is on.
> 2. If we have passed decoding AS_REP, we can fail if we didn't find an
> acceptable SAN in KDC's certificate. I believe it is possible to turn
> off KDC's SAN checking.
> 3. dnsName in the KDC's certificate doesn't match the hostname specified
> in your krb5.conf. Since you have pkinit_win2k =yes, you should have
> pkinit_kdc_hostname.
>
> I'm not sure if anybody ever tested pkinit with Windows AD. Who knows
> what kind of bugs were introduced in that version.
>
>
> Douglas E. Engert wrote:
>
>> I am trying to use krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
>> a Windows AD 2008 server as the KDC. When using kinit it appears that
>> all goes well and an AS-REP with pa-data-type (17) is returned by the
>> KDC as reported by wireshark, but then kinit falls back to prompting
>> for a password. No error messages are produced.
>>
>> I have tried building the pkinit.so with debugging turned on, but this
>> does not show much either.
>>
>> The smart card being used works with XP and Vista client to AD 2008.
>> The card has a subjectAltName that does not match the user or realm,
>> but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.
>>
>> Windows AD 2008 can handle this by changing the userPrincipalName
>> in the user account.
>>
>> So has anyone tested pkinit clients against AD 2008, with the SAN
>> not matching the Kerberos principal name?
>>
>> Is there any additional debugging to turn on for pkinit that could
>> show why it fails after receiving the AS-REP?
>>
>> The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18)
>>
>> A snippet of the krb5.conf:
>> [realms]
>> ANL.GOV = {
>> # first two for testbed
>> kdc = test2.anl.gov:88
>> pkinit_kdc_hostname = TEST2.anl.gov
>> pkinit_eku_checking = none
>> # or kpKDC for RFC 4556 will try none for now
>> # will assume the next 2 are not for 2008
>> # pkinit_win2k = yes
>> pkinit_win2k_require_binding = false
>> pkinit_cert_match = <EKU>msScLogin
>> pkinit_pool = DIR:/opt/smartcard/pool.certdir
>> pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
>> }
>>
>>
>>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
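An added example, not from the thread and not MIT krb5's own configuration code: a small Python linter that parses the [realms] section of a krb5.conf and applies the checks raised above, pkinit_win2k without pkinit_kdc_hostname, a pkinit_kdc_hostname that does not match the kdc entry (compared case-insensitively, as the hostnames in the posted snippet differ only in case), and pkinit_longhorn not set for an AD 2008 KDC. The ANL.GOV block is constructed from the posted snippet; the EXAMPLE.TEST realm is made up to exercise the pkinit_win2k check.

```python
from typing import Dict, List
# Constructed sample: ANL.GOV follows the poster's snippet (pkinit_win2k left
# commented out as posted); EXAMPLE.TEST is made up to trip the win2k check.
SAMPLE_KRB5_CONF = """
[realms]
ANL.GOV = {
  kdc = test2.anl.gov:88
  pkinit_kdc_hostname = TEST2.anl.gov
  # pkinit_win2k = yes
}
EXAMPLE.TEST = {
  kdc = kdc.example.test
  pkinit_win2k = yes
}
"""

def parse_realms(text: str) -> Dict[str, Dict[str, str]]:
    """[realms] section -> {realm: {key: value}}; '#' comments and other sections skipped."""
    realms: Dict[str, Dict[str, str]] = {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section != "realms":
            continue
        elif line.endswith("{") and "=" in line:
            realm = line.split("=", 1)[0].strip()
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm][key] = value
    return realms

def check_pkinit(opts: Dict[str, str]) -> List[str]:
    """Findings for one realm, mirroring the checklist given in the thread."""
    findings: List[str] = []
    win2k = opts.get("pkinit_win2k", "").lower() in ("yes", "true", "1")
    if win2k and "pkinit_kdc_hostname" not in opts:
        findings.append("pkinit_win2k set without pkinit_kdc_hostname")
    kdc_host = opts.get("kdc", "").split(":", 1)[0]  # drop the :88 port
    pk_host = opts.get("pkinit_kdc_hostname", "")
    if pk_host and kdc_host and pk_host.lower() != kdc_host.lower():  # dNSName match is case-insensitive
        findings.append(f"pkinit_kdc_hostname {pk_host} does not match kdc {kdc_host}")
    if opts.get("pkinit_longhorn", "").lower() not in ("1", "yes", "true"):
        findings.append("pkinit_longhorn not set (suggested in the thread for AD 2008)")
    return findings
```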