pkinit and AD 2008

Jeffrey Hutzelman jhutz at
Mon Jun 30 14:54:22 EDT 2008

--On Friday, June 27, 2008 12:05:41 PM -0400 Olga Kornievskaia 
<aglo at> wrote:

> 3. dnsName in the KDC's certificate doesn't match the hostname specified
> in your krb5.conf

Um.  Why would you expect that?  PKINIT contains no requirement that the 
KDC's certificate contain a dnsName, nor that it match any particular 
hostname if it is present.  The only requirement is for an id-pkinit-san 
matching the name of the realm's TGS.

-- Jeff
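
The check described in the reply above, as an added example that is not part of the original message or of any Kerberos implementation: it reads a DER-encoded subjectAltName value, skips dNSName entries, and tests whether an id-pkinit-san otherName (RFC 4556) names krbtgt/REALM@REALM. The realm EXAMPLE.COM, the host name and all function names are constructed for illustration.

```python
ID_PKINIT_SAN = bytes.fromhex("2b0601050202")  # OID 1.3.6.1.5.2.2 (RFC 4556)
def read_tlvs(buf):
    """Split DER bytes into (tag, value) pairs (short or long lengths)."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def pkinit_san_principals(san_der):
    """Return 'comp/comp@REALM' for every id-pkinit-san otherName in a SAN."""
    found = []
    (_, names), = read_tlvs(san_der)          # GeneralNames SEQUENCE
    for tag, val in read_tlvs(names):
        if tag != 0xA0:                       # otherName is [0]; dNSName [2] is skipped
            continue
        (_, oid), (_, wrapped) = read_tlvs(val)
        if oid != ID_PKINIT_SAN:
            continue
        (_, kpn), = read_tlvs(wrapped)        # KRB5PrincipalName SEQUENCE
        (_, realm_f), (_, pname_f) = read_tlvs(kpn)
        (_, realm), = read_tlvs(realm_f)      # realm [0] GeneralString
        (_, pname), = read_tlvs(pname_f)      # principalName [1] SEQUENCE
        _, (_, strings_f) = read_tlvs(pname)  # skip name-type [0]
        (_, strings), = read_tlvs(strings_f)  # name-string SEQUENCE OF
        comps = [v.decode("ascii") for _, v in read_tlvs(strings)]
        found.append("/".join(comps) + "@" + realm.decode("ascii"))
    return found

def kdc_san_matches_realm(san_der, realm):
    """True when an id-pkinit-san names the realm's TGS, krbtgt/REALM@REALM."""
    return f"krbtgt/{realm}@{realm}" in pkinit_san_principals(san_der)

def tlv(tag, body):  # DER encoder for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body
def sample_san(realm, dns_name):
    """Constructed SAN: one dNSName plus an id-pkinit-san for krbtgt/realm."""
    gs = lambda s: tlv(0x1B, s.encode())
    pname = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) +
                tlv(0xA1, tlv(0x30, gs("krbtgt") + gs(realm))))
    kpn = tlv(0x30, tlv(0xA0, gs(realm)) + tlv(0xA1, pname))
    other = tlv(0xA0, tlv(0x06, ID_PKINIT_SAN) + tlv(0xA0, kpn))
    return tlv(0x30, tlv(0x82, dns_name.encode()) + other)
print(kdc_san_matches_realm(sample_san("EXAMPLE.COM", "dc01.example.net"), "EXAMPLE.COM"))
```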
