pkinit and AD 2008
aglo at citi.umich.edu
Mon Jun 30 15:11:02 EDT 2008
Jeffrey Hutzelman wrote:
> --On Friday, June 27, 2008 12:05:41 PM -0400 Olga Kornievskaia
> <aglo at citi.umich.edu> wrote:
>> 3. dnsName in the KDC's certificate doesn't match the hostname specified
>> in your krb5.conf
> Um. Why would you expect that? PKINIT contains no requirement that
> the KDC's certificate contain a dnsName, nor that it match any
> particular hostname if it is present. The only requirement is for an
> id-pkinit-san matching the name of the realm's TGS.
In RFC 4556 in *Appendix C. Miscellaneous Information about Microsoft
KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName SAN with the DNS <http://www.bind9.net/rfc> name
of the host running the KDC.
More information about the krbdev