pkinit and AD 2008

Olga Kornievskaia aglo at
Mon Jun 30 15:11:02 EDT 2008

Jeffrey Hutzelman wrote:
> --On Friday, June 27, 2008 12:05:41 PM -0400 Olga Kornievskaia 
> <aglo at> wrote:
>> 3. dnsName in the KDC's certificate doesn't match the hostname specified
>> in your krb5.conf
> Um.  Why would you expect that?  PKINIT contains no requirement that 
> the KDC's certificate contain a dnsName, nor that it match any 
> particular hostname if it is present.  The only requirement is for an 
> id-pkinit-san matching the name of the realm's TGS.
In RFC 4556, in *Appendix C. Miscellaneous Information about Microsoft 
Windows PKINIT*:

KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName SAN with the DNS name 
of the host running the KDC.
