[13583] in Kerberos_V5_Development
Re: pkinit and AD 2008
daemon@ATHENA.MIT.EDU (Olga Kornievskaia)
Fri Jun 27 12:27:08 2008
Message-ID: <486514A3.3040104@citi.umich.edu>
Date: Fri, 27 Jun 2008 12:26:11 -0400
From: Olga Kornievskaia <aglo@citi.umich.edu>
MIME-Version: 1.0
To: "Douglas E. Engert" <deengert@anl.gov>
In-Reply-To: <48650FD5.7020501@citi.umich.edu>
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Kevin just told me that Windows AD 2008 is Longhorn and we did test against early releases of it. Longhorn had bugs so we had a workaround "pkinit_longhorn" config option that is off by default. Try setting pkinit_longhorn = 1.
Olga Kornievskaia wrote:
> Can you post the debugging pkinit output that you do get?
>
> I think there are several possibilities for the failure:
> 1. AS_REP coming back from windows is somehow broken and pkinit is
> failing to decode it. We should be able to see such message if pkinit
> debugging is on.
> 2. If we have passed decoding AS_REP, we can fail if we didn't find an
> acceptable SAN in KDC's certificate. I believe it is possible to turn
> off KDC's SAN checking.
> 3. dnsName in the KDC's certificate doesn't match the hostname specified
> in your krb5.conf. Since you have pkinit_win2k = yes, you should have
> pkinit_kdc_hostname.
>
> I'm not sure if anybody ever tested pkinit with Windows AD. Who knows
> what kind of bugs were introduced in that version.
>
>
> Douglas E. Engert wrote:
>
>> I am trying to use krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
>> a Windows AD 2008 server as the KDC. When using kinit it appears that
>> all goes well and an AS-REP with pa-data-type (17) is returned by the
>> KDC as reported by wireshark, but then kinit falls back to prompting
>> for a password. No error messages are produced.
>>
>> I have tried building the pkinit.so with debugging turned on, but this
>> does not show much either.
>>
>> The smart card being used works with XP and Vista client to AD 2008.
>> The card has a subjectAltName that does not match the user or realm,
>> but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.
>>
>> Windows AD 2008 can handle this by changing the userPrincipalName
>> in user account.
>>
>> So has anyone tested pkinit clients against AD 2008, with the SAN
>> not matching the kerberos principal name?
>>
>> Is there any additional debugging to turn on for pkinit that could
>> show why it fails after receiving the AS-REP?
>>
>> The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18)
>>
>> A snippet of the krb5.conf:
>> [realms]
>> ANL.GOV = {
>> # first two for testbed
>> kdc = test2.anl.gov:88
>> pkinit_kdc_hostname = TEST2.anl.gov
>> pkinit_eku_checking = none
>> # or kpKDC for RFC 4556 will try none for now
>> # will assume the next 2 are not for 2008
>> # pkinit_win2k = yes
>> pkinit_win2k_require_binding = false
>> pkinit_cert_match = <EKU>msScLogin
>> pkinit_pool = DIR:/opt/smartcard/pool.certdir
>> pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
>> }
>>
>>
>
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
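The thread turns on three krb5.conf details: pkinit_win2k needs a pkinit_kdc_hostname to match the KDC certificate's dNSName against, pkinit_eku_checking = none disables the RFC 4556 kpKDC check, and pkinit_longhorn is the off-by-default workaround Olga mentions. The following Python script is an added example, not code from the thread or from MIT krb5: it parses a krb5.conf [realms] stanza (sections, key = value lines, nested braces, repeated kdc lines) and reports those points as review findings. SAMPLE_KRB5_CONF is the snippet Douglas posted; VARIANT_KRB5_CONF (realm EXAMPLE.TEST, hosts kdc1/kdc2.example.test) is a constructed variation with pkinit_win2k enabled and no pkinit_kdc_hostname. The option names are real pkinit settings; the severities and finding texts are this example's own.

```python
"""krb5.conf pkinit settings reviewer (added example, not krb5 project code)."""
import re

# As posted in the thread (pkinit_win2k is commented out there).
SAMPLE_KRB5_CONF = """\
[realms]
ANL.GOV = {
# first two for testbed
kdc = test2.anl.gov:88
pkinit_kdc_hostname = TEST2.anl.gov
pkinit_eku_checking = none
# or kpKDC for RFC 4556 will try none for now
# will assume the next 2 are not for 2008
# pkinit_win2k = yes
pkinit_win2k_require_binding = false
pkinit_cert_match = <EKU>msScLogin
pkinit_pool = DIR:/opt/smartcard/pool.certdir
pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
}
"""

# Constructed variant: pkinit_win2k enabled, pkinit_kdc_hostname missing,
# two kdc lines, pkinit_longhorn turned on as the thread suggests.
VARIANT_KRB5_CONF = """\
[realms]
EXAMPLE.TEST = {
kdc = kdc1.example.test:88
kdc = kdc2.example.test:88
pkinit_win2k = yes
pkinit_longhorn = 1
pkinit_anchors = DIR:/etc/krb5/anchors
}
"""

TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value lines and nested
    key = { ... } blocks.  A repeated key (several kdc = lines) becomes a
    list.  Lines starting with '#' or ';' are comments."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError("key/value line outside any [section]: %r" % raw)
        key, _, value = (s.strip() for s in line.partition("="))
        cur = stack[-1]
        if value == "{":
            block = {}
            cur[key] = block
            stack.append(block)
        elif key in cur:
            prev = cur[key]
            cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            cur[key] = value
    return root


def _as_list(v):
    return v if isinstance(v, list) else [v]


def review_pkinit_realm(realm):
    """Return a list of (severity, message) findings for one realm stanza."""
    findings = []
    win2k = realm.get("pkinit_win2k", "").lower() in TRUE_VALUES
    hostname = realm.get("pkinit_kdc_hostname")
    if win2k and not hostname:
        findings.append(("error", "pkinit_win2k is enabled but pkinit_kdc_hostname is "
                         "not set, so the KDC certificate's dNSName cannot be matched"))
    if hostname:
        kdc_hosts = [k.split(":")[0].lower() for k in _as_list(realm.get("kdc", []))]
        if hostname.lower() not in kdc_hosts:
            findings.append(("warn", "pkinit_kdc_hostname %r names no configured kdc" % hostname))
    if realm.get("pkinit_eku_checking", "kpKDC").lower() == "none":
        findings.append(("warn", "pkinit_eku_checking = none: the KDC certificate's EKU is not "
                         "checked, so a non-KDC certificate under pkinit_anchors is not rejected "
                         "on EKU grounds; prefer kpKDC (RFC 4556)"))
    if realm.get("pkinit_longhorn", "").lower() not in TRUE_VALUES:
        findings.append(("info", "pkinit_longhorn is off (the default); the thread describes it "
                         "as a workaround for Longhorn / early Windows 2008 KDC bugs"))
    return findings


def review_config(text):
    """Map each realm name under [realms] to its findings."""
    realms = parse_krb5_conf(text).get("realms", {})
    return {name: review_pkinit_realm(cfg) for name, cfg in realms.items()
            if isinstance(cfg, dict)}


if __name__ == "__main__":
    for label, conf in (("posted snippet", SAMPLE_KRB5_CONF),
                        ("constructed variant", VARIANT_KRB5_CONF)):
        for realm, findings in review_config(conf).items():
            print("[%s] %s" % (label, realm))
            for sev, msg in findings:
                print("  %-5s %s" % (sev, msg))
```

Run against the posted snippet it reports only the EKU warning and the pkinit_longhorn note, because the `# pkinit_win2k = yes` line is a comment; the constructed variant shows the error case Olga describes, pkinit_win2k enabled without pkinit_kdc_hostname.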