[13591] in Kerberos_V5_Development


Re: pkinit and AD 2008

daemon@ATHENA.MIT.EDU (Olga Kornievskaia)
Mon Jun 30 15:11:36 2008

Message-ID: <48692FC6.6080301@citi.umich.edu>
Date: Mon, 30 Jun 2008 15:11:02 -0400
From: Olga Kornievskaia <aglo@citi.umich.edu>
MIME-Version: 1.0
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <853CB33D7EACF89ACD819503@sirius.fac.cs.cmu.edu>
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>,
   "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Jeffrey Hutzelman wrote:
> --On Friday, June 27, 2008 12:05:41 PM -0400 Olga Kornievskaia 
> <aglo@citi.umich.edu> wrote:
>
>> 3. dnsName in the KDC's certificate doesn't match the hostname specified
>> in your krb5.conf
>
> Um.  Why would you expect that?  PKINIT contains no requirement that 
> the KDC's certificate contain a dnsName, nor that it match any 
> particular hostname if it is present.  The only requirement is for an 
> id-pkinit-san matching the name of the realm's TGS.
In RFC 4556 in *Appendix C. Miscellaneous Information about Microsoft 
Windows PKINIT*

KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName SAN with the DNS name of the host running the KDC.

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
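As an added example (not code from this thread, from MIT krb5 or from Windows): a small checker for the rule Jeffrey states, taking the KDC certificate's SAN entries as already extracted from X.509, requiring an id-pkinit-san OtherName (OID 1.3.6.1.5.2.2) whose KRB5PrincipalName is krbtgt/REALM@REALM, and merely reporting any dNSName. The DER helpers, the sample SAN list and the realm EXAMPLE.COM are constructed here for the demonstration.

```python
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # OtherName type-id for KRB5PrincipalName (RFC 4556)

def der(tag, body):
    # Minimal DER TLV encoder; short-form lengths suffice for principal names.
    assert len(body) < 0x80, "short-form DER length only"
    return bytes([tag, len(body)]) + body

def _tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "short-form DER length only"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        out.append((tag, inner))
    return out

def krb5_principal_name_der(realm, components, name_type=2):
    """Encode KRB5PrincipalName (RFC 4556 3.2.2); name-type 2 is NT-SRV-INST."""
    ks = lambda s: der(0x1B, s.encode("ascii"))  # KerberosString (GeneralString)
    pname = der(0x30, der(0xA0, der(0x02, bytes([name_type])))
                + der(0xA1, der(0x30, b"".join(ks(c) for c in components))))
    return der(0x30, der(0xA0, ks(realm)) + der(0xA1, pname))

def decode_krb5_principal_name(blob):
    """Return (realm, name_type, components) from a KRB5PrincipalName DER blob."""
    tag, body, _ = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    (_, realm_body), (_, pn_body) = _children(body)
    realm = _children(realm_body)[0][1].decode("ascii")
    (_, nt_body), (_, ns_body) = _children(_children(pn_body)[0][1])
    name_type = int.from_bytes(_children(nt_body)[0][1], "big")
    comps = [c.decode("ascii") for _, c in _children(_children(ns_body)[0][1])]
    return realm, name_type, comps

def check_kdc_cert_sans(sans, realm):
    """sans: ('otherName', oid, der_bytes) or ('dNSName', host) tuples from the KDC
    cert. Returns (has_tgs_pkinit_san, dns_names); only the first is required."""
    has_tgs_san, dns_names = False, []
    for san in sans:
        if san[0] == "otherName" and san[1] == ID_PKINIT_SAN:
            r, _, comps = decode_krb5_principal_name(san[2])
            has_tgs_san |= (r == realm and comps == ["krbtgt", realm])  # case-sensitive
        elif san[0] == "dNSName":
            dns_names.append(san[1])  # informational: Windows CAs add one, PKINIT does not need it
    return has_tgs_san, dns_names

# Constructed sample: a Windows-style KDC certificate carrying both SAN kinds.
SAMPLE_SANS = [("dNSName", "kdc.example.com"),
               ("otherName", ID_PKINIT_SAN,
                krb5_principal_name_der("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"]))]
```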
