[32566] in Kerberos
Re: Microsoft Active Directory / PKINIT
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Aug 12 15:36:34 2010
Message-ID: <4C644D3B.8050404@anl.gov>
Date: Thu, 12 Aug 2010 14:36:27 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <1A136DCE57F98F4B8BAB5FFC69C8E6DAD107466B43@exchange.cybersafe.local>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 8/12/2010 6:26 AM, Tim Alsop wrote:
> Hi,
>
> Does anybody know if/when Microsoft Active Directory will support PKINIT (RFC 4556). I understand that all versions of MS AD support draft-9 of PKINIT, but I am not sure if the RFC is implemented/supported?
>
> Also, I am interested to know about interoperability between the draft-9 implementation and the RFC 4556 implementation. For example, does the PKINIT included in the MIT code, which is RFC compliant, interoperate with MS AD (draft-9)?
>
> Any info you have on this is appreciated.
Have you looked at the Microsoft KILE document? It does list RFC 4556
and PA-PK-AS-REP [17] and refers to PA-PK-AS-REP_OLD (15)
http://msdn.microsoft.com/en-us/library/cc233964(v=PROT.13).aspx
In the KRB5-ERROR e-data, padata, I see what Wireshark refers to as
PA-PK-AS-REP (15), but not 17.
We have mixed 2008 and 2003 DCs, so for backwards compatibility it might
only present PA-PK-AS-REP (17) if all the servers are 2008.
>
> Thanks,
> Tim
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
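A way to check what a KDC actually advertises, as an added example that is not part of the thread and not MIT or Microsoft code: the script below decodes the METHOD-DATA that a KDC puts in the e-data of a KDC_ERR_PREAUTH_REQUIRED KRB-ERROR (the padata list the reply above reads off in Wireshark) and reports whether the PKINIT hints use the draft-9 pa-data numbers (14/15) or the RFC 4556 ones (16/17). The e-data bytes are constructed inline and labelled as such; with a real capture you would feed in the e-data OCTET STRING from the KRB-ERROR instead. The type numbers come from RFC 4120 section 7.5.2 and RFC 4556 section 3.3.

```python
"""Decode the pa-data types a KDC advertises in a KRB-ERROR's e-data.

METHOD-DATA (RFC 4120) is what the KDC puts in e-data of a
KDC_ERR_PREAUTH_REQUIRED error:

    METHOD-DATA ::= SEQUENCE OF PA-DATA
    PA-DATA     ::= SEQUENCE { padata-type  [1] Int32,
                               padata-value [2] OCTET STRING }
"""
from typing import Dict, Iterator, List, Tuple

# pa-data type numbers (RFC 4120 section 7.5.2, RFC 4556 section 3.3)
PA_PK_AS_REQ_OLD = 14  # draft-ietf-cat-kerberos-pk-init-09
PA_PK_AS_REP_OLD = 15
PA_PK_AS_REQ = 16      # RFC 4556
PA_PK_AS_REP = 17
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2",
            14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP"}

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
CTX1, CTX2 = 0xA1, 0xA2  # [1] and [2] EXPLICIT tags (constructed)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos:]; return (tag, contents, end offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body


def parse_method_data(edata: bytes) -> List[Tuple[int, bytes]]:
    """Return [(padata-type, padata-value), ...] from DER METHOD-DATA."""
    tag, seq, end = _read_tlv(edata, 0)
    if tag != SEQUENCE or end != len(edata):
        raise ValueError("e-data is not a single SEQUENCE")
    result = []
    for tag, pa in _iter_tlvs(seq):
        if tag != SEQUENCE:
            raise ValueError("PA-DATA is not a SEQUENCE")
        fields = dict(_iter_tlvs(pa))       # {0xA1: ..., 0xA2: ...}
        t, inner, _ = _read_tlv(fields[CTX1], 0)
        if t != INTEGER:
            raise ValueError("padata-type is not an INTEGER")
        t, value, _ = _read_tlv(fields[CTX2], 0)
        if t != OCTET_STRING:
            raise ValueError("padata-value is not an OCTET STRING")
        result.append((int.from_bytes(inner, "big", signed=True), value))
    return result


def pkinit_support(edata: bytes) -> Dict[str, object]:
    """Which PKINIT flavour(s) the KDC hints at, by pa-data type number."""
    types = {t for t, _ in parse_method_data(edata)}
    return {"rfc4556": bool(types & {PA_PK_AS_REQ, PA_PK_AS_REP}),
            "draft9": bool(types & {PA_PK_AS_REQ_OLD, PA_PK_AS_REP_OLD}),
            "types": sorted(types)}


# --- constructed sample e-data (not a real capture) ---------------------
def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder: short or long-form length as needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_pa_data(ptype: int, value: bytes = b"") -> bytes:
    ival = ptype.to_bytes((ptype.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(SEQUENCE, _tlv(CTX1, _tlv(INTEGER, ival))
                + _tlv(CTX2, _tlv(OCTET_STRING, value)))


def encode_method_data(*pa: bytes) -> bytes:
    return _tlv(SEQUENCE, b"".join(pa))


# Draft-9-only hints, like the mixed 2003/2008 domain described above. The
# 130-byte ETYPE-INFO2 value is filler to exercise long-form lengths only.
SAMPLE_DRAFT9_ONLY = encode_method_data(
    encode_pa_data(19, b"\x00" * 130), encode_pa_data(2), encode_pa_data(15))
# Hypothetical KDC advertising both the old and the RFC 4556 numbers.
SAMPLE_BOTH = encode_method_data(
    encode_pa_data(19), encode_pa_data(2), encode_pa_data(15),
    encode_pa_data(16), encode_pa_data(17))

if __name__ == "__main__":
    for t, v in parse_method_data(SAMPLE_DRAFT9_ONLY):
        print(f"{PA_NAMES.get(t, 'unknown')} ({t}), {len(v)} value bytes")
    print(pkinit_support(SAMPLE_DRAFT9_ONLY))
```

If the result shows only 15 (or 14/15), the KDC is hinting at the draft-9 exchange; seeing 16/17 is the RFC 4556 hint. The parser rejects truncated e-data and malformed PA-DATA rather than silently skipping them, since a stripped padata list is exactly what a downgrade to the older pre-authentication method would look like on the wire.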