Re: Smartcard logon using Heimdal KDC

Prágai Róbert <pragai@rubin.hu> writes:

> Hi,
>     no we are on the Kerberos PKINIT way
> (draft-ietf-cat-kerberos-pk-init-16.txt). The basic plan is to support
> several smartcards (and tokens) with a mediate security layer that
> gives a standard interface to the PKINIT for any device in a pluggable
> way. But it seems that the Windows workstation assumes that if the
> logon is not a domain logon, then it cannot be a PKINIT logon
> either. I'm not sure about this.

You are aware that Microsoft implements -11 (or was it -12) of the draft?
Daniel Kouril's patch takes this into account.

The client doesn't look at the preauth reply from the KDC to decide if it
wants to use PKINIT?


