Re: Smartcard logon using Heimdal KDC
No, we are going the Kerberos PKINIT way
(draft-ietf-cat-kerberos-pk-init-16.txt). The basic plan is to support
several smartcards (and tokens) with an intermediate security layer that gives
a standard interface to PKINIT for any device in a pluggable way.
But it seems that the Windows workstation assumes that if the logon is
not a domain logon, then it cannot be a PKINIT logon either. I'm not
sure about this.
> Are you doing it in accordance with
> draft-ietf-krb-wg-kerberos-sam-02? That's how SecureID and CRYPTOcard
> are currently supported and the MIT 1.3.1 client supports it.
> What kind of smart card are you trying to support?
> At 1:41 PM +0100 1/26/04, Prágai Róbert wrote:
>> I try to arrange an environment, where users can logon to a
>> Kerberos realm from Windows 2000 workstations via smartcard logon.
>> I've already reached a point where normal password logon works from
>> Windows workstations to the Kerberos realm, and the smartcard logon
>> works from the Windows workstations to the Windows domain.
>> However when I tested the smartcard logon from a Windows
>> workstation to the Heimdal KDC, the workstation initiated a normal
>> password logon to the Unix KDC instead of smartcard logon according
>> to the network traffic. I initiated a logon using the smartcard logon
>> process, typed the PIN but the network flow between the workstation
>> and the Unix KDC was similar to the normal password logon case.
>> Does anyone have enough experience with Windows PKINIT to
>> answer whether it is the intentional working mechanism of the Windows
>> 2000 workstations that they initiate a normal password logon to Unix
>> KDCs? If it is intentional, however, what part of the security system
>> is responsible for it: the GINA, the LSA, the SSP, maybe the
>> corresponding CSP or other? What should I change in the system to
>> make this environment work?
>> All comments are welcome.
>> Robert Pragai
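The observation in the quoted post ("the network flow ... was similar to the normal password logon case") can be checked precisely from a capture rather than by eye: a password logon's AS-REQ carries PA-ENC-TIMESTAMP (pa-data type 2) while a PKINIT logon's AS-REQ carries PA-PK-AS-REQ (type 16, or the pre-standard type 14 that RFC 4556 lists as PA-PK-AS-REQ_OLD and that early Windows PKINIT implementations sent). The following is an added example, not code from this thread or from Heimdal: it builds two minimal AS-REQ messages with a tiny DER encoder (the inner pa-data values are constructed placeholders, not real ciphertext or signed PKINIT data) and decodes the pa-data type list from each. The type numbers come from RFC 4120 and RFC 4556; everything else (function names, the sample messages) is this example's own assumption.

```python
"""Tell a password AS-REQ from a PKINIT AS-REQ by its pre-authentication types.

Added example, not code from the thread or from Heimdal. Two minimal
Kerberos AS-REQ messages (RFC 4120 section 5.4.1) are constructed with a
small DER encoder; padata_types() then walks the DER and returns the
pa-data type numbers, which is what a capture of the workstation's first
message to the KDC would reveal.
"""

PA_ENC_TIMESTAMP = 2     # RFC 4120: encrypted timestamp under a password-derived key
PA_PK_AS_REQ_OLD = 14    # RFC 4556 section 3.1: pre-standard PKINIT request type
PA_PK_AS_REQ = 16        # RFC 4556: standard PKINIT request type
PA_PAC_REQUEST = 128     # MS-KILE: Windows clients ask for a PAC

def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ctx(n, content):
    """Context-specific constructed tag [n]."""
    return tlv(0xA0 | n, content)

def seq(*items):
    return tlv(0x30, b"".join(items))

def pa_data(patype, value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    return seq(ctx(1, der_int(patype)), ctx(2, tlv(0x04, value)))

def as_req(padata_items):
    """AS-REQ ::= [APPLICATION 10] KDC-REQ with only the fields needed to be well-formed."""
    body = seq(ctx(0, tlv(0x03, b"\x00\x00\x00\x00\x00")),  # kdc-options: 32-bit BIT STRING, no flags
               ctx(5, tlv(0x18, b"20040126124100Z")),       # till (GeneralizedTime)
               ctx(7, der_int(1)),                            # nonce (constructed value)
               ctx(8, seq(der_int(23))))                      # etype: rc4-hmac
    return tlv(0x6A, seq(ctx(1, der_int(5)),      # pvno
                         ctx(2, der_int(10)),     # msg-type AS-REQ
                         ctx(3, seq(*padata_items)),
                         ctx(4, body)))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def padata_types(msg):
    """List the pa-data types in an AS-REQ in wire order; [] if it carries none."""
    tag, kdc_req, _ = read_tlv(msg)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ (expected APPLICATION 10)")
    fields = dict(iter_tlvs(read_tlv(kdc_req)[1]))   # {context tag: field content}
    if int.from_bytes(read_tlv(fields[0xA2])[1], "big") != 10:
        raise ValueError("msg-type is not AS-REQ")
    if 0xA3 not in fields:
        return []
    _, pa_list, _ = read_tlv(fields[0xA3])           # content of SEQUENCE OF PA-DATA
    types = []
    for _, pa in iter_tlvs(pa_list):
        pa_fields = dict(iter_tlvs(pa))
        types.append(int.from_bytes(read_tlv(pa_fields[0xA1])[1], "big", signed=True))
    return types

def classify(msg):
    """'pkinit' if any PKINIT pa-data is present, else 'password' or 'no-preauth'."""
    types = padata_types(msg)
    if PA_PK_AS_REQ in types or PA_PK_AS_REQ_OLD in types:
        return "pkinit"
    if PA_ENC_TIMESTAMP in types:
        return "password"
    return "no-preauth"

# Constructed sample messages; the pa-data values are placeholders, not real data.
PAC_REQUEST_VALUE = b"\x30\x05\xa0\x03\x01\x01\xff"     # KERB-PA-PAC-REQUEST { include-pac TRUE }
PASSWORD_LOGON = as_req([pa_data(PA_ENC_TIMESTAMP, b"\x30\x00"), pa_data(PA_PAC_REQUEST, PAC_REQUEST_VALUE)])
PKINIT_LOGON = as_req([pa_data(PA_PK_AS_REQ_OLD, b"\x30\x00"), pa_data(PA_PAC_REQUEST, PAC_REQUEST_VALUE)])

if __name__ == "__main__":
    for name, m in (("password", PASSWORD_LOGON), ("pkinit", PKINIT_LOGON)):
        print(name, padata_types(m), classify(m))
```

To apply this to a real capture, feed padata_types() the Kerberos payload of the workstation's first AS-REQ (for UDP/88 the datagram body; for TCP/88 skip the 4-byte length prefix). A result containing only types 2 and 128 is the password path the poster describes; a 14 or 16 means the client did attempt PKINIT and the problem lies on the KDC side instead.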