
Re: Smartcard logon using Heimdal KDC


No, we are on the Kerberos PKINIT way 
(draft-ietf-cat-kerberos-pk-init-16.txt). The basic plan is to support 
several smartcards (and tokens) with an intermediate security layer that 
gives a standard interface to the PKINIT for any device in a pluggable way. 
But it seems that the Windows workstation assumes that if the logon is 
not a domain logon, then it cannot be a PKINIT logon either. I'm not 
sure about this.


> Are you doing it in accordance with 
> draft-ietf-krb-wg-kerberos-sam-02?  That's how SecureID and CRYPTOcard 
> are currently supported and the MIT 1.3.1 client supports it.
> What kind of smart card are you trying to support?
> At 1:41 PM +0100 1/26/04, Prágai Róbert wrote:
>> Hi,
>>   I am trying to set up an environment where users can log on to a 
>> Kerberos realm from Windows 2000 workstations via smartcard logon.
>>   I've already reached a point where normal password logon works from 
>> Windows workstations to the Kerberos realm, and the smartcard logon 
>> works from the Windows workstations to the Windows domain.
>>   However, when I tested the smartcard logon from a Windows 
>> workstation to the Heimdal KDC, the workstation initiated a normal 
>> password logon to the Unix KDC instead of a smartcard logon, according 
>> to the network traffic. I initiated a logon using the smartcard logon 
>> process and typed the PIN, but the network flow between the workstation 
>> and the Unix KDC was similar to the normal password logon case.
>>     Does anyone have enough experience with Windows PKINIT to 
>> answer whether it is the intended behaviour of the Windows 
>> 2000 workstations that they initiate a normal password logon to Unix 
>> KDCs? If it is intentional, what part of the security system 
>> is responsible for it: the GINA, the LSA, the SSP, maybe the 
>> corresponding CSP or something else? What should I change in the system to 
>> make this environment work?
>>    All comments are welcome.
>> thanks,
>> Robert Pragai
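The distinction Robert read off the wire, a password logon versus a PKINIT logon, is visible in the pre-authentication data of the AS-REQ: encrypted-timestamp pre-auth is padata-type 2 (PA-ENC-TIMESTAMP), while PKINIT carries padata-type 16 (PA-PK-AS-REQ, RFC 4556) or the older draft value 14 used by early implementations. The following is an added example, not code from this thread or from Heimdal: it builds two constructed (not captured) AS-REQ skeletons with a minimal DER encoder, then walks the DER to list the padata types and classify the request. The req-body is left as an empty SEQUENCE and the padata values are dummy bytes, because only the type numbers matter for this check.

```python
"""Classify a Kerberos AS-REQ as password or PKINIT pre-authentication.

Constructed example for this thread; the AS-REQ skeletons below are built
inline and are not real captures.  Tag and type numbers follow RFC 4120
(KDC-REQ, PA-DATA) and RFC 4556 (PA-PK-AS-REQ).
"""

# padata-type numbers (RFC 4120 section 7.5.2, RFC 4556 section 3.1.1)
PA_ENC_TIMESTAMP = 2     # password-derived key: the "normal password logon" path
PA_PK_AS_REQ = 16        # PKINIT: certificate (smartcard) pre-authentication
PA_PK_AS_REQ_OLD = 14    # pre-RFC draft PKINIT type used by older implementations
PA_PAC_REQUEST = 128     # Windows clients usually add this alongside the above


# --- tiny DER encoder, enough to build the sample messages -----------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True) if v else b"\x00"
    return der(0x02, body)


def ctx(n, content):
    """Explicitly tagged context-specific field [n], as Kerberos ASN.1 uses."""
    return der(0xA0 | n, content)


def pa_data(pa_type, value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    return der(0x30, ctx(1, der_int(pa_type)) + ctx(2, der(0x04, value)))


def as_req(padata_list):
    """AS-REQ ::= [APPLICATION 10] KDC-REQ; req-body is an empty SEQUENCE here (constructed skeleton)."""
    fields = (ctx(1, der_int(5))                      # pvno
              + ctx(2, der_int(10))                   # msg-type AS-REQ
              + ctx(3, der(0x30, b"".join(padata_list)))
              + ctx(4, der(0x30, b"")))               # req-body (omitted content)
    return der(0x6A, der(0x30, fields))


# --- decoder: walk the DER and pull out every padata-type ------------------
def _tlv_iter(buf):
    """Yield (tag, content) for each TLV in buf (single-byte tags suffice here)."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                       # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        yield tag, buf[i:i + ln]
        i += ln


def padata_types(msg):
    """Return the padata-type values of an AS-REQ in wire order ([] if absent)."""
    tag, body = next(_tlv_iter(msg))
    if tag != 0x6A:
        raise ValueError("not an AS-REQ: expected [APPLICATION 10]")
    stag, fields = next(_tlv_iter(body))
    if stag != 0x30:
        raise ValueError("malformed KDC-REQ: expected SEQUENCE")
    types = []
    for ftag, fval in _tlv_iter(fields):
        if ftag != 0xA3:                    # [3] padata
            continue
        _, padata_seq = next(_tlv_iter(fval))
        for _, pa in _tlv_iter(padata_seq):
            for etag, ev in _tlv_iter(pa):
                if etag == 0xA1:            # [1] padata-type
                    _, intbody = next(_tlv_iter(ev))
                    types.append(int.from_bytes(intbody, "big", signed=True))
    return types


def classify(msg):
    """'pkinit' if any PKINIT padata is present, 'password' for encrypted timestamp, else 'none'."""
    types = set(padata_types(msg))
    if types & {PA_PK_AS_REQ, PA_PK_AS_REQ_OLD}:
        return "pkinit"
    if PA_ENC_TIMESTAMP in types:
        return "password"
    return "none"


# Constructed samples: what a smartcard logon and a password logon would carry.
SMARTCARD_REQ = as_req([pa_data(PA_PK_AS_REQ, b"\x00" * 8), pa_data(PA_PAC_REQUEST, b"\x30\x00")])
PASSWORD_REQ = as_req([pa_data(PA_ENC_TIMESTAMP, b"\x00" * 8), pa_data(PA_PAC_REQUEST, b"\x30\x00")])

if __name__ == "__main__":
    for name, req in (("smartcard", SMARTCARD_REQ), ("password", PASSWORD_REQ)):
        print(name, padata_types(req), classify(req))
```

Running the same `classify` over the AS-REQ bodies of a real capture (after stripping the UDP or TCP length framing) is a quick way to confirm whether a workstation actually attempted PKINIT against the KDC or fell back to the encrypted-timestamp path, which is the symptom described above.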