[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Smartcard logon using Heimdal KDC

To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Subject: Re: Smartcard logon using Heimdal KDC
From: Prágai Róbert <pragai@rubin.hu>
Date: Tue, 27 Jan 2004 09:14:33 +0100
CC: heimdal-discuss@sics.se
In-Reply-To: <p05210605bc3b3b42e074@[137.78.212.225]>
References: <40150AF7.8020803@rubin.hu> <p05210605bc3b3b42e074@[137.78.212.225]>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; hu-HU; rv:1.4) Gecko/20030624

Hi,

    no we are on the Kerberos PKINIT way 
(draft-ietf-cat-kerberos-pk-init-16.txt). The basic plan is to support 
several smartcards (and tokens) with a mediate security layer that gives 
a standard interface to the PKINIT for any device in a pluggable way. 
But it seems that the Windows workstation assumes that if the logon is 
not a domain logon, then it cannot be a PKINIT logon neither. I'm not 
sure about this.

regards,
Robert

> Are you doing it in accordance with 
> draft-ietf-krb-wg-kerberos-sam-02?  That's how SecureID and CRYPTOcard 
> are currently supported and the MIT 1.3.1 client supports it.
>
> What kind of smart card are you trying to support?
>
> At 1:41 PM +0100 1/26/04, Prágai Róbert wrote:
>
>> Hi,
>>
>>   I try to arrange an environment, where users can logon to a 
>> Kerberos realm from Windows 2000 workstations via smartcard logon.
>>   I've already reached a point where normal password logon works from 
>> Windows workstations to the Kerberos realm, and the smartcard logon 
>> works from the Windows workstations to the Windows domain.
>>   However when I tested the smartcard logon from a Windows 
>> workstation to the Heimdal KDC, the workstation initiated a normal 
>> password logon to the Unix KDC instead of smartcard logon according 
>> to the network traffic. I initiated a logon using the smartcard logon 
>> process, typed the PIN but the network flow between the workstation 
>> and the Unix KDC was similar to the normal password logon case.
>>     Does anyone have enough experience with wiht Windows PKINIT to 
>> answer whether it is the intentional working mechanism of the Windows 
>> 2000 workstations that it initiates a normal password logon to Unix 
>> KDC's? If it is intentional, however what part of the security system 
>> is responsible for it: the GINA, the LSA, ths SSP, maybe the 
>> corresponding CSP or other? What should I change in the system to 
>> make this environment work?
>>    All comments are welcome.
>>
>> thanks,
>> Robert Pragai
>
>

Follow-Ups:
- Re: Smartcard logon using Heimdal KDC
  - From: Love <lha@stacken.kth.se>

References:
- Smartcard logon using Heimdal KDC
  - From: Prágai Róbert <pragai@rubin.hu>
- Re: Smartcard logon using Heimdal KDC
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

Prev by Date: Re: Smartcard logon using Heimdal KDC
Next by Date: Re: Smartcard logon using Heimdal KDC
Prev by thread: Re: Smartcard logon using Heimdal KDC
Next by thread: Re: Smartcard logon using Heimdal KDC
Index(es):
- Date
- Thread