Re: Smartcard logon using Heimdal KDC
I cooperate with Daniel Kouril on this question. The problem is that
the client just does not send preauthentication data in the Windows WS -
Heimdal KDC (PKINIT) case. Now it seems that the Windows Workstation just
does not use PKINIT if the logon is not a domain logon. The question
could only be solved by some change in the logon mechanism (somewhere
in the GINA, LSA, SSP chain).
> Prágai Róbert <email@example.com> writes:
>> No, we are on the Kerberos PKINIT way
>> (draft-ietf-cat-kerberos-pk-init-16.txt). The basic plan is to support
>> several smartcards (and tokens) with a mediate security layer that
>> gives a standard interface to the PKINIT for any device in a pluggable
>> way. But it seems that the Windows workstation assumes that if the
>> logon is not a domain logon, then it cannot be a PKINIT logon
>> either. I'm not sure about this.
> You are aware that Microsoft implements -11 (or was it -12) of the draft?
> Daniel Kouril's patch takes this into account.
> The client doesn't look at the preauth reply from the KDC to decide if it
> wants to use PKINIT?