[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PKINIT to Windows AD fails about half the time
Love Hörnquist Åstrand wrote:
>>Looks like two problems:
>>(1) Windows wants the pk_nonce to have the first
>>bit zero, or it returns the KRB_ERROR 60 with no e-text.
> It might be us that made it wrong pk-init-09 say INTEGER, I assume they
> they secretly meant INTEGER (-2147483648..2147483647). I made it into a
> INTEGER (0..4294967295) when I wrote the asn1 spec file, that also need to
> be tested if that is the real problem.
If you have something, I can try it.
>>(2) Windows uses the pk_nonce in the ticket, so when
>>_krb5_extract_ticket is called from init_cred_loop
>>it needs to pass in the pk_nonce rather nonce.
>>Draft 25 says the nonces may be different, and does not
>>require the ticket use the pk_nonce. I don't know what
>>draft 9 said.
>>There are a number of ways to solve this, but they depend
>>to the win2k_compat flag to be known when the _krb5_extract_ticket
>>is called. Or better still, the compat flag used to create the
>>pa-data needs to be available to process the as-rep.
>>Could the win2k_compat flag be save in the krb5_get_init_creds_ctx?
>>or in the krb5_pk_init_ctx?
> Or just the the nonce to the same thing as the nonce, as that is what the
> code did before I managed to break it.
But is there some security reason to have two differnet nonces? Draft 25
allows for differnet ones, but I don't think it requires them to
> Thank for testing,
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439