[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PKINIT to Windows AD fails about half the time

Love Hörnquist Åstrand wrote:

> Douglas,
>>Looks like two problems:
>>(1) Windows wants the pk_nonce to have the first
>>bit zero, or it returns the KRB_ERROR 60 with no e-text.
> It might be us that made it wrong pk-init-09 say INTEGER, I assume they
> they secretly meant INTEGER (-2147483648..2147483647). I made it into a
> INTEGER (0..4294967295) when I wrote the asn1 spec file, that also need to
> be tested if that is the real problem.

If you have something, I can try it.

>>(2) Windows uses the pk_nonce in the ticket, so when
>>_krb5_extract_ticket is called from init_cred_loop
>>it needs to pass in the pk_nonce rather nonce.
>>Draft 25 says the nonces may be different, and does not
>>require the ticket use the pk_nonce. I don't know what
>>draft 9 said.
>>There are a number of ways to solve this, but they depend
>>to the win2k_compat flag to be known when the _krb5_extract_ticket
>>is called. Or better still, the compat flag used to create the
>>pa-data needs to be available to process the as-rep.
>>Could the win2k_compat flag be save in the krb5_get_init_creds_ctx?
>>or in the krb5_pk_init_ctx?
> Or just the the nonce to the same thing as the nonce, as that is what the
> code did before I managed to break it.

But is there some security reason to have two differnet nonces? Draft 25
allows for differnet ones, but I don't think it requires them to
be different.

> Thank for testing,
> Love


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444