
Re: PKINIT to Windows AD fails about half the time

Douglas,

> Looks like two problems:
>
> (1) Windows wants the pk_nonce to have the first
> bit zero, or it returns the KRB_ERROR 60 with no e-text.

It might be us that made it wrong: pk-init-09 says INTEGER, and I assume
they secretly meant INTEGER (-2147483648..2147483647). I made it an
INTEGER (0..4294967295) when I wrote the asn1 spec file; that also needs to
be tested if that is the real problem.

> (2) Windows uses the pk_nonce in the ticket, so when
> _krb5_extract_ticket is called from init_cred_loop
> it needs to pass in the pk_nonce rather than nonce.
>
> Draft 25 says the nonces may be different, and does not
> require the ticket use the pk_nonce. I don't know what
> draft 9 said.
>
> There are a number of ways to solve this, but they depend
> on the win2k_compat flag being known when _krb5_extract_ticket
> is called. Or better still, the compat flag used to create the
> pa-data needs to be available to process the as-rep.
>
> Could the win2k_compat flag be saved in the krb5_get_init_creds_ctx?
> or in the krb5_pk_init_ctx?

Or just set the nonce to the same thing as the nonce, as that is what the
code did before I managed to break it.

Thanks for testing,
Love

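The INTEGER range question in the thread (signed 32-bit versus INTEGER (0..4294967295)), as an added example that is not Heimdal's or the list's own code: it DER-encodes a 32-bit nonce, decodes it the way a signed 32-bit peer would, and shows why clamping the nonce to 31 bits makes both readings agree. The function names are my own.

```c
/* Added example, not Heimdal code. DER INTEGER content is minimal
 * two's complement, so an unsigned nonce >= 2^31 needs a leading 0x00
 * octet (5 content octets), which a peer decoding the nonce as
 * INTEGER (-2147483648..2147483647) cannot accept. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Encode v as DER INTEGER (tag 0x02) into out (at least 7 bytes);
 * returns the total length including tag and length octets. */
size_t der_encode_uint32(uint32_t v, unsigned char *out) {
    unsigned char buf[5] = { 0, (unsigned char)(v >> 24), (unsigned char)(v >> 16),
                             (unsigned char)(v >> 8), (unsigned char)v };
    size_t start = 0;
    /* drop leading zero octets unless one is needed to keep the sign bit clear */
    while (start < 4 && buf[start] == 0 && (buf[start + 1] & 0x80) == 0)
        start++;
    size_t n = 5 - start;
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    memcpy(out + 2, buf + start, n);
    return n + 2;
}

/* Convenience: total DER length of the INTEGER encoding of v. */
size_t der_encoded_len(uint32_t v) { unsigned char b[7]; return der_encode_uint32(v, b); }

/* Decode as a signed 32-bit peer would: sign-extend the first content octet,
 * reject more than 4 content octets. Returns 0 on success, -1 otherwise. */
int der_decode_int32(const unsigned char *der, size_t len, int32_t *out) {
    if (len < 3 || der[0] != 0x02 || der[1] == 0 || der[1] > 4 ||
        (size_t)der[1] + 2 > len)
        return -1;
    uint32_t v = (der[2] & 0x80) ? 0xffffffffu : 0;
    for (size_t i = 0; i < der[1]; i++)
        v = (v << 8) | der[2 + i];
    *out = (int32_t)v;
    return 0;
}

/* With the top bit clear the encoding is identical under INTEGER (0..4294967295)
 * and the signed 32-bit reading, so both sides decode the same nonce. */
uint32_t pkinit_nonce_clamp(uint32_t raw) { return raw & 0x7fffffffu; }

/* 1 if a signed 32-bit peer decodes the encoding of v back to v, else 0. */
int nonce_roundtrips_signed(uint32_t v) {
    unsigned char der[7];
    int32_t got;
    size_t n = der_encode_uint32(v, der);
    return der_decode_int32(der, n, &got) == 0 && (uint32_t)got == v;
}
```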