Re: Certificate format for PKINIT to Windows?
G'day,
Geoffrey Elgey wrote:
> I just figured that out a little while ago. I created a new certificate
> template based on Smart Card Logon, with private key marked as
> exportable, and including the UPN. This allowed me to perform a kinit:
>
> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
> geoffree@SC.VAS
I specified the client principal explicitly above, as my /etc/krb5.conf
did not have SC.VAS as the default realm. If I modify the default realm
to SC.VAS, and perform a kinit while logged in as 'geoffree', then I do
not need to specify the client principal explicitly.
However, if I perform a kinit while logged in as a different user, then I
do need to specify the client principal explicitly. Otherwise, a client
name mismatch occurs. But shouldn't the client principal name be derived
from information in the certificate?
Windows adds a subjectAltName to the certificate, of the form
OtherName:PrincipalName=geoffree@sc.vas, which represents the UPN of the
user.
Although using the UPN may not always work for Windows authentication,
is there a configuration option or similar that will map the UPN to the
client principal name?
-- Geoff