Re: Certificate format for PKINIT to Windows?

Geoffrey Elgey wrote:

> G'day,
> Geoffrey Elgey wrote:
>> I just figured that out a little while ago. I created a new 
>> certificate template based on Smart Card Logon, with private key 
>> marked as exportable, and including the UPN. This allowed me to 
>> perform a kinit:
>> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
>>   geoffree@SC.VAS
> I specified the client principal explicitly above, as my /etc/krb5.conf 
> did not have SC.VAS as the default realm. If I modify the default realm 
> to SC.VAS, and perform a kinit while logged in as 'geoffree', then I do 
> not need to specify the client principal explicitly.
> However, if I perform a kinit while logged in as a different user, then I 
> do need to specify the client principal explicitly. Otherwise, a client 
> name mismatch occurs. But shouldn't the client principal name be derived 
> from information in the certificate?

Maybe, but you would like to be able to use the same certificate
to login to multiple realms. For example with some government issued
smart card, which has no knowledge of the many Kerberos realms
it may be used with.

> Windows adds a subjectAltName to the certificate, of the form 
> OtherName:PrincipalName=geoffree@sc.vas, which represents the UPN of the 
> user.

Yes, but this then limits the certificate to be usable with
the domain only. I would argue that any mapping needs to be done by the
host in its context, not placed in the certificate.

> Although using the UPN may not always work for Windows authentication, 
> is there a configuration option or similar that will map the UPN to the 
> client principal name?

Not that I know of with straight Kerberos. If there was a directory
maybe the host could look up the certificate and see if it maps to
any known principals it is willing to accept.

> -- Geoff