[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate format for PKINIT to Windows?

To: Geoffrey Elgey <geoffree@vintela.com>
Subject: Re: Certificate format for PKINIT to Windows?
From: "Douglas E. Engert" <deengert@anl.gov>
Date: Mon, 13 Jun 2005 08:43:43 -0500
Cc: heimdal-discuss@sics.se
In-Reply-To: <42AA0598.8000106@vintela.com>
References: <200506100847.j5A8lCQi061792@au.padl.com> <42A95594.4040202@vintela.com> <42AA0598.8000106@vintela.com>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803



Geoffrey Elgey wrote:

> G'day,
> 
> Geoffrey Elgey wrote:
> 
>> I just figured that out a little while ago. I created a new 
>> certificate template based on Smart Card Logon, with private key 
>> marked as exportable, and including the UPN. This allowed me to 
>> perform a kinit:
>>
>> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
>>   geoffree@SC.VAS
> 
> 
> I specified the client principal explicitly above, as my /etc/krb5.conf 
> did not have SC.VAS as the default realm. If I modify the default realm 
> to SC.VAS, and perform a kinit while logged in as 'geoffree', then I do 
> not need to specify the client principal explicitly.
> 
> Howver, if I perform a kinit while logged in as a different user, then I 
> do need to specify the client principal explicitly. Otherwise, a client 
> name mismatch occurs. But shouldn't the client principal name be derived 
> from information in the certificate?

Maybe, but you would like to be able to use the same certificate
to login to multiple realms. For example with some government issued
smart card, which has know knowledge of the many Kerberos realms
it may be used with.

> 
> Windows adds a subjectAltName to the certificate, of the form 
> OtherName:PrincipalName=geoffree@sc.vas, which represents the UPN of the 
> user.

Yes, but this then limits the certificate to be usable with
the domain only. I would argue that any mapping needs to be done by the
host in its context, not placed in the certificate.

> 
> Although using the UPN may not always work for Windows authentication, 
> is there a configuration option or similar that will map the UPN to the 
> client principal name?

Not that I know of with straight Kerberos. If there was a directory
maybe the host could look up the certificate and see if it maps to
any known principals it is willing to accept.

> 
> -- Geoff
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Follow-Ups:
- Re: Certificate format for PKINIT to Windows?
  - From: Luke Howard <lukeh@PADL.COM>

References:
- Re: Certificate format for PKINIT to Windows?
  - From: Luke Howard <lukeh@PADL.COM>
- Re: Certificate format for PKINIT to Windows?
  - From: Geoffrey Elgey <geoffree@vintela.com>
- Re: Certificate format for PKINIT to Windows?
  - From: Geoffrey Elgey <geoffree@vintela.com>

Prev by Date: Re: Certificate format for PKINIT to Windows?
Next by Date: Re: Use of PKINIT from PAM
Prev by thread: Re: Certificate format for PKINIT to Windows?
Next by thread: Re: Certificate format for PKINIT to Windows?
Index(es):
- Date
- Thread