[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate format for PKINIT to Windows?

To: deengert@anl.gov
Subject: Re: Certificate format for PKINIT to Windows?
From: Luke Howard <lukeh@PADL.COM>
Date: Tue, 14 Jun 2005 08:57:16 +1000
Cc: geoffree@vintela.com, heimdal-discuss@sics.se
Organization: PADL Software Pty Ltd
References: <200506100847.j5A8lCQi061792@au.padl.com> <42A95594.4040202@vintela.com> <42AA0598.8000106@vintela.com> <42AD8D8F.3050604@anl.gov>
Reply-To: lukeh@PADL.COM
Sender: owner-heimdal-discuss@sics.se
Versions: dmail (bsd44) 2.6d/makemail 2.10


>> Although using the UPN may not always work for Windows authentication, 
>> is there a configuration option or similar that will map the UPN to the 
>> client principal name?
>
>Not that I know of with straight Kerberos. If there was a directory
>maybe the host could look up the certificate and see if it maps to
>any known principals it is willing to accept.

If there is a UPN SAN in the certificate, you can extract it and use in
the AS-REQ (with the name type set to KRB-NT-ENTERPRISE-PRINCIPAL).

-- Luke

--

References:
- Re: Certificate format for PKINIT to Windows?
  - From: Luke Howard <lukeh@PADL.COM>
- Re: Certificate format for PKINIT to Windows?
  - From: Geoffrey Elgey <geoffree@vintela.com>
- Re: Certificate format for PKINIT to Windows?
  - From: Geoffrey Elgey <geoffree@vintela.com>
- Re: Certificate format for PKINIT to Windows?
  - From: "Douglas E. Engert" <deengert@anl.gov>

Prev by Date: Re: Use of PKINIT from PAM
Next by Date: Migrating MIT - Heimdal
Prev by thread: Re: Certificate format for PKINIT to Windows?
Next by thread: Re: Certificate format for PKINIT to Windows?
Index(es):
- Date
- Thread