[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PKINIT from Windows ?
Love Hörnquist Åstrand wrote:
> Craig Huckabee <email@example.com> writes:
>> I've seen some discussion of using Heimdal clients and Windows KDCs
>>with PKINIT, but is anyone else looking at the other direction
>>(Windows clients to a Heimdal KDC) ?
> I've implmented the funcationallity in the KDC it the last round of PK-INIT
> changes and have tested them with Heimdal as client, but I have not tried
> getting windows clients to use (no time).
I've done some testing today, with mixed results:
1) WinXP - could not test at all because our smart card middleware
(Activcard Gold) appears to be broken :/ The smart card services report
an error at boot and are not available for logon, although the cards
work after a user is logged in.
2) Win2K, in an AD domain:
- completely ignores any trusted domain settings, sends all pkinit
requests to the DC it is associated with
3) Win2K, removed from the AD domain:
- sends over <certificate subject name>@REALM in the AS-REQ
- Heimdal rejects this unknown user
- changed pki-mapping file to:
<user>@REALM:<certificate subject name>
and restarted the kdc, same results.
I'm guessing in case #3, the client isn't doing PKINIT or my pki-mapping
file is wrong. If I can sniff the packets between the client and KDC,
is there a clue I can look for to see if this the AS-REQ is a PKINIT type ?
My test KDC is built from the Heimdal 20050622 snapshots with one patch
to lib/hdb/mkey.c to make an MIT master key work.
Any help is greatly appreciated,