Re: PKINIT from Windows ?
Love Hörnquist Åstrand wrote:
> Craig Huckabee <huck@spawar.navy.mil> writes:
>
>
>>Hi all,
>>
>> I've seen some discussion of using Heimdal clients and Windows KDCs
>>with PKINIT, but is anyone else looking at the other direction
>>(Windows clients to a Heimdal KDC) ?
>
>
> I've implemented the functionality in the KDC in the last round of PK-INIT
> changes and have tested them with Heimdal as client, but I have not tried
> getting windows clients to use it (no time).
>
I've done some testing today, with mixed results:
1) WinXP - could not test at all because our smart card middleware
(Activcard Gold) appears to be broken :/ The smart card services report
an error at boot and are not available for logon, although the cards
work after a user is logged in.
2) Win2K, in an AD domain:
- completely ignores any trusted domain settings, sends all pkinit
requests to the DC it is associated with
3) Win2K, removed from the AD domain:
- sends over <certificate subject name>@REALM in the AS-REQ
- Heimdal rejects this unknown user
- changed pki-mapping file to:
<user>@REALM:<certificate subject name>
and restarted the kdc, same results.
I'm guessing in case #3, the client isn't doing PKINIT or my pki-mapping
file is wrong. If I can sniff the packets between the client and KDC,
is there a clue I can look for to see if this AS-REQ is a PKINIT type ?
My test KDC is built from the Heimdal 20050622 snapshots with one patch
to lib/hdb/mkey.c to make an MIT master key work.
Any help is greatly appreciated,
Craig
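The clue asked for above lives in the AS-REQ's pre-authentication data: a PKINIT client sends a PA-DATA entry of type pa-pk-as-req (16 in RFC 4556; Windows' pre-RFC PKINIT implementation uses the older draft value 14), whereas a password logon retries with PA-ENC-TIMESTAMP (type 2) after the KDC's PREAUTH_REQUIRED error, and a client that has not started pre-authentication at all sends no PKINIT padata. The following is an added example, not code from this thread or from Heimdal: it hand-rolls just enough DER to build a sample AS-REQ and then walks the [APPLICATION 10] KDC-REQ to list the padata-type values and classify the request. The sample requests, the placeholder padata-value bytes and the realm name are constructed for the example; the padata type numbers come from RFC 4120, RFC 4556 and the pre-RFC draft values that MIT and Heimdal both recognize.

```python
"""Classify a Kerberos AS-REQ by its pre-authentication (padata) types.

Added example, not from the mailing-list thread or from Heimdal.  It carries
just enough DER to construct a sample AS-REQ and to walk a real one.
"""

# Pre-authentication type numbers (RFC 4120 sec. 7.5.2, RFC 4556 sec. 3.1.1,
# plus the pre-RFC draft values used by early Windows PKINIT).
PA_TYPE_NAMES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",            # password-based pre-auth
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ (pre-RFC draft, Windows)",
    15: "PA-PK-AS-REP (pre-RFC draft)",
    16: "PA-PK-AS-REQ (RFC 4556)",
    17: "PA-PK-AS-REP (RFC 4556)",
    128: "PA-PAC-REQUEST",
}
PKINIT_PA_TYPES = {14, 15, 16, 17}

# --- minimal DER encoding, only used to construct a sample AS-REQ -------------
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):                     # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def integer(v):
    nbytes = max(1, (v.bit_length() + 8) // 8)   # leaves room for the sign bit
    return tlv(0x02, v.to_bytes(nbytes, "big", signed=True))

def sequence(*items):
    return tlv(0x30, b"".join(items))

def octet_string(b):
    return tlv(0x04, b)

def build_as_req(pa_types):
    """Build an AS-REQ ([APPLICATION 10] KDC-REQ) carrying the given padata types.
    The padata-value contents are constructed placeholders and req-body is cut
    down to a realm and a nonce, since the classifier never inspects either."""
    padata = [sequence(ctx(1, integer(t)), ctx(2, octet_string(b"\x00")))
              for t in pa_types]
    fields = [ctx(1, integer(5)), ctx(2, integer(10))]        # pvno 5, msg-type AS-REQ
    if padata:
        fields.append(ctx(3, sequence(*padata)))               # padata [3]
    req_body = sequence(ctx(2, tlv(0x1B, b"EXAMPLE.REALM")),   # realm (GeneralString), constructed
                        ctx(7, integer(12345)))                # nonce, constructed
    fields.append(ctx(4, req_body))                            # req-body [4]
    return tlv(0x6A, sequence(*fields))                        # [APPLICATION 10]

# --- minimal DER decoding -----------------------------------------------------
def read_tlv(buf, off=0):
    """Return (tag, body, next_offset) for the single-byte-tag TLV at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length

def children(body):
    """Split a constructed value's body into its (tag, body) members."""
    out, off = [], 0
    while off < len(body):
        tag, inner, off = read_tlv(body, off)
        out.append((tag, inner))
    return out

def padata_types(as_req):
    """List the padata-type values of an AS-REQ in wire order (empty if none)."""
    tag, body, _ = read_tlv(as_req)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ: [APPLICATION 10] tag expected")
    (_, kdc_req), = children(body)                 # the KDC-REQ SEQUENCE
    types = []
    for ftag, fbody in children(kdc_req):
        if ftag == 0xA3:                           # padata [3] SEQUENCE OF PA-DATA
            (_, pa_list), = children(fbody)
            for _, pa in children(pa_list):
                for ptag, pval in children(pa):
                    if ptag == 0xA1:               # padata-type [1] Int32
                        (_, ival), = children(pval)
                        types.append(int.from_bytes(ival, "big", signed=True))
    return types

def classify(as_req):
    """Return ('pkinit' | 'password-preauth' | 'no-preauth', [type names])."""
    types = padata_types(as_req)
    if PKINIT_PA_TYPES & set(types):
        kind = "pkinit"
    elif 2 in types:
        kind = "password-preauth"
    else:
        kind = "no-preauth"
    return kind, [PA_TYPE_NAMES.get(t, f"unknown({t})") for t in types]

if __name__ == "__main__":
    samples = [("Windows draft PKINIT", [14, 128]), ("RFC 4556 PKINIT", [16]),
               ("password logon retry", [2, 128]), ("initial request", [])]
    for label, pts in samples:
        print(f"{label:22s} -> {classify(build_as_req(pts))}")
```

To use this against a capture, extract the AS-REQ bytes (on TCP the Kerberos message follows a 4-byte length prefix; on UDP the datagram is the message) and pass them to `classify`. A protocol analyzer that dissects Kerberos shows the same padata-type field inside the AS-REQ, so the check is simply whether type 14 or 16 is present; if the only pre-authentication seen is PA-ENC-TIMESTAMP, the client never attempted PKINIT and the pki-mapping file is not what is being exercised.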