[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PKINIT from Windows ?
Craig Huckabee wrote:
>>> 3) Win2K, removed from the AD domain:
>>> - sends over <certificate subject name>@REALM in the AS-REQ
>>> - Heimdal rejects this unknown user
>>> - changed pki-mapping file to:
>>> <user>@REALM:<certificate subject name>
>>> and restarted the kdc, same results.
>>> I'm guessing in case #3, the client isn't doing PKINIT or my
>>> pki-mapping file is wrong. If I can sniff the packets between the
>>> client and KDC, is there a clue I can look for to see if this the
>>> AS-REQ is a PKINIT type ?
More testing, more odd client behavior. After reconfiguring the CAC
card, I no longer see the behavior above - now the CAC/middleware is
using the right certificate.
The Win2K client is configured as standalone workstation, a trust
directly to the MIT/Heimdal realm FOO.NAVY.MIL, and is in our
LAB.FOO.NAVY.MIL test DNS subdomain.
Now the client issues a DNS SRV lookup:
This fails, and the client spits out a bogus error ("No account
So, looks like no matter what (at least with W2K) the client workstation
tries to authenticate against a DC despite any trust settings, even when
not in an AD domain.