Re: PKINIT from Windows ?
Craig Huckabee wrote:
>>> 3) Win2K, removed from the AD domain:
>>> - sends over <certificate subject name>@REALM in the AS-REQ
>>> - Heimdal rejects this unknown user
>>> - changed pki-mapping file to:
>>> <user>@REALM:<certificate subject name>
>>> and restarted the kdc, same results.
>>>
>>> I'm guessing in case #3, the client isn't doing PKINIT or my
>>> pki-mapping file is wrong. If I can sniff the packets between the
>>> client and KDC, is there a clue I can look for to see if this
>>> AS-REQ is a PKINIT type?
More testing, more odd client behavior. After reconfiguring the CAC
card, I no longer see the behavior above - now the CAC/middleware is
using the right certificate.
The Win2K client is configured as standalone workstation, a trust
directly to the MIT/Heimdal realm FOO.NAVY.MIL, and is in our
LAB.FOO.NAVY.MIL test DNS subdomain.
Now the client issues a DNS SRV lookup:
_kerberos._tcp.dc._msdcs.mil
This fails, and the client spits out a bogus error ("No account
mappings...")
So, looks like no matter what (at least with W2K) the client workstation
tries to authenticate against a DC despite any trust settings, even when
not in an AD domain.
--Craig
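On the question in the quoted text (how to tell from a sniffed packet whether an AS-REQ is a PKINIT one), here is an added diagnostic that is not part of Craig's post or of Heimdal: a minimal DER walker that lists the padata-type values in a captured AS-REQ and flags the PKINIT ones (16 per RFC 4556, and 14 for the pre-RFC draft encoding that older Windows clients used). The AS-REQ messages in the block are constructed inline, not captured traffic, and the req-body is an empty stand-in.

```python
# Added example: walk a DER-encoded Kerberos AS-REQ (RFC 4120) and list its
# padata-type values, so a captured packet can be checked for PKINIT pre-auth.
PKINIT_TYPES = {16, 14}   # PA-PK-AS-REQ (RFC 4556) and draft-9 PA-PK-AS-REQ-OLD

def der_tlv(buf, pos=0):                    # (tag, value, next_pos); 1-byte tags
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    pos = 0
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        yield tag, body

def asreq_padata_types(msg):
    tag, kdc_req, _ = der_tlv(msg)
    if tag != 0x6A:                         # [APPLICATION 10] AS-REQ
        raise ValueError("not an AS-REQ")
    types = []
    for ctx_tag, ctx_body in der_children(der_tlv(kdc_req)[1]):
        if ctx_tag != 0xA3:                 # padata [3], OPTIONAL
            continue
        for _, pa in der_children(der_tlv(ctx_body)[1]):   # SEQUENCE OF PA-DATA
            for ftag, fbody in der_children(pa):
                if ftag == 0xA1:            # padata-type [1] Int32
                    types.append(int.from_bytes(der_tlv(fbody)[1], "big", signed=True))
    return types

def is_pkinit_asreq(msg):
    return any(t in PKINIT_TYPES for t in asreq_padata_types(msg))

# --- constructed sample messages (not captured traffic) ---
def _tlv(tag, body):
    assert len(body) < 128                  # short-form length is enough here
    return bytes([tag, len(body)]) + body
def _int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def _pa(ptype, value):
    return _tlv(0x30, _tlv(0xA1, _int(ptype)) + _tlv(0xA2, _tlv(0x04, value)))
def sample_asreq(padata):
    fields = _tlv(0xA1, _int(5)) + _tlv(0xA2, _int(10))   # pvno, msg-type
    if padata:
        fields += _tlv(0xA3, _tlv(0x30, b"".join(padata)))
    return _tlv(0x6A, _tlv(0x30, fields + _tlv(0xA4, _tlv(0x30, b""))))
PKINIT_REQ = sample_asreq([_pa(16, b"\x30\x00"), _pa(128, b"\x30\x00")])   # PKINIT + PAC request
PASSWORD_REQ = sample_asreq([_pa(2, b"\x30\x00"), _pa(128, b"\x30\x00")])  # PA-ENC-TIMESTAMP + PAC request
```

Feed the bytes of the KRB-AS-REQ from a capture (after the 4-byte TCP length prefix, if any) to `asreq_padata_types`; an AS-REQ that carries no padata at all is the initial probe before the KDC answers with PREAUTH_REQUIRED.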