
Re: pkinit integration with smart card





malexander@kcp.com wrote:

> Progress!  Thanks, Love and Doug!  I get output according to the p11 
> logs for the signature.  That's great!
> 
>  $ kinit -C PKCS11:/usr/lib/pkcs11-spy.so
> PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
> ( Wrap Unwrap )
> ( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap 
> Unwrap )
> kinit: krb5_get_init_creds: Unknown error 569894
> 
> So that's a big hurdle gotten past.  I need to see where I'm hanging up 
> now, but I ran a quick packet capture and packets are getting sent to the 
> domain controller.
> 

Did you get the CA certificate copied to the trusted cert directory,
and add the win2k_pkinit = yes and other pkinit_* options to the realm
section of the krb5.conf?

Also, who generated the certificate on the card? I believe that for Windows login
the certificate has to have the Smartcard Login attribute and the UPN. Thus it
must be a certificate generated by the Windows Enterprise CA.




> 
> Love Hörnquist Åstrand <lha@kth.se> 
> Sent by: owner-heimdal-discuss@sics.se
> 09/06/2006 05:02 AM
> To: "Douglas E. Engert" <deengert@anl.gov>
> cc: malexander@kcp.com, heimdal-discuss@sics.se
> Subject: Re: pkinit integration with smart card
> 
> On 6 Sep 2006 at 00:04, Douglas E. Engert wrote:
> 
> 
>>Love Hörnquist Åstrand wrote:
>>
>>
>>>The standard says one login is enough for all sessions since they all share
>>>the same login state.
>>>That said, I can believe you that this is the case; I've committed code
>>>that should deal with it by keeping the session around. See the next
>>>snapshot, generated in a couple of hours.
>>
>>Version 2.01 C_CloseSession says: "When a session is closed, all session
>>objects created by the session are destroyed automatically, even if the
>>application has other sessions "using" the objects".
> 
> 
> I was more thinking about the login state, never realised that closing a
> session changes the objects too.
> 
> 
>>I would infer that this may be the problem with the hKey object,
>>as it was found using one session and then was being used in the
>>other session, and the two sessions were not open at the same time
>>either.
>>
>>Sounds like your change should address this problem, I hope.
> 
> 
> I would guess so too. I changed the soft-pkcs11 to have
> the close-session-invalidates-object behavior, and with the simple
> testing I did the new code worked.
> 
> Thanks,
> Love

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444