I included the krb5.conf file from my client. I was trying to authenticate
with an AD server. The CA is from Entrust, not a Windows Enterprise CA. We
have the SubjAltName populated with the UPN, e.g. u60267@ad.kcp.com. I can
use this Smart Card to authenticate with Active Directory through a Windows
client on XP or 2000 with the ActivClient libraries loaded. I dumped the
certificates on the card from Entrust with what I think is the EKU for the
Smart Card.
$ pkcs11-tool --module /usr/local/acgold/lib//libpkcs11.so \
      --read-object CKO_CERTIFICATE --type cert --label Certificate1 \
  | openssl x509 -inform DER -noout -text
<snip certificate output>
        X509v3 Private Key Usage Period:
            Not Before: Aug  3 16:07:50 2006 GMT, Not After: Sep  8 20:37:50 2008 GMT
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, Microsoft Smartcardlogin
        X509v3 Certificate Policies:
            Policy: 2.16.840.1.101.3.2.1.10.4
<snip certificate output>
The pkinit-anchors under appdefaults points to the certificate for the CA,
the CA that issues the certificates on my Smart Card. The other options:
win2k_pkinit is yes, win2k_pkinit_require_binding is no, and
pkinit_require_eku and pkinit_require_krbtgt_otherName are both set to
false.
I'm going to reconfigure my client to try to authenticate with a Heimdal
KDC using pk-init through PKCS11 with the Smart Card, to see if it's the
interaction between Windows and the pkinit where the breakdown is occurring.
Love Hörnquist Åstrand <lha@kth.se>,
heimdal-discuss@sics.se
Subject: Re: pkinit integration with smart card
malexander@kcp.com wrote:
> Progress! Thanks, Love and Doug! I get output, according to the p11 logs,
> for the signature. That's great!
>
> $ kinit -C PKCS11:/usr/lib/pkcs11-spy.so
> PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
> ( Wrap Unwrap )
> ( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
> kinit: krb5_get_init_creds: Unknown error 569894
>
> So that's a big hurdle gotten past. I need to see where I'm hanging up on
> now, but I ran a quick packet capture and packets are getting sent to the
> domain controller.
>
Did you get the CA certificate copied to the trusted cert directory, and
add the win2k_pkinit = yes and other pkinit_* options to the realm section
of the krb5.conf?
Also, who generated the certificate on the card? I believe for Windows login
the certificate has to have the Smartcard Login attribute and the UPN. Thus
it must be a certificate generated by the Windows Enterprise CA.
>
> Love Hörnquist Åstrand <lha@kth.se>
> Sent by: owner-heimdal-discuss@sics.se
> 09/06/2006 05:02 AM
>
> To: "Douglas E. Engert" <deengert@anl.gov>
> cc: malexander@kcp.com, heimdal-discuss@sics.se
> Subject: Re: pkinit integration with smart card
>
> On 6 Sep 2006 at 00.04, Douglas E. Engert wrote:
>
>>Love Hörnquist Åstrand wrote:
>>
>>>The standard says one login is enough for all sessions since they all
>>>share the same login state.
>>>That said, I can believe you that this is the case. I've committed code
>>>that should deal with it by keeping the session around. See the next
>>>snapshot, generated in a couple of hours.
>>
>>Version 2.01 C_CloseSession says: "When a session is closed, all session
>>objects created by the session are destroyed automatically, even if the
>>application has other sessions "using" the objects".
>
> I was more thinking about the login state; never realised that closing
> a session changes the objects too.
>
>>I would infer that this may be the problem with the hKey object, as it
>>was found using one session and then was trying to be used in the other
>>session, and the two sessions were not open at the same time either.
>>
>>Sounds like your change should address this problem, and I hope.
>
> I would guess so too. I changed the soft-pkcs11 to have the
> close-session-invalidates-object behavior, and with the simple testing
> I did the new code worked.
>
> Thanks,
> Love
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444