I included the krb5.conf file from my
client. I was trying to authenticate with an AD server. The
CA is from Entrust, not a Windows Enterprise CA. We have the SubjAltName
populated with the UPN, e.g. email@example.com. I can use this Smart
Card to authenticate with Active Directory through a Windows client on
XP or 2000 with the ActivClient libraries loaded. I dumped the certificates
on the card from Entrust with what I think is the EKU for the Smart Card.
$ pkcs11-tool --module /usr/local/acgold/lib//libpkcs11.so \
    --read-object CKO_CERTIFICATE --type cert --label Certificate1 \
    | openssl x509 -inform DER -noout -text
<snip certificate output>
        X509v3 Private Key Usage Period:
            Not Before: Aug 3 16:07:50 2006 GMT, Not After: Sep 8 20:37:50 2008 GMT
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, Microsoft Smartcardlogin
        X509v3 Certificate Policies:
            Policy: 2.16.8126.96.36.199.188.8.131.52
<snip certificate output>
The pkinit-anchors under appdefaults points to the certificate for the CA,
the CA that issues the certificates on my Smart Card. Other options: win2k_pkinit
is yes, win2k_pkinit_require_binding is no, and pkinit_require_eku and
pkinit_require_krbtgt_otherName are both set to false.
I'm going to reconfigure my client to try to authenticate with a Heimdal KDC
using pk-init through PKCS11 with the Smart Card, to see if it's the interaction
between Windows and the pkinit where the breakdown is occurring.
Love Hörnquist Åstrand <firstname.lastname@example.org>,
Re: pkinit integration with smart card
> Progress! Thanks, Love and Doug! I get output from according
to the p11
> logs for the signature. That's great!
> $ kinit -C PKCS11:/usr/lib/pkcs11-spy.so
> PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
> ( Wrap Unwrap )
> ( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap
> Unwrap )
> kinit: krb5_get_init_creds: Unknown error 569894
> So that's a big hurdle gotten past. I need to see where I'm hanging up on
> now, but I ran a quick packet capture and packets are getting sent to the
> domain controller.
Did you get the CA certificate copied to the trusted cert directory,
and add the win2k_pkinit = yes and other pkinit_* options to the realm
section of the krb5.conf?
Also, who generated the certificate on the card? I believe for Windows login
the certificate has to have the Smartcard Login attribute and the UPN. It
must be a certificate generated by the Windows Enterprise CA.
> Love Hörnquist Åstrand <email@example.com>
> Sent by: firstname.lastname@example.org
> 09/06/2006 05:02 AM
> "Douglas E. Engert" <email@example.com>
> firstname.lastname@example.org, email@example.com
> Re: pkinit integration with smart card
> On 6 Sep 2006 at 00.04, Douglas E. Engert wrote:
>>Love Hörnquist Åstrand wrote:
>>>The standard says one login is enough for all sessions since
>>>it is the same login state.
>>>That said, I can believe you that this is the case. I've committed
>>>code that should deal with it by keeping the session around. See the
>>>next snapshot in a couple of hours.
>>Version 2.01 C_CloseSession says: "When a session is closed,
>>objects created by the session are destroyed automatically, even if the
>>application has other sessions "using" the objects".
> I was thinking more about the login state; never realised that closing
> the session changes the objects too.
>>I would infer that this may be the problem with the hKey object,
>>as it was found using one session and then was being used in
>>another session, and the two sessions were not open at the same time.
>>Sounds like your change should address this problem, and I hope
> I would guess so too, I changed the soft-pkcs11 to have
> the close-session-invalidates-object behavior and with the simple
> testing I did the new code worked.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439