[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Was a smartcard used to get the ticket?
Phil Fisher wrote:
>> I re-added back gss_krb5_get_tkt_flags that used to exists, it fell
>> out with the mech-glue.
> Thanks for that. Using release 1.0.1 I am able to call this function.
> Unfortunately, I have not yet seen the hw_authent bit set.
> I am running my application on a Linux machine which has a smartcard
> reader attached. My KDC is a Windows 2003 Active Directory.
> Authentication with kinit works fine, but 'klist -f' only shows the
> flags 'IA'.
> Douglas Engert wrote elsewhere in this thread:
>> I know Windows AD will set the hw-authent bit, if you use a smart card,
Well, I tried it again with using a Smart card on XP to AD 2003, and it did
not set the bit. I could have sworn I have seen it set it the past. Sorry
if I have mislead you.
>> but not sure if Heimdal KDC will set it, or if the Heimdal klist will
>> show it.
>> (The hw-authent could also imply an OTP or other hardware device, and not
>> a smartcard.)
>> But is is also not clear if the KDC will only set the hw-authent bit if
>> if the KDC has the requires-hw-auth set on the user entry. (I don't have
>> a heimdal KDC.)
> I therefore set the 'Smart card is required for interactive login'
> checkbox in the user's account properties, but this hasn't made any
> Is there any other configuration that I need to do for Active Directory?
> I've not been able to find any documentation on this.
> Thanks again.
> Get Pimped! FREE emoticon packs from Windows Live -
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439