[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CAC authentication to @mil via subordinate domain w/ heimdal

We are working with a customer to develop a solution to use smart-card
authentication to Active Directory using Common Access Cards and
Heimdal's PKINIT capabilities.

We've run into a few problems...

@mil in UPN needs to be mapped to a FQDN.
Attempted fix: On the command line use --canonicalize to allow passing
the given UPN to the test domain controller.
Result: Authentication attempted, but results in an error: "Inconsistent
key purpose"
   This error seems to be generated server-side, as I cannot find any
generation of this error code in the Heimdal code base.

Another issue would be 'trust', I assume.  So a mapping like so was
added to the configuration file:
       MIL = .

Is this correct...  I presume this means that Heimdal can authenticate

Has anybody else dealt with this authentication scenario and figured out
the proper configuration?

    Linux box w/ Heimdal 1.0
    Windows 2003 Domain Controller (TESTDOMAIN.LOCAL) w/ access to
ID@mil mappings