
Re: CAC authentication to @mil via subordinate domain w/ heimdal

On 13 Dec 2007, at 03:44, Thomas Harning Jr wrote:

> We are working with a customer to develop a solution to use smart-card
> authentication to Active Directory using Common Access Cards and
> Heimdal's PKINIT capabilities.
>
> We've run into a few problems...
>
> Namely:
> @mil in UPN needs to be mapped to a FQDN.
> Attempted fix: On the command line use --canonicalize to allow passing
> the given UPN to the test domain controller.
> Result: Authentication attempted, but results in an error:
> "Inconsistent key purpose"
> This error seems to be generated server-side, as I cannot find any
> generation of this error code in the Heimdal code base.

The "Inconsistent key purpose" sounds like an X509 certificate. Maybe
heimdal picks an encryption certificate and tries to use it for
signing? Or the reverse (the KDC tries to use the wrong cert).

> Another issue would be 'trust', I assume.  So a mapping like so was
> added to the configuration file:
> [capaths]
>   TESTDOMAIN.LOCAL = {
>      MIL = .
>   }
>
> Is this correct...  I presume this means that Heimdal can authenticate
> to MIL through TESTDOMAIN.LOCAL

[capaths] is not used that much on the client side (only for routing),
and I wouldn't worry about it right now.

Love
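An added example, not from this thread and not Heimdal code, that decodes the extendedKeyUsage extension of an X.509 certificate in plain Python and reports whether its declared key purposes fit a PKINIT client or a KDC. The thread does not establish where "Inconsistent key purpose" originates; what this check shows is which purposes each candidate certificate on a card declares, which is the first thing to compare when a client may have picked an encryption certificate instead of the authentication one. The OIDs are the PKINIT purposes from RFC 4556, the standard purposes from RFC 5280 and Microsoft's smart card logon purpose; the sample extension values are constructed here, not taken from real CAC or KDC certificates.

```python
# Added example (not from the thread, not Heimdal code): decode an X.509
# extendedKeyUsage extension and classify its key purposes for PKINIT.
# Pure Python, no third-party modules. Sample extension values are
# constructed below for illustration.

# Key-purpose OIDs: RFC 4556 (PKINIT), RFC 5280 (standard purposes) and
# Microsoft's smart card logon purpose.
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"     # client may use PKINIT
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"            # certificate belongs to a KDC
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # accepted by AD for logon
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"


def encode_oid(dotted):
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV (short lengths only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits first, then higher groups
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))  # emit most-significant group first
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) > 127:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length: N following bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of dotted key-purpose OIDs in an extKeyUsage value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids


def pkinit_role(eku_oids, eku_present=True):
    """Classify a certificate by its declared purposes.

    "client": usable by a PKINIT client (RFC 4556 purpose or the smart card
    logon purpose AD accepts); "kdc": usable as a KDC certificate; "both";
    "unconstrained": no EKU or anyExtendedKeyUsage, so KDC policy decides;
    None: carries other purposes only, e.g. an e-mail encryption cert.
    """
    if not eku_present or ANY_EKU in eku_oids:
        return "unconstrained"
    client = ID_PKINIT_KPCLIENTAUTH in eku_oids or MS_SMARTCARD_LOGON in eku_oids
    kdc = ID_PKINIT_KPKDC in eku_oids
    if client and kdc:
        return "both"
    if client:
        return "client"
    if kdc:
        return "kdc"
    return None


# Constructed sample extension values (not real CAC or KDC certificates).
SAMPLE_EKUS = {
    "card-auth-cert": encode_eku([ID_KP_CLIENT_AUTH, MS_SMARTCARD_LOGON]),
    "card-email-cert": encode_eku([ID_KP_EMAIL_PROTECTION]),
    "kdc-cert": encode_eku([ID_PKINIT_KPKDC]),
}


def audit(samples=SAMPLE_EKUS):
    """Map each sample name to its PKINIT role: the comparison to make when a
    client appears to have picked the wrong certificate from a card."""
    return {name: pkinit_role(decode_eku(der)) for name, der in samples.items()}


if __name__ == "__main__":
    for name, role in audit().items():
        print(f"{name}: {role}")
```

On a real card you would feed `decode_eku` the raw value of the 2.5.29.37 extension pulled from each certificate; a certificate that classifies as None here (e-mail protection only, as in the constructed sample) is not one a PKINIT client should be offering to a KDC, whatever the KDC's own selection logic turns out to be.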