
Re: Causes for KDC_ERR_CLIENT_NOT_TRUSTED



This means that your Windows server is missing the client's CA certificate.

Remember that Windows 2003 Server doesn't implement the PKINIT RFC; instead, 
it implements the draft-9 version of the PKINIT RFC.

From draft-9 (section 3.2):
"If the KDC has no certificate signed by any of the trustedCertifiers, 
then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED"

-Olga

Thomas Harning wrote:
> Is there any definitive source of KDC_ERR_CLIENT_NOT_TRUSTED ... in 
> the documents it mentions these two vague ones (really, just 1 w/ an 
> example):
>  * Policy
>  * OID for Login not present
>
> I'm primarily interested in information related to using Heimdal w/ 
> PKINIT to log in to Windows 2003 Server.....
>