[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Inconsistent key purpose in Heimdal, but not Windows
In hooking up Heimdal in a MS Domain Controller environment with
PKINIT, I've found that Windows machines can successfully perform
SmartCard Login, but Heimdal bails with this error:
The certificate being used client-side is the one with the
MS SC Login purpose... and since it worked on a Windows machine which
hopefully followed protocol (in at least a similar way), the
card and certificate are 'ok'.
Is there any influence on what certificates a KDC would choose to use
based on information sent in the authentication request? From the
protocol AFAIK no such selection is made.
I assume that if the server sent back an unknown certificate, an
entirely different error would occur (especially since the error
isn't directly thrown anywhere in heimdal's codebase)...
Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
Secure OpenID: https://openid.trustbearer.com/harningt
3201 Stellhorn Road 260-399-1656
Fort Wayne, IN 46815