Inconsistent key purpose in Heimdal, but not Windows

[Thomas Harning <thomas.harning@trustbearer.com>]

In hooking up Heimdal in a MS Domain Controller environment with
PKINIT, I've found that Windows machines can successfully perform
SmartCard Login, but Heimdal bails with this error:

KDC_ERR_INCONSISTENT_KEY_PURPOSE

The certificate being used client-side is the one with the 
MS SC Login purpose... and since it worked on a Windows machine which
hopefully followed protocol (in at least a similar way), the
card and certificate are 'ok'.

Is there any influence on what certificates a KDC would choose to use
based on information sent in the authentication request?  From the
protocol AFAIK no such selection is made.

I assume that if the server sent back an unknown certificate, an
entirely different error would occur (especially since the error
isn't directly thrown anywhere in heimdal's codebase)... 

-- 
Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
Secure OpenID: https://openid.trustbearer.com/harningt
3201 Stellhorn Road 260-399-1656
Fort Wayne, IN 46815