[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Inconsistent key purpose in Heimdal, but not Windows

In hooking up Heimdal in a MS Domain Controller environment with
PKINIT, I've found that Windows machines can successfully perform
SmartCard Login, but Heimdal bails with this error:


The certificate being used client-side is the one with the 
MS SC Login purpose... and since it worked on a Windows machine which
hopefully followed protocol (in at least a similar way), the
card and certificate are 'ok'.

Is there any influence on what certificates a KDC would choose to use
based on information sent in the authentication request?  From the
protocol AFAIK no such selection is made.

I assume that if the server sent back an unknown certificate, an
entirely different error would occur (especially since the error
isn't directly thrown anywhere in heimdal's codebase)... 

Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
Secure OpenID: https://openid.trustbearer.com/harningt
3201 Stellhorn Road 260-399-1656
Fort Wayne, IN 46815