I use Heimdal KDC, which has a PKINIT extension. Although it works just in the Kerberos client - Windows KDC way with Windows, we plan (with Daniel Kouril) to extend its functionalities to work in the opposite direction, too. But the basic problem is that the Windows workstation assumes that if the logon is not a domain logon, then it cannot be a PKINIT logon as well. Maybe I should change the Kerberos SSP... (You probably have the right answer at Cybersafe :-)
thanks,
Robert
Robert,
For this to work, the UNIX KDC needs to support the PKINIT standard at the same draft level as Microsoft (I believe this is draft 9). Do you know if your KDC supports PKINIT ?
Thanks, Tim.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 26 January 2004 08:58 To: [EMAIL PROTECTED] Subject: Smartcard logon using Unix KDC
Hi,
I try to arrange an environment, where users can logon to a Kerberos realm from Windows 2000 workstations via smartcard logon.
I've already reached a point where normal password logon works from Windows workstations to the Kerberos realm, and the smartcard logon works from the Windows workstations to the Windows domain.
However when I tested the smartcard logon from a Windows workstation to the Kerberos KDC, the workstation initiated a normal password logon to the Unix KDC instead of smartcard logon (according to the network traffic). I repeat: I initiated a logon using the smartcard logon process, typed the PIN but the network flow between the workstation and the Unix KDC was similar to the normal password logon case.
My questions: is it the intentional working mechanism of the Windows 2000 workstations that it initiates a normal password logon to Unix KDC's or I have missed something? If it is intentional, however what part of the security system is responsible for it: the GINA, the LSA, ths SSP, maybe the corresponding CSP or other? What should I change in the system to make this environment work?
Has anyone have any experience with such an environment?
thanks, Robert Pragai ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
