Hello all,

My aim is to use krb5-1.13 with its PKINIT capability to configure password-less authentication of mobile devices. Additionally, I intend my application servers running HTTP to use SPNEGO/Negotiate to verify the authenticity of the aforementioned devices for service authorisation.

Despite deploying the right kind of client certificates on my mobile devices (iOS) and using the right type of certificate on the KDC, I am not sure if they are talking certificates at all. How do I debug whether the certificate matching rules are actually being evaluated on the server, assuming the client is using its cert in the first place? The krb5kdc.log file has no PKINIT events at all when a client request comes in. This is despite rebuilding the plugin with the DEBUG macro on in the header file. Any pointers?

Since all my users will be _new_ users, I wish to have no passwords at all while creating new user (device) principals, relying only on PKI. The PKINIT documentation (http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html) suggests using the -nokey argument for add_principal, but I still get errors issuing a new token.

add_principal +requires_preauth -nokey 197...@domain.mobi

AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: NEEDED_PREAUTH: 197...@domain.mobi for krbtgt/domain.m...@domain.mobi, Additional pre-authentication required

When I create a principal _with_ a password, and use that on the iOS browser, the KDC does issue a ticket correctly, and the browser submits the Negotiation: <token> header to my application server, which suggests that DNS issues are not the issue any more.

Thanks for any pointers on achieving password-less client accounts via PKINIT.

Regards
Siddharth

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
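An added example (not part of the post above, and not an answer from the list) showing the KDC-side pieces a key-less PKINIT principal depends on, plus a quick way to read krb5kdc.log while testing. The realm DOMAIN.MOBI, the file paths under /etc/krb5kdc and /etc/krb5, the principal device0001@domain.mobi and the sample log lines are all assumptions made up for the example; kadmin.local, kinit -X, krb5kdc -n and the kdc.conf options are standard MIT krb5 1.13 interfaces. The kinit trace is meant for a Unix client with MIT kinit and a copy of the device certificate, since iOS gives you no equivalent of KRB5_TRACE.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: realm
# DOMAIN.MOBI, KDC certificate/key under /etc/krb5kdc, CA bundle under
# /etc/krb5, device principal device0001@domain.mobi. Only function
# definitions run at top level; call the functions you need.

# Emit the [realms] stanza the KDC needs in kdc.conf. Without pkinit_identity
# the KDC never offers PA-PK-AS-REQ, so a -nokey principal can only ever get
# NEEDED_PREAUTH followed by a failure: there is no key to fall back on.
kdc_pkinit_stanza() {
  realm=$1 cert=$2 key=$3 anchors=$4
  printf '%s\n' \
    "[realms]" \
    "  $realm = {" \
    "    pkinit_identity = FILE:$cert,$key" \
    "    pkinit_anchors = FILE:$anchors" \
    "  }"
}

# Create a key-less device principal (-nokey exists in kadmin since 1.12).
# +requires_preauth forces every AS_REQ through pre-authentication, which
# PKINIT must then satisfy because no password-derived key exists.
pkinit_enroll_device() {
  kadmin.local -q "add_principal +requires_preauth -nokey $1"
  kadmin.local -q "get_principal $1"
}

# Run the KDC in the foreground. The pkinit plugin's DEBUG output is written
# with fprintf(stderr), so it shows up here and not in krb5kdc.log.
kdc_foreground() {
  krb5kdc -n "$@"
}

# Client-side check from a Unix host: KRB5_TRACE shows whether kinit sent
# PA-PK-AS-REQ and what the KDC replied, independent of the iOS device.
pkinit_kinit_trace() {
  princ=$1 cert=$2 key=$3 anchors=$4
  KRB5_TRACE=/dev/stderr kinit \
    -X X509_anchors="FILE:$anchors" \
    -X X509_user_identity="FILE:$cert,$key" "$princ"
}

# Classify each AS_REQ line of krb5kdc.log as "OUTCOME client".
# NEEDED_PREAUTH is the normal first round trip (the KDC asks for pre-auth and
# lists PKINIT among the methods); only a following ISSUE line for the same
# client proves the device completed the PKINIT exchange.
kdc_log_outcomes() {
  awk '/AS_REQ/ {
    out = "OTHER"
    if ($0 ~ /NEEDED_PREAUTH:/)      out = "NEEDED_PREAUTH"
    else if ($0 ~ /ISSUE:/)          out = "ISSUE"
    else if ($0 ~ /PREAUTH_FAILED:/) out = "PREAUTH_FAILED"
    client = "?"
    if (match($0, /[^ ,]+ for krbtgt\//)) {
      client = substr($0, RSTART, RLENGTH)
      sub(/ for krbtgt\/$/, "", client)
    }
    print out, client
  }'
}

# Constructed sample of krb5kdc.log lines (not a real capture): the first is
# the pre-auth request round trip, the second the ISSUE line a completed
# PKINIT exchange produces, the third a failed pre-auth attempt.
SAMPLE_KDC_LOG='Jan 05 10:00:00 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: NEEDED_PREAUTH: device0001@domain.mobi for krbtgt/domain.mobi@domain.mobi, Additional pre-authentication required
Jan 05 10:00:01 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: ISSUE: authtime 1420452001, etypes {rep=18 tkt=18 ses=18}, device0001@domain.mobi for krbtgt/domain.mobi@domain.mobi
Jan 05 10:00:02 kdc krb5kdc[2112](info): AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: PREAUTH_FAILED: device0001@domain.mobi for krbtgt/domain.mobi@domain.mobi, Preauthentication failed'

# Run the classifier over the constructed sample (or pipe a real log into
# kdc_log_outcomes directly).
sample_outcomes() {
  printf '%s\n' "$SAMPLE_KDC_LOG" | kdc_log_outcomes
}
```

Usage: write the stanza from kdc_pkinit_stanza into kdc.conf, restart the KDC with kdc_foreground to watch the plugin's stderr, enroll the principal with pkinit_enroll_device, then run pkinit_kinit_trace against the device certificate from a Unix host; `tail -f /var/log/krb5kdc.log | kdc_log_outcomes` tells you whether the exchange got past NEEDED_PREAUTH. One caveat on matching: in krb5 1.13 the KDC ties a client certificate to a principal only through the certificate's subjectAltName (the id-pkinit-san otherName carrying the principal, or a Microsoft UPN when pkinit_allow_upn is set in kdc.conf); the KDC-side pkinit_cert_match principal attribute arrived in a later release, so a certificate without that SAN will never match no matter how the KDC is configured.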