On Thu, May 21, 2015 at 05:35:23PM +0000, Nordgren, Bryce L -FS wrote: > "Cannot create cert chain: unable to get local issuer certificate"
What from? > Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, > with no attempts to contact the KDC after I provide my PIN. > Questions: > > 1] Does my KDC cert have to chain back to the same anchor as my smart card > certificates? In principle, no. In a PKI each relying party can have distinct trust anchor sets for authenticating peers, and each node can have root CAs for its own certificate that are not in the local trust anchor set. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos