Hi Ken, Thanks for your response. This really helps.
*Our KDC-side PKINIT module will set the HW-AUTH flag on the TGT _if_ a particular policy OID is found in the client certificate (in our case, the policy OID we check for is if the certificate comes from a smartcard, so the use of HW-AUTH is appropriate).*

Does this mean the client certificate should have the policy 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)? Is it only the client certificate, or should the CA cert also have this policy?

On Tue, Jun 2, 2015 at 6:11 PM, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
> > Today we use password based authentication (kinit). And we want to
> > introduce PKINIT. But while validating the service ticket we would like to
> > know if the service ticket was issued through kinit or PKINIT.
> >
> > Is there a way to find this?
>
> We sort-of do this, but it may not directly be applicable.
>
> Our KDC-side PKINIT module will set the HW-AUTH flag on the TGT _if_ a
> particular policy OID is found in the client certificate (in our case, the
> policy OID we check for is if the certificate comes from a smartcard, so
> the use of HW-AUTH is appropriate). Flags set in a TGT get propagated to
> service tickets, so we have code on application servers that checks to see
> if the HW-AUTH flag exists for service tickets to make authorization
> decisions.
>
> So, you could do that (if your client-side certificates are issued from
> a hardware device), or overload the HW-AUTH flag. Checking that on the
> application server side is easy.
>
> But ... if you don't want to do that, you MAY be able to check the service
> ticket for the AD_INITIAL_VERIFIED_CAS authorization data (although a quick
> glance suggests to me that MIT Kerberos doesn't generate that data, but
> I could be wrong about that). That would require further investigation.
>
> --Ken

--
Thanks & Regards,
J.Aravind
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
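The scheme Ken describes (KDC sets HW-AUTH on the TGT when the client certificate carries a chosen policy OID, the TGS copies the flag into service tickets, the application server decodes the flag and decides) can be modelled end to end with nothing but the RFC 4120 TicketFlags encoding. The block below is an added example written for this page; it is not code from Ken, from Aravind or from MIT Kerberos. It assumes the KDC keys its decision on the Smart Card Logon OID from the question (1.3.6.1.4.1.311.20.2.2), the bit numbers in RFC 4120 section 5.3, and the `TKT_FLG_HW_AUTH` value from MIT's krb5.h; the certificate policy OIDs and the "software cert" OID are constructed inputs.

```python
"""Added example, not from the thread: HW-AUTH propagation with RFC 4120 TicketFlags.

KDC side    : set hw-authent only for a PKINIT logon whose cert has the smart-card policy.
TGS side    : copy pre-authent / hw-authent from the TGT into the service ticket.
Server side : decode the BIT STRING from the decrypted ticket and authorize on it.
Standard library only; no Kerberos library is needed to run it.
"""

# RFC 4120 section 5.3 TicketFlags bit numbers. Bit 0 is the MSB of the first
# data byte of the BIT STRING, and KerberosFlags always carry at least 32 bits.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3,
    "proxy": 4, "may-postdate": 5, "postdated": 6, "invalid": 7,
    "renewable": 8, "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

# MIT krb5.h constant for the same bit, kept here to show it matches the layout above.
TKT_FLG_HW_AUTH = 0x00100000

# Policy OID raised in the question (Microsoft Smart Card Logon). Assumption:
# the hypothetical KDC module keys its decision on exactly this OID.
SMARTCARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"


def flags_to_word(flags):
    """32-bit flag word in the layout MIT krb5 uses for its TKT_FLG_* constants."""
    word = 0
    for name in flags:
        word |= 1 << (31 - TICKET_FLAG_BITS[name])
    return word


def encode_ticket_flags(flags):
    """DER BIT STRING for TicketFlags: tag 0x03, length, unused-bits byte, 4 data bytes."""
    body = b"\x00" + flags_to_word(flags).to_bytes(4, "big")
    return b"\x03" + bytes([len(body)]) + body


def decode_ticket_flags(der):
    """Parse a DER BIT STRING back into the set of flag names that are set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # A 32-bit KerberosFlags value always fits a short-form length.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or truncated length")
    unused, data = der[2], der[3:]
    if unused > 7 or len(data) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    nbits = len(data) * 8 - unused
    value = int.from_bytes(data, "big") >> unused
    return {name for name, bit in TICKET_FLAG_BITS.items()
            if bit < nbits and (value >> (nbits - 1 - bit)) & 1}


def kdc_tgt_flags(cert_policy_oids):
    """KDC (AS) side. cert_policy_oids is empty for a password kinit; for PKINIT
    it holds the OIDs read from the client cert's certificatePolicies extension.
    hw-authent is granted only when the smart-card policy is present."""
    flags = {"initial", "pre-authent"}
    if SMARTCARD_LOGON_OID in cert_policy_oids:
        flags.add("hw-authent")
    return flags


def tgs_service_ticket_flags(tgt_flags):
    """TGS side (RFC 4120 section 2.1): PRE-AUTHENT and HW-AUTHENT carry forward
    from the TGT into service tickets; INITIAL does not."""
    return set(tgt_flags) & {"pre-authent", "hw-authent"}


def authorize(service_ticket_flags_der):
    """Application server: decode the flags from the decrypted ticket and allow
    only if the credential chain started with a hardware-backed logon."""
    flags = decode_ticket_flags(service_ticket_flags_der)
    if "hw-authent" not in flags:
        return False, "denied: ticket chain did not start with hardware authentication"
    return True, "allowed"


def simulate(cert_policy_oids):
    """Whole chain: AS/PKINIT -> TGS -> application server, returning the decision."""
    tgt = kdc_tgt_flags(cert_policy_oids)
    service_ticket = encode_ticket_flags(tgs_service_ticket_flags(tgt))
    return authorize(service_ticket)


if __name__ == "__main__":
    # Constructed inputs; "2.5.29.32.0" (anyPolicy) stands in for a software cert.
    print("password kinit        :", simulate([]))
    print("PKINIT, software cert :", simulate(["2.5.29.32.0"]))
    print("PKINIT, smart card    :", simulate([SMARTCARD_LOGON_OID]))
```

On an MIT-based application server the equivalent of `authorize()` is to test `ticket->enc_part2->flags & TKT_FLG_HW_AUTH` on the `krb5_ticket` that `krb5_rd_req()` returns; the server never sees the client certificate, only the flag, so the check is exactly as trustworthy as the KDC's policy for setting it.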