Greetings, I am trying to use PKINIT to authenticate a principal using KfW version 4.0.1. I have a client certificate, the private key in plain-text format, and a directory containing the self-signed certificate of my local CA.
On a CentOS machine, I executed the following command:

    kinit -V -r 7d -l 24h -c my_krb5cc -X X509_user_identity=FILE:/path/to/client/cert.pem,/path/to/client/plaintext/private.key -X X509_anchors=DIR:/path/to/dir/CA/certs <my client id>

that is,

    kinit -V -r 7d -l 24h -c kenny_krb5cc -X X509_user_identity=FILE:/pki/client.pem,/pki/private/client.key -X X509_anchors=DIR:/pki/anchors clt-12345

That works correctly and I was able to authenticate with my KDC. I tried to use the same command on Windows as follows:

    kinit -V -r 7d -l 24h -c kenny_krb5cc -X X509_user_identity=FILE:C:\ProgramData\testapp\pki\client.pem,c:\ProgramData\testapp\pki\private\client.key -X X509_anchors=DIR:C:\ProgramData\testapp\pki\anchors clt-12345

However, kinit.exe did not present the client certificate to the KDC, and it prompted me for a password. Following is the KRB5_TRACE output:

[1068] 1444338417.246001: Getting initial credentials for [email protected]
[1068] 1444338417.246002: Sending request (224 bytes) to TESTKDC.LOCAL
[1068] 1444338417.246003: Resolving hostname 172.16.145.8
[1068] 1444338417.246004: Sending initial UDP request to dgram 172.16.145.8:88
[1068] 1444338417.496000: Received answer from dgram 172.16.145.8:88
[1068] 1444338417.496001: Response was not from master KDC
[1068] 1444338417.496002: Received error from KDC: -1765328359/Additional pre-authentication required
[1068] 1444338417.496003: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[1068] 1444338417.496004: Selected etype info: etype aes256-cts, salt "TESTKDC.LOCALclt-12345", params ""
[1068] 1444338417.496005: Received cookie: MIT

I'm looking through the code of KfW but have not been able to make a concrete determination of the error. I am getting the impression that PKINIT is not supported in KfW, so I want to confirm before spending too much time looking at the code. The code for PKINIT seems to be there in the KfW source, but I'm not 100% sure.
If PKINIT is not supported in KfW version 4.0.1, then does anyone know whether there are any plans to add support for it? Any pointer is appreciated.

Thank you,
~Kenny

_______________________________________________
kfwdev mailing list
[email protected]
http://mailman.mit.edu/mailman/listinfo/kfwdev
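A quick way to read the KRB5_TRACE excerpt above is to decode the "Processing preauth types" list that the KDC returns in its PREAUTH_REQUIRED error: if it contains the PKINIT types (PA-PK-AS-REQ, 16, or the older 14), the KDC is willing to do PKINIT, so a password prompt means the client side never took that path. The following parser is an added example, not code from the post or from the KfW project; it takes the trace lines quoted above as constructed sample input and maps the numeric types to their names from RFC 4120, RFC 6113 and RFC 8062.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pre-authentication type numbers as assigned in RFC 4120 (PKINIT types
# from RFC 4556), RFC 6113 (FAST/cookie) and RFC 8062 (PKINIT-KX).
PA_TYPES: Dict[int, str] = {
    2: "PA-ENC-TIMESTAMP",
    14: "PA-PK-AS-REQ-OLD",
    15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    137: "PA-FX-ERROR",
    138: "PA-ENCRYPTED-CHALLENGE",
    147: "PA-PKINIT-KX",
}

# If any of these appear in the KDC's error, the KDC accepts PKINIT.
PKINIT_TYPES = {14, 15, 16, 17}
# Types that belong to the password-derived (long-term key) path.
PASSWORD_TYPES = {2, 138}

# Constructed sample input: the KRB5_TRACE lines quoted in the post above.
SAMPLE_TRACE = """\
[1068] 1444338417.246001: Getting initial credentials for [email protected]
[1068] 1444338417.246002: Sending request (224 bytes) to TESTKDC.LOCAL
[1068] 1444338417.246003: Resolving hostname 172.16.145.8
[1068] 1444338417.246004: Sending initial UDP request to dgram 172.16.145.8:88
[1068] 1444338417.496000: Received answer from dgram 172.16.145.8:88
[1068] 1444338417.496001: Response was not from master KDC
[1068] 1444338417.496002: Received error from KDC: -1765328359/Additional pre-authentication required
[1068] 1444338417.496003: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[1068] 1444338417.496004: Selected etype info: etype aes256-cts, salt "TESTKDC.LOCALclt-12345", params ""
[1068] 1444338417.496005: Received cookie: MIT
"""

# Each trace line is "[pid] seconds.sequence: message".
_MSG_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
_PREAUTH_RE = re.compile(r"^Processing preauth types: ([0-9, ]+)$")
_KDC_ERROR_RE = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")


def parse_messages(trace: str) -> List[str]:
    """Return the message part of every well-formed trace line."""
    messages = []
    for line in trace.splitlines():
        m = _MSG_RE.match(line.strip())
        if m:
            messages.append(m.group(1))
    return messages


def offered_preauth_types(trace: str) -> List[int]:
    """Numeric preauth types the KDC listed, in the order it sent them."""
    for msg in parse_messages(trace):
        m = _PREAUTH_RE.match(msg)
        if m:
            return [int(tok) for tok in m.group(1).split(",") if tok.strip()]
    return []


def kdc_error(trace: str) -> Optional[Tuple[int, str]]:
    """(error code, error text) from the first KDC error in the trace."""
    for msg in parse_messages(trace):
        m = _KDC_ERROR_RE.match(msg)
        if m:
            return int(m.group(1)), m.group(2).strip()
    return None


def summarize(trace: str) -> dict:
    """Decode the KDC's offer so the client-side fallback is visible."""
    types = offered_preauth_types(trace)
    return {
        "kdc_error": kdc_error(trace),
        "offered": [PA_TYPES.get(t, f"unknown({t})") for t in types],
        "pkinit_offered": any(t in PKINIT_TYPES for t in types),
        "password_path_offered": any(t in PASSWORD_TYPES for t in types),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against the quoted trace, the summary reports that the KDC offered both PA-PK-AS-REQ and PA-ENC-TIMESTAMP, so the fallback to a password prompt is a client-side choice rather than a KDC refusal; the same parser can be pointed at a trace captured with a working client to compare the two runs.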
