On May 22, 11:03am, Aravind Jerubandi wrote:
} Subject: Differentiate the ServiceTicket issued from Kinit vs PKinit

> Hello,

Hi, I hope your weekend is going well.

> Today we use password based authentication (kinit). And we want to
> introduce PKinit. But while validating ServiceTicket we would like to know
> if the service ticket issued through Kinit to PKinit
>
> Is there a way to find this?
>
> If not, the other solution is to use different realms for Kinit and Pkinit.
> But then we will have to duplicate all the user and service principals for the
> two realms. Is there any other easier solution?
>
> Any help would be much appreciated.

We approach this situation by establishing a second, pkinit only
realm, which is populated only with 'nokey' pkinit authenticated
principals. A one way trust relationship is established between the
realms so the realm with the service principals 'trusts' the pkinit
authenticating realm.

We typically create the second realm with PREAUTH prefixed before the
realm name. For example if your standard realm is REALM.COM the
pre-authentication realm would be PREAUTH.REALM.COM.

On the application side you can key authorization or access decisions
based on whether or not the principal is from the 'PREAUTH' realm.

If you are moving down the path toward using PKINIT there is a fair
amount of process and infrastructure you will need to implement.
Populating the second realm with 'PREAUTH' variants of the user
principals isn't onerous.

> Thanks,
> Aravind

Good luck with your project.

Greg

}-- End of excerpt from Aravind Jerubandi

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: g...@enjellic.com
------------------------------------------------------------------------------
"I am returning this otherwise good typing paper to you because someone
 has printed gibberish all over it and put your name at the top.
                                -- English Professor, Ohio University
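
The application-side check described in the reply above, as an added example that is not part of the original message or of any Kerberos distribution: it classifies an already-authenticated client principal by exact realm match. The realm names come from the message; the function names are hypothetical, and the parser is a simplified reading of the principal string form in which a backslash makes the next character literal.

```python
# Added example. Assumes the client name was obtained from a successfully
# validated service ticket, and that PREAUTH.REALM.COM holds only
# PKINIT-authenticated principals, as the message describes.
PKINIT_REALM = "PREAUTH.REALM.COM"
PASSWORD_REALM = "REALM.COM"


def split_principal(name):
    """Split 'comp1/comp2@REALM' into ([components], realm)."""
    components, current, in_realm = [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            # Escaped character: '\@' or '\/' stays inside the component.
            escaped = next(chars, None)
            if escaped is None:
                raise ValueError("dangling escape in principal name")
            current.append(escaped)
        elif ch in "/@":
            if in_realm:
                raise ValueError("separator inside realm")
            components.append("".join(current))
            current, in_realm = [], ch == "@"
        else:
            current.append(ch)
    if not in_realm:
        raise ValueError("principal has no realm")
    return components, "".join(current)


def auth_method(name):
    """Return 'pkinit' or 'password'; refuse any other realm."""
    _, realm = split_principal(name)
    # Exact, case-sensitive comparison: no prefix, suffix or substring tests.
    if realm == PKINIT_REALM:
        return "pkinit"
    if realm == PASSWORD_REALM:
        return "password"
    raise PermissionError("unexpected realm: %r" % realm)
```

A substring or prefix test on the whole name would misclassify a name such as `alice\@PREAUTH.REALM.COM@REALM.COM`, whose realm is REALM.COM.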