On 8/12/2010 6:26 AM, Tim Alsop wrote:
> Hi,
>
> Does anybody know if/when Microsoft Active Directory will support PKINIT (RFC
> 4556)? I understand that all versions of MS AD support draft-9 of PKINIT,
> but not sure if the RFC is implemented/supported?
>
> Also, I am interested to know about interoperability between the draft-9
> implementation and the RFC 4556 implementation. For example, does the PKINIT
> included in the MIT code, which is RFC compliant, interoperate with MS AD
> (draft-9)?
>
> Any info you have on this is appreciated.

Have you looked at the Microsoft KILE document? It does list RFC 4556
and PA-PK-AS-REP [17] and refers to PA-PK-AS-REP_OLD (15).

http://msdn.microsoft.com/en-us/library/cc233964(v=PROT.13).aspx

In the KRB5-ERROR e-data, padata, I see what Wireshark refers to
as PA-PK-AS-REP (15), but not 17. We have mixed 2008 and 2003 DCs,
so for backwards compatibility it might present PA-PK-AS-REP (17)
only if all the servers are 2008.

>
> Thanks,
> Tim
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
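
The check described in the reply above (which padata-types a KDC lists in the KRB5-ERROR e-data) can be done without a packet dissector. This is an added example, not part of the original thread: it assumes the input is the DER-encoded METHOD-DATA (SEQUENCE OF PA-DATA, RFC 4120) carried in e-data, and the function names and sample bytes are constructed for illustration.

```python
PA_NAMES = {  # padata-type numbers from RFC 4120 / RFC 4556
    2: "PA-ENC-TIMESTAMP", 15: "PA-PK-AS-REP_OLD",
    17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def padata_types(method_data):
    """Return the padata-type integers of a DER-encoded METHOD-DATA."""
    tag, body, end = read_tlv(method_data, 0)
    if tag != 0x30 or end != len(method_data):
        raise ValueError("expected exactly one SEQUENCE")
    types, pos = [], 0
    while pos < len(body):
        tag, pa, pos = read_tlv(body, pos)       # one PA-DATA SEQUENCE
        if tag != 0x30:
            raise ValueError("expected PA-DATA SEQUENCE")
        tag, field, _ = read_tlv(pa, 0)          # [1] padata-type
        if tag != 0xA1:
            raise ValueError("expected [1] padata-type")
        tag, value, _ = read_tlv(field, 0)       # INTEGER inside the [1] wrapper
        if tag != 0x02:
            raise ValueError("padata-type is not an INTEGER")
        types.append(int.from_bytes(value, "big", signed=True))
    return types

def describe(types):
    """Pair each type with its name; unknown numbers are reported as such."""
    return [(t, PA_NAMES.get(t, "unknown")) for t in types]

def _pa(t):  # constructed PA-DATA with an empty padata-value
    return bytes([0x30, 0x09, 0xA1, 0x03, 0x02, 0x01, t, 0xA2, 0x02, 0x04, 0x00])
# Constructed sample (not a capture): lists 19, 2 and 15, and no 17.
SAMPLE = bytes([0x30, 33]) + b"".join(_pa(t) for t in (19, 2, 15))
```

Calling `describe(padata_types(SAMPLE))` lists each advertised type by number and name, which avoids relying on a dissector's label for type 15.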
