Hello list, I need your help!

I am trying to authenticate a Windows 7 client with a smartcard against the MIT Kerberos server using PKINIT. I get the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.

Setup:
- Windows 7 + Smartcard (+Certificate)
- CentOS 6.3 + MIT Kerberos krb5-1.11.1 (compiled from source + #define DEBUG in pkinit)

I start Kerberos with "/usr/local/sbin/krb5kdc -n".
On the Windows 7 client I start "runas /smartcard cmd"; the right certificate is selected and an AS REQ is sent.
The KDC responds with error_code KRB5KDC_ERR_PREAUTH_REQUIRED (25), and another AS REQ is passed to the server.
I also tried it with a Linux client using kinit.

Server log:

pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm 'kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm 'kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1c8d790 for realm 'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1cbfe30
pkinit_init_kdc_req_context: returning reqctx at 0x1cc2880
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/[email protected]
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/[email protected]
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert = /C=AT/ST=Austria/L=Vienna/O=kerberos/[email protected]
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
failed to decode dhparams
bad dh parameters
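
Added example, not part of the original post and not MIT krb5 code: a small triage script that walks a PKINIT debug trace like the one above and reports which KDC-side checks passed and which stage failed first. The stage names, function names and the shortened sample trace are constructed for illustration; the matched message formats are the ones quoted in the post.

```python
import re

# Constructed sample: a shortened trace using message formats quoted in the post.
SAMPLE_TRACE = """\
pkinit_verify_padata: entered!
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: found digitalSignature KU
verify_client_eku: returning retval 0, eku_accepted 1
failed to decode dhparams
bad dh parameters
"""

def _flag_ok(m):
    # A check passed when retval is 0 and the validity flag is 1.
    return m.group(1) == "0" and m.group(2) == "1"

# (stage name, line pattern, verdict) in the order the trace reaches them.
# Stage names are hypothetical labels chosen for this example.
CHECKS = [
    ("cms_signature", re.compile(r"^CMS Verification successful"), lambda m: True),
    ("client_san", re.compile(r"^verify_client_san: returning retval (-?\d+), valid_san (\d+)"), _flag_ok),
    ("client_eku", re.compile(r"^verify_client_eku: returning retval (-?\d+), eku_accepted (\d+)"), _flag_ok),
    ("dh_parameters", re.compile(r"^(?:failed to decode dhparams|bad dh parameters)"), lambda m: False),
]

def triage(trace):
    """Return (stages, first_failure); stages maps each stage seen to True/False."""
    stages, first_failure = {}, None
    for line in trace.splitlines():
        for name, pattern, verdict in CHECKS:
            m = pattern.match(line.strip())
            if m is None:
                continue
            passed = verdict(m)
            stages[name] = stages.get(name, True) and passed
            if not passed and first_failure is None:
                first_failure = name
    return stages, first_failure

def san_match_kind(trace):
    """Return which SAN type matched the principal: 'pkinit', 'upn' or None."""
    m = re.search(r"^verify_client_san: (pkinit|upn) san match found", trace, re.M)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE), san_match_kind(SAMPLE_TRACE))
```

On a trace of this shape the signature, SAN and EKU checks all report success, so the rejection is isolated to the Diffie-Hellman parameters in the request rather than to the smartcard certificate.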
