Smartcard logon using Heimdal KDC

[Prágai Róbert <pragai@rubin.hu>]

Hi,

   I try to arrange an environment, where users can logon to a Kerberos 
realm from Windows 2000 workstations via smartcard logon.
   I've already reached a point where normal password logon works from 
Windows workstations to the Kerberos realm, and the smartcard logon 
works from the Windows workstations to the Windows domain.
   However when I tested the smartcard logon from a Windows workstation 
to the Heimdal KDC, the workstation initiated a normal password logon to 
the Unix KDC instead of smartcard logon according to the network 
traffic. I initiated a logon using the smartcard logon process, typed 
the PIN but the network flow between the workstation and the Unix KDC 
was similar to the normal password logon case.
  
    Does anyone have enough experience with wiht Windows PKINIT to 
answer whether it is the intentional working mechanism of the Windows 
2000 workstations that it initiates a normal password logon to Unix 
KDC's? If it is intentional, however what part of the security system is 
responsible for it: the GINA, the LSA, ths SSP, maybe the corresponding 
CSP or other? What should I change in the system to make this 
environment work?
    All comments are welcome.

thanks,
Robert Pragai