Re: Smartcard logon using Heimdal KDC
Are you doing it in accordance with
draft-ietf-krb-wg-kerberos-sam-02? That's how SecurID and
CRYPTOcard are currently supported and the MIT 1.3.1 client supports
it.
What kind of smart card are you trying to support?
At 1:41 PM +0100 1/26/04, Prágai Róbert wrote:
>Hi,
>
> I try to arrange an environment, where users can logon to a
>Kerberos realm from Windows 2000 workstations via smartcard logon.
> I've already reached a point where normal password logon works
>from Windows workstations to the Kerberos realm, and the smartcard
>logon works from the Windows workstations to the Windows domain.
> However when I tested the smartcard logon from a Windows
>workstation to the Heimdal KDC, the workstation initiated a normal
>password logon to the Unix KDC instead of smartcard logon according
>to the network traffic. I initiated a logon using the smartcard
>logon process, typed the PIN but the network flow between the
>workstation and the Unix KDC was similar to the normal password
>logon case.
> Does anyone have enough experience with Windows PKINIT to
>answer whether it is the intentional working mechanism of the
>Windows 2000 workstations that it initiates a normal password logon
>to Unix KDCs? If it is intentional, however, what part of the
>security system is responsible for it: the GINA, the LSA, the SSP,
>maybe the corresponding CSP or other? What should I change in the
>system to make this environment work?
> All comments are welcome.
>
>thanks,
>Robert Pragai
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu