PKINIT to Windows AD fails about half the time
While testing the Heimdal-20050405 PKINIT client code with smart
cards and Windows AD, about half the time the AD would return
a KRB_ERROR with error code 60 (generic error) and no
e-text or e-data.
Looking closer, the difference appears to be that Win2K AD is
expecting the nonce to be a positive int32 or it can't parse the
ASN.1.
A temporary fix to init_creds_pw.c:
--- ./lib/krb5/,init_creds_pw.c Wed Feb 2 01:30:25 2005
+++ ./lib/krb5/init_creds_pw.c Wed Apr 20 13:57:00 2005
@@ -1199,7 +1207,7 @@
/* Set a new nonce. */
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
- ctx->nonce &= 0xffffffff;
+ ctx->nonce &= 0x7fffffff; /* shot in dark that win2k wants positive */
ctx->as_req.req_body.nonce = ctx->nonce;
#if 0
krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
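Review bot: the new `0x7fffffff` mask should carry the actual rationale rather than "shot in dark", because the size observation already explains it: DER encodes INTEGER in two's complement, so a nonce with bit 31 set needs a leading 0x00 octet to stay positive (the extra byte in the AS_REQ), and a decoder that reads the field into a signed 32-bit int sees a negative value; clearing bit 31 keeps the encoding at four content octets and within int32 range. Also, the `#if 0` block generating `ctx->pk_nonce` directly below is left untouched; if it is ever re-enabled it will need the same masking, so a comment there or a shared helper would avoid the two paths diverging.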
It looks like if the top bit is on, the AS_REQ is one byte larger
than if it is off. I suspect this is ASN.1 adding a zero byte.
Has this been seen before? There is some code to have a different
pk_nonce, but it is #if'ed out.
Or is this an ASN.1 encoding problem on the client side?
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
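The one-byte size difference follows from how DER encodes INTEGER. The following is an added example, not code from the post or from Heimdal, that encodes a 32-bit nonce as a DER INTEGER and compares the two masks from the patch; it assumes the nonce is a 32-bit unsigned value and uses a constructed sample nonce.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encode a non-negative 32-bit value as a DER INTEGER (tag 0x02).
 * out must hold at least 7 bytes. Returns the total encoded length.
 * DER uses two's complement, so a value whose first content octet has
 * bit 7 set must be prefixed with 0x00 to remain positive; that is the
 * extra byte seen in the AS_REQ when bit 31 of the nonce is set. */
size_t der_encode_uint32(uint32_t v, unsigned char *out)
{
    unsigned char content[5];
    size_t n = 0;
    int i;

    /* Big-endian, minimal length: drop leading zero octets, keep one for 0. */
    for (i = 3; i >= 0; i--) {
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xff);
        if (n == 0 && b == 0 && i > 0)
            continue;
        content[n++] = b;
    }
    if (content[0] & 0x80) {
        memmove(content + 1, content, n);
        content[0] = 0x00;
        n++;
    }
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    memcpy(out + 2, content, n);
    return 2 + n;
}

/* Total encoded length of the nonce after applying a mask as in the patch. */
size_t nonce_encoded_len(uint32_t raw, uint32_t mask)
{
    unsigned char buf[8];
    return der_encode_uint32(raw & mask, buf);
}

int main(void)
{
    /* Constructed sample nonce with bit 31 set (not a captured value). */
    uint32_t raw = 0xdeadbeefu;
    printf("& 0xffffffff -> %zu bytes\n", nonce_encoded_len(raw, 0xffffffffu));
    printf("& 0x7fffffff -> %zu bytes\n", nonce_encoded_len(raw, 0x7fffffffu));
    return 0;
}
```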