Re: PKINIT to Windows AD fails about half the time
Love Hörnquist Åstrand wrote:
> Douglas,
>
>
>>Looks like two problems:
>>
>>(1) Windows wants the pk_nonce to have the first
>>bit zero, or it returns the KRB_ERROR 60 with no e-text.
>
>
> It might be us that made it wrong: pk-init-09 says INTEGER, and I assume
> they secretly meant INTEGER (-2147483648..2147483647). I made it into an
> INTEGER (0..4294967295) when I wrote the asn1 spec file; that also needs to
> be tested if that is the real problem.
If you have something, I can try it.
>
>
>>(2) Windows uses the pk_nonce in the ticket, so when
>>_krb5_extract_ticket is called from init_cred_loop
>>it needs to pass in the pk_nonce rather than nonce.
>>
>>Draft 25 says the nonces may be different, and does not
>>require the ticket use the pk_nonce. I don't know what
>>draft 9 said.
>>
>>There are a number of ways to solve this, but they depend
>>on the win2k_compat flag being known when _krb5_extract_ticket
>>is called. Or better still, the compat flag used to create the
>>pa-data needs to be available to process the as-rep.
>>
>>Could the win2k_compat flag be saved in the krb5_get_init_creds_ctx?
>>or in the krb5_pk_init_ctx?
>
>
> Or just set the nonce to the same thing as the nonce, as that is what the
> code did before I managed to break it.
>
But is there some security reason to have two different nonces? Draft 25
allows for different ones, but I don't think it requires them to
be different.
> Thanks for testing,
> Love
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
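The first problem discussed above (a nonce whose top bit is set being rejected by the Windows KDC) comes down to how DER encodes INTEGER: it is two's-complement and minimal-length, so a 32-bit value such as 0x80000000 needs a leading 0x00 byte and occupies five content bytes, which a peer that declared the field as INTEGER (-2147483648..2147483647) cannot accept. The following is an added example, not code from Heimdal or from the thread's participants: a small DER INTEGER encoder/decoder, a check that models a signed-32 peer, a 31-bit nonce generator that both interpretations accept, and a sketch of the AS-REP nonce check with a win2k_compat flag (the function names, the `win2k_compat` parameter and the 31-bit masking are assumptions for illustration, not Heimdal's API).

```python
# Added example (not Heimdal code): DER INTEGER handling for a PKINIT nonce.
import os

SIGNED32_MIN, SIGNED32_MAX = -2**31, 2**31 - 1


def _min_signed_len(value: int) -> int:
    """Smallest number of two's-complement bytes that can hold value."""
    n = 1
    while True:
        try:
            value.to_bytes(n, "big", signed=True)
            return n
        except OverflowError:
            n += 1


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode_integer(value: int) -> bytes:
    """Encode an int as a DER INTEGER (tag 0x02, minimal two's complement)."""
    content = value.to_bytes(_min_signed_len(value), "big", signed=True)
    return b"\x02" + _der_length(len(content)) + content


def der_decode_integer(data: bytes) -> int:
    """Decode a DER INTEGER, rejecting non-minimal encodings."""
    if not data or data[0] != 0x02:
        raise ValueError("not an INTEGER")
    first = data[1]
    if first & 0x80:
        nlen = first & 0x7F
        length = int.from_bytes(data[2:2 + nlen], "big")
        start = 2 + nlen
    else:
        length, start = first, 2
    content = data[start:start + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated INTEGER")
    # A leading 0x00 before a clear sign bit, or 0xff before a set one, is padding.
    if len(content) > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(content, "big", signed=True)


def fits_signed32(value: int) -> bool:
    return SIGNED32_MIN <= value <= SIGNED32_MAX


def decode_nonce_as_signed32(data: bytes) -> int:
    """Model of a peer that declared the field INTEGER (-2147483648..2147483647)."""
    value = der_decode_integer(data)
    if not fits_signed32(value):
        raise ValueError("nonce outside INTEGER (-2147483648..2147483647)")
    return value


def generate_pk_nonce(rand=os.urandom) -> int:
    """Assumption: a 31-bit nonce encodes to at most four content bytes and is
    accepted under both INTEGER (0..4294967295) and the signed-32 reading."""
    return int.from_bytes(rand(4), "big") & 0x7FFFFFFF


def check_as_rep_nonce(rep_nonce: int, req_nonce: int, pk_nonce: int,
                       win2k_compat: bool) -> bool:
    """Assumed shape of the second fix: the nonce in the decrypted AS-REP must
    match pk_nonce when talking to a win2k-compatible KDC, else the KDC-REQ nonce."""
    return rep_nonce == (pk_nonce if win2k_compat else req_nonce)
```

Running `der_encode_integer(0x80000000)` shows the five-byte content (`02 05 00 80 00 00 00`) that the signed-32 reading rejects, while `der_encode_integer(0x7FFFFFFF)` stays at four bytes; masking the nonce to 31 bits sidesteps the disagreement between the two ASN.1 readings without changing either peer.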