Re: Was a smartcard used to get the ticket?
Phil Fisher wrote:
>>
>> I re-added back gss_krb5_get_tkt_flags that used to exist; it fell
>> out with the mech-glue.
>>
>> Love
>
> Thanks for that. Using release 1.0.1 I am able to call this function.
> Unfortunately, I have not yet seen the hw_authent bit set.
>
> I am running my application on a Linux machine which has a smartcard
> reader attached. My KDC is a Windows 2003 Active Directory.
> Authentication with kinit works fine, but 'klist -f' only shows the
> flags 'IA'.
>
> Douglas Engert wrote elsewhere in this thread:
>> I know Windows AD will set the hw-authent bit, if you use a smart card,
Well, I tried it again using a smart card on XP to AD 2003, and it did
not set the bit. I could have sworn I have seen it set in the past. Sorry
if I have misled you.
>> but not sure if Heimdal KDC will set it, or if the Heimdal klist will
>> show it.
>> (The hw-authent could also imply an OTP or other hardware device, and not
>> a smartcard.)
>
>> But it is also not clear if the KDC will only set the hw-authent bit
>> if the KDC has the requires-hw-auth set on the user entry. (I don't have
>> a Heimdal KDC.)
>
> I therefore set the 'Smart card is required for interactive login'
> checkbox in the user's account properties, but this hasn't made any
> difference.
>
> Is there any other configuration that I need to do for Active Directory?
> I've not been able to find any documentation on this.
>
> Thanks again.
>
> Phil
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
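
Where the hw-authent flag discussed in this thread sits in a ticket's flag field, as an added example that is not from the thread or from Heimdal: it decodes the TicketFlags octets using the bit numbers in RFC 4120 (hw-authent is bit 11) and renders 'klist -f' style letters. The function names, the letter table (following the abbreviations documented for MIT 'klist -f') and the sample octets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4120 TicketFlags bit numbers: bit 0 is the most significant bit
 * of the first octet of the BIT STRING. */
enum { TKT_BIT_INITIAL = 9, TKT_BIT_PRE_AUTHENT = 10, TKT_BIT_HW_AUTHENT = 11 };

/* 'klist -f' style letter per bit number, bits 0..13 (0 = no letter).
 * Assumption: abbreviations as documented for MIT klist. */
static const char flag_letter[14] = {
    0, 'F', 'f', 'P', 'p', 'D', 'd', 'i', 'R', 'I', 'A', 'H', 'T', 'O'
};

/* Return 1 if RFC 4120 bit number `bit` is set in the flag octets. */
static int tkt_flag_set(const uint8_t *octets, size_t len, unsigned bit)
{
    size_t idx = bit / 8;
    if (idx >= len)
        return 0;               /* bits beyond the buffer count as clear */
    return (octets[idx] >> (7 - bit % 8)) & 1;
}

/* The check the thread is after: was hardware pre-authentication recorded? */
static int tkt_hw_authent(const uint8_t *octets, size_t len)
{
    return tkt_flag_set(octets, len, TKT_BIT_HW_AUTHENT);
}

/* Write the letters in RFC bit order; `out` must hold at least 14 bytes. */
static const char *tkt_flag_letters(const uint8_t *octets, size_t len, char *out)
{
    size_t n = 0;
    for (unsigned bit = 0; bit < 14; bit++)
        if (flag_letter[bit] && tkt_flag_set(octets, len, bit))
            out[n++] = flag_letter[bit];
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: initial + pre-authent only, i.e. the "IA" case. */
    static const uint8_t tgt_flags[4] = { 0x00, 0x60, 0x00, 0x00 };
    char buf[16];
    printf("%s hw-authent=%d\n", tkt_flag_letters(tgt_flags, 4, buf),
           tkt_hw_authent(tgt_flags, 4));
    return 0;
}
```

A library that hands the flags back as an integer may number the bits differently from the wire order used here, so check its header before testing a bit by position.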