Certificate format for PKINIT to Windows?

Certificate format for PKINIT to Windows?

Geoffrey Elgey-2
G'day,

For those who have performed a successful PKINIT to a Windows server,
can you provide information on the certificate values that are required
for authentication?

For example, is an email address required? A UPN? What form does the
subjectAltName take, etc? I haven't found any documentation on what
certificate information is required for a successful PKINIT to a Windows
KDC.

I feel I'm close to a successful Heimdal PKINIT to a Windows 2003
server, if I can only create the appropriate certificate and assign the
correct policy settings on the Windows server.

Any help appreciated.

-- Geoff

Re: Certificate format for PKINIT to Windows?

Luke Howard

Do you have the smartcard logon EKU in the certificate? Only the
Enterprise Edition of Windows 2003 supports modifying the CA
templates, which you need to do in order to create certificates
with exportable private keys _and_ the smartcard logon EKU.

Active Directory uses the UPN subjectAltName extension for mapping
certificates to accounts, although as I recall you can do it with
the altSecurityIdentities attribute in the directory.

-- Luke

Re: Certificate format for PKINIT to Windows?

Geoffrey Elgey-2
G'day,

Luke Howard wrote:
> Do you have the smartcard logon EKU in the certificate? Only the
> Enterprise Edition of Windows 2003 supports modifying the CA
> templates, which you need to do in order to create certificates
> with exportable private keys _and_ the smartcard logon EKU.
>
> Active Directory uses the UPN subjectAltName extension for mapping
> certificates to accounts, although as I recall you can do it with
> the altSecurityIdentities attribute in the directory.

I just figured that out a little while ago. I created a new certificate
template based on Smart Card Logon, with private key marked as
exportable, and including the UPN. This allowed me to perform a kinit:

$ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem [hidden email]

$ klist

Credentials cache: /tmp/krb5cc_1060

Default principal: [hidden email], 1 entry found.

[1]  Service Principal:  krbtgt/[hidden email]
      Valid starting:  Jun 10, 2005 02:15
      Expires:         Jun 10, 2005 12:15


I'll try to write up some proper documentation for this and post it here
soon.

Thanks,
-- Geoff

Re: Certificate format for PKINIT to Windows?

Geoffrey Elgey-2
G'day,

Geoffrey Elgey wrote:
> I just figured that out a little while ago. I created a new certificate
> template based on Smart Card Logon, with private key marked as
> exportable, and including the UPN. This allowed me to perform a kinit:
>
> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
>   [hidden email]

I specified the client principal explicitly above, as my /etc/krb5.conf
did not have SC.VAS as the default realm. If I modify the default realm
to SC.VAS, and perform a kinit while logged in as 'geoffree', then I do
not need to specify the client principal explicitly.

However, if I perform a kinit while logged in as a different user, then I
do need to specify the client principal explicitly. Otherwise, a client
name mismatch occurs. But shouldn't the client principal name be derived
from information in the certificate?

Windows adds a subjectAltName to the certificate, of the form
OtherName:PrincipalName=[hidden email], which represents the UPN of the
user.

Although using the UPN may not always work for Windows authentication,
is there a configuration option or similar that will map the UPN to the
client principal name?

-- Geoff

Re: Certificate format for PKINIT to Windows?

"Prágai, Róbert"
In reply to this post by Geoffrey Elgey-2
Hi Geoff,

Sorry for this maybe offline question, but which pkcs11 module do you
use for pkinit? I've tried the soft-pkcs11 module without luck, lately.

thanks,
Robert

Re: Certificate format for PKINIT to Windows?

Douglas E. Engert
In reply to this post by Geoffrey Elgey-2


Geoffrey Elgey wrote:

> G'day,
>
> Geoffrey Elgey wrote:
>
>> I just figured that out a little while ago. I created a new
>> certificate template based on Smart Card Logon, with private key
>> marked as exportable, and including the UPN. This allowed me to
>> perform a kinit:
>>
>> $ /usr/heimdal/bin/kinit -C FILE:geoffree.cert.pem,geoffree.key.pem
>>   [hidden email]
>
>
> I specified the client principal explicitly above, as my /etc/krb5.conf
> did not have SC.VAS as the default realm. If I modify the default realm
> to SC.VAS, and perform a kinit while logged in as 'geoffree', then I do
> not need to specify the client principal explicitly.
>
> However, if I perform a kinit while logged in as a different user, then I
> do need to specify the client principal explicitly. Otherwise, a client
> name mismatch occurs. But shouldn't the client principal name be derived
> from information in the certificate?

Maybe, but you would like to be able to use the same certificate
to log in to multiple realms. For example with some government-issued
smart card, which has no knowledge of the many Kerberos realms
it may be used with.

>
> Windows adds a subjectAltName to the certificate, of the form
> OtherName:PrincipalName=[hidden email], which represents the UPN of the
> user.

Yes, but this then limits the certificate to be usable with
the domain only. I would argue that any mapping needs to be done by the
host in its context, not placed in the certificate.

>
> Although using the UPN may not always work for Windows authentication,
> is there a configuration option or similar that will map the UPN to the
> client principal name?

Not that I know of with straight Kerberos. If there was a directory
maybe the host could look up the certificate and see if it maps to
any known principals it is willing to accept.

>
> -- Geoff
>
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Certificate format for PKINIT to Windows?

Luke Howard

>> Although using the UPN may not always work for Windows authentication,
>> is there a configuration option or similar that will map the UPN to the
>> client principal name?
>
>Not that I know of with straight Kerberos. If there was a directory
>maybe the host could look up the certificate and see if it maps to
>any known principals it is willing to accept.

If there is a UPN SAN in the certificate, you can extract it and use it in
the AS-REQ (with the name type set to KRB-NT-ENTERPRISE-PRINCIPAL).

-- Luke
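
Putting Luke's two points together (the Smart Card Logon EKU and UPN subjectAltName named in his first reply, and extracting that UPN for the AS-REQ client name with type KRB-NT-ENTERPRISE-PRINCIPAL here), the following is an added example in Python, not code from the thread or from Heimdal, that a practitioner can use to check a client certificate before trying PKINIT. It takes the DER values of the extendedKeyUsage and subjectAltName extensions (the contents of each extension's OCTET STRING), checks for the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2), pulls the UPN out of the msUPN otherName (OID 1.3.6.1.4.1.311.20.2.3) and returns it with RFC 4120 name type 10; the sample DER and the user geoffree@sc.vas are constructed for the example.

```python
OID_UPN = "1.3.6.1.4.1.311.20.2.3"              # msUPN otherName type-id
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Smart Card Logon EKU
KRB_NT_ENTERPRISE_PRINCIPAL = 10                # RFC 4120 NT-ENTERPRISE

def _tlv(buf, pos=0):
    """(tag, value, end) of the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                             # TLVs inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _oid(value):
    """Dotted string from the value bytes of an OBJECT IDENTIFIER."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                           # remaining arcs, base 128
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def eku_oids(eku_der):
    return [_oid(v) for t, v in _children(_tlv(eku_der)[1]) if t == 0x06]  # SEQUENCE OF OID

def upn_from_san(san_der):
    """UPN from GeneralNames: otherName [0] { msUPN, [0] EXPLICIT UTF8String }."""
    for tag, name in _children(_tlv(san_der)[1]):
        if tag == 0xA0:                           # skip rfc822Name, dNSName, ...
            (_, type_id), (_, explicit) = _children(name)
            if _oid(type_id) == OID_UPN:
                return _tlv(explicit)[1].decode("utf-8")
    return None

def pkinit_client_name(eku_der, san_der):
    """(upn, name-type) for the AS-REQ cname, or None if either field is missing."""
    upn = upn_from_san(san_der) if OID_SMARTCARD_LOGON in eku_oids(eku_der) else None
    return (upn, KRB_NT_ENTERPRISE_PRINCIPAL) if upn else None

# Constructed sample extension values, hand-encoded DER for this example:
# SAN = SEQUENCE { otherName { msUPN, [0] UTF8String "geoffree@sc.vas" } }
SAMPLE_SAN = bytes.fromhex("3021 a01f 060a 2b06 0104 0182 3714 0203"
                           "a011 0c0f 6765 6f66 6672 6565 4073 632e 7661 73")
# EKU = SEQUENCE { id-kp-clientAuth, msSmartcardLogin }
SAMPLE_EKU = bytes.fromhex("3016 0608 2b06 0105 0507 0302 060a 2b06 0104 0182 3714 0202")
```

A certificate that has the EKU but only an rfc822Name in its subjectAltName, or the UPN but no Smart Card Logon EKU, yields None, which is the case the thread's "client name mismatch" and Windows's refusal both trace back to.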

Re: Certificate format for PKINIT to Windows?

Love Hörnquist Åstrand
In reply to this post by Geoffrey Elgey-2

Geoffrey Elgey <[hidden email]> writes:

> I specified the client principal explicitly above, as my
> /etc/krb5.conf did not have SC.VAS as the default realm. If I modify
> the default realm to SC.VAS, and perform a kinit while logged in as
> 'geoffree', then I do not need to specify the client principal
> explicitly.
>
> However, if I perform a kinit while logged in as a different user, then
> I do need to specify the client principal explicitly. Otherwise, a
> client name mismatch occurs. But shouldn't the client principal name
> be derived from information in the certificate?
>
> Windows adds a subjectAltName to the certificate, of the form
> OtherName:PrincipalName=[hidden email], which represents the UPN of
> the user.
>
> Although using the UPN may not always work for Windows authentication,
> is there a configuration option or similar that will map the UPN to
> the client principal name?
The code should pick up the name from the certificate if it's there. But
since it required me to reorganize the code in kinit and add support for
client principal in the libkrb5, I ignored that for me. Something like
it is also needed for the PAM support.

Love

Re: Certificate format for PKINIT to Windows?

Love Hörnquist Åstrand
In reply to this post by "Prágai, Róbert"

"Prágai, Róbert" <[hidden email]> writes:

> Hi Geoff,
>
> sorry for this maybe offline question but which pkcs11 module do you
> use for pkinit? I've tried the soft-pkcs11 module without luck, lately.

What problems are you having with the module ?

Love

pkinit module problems

"Prágai, Róbert"
Hi,

the situation is:

# /usr/bin/kinit -C FILE:/etc/ssl/certs/pragai.pem,/etc/ssl/keys/pragai.key pragai
Enter your private key passphrase:
kinit: krb5_get_init_creds: No ENC-TS found

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = RUBIN.HU
        pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/soft-pkcs11.so

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

[realms]
        RUBIN.HU = {
                kdc = localhost
                admin_server = localhost
                win2k_pkinit = false
        }

[domain_realm]
        localhost = RUBIN.HU
        localhost.localdomain = RUBIN.HU

[appdefaults]
    pkinit-anchors = OPENSSL-ANCHOR-DIR:/etc/ssl/certs
    win2k_pkinit = false

[kdc]
    enable-pkinit = yes
    win2k_pkinit = false
    pki-identity = FILE:/etc/ssl/certs/kdc.pem,/etc/ssl/keys/kdc.key
    pki-anchors = OPENSSL-ANCHOR-DIR:/etc/ssl/certs


maybe I miss something?

thanks,
Robert

Re: Certificate format for PKINIT to Windows?

"Prágai, Róbert"
In reply to this post by Love Hörnquist Åstrand
Hi,

Moreover, if I try it without address:
# /usr/bin/kinit -C FILE:/etc/ssl/certs/pragai.pem,/etc/ssl/keys/pragai.key -A pragai
Enter your private key passphrase:
kinit: krb5_get_init_creds: No usable pa data type


Robert