Re: windows and smartcards
From: Ken Hornstein
Thu, 5 May 2022 14:41 UTC

> Gotcha, thank you very much for all the help.
> I guess just out of curiosity:
> - for Windows: there are other tools such as Heimdal and Microsoft
> Kerberos. With those, I don't know if you ever played around with them or
> know if they support smartcard and PIN authentication to get a ticket
> manually, meaning get a ticket for a specified account with the use of
> kinit or similar tools.

Here's my limited, imperfect understanding of the situation.
- My understanding is that the Kerberos implementation supplied by Microsoft
does implement PKINIT and works with smartcards. But I am not sure if
you can use it OUTSIDE of an Active Directory domain.
- It seems that Heimdal _does_ implement PKINIT. But it's not clear to
me that they support using PKCS#11 to sign the PKINIT request, which
is the piece you need to make it work with Smartcards. I mean, I see
there is SOME PKCS#11 support, I just didn't see any calls to something
like C_SignInit. It's very possible I missed it. You're going to have
to investigate that on your own.