• Fwd: FW: kinit failing when AD user joining using smaercard PIN on

    From Ken Hornstein@21:1/5 to Vikram Yadav on Wed Mar 3 06:44:30 2021
    Copy: kerberos@mit.edu

    I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
    tested again but it throws error regarding "no acceptable EKU in KDC

    I read the link you sent in the below mail, it says setting >pkinit_eku_checking is not necessary.

    Well, hm, I am not the expert on how AD realms and their certificates
    are normally created. I was under the impression that normally the
    correct EKU is placed in the certificate, but maybe that didn't happen
    in this case. You COULD get a copy of the KDC certificate (just the
    public portion, of course) and examine it with the openssl command-line
    tools if you want to verify that.

    Anyway, you should be able to solve this with the pkinit_eku_checking
    client configuration option (it goes in the same section as pkinit_kdc_hostname). There are three possible values for this
    entry: kpKDC (the default), kpServerAuth, and none. So since kpKDC
    doesn't work for you, I'd try kpServerAuth. "none" is always an
    option, but is not recommended. With the PKI deployments I work
    with, we have to use kpServerAuth (in theory we can get a certificate
    with the correct EKU and the id-pkinit-san, but sadly there is a bug
    in the generated encoding they produce so it doesn't work).


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)