Copy:
kerberos@mit.edu
> I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
> tested again but it throws an error regarding "no acceptable EKU in KDC
> cert"
> I read the link you sent in the below mail, it says setting pkinit_eku_checking is not necessary.
Well, hm, I am not the expert on how AD realms and their certificates
are normally created. I was under the impression that normally the
correct EKU is placed in the certificate, but maybe that didn't happen
in this case. You COULD get a copy of the KDC certificate (just the
public portion, of course) and examine it with the openssl command-line
tools if you want to verify that.
Anyway, you should be able to solve this with the pkinit_eku_checking
client configuration option (it goes in the same section as pkinit_kdc_hostname). There are three possible values for this
entry: kpKDC (the default), kpServerAuth, and none. So since kpKDC
doesn't work for you, I'd try kpServerAuth. "none" is always an
option, but is not recommended. With the PKI deployments I work
with, we have to use kpServerAuth (in theory we can get a certificate
with the correct EKU and the id-pkinit-san, but sadly there is a bug
in the generated encoding they produce so it doesn't work).
--Ken
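Added example (not from the thread or from either poster): the openssl check Ken suggests, wrapped in a small POSIX shell script that reads the KDC certificate's Extended Key Usage and reports which pkinit_eku_checking value would accept it, then prints the matching client-side krb5.conf fragment. It generates its own throwaway self-signed test certificates (one with the id-pkinit-KDC EKU, one with only id-kp-serverAuth, one with only clientAuth) so it runs offline; the realm name BLRDHCDEV.COM is assumed from the KDC hostname in the thread, and nothing here is a real KDC certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread. Inspects a KDC
# certificate's Extended Key Usage with the openssl CLI and derives the
# pkinit_eku_checking value that will accept it.

# Print the pkinit_eku_checking value needed for the PEM certificate $1:
#   kpKDC        if it carries id-pkinit-KDC (1.3.6.1.5.2.3.5)
#   kpServerAuth if it carries only id-kp-serverAuth (1.3.6.1.5.5.7.3.1)
#   none         otherwise (the only setting that would accept it, and
#                the one not recommended)
pkinit_eku_setting() {
    # `openssl x509 -text` prints the EKU names on the line after the
    # "X509v3 Extended Key Usage:" header; older builds print the raw OID
    # for id-pkinit-KDC instead of "Signing KDC Response", so match both.
    ekus=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
           | awk '/Extended Key Usage/ { getline; print; exit }')
    case "$ekus" in
        *"Signing KDC Response"*|*1.3.6.1.5.2.3.5*)            echo kpKDC ;;
        *"TLS Web Server Authentication"*|*1.3.6.1.5.5.7.3.1*) echo kpServerAuth ;;
        *)                                                     echo none ;;
    esac
}

# Print the client-side krb5.conf fragment for setting $1. The realm name
# BLRDHCDEV.COM is an assumption derived from the KDC hostname above.
krb5_conf_snippet() {
    cat <<EOF
[realms]
    BLRDHCDEV.COM = {
        pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
        pkinit_eku_checking = $1
    }
EOF
}

# Constructed test data: a throwaway self-signed certificate written to $1
# with extendedKeyUsage $2 (requires OpenSSL 1.1.1 or newer for -addext).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=blrdhcdev-ad.blrdhcdev.com" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KDC_CERT="$WORK/kdc.pem"; make_test_cert "$KDC_CERT" 1.3.6.1.5.2.3.5
SRV_CERT="$WORK/srv.pem"; make_test_cert "$SRV_CERT" serverAuth
CLI_CERT="$WORK/cli.pem"; make_test_cert "$CLI_CERT" clientAuth

for c in "$KDC_CERT" "$SRV_CERT" "$CLI_CERT"; do
    echo "$c -> pkinit_eku_checking = $(pkinit_eku_setting "$c")"
done
# Emit the fragment for the serverAuth-only case, the situation in the thread.
krb5_conf_snippet "$(pkinit_eku_setting "$SRV_CERT")"
```

To check a real KDC, export the public certificate from the domain controller and run `pkinit_eku_setting` against it; a certificate enrolled from the classic Domain Controller template carries only Server Authentication and Client Authentication and therefore needs kpServerAuth, whereas the Kerberos Authentication template adds the KDC Authentication EKU (1.3.6.1.5.2.3.5) that the default kpKDC expects.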