Hi Ken,

The TGS ticket flag is set on the KDC server. When the client gets the TGS ticket back from the server, he/she is able to see the flags set by the KDC. It looks like the klist command will show the flags.

However, if the client passes the ticket to some service for verification, the service will not be able to see these flags. Is that right? My understanding is that these flags are not passed to the service?

Thanks
Jim

> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
>
>> Does this mean the client certificate should have the policy:
>> 1.3.6.1.4.1.311.20.2.2
>> (Smart Card Logon)?
>>
>> Is it only the client certificate, or should the CA cert also have this policy?
>
> Well, we don't use that particular OID; we use another one defined by our
> CA that indicates it comes from an approved Smart Card. But that's the
> basic idea.
>
> I don't want to get into a whole discussion about certificate policy;
> that's sort of outside of the scope of this thread. I will say that in
> our particular case, it only matters that the client certificate has that
> policy OID on it and that's all our implementation checks for.
>
> And let me be clear; this is not something that exists in the supplied
> MIT Kerberos pkinit module. This is our own version of it. I've
> talked with MIT about incorporating our changes into their module,
> and they have been receptive; I just haven't had time recently to
> deal with it.
>
> --Ken
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
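The question above concerns where ticket flags live and who can read them. As an added example (not code from this thread, from Ken's module, or from MIT Kerberos), the following decodes and encodes the KerberosFlags BIT STRING that RFC 4120 places both in EncKDCRepPart (the part of the KDC reply the client decrypts, which is what klist shows) and in EncTicketPart (the part of the ticket only the service can decrypt). The bit numbers come from RFC 4120 section 5.4.1 and the one-letter abbreviations are the ones MIT `klist -f` prints; the listing order is assumed to match klist's output order, and the sample DER bytes are constructed for the example.

```python
# Added example: decode/encode the RFC 4120 TicketFlags BIT STRING.
# Bit positions follow RFC 4120 section 5.4.1; the single letters are the
# abbreviations MIT `klist -f` prints (listing order assumed to match klist).

TICKET_FLAGS = [
    # (ASN.1 bit number, RFC 4120 name, klist letter)
    (1, "forwardable", "F"),
    (2, "forwarded", "f"),
    (3, "proxiable", "P"),
    (4, "proxy", "p"),
    (5, "may-postdate", "D"),
    (6, "postdated", "d"),
    (7, "invalid", "i"),
    (8, "renewable", "R"),
    (9, "initial", "I"),
    (11, "hw-authent", "H"),
    (10, "pre-authent", "A"),
    (12, "transited-policy-checked", "T"),
    (13, "ok-as-delegate", "O"),
]
BIT_BY_NAME = {name: bit for bit, name, _ in TICKET_FLAGS}


def parse_kerberos_flags(der: bytes) -> int:
    """Parse a DER BIT STRING (tag 0x03) and return it as a 32-bit integer
    in which ASN.1 bit 0 is the most significant bit (0x80000000)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length is not used for KerberosFlags")
    body = der[2:2 + length]
    if len(body) != length or len(der) != 2 + length:
        raise ValueError("length mismatch")
    unused = body[0]
    data = body[1:]
    if unused > 7 or (unused and not data):
        raise ValueError("bad unused-bits octet")
    nbits = len(data) * 8 - unused
    value = int.from_bytes(data, "big") >> unused
    # RFC 4120 section 5.2.8: receivers must accept strings shorter than 32 bits
    # and treat the missing bits as unset; bits beyond 32 are not ticket flags
    # and are dropped here.
    if nbits < 32:
        value <<= 32 - nbits
    elif nbits > 32:
        value >>= nbits - 32
    return value


def flag_names(value: int) -> list:
    """RFC 4120 names of the flags set in a 32-bit flag word."""
    return [name for bit, name, _ in TICKET_FLAGS if value >> (31 - bit) & 1]


def klist_letters(value: int) -> str:
    """The flag letters as `klist -f` would print them for this flag word."""
    return "".join(letter for bit, _, letter in TICKET_FLAGS if value >> (31 - bit) & 1)


def encode_kerberos_flags(names) -> bytes:
    """DER BIT STRING for a set of flag names; senders always emit 32 bits."""
    value = 0
    for name in names:
        value |= 1 << (31 - BIT_BY_NAME[name])
    # tag 0x03, length 5, zero unused bits, four data octets
    return b"\x03\x05\x00" + value.to_bytes(4, "big")


# Constructed sample: the flags a freshly obtained, renewable TGT typically carries
# (forwardable, renewable, initial, pre-authent) = bits 1, 8, 9, 10 = 0x40E00000.
SAMPLE_DER = bytes.fromhex("03050040e00000")

if __name__ == "__main__":
    word = parse_kerberos_flags(SAMPLE_DER)
    print(hex(word), flag_names(word), klist_letters(word))
```

Because the same TicketFlags value sits inside EncTicketPart, a service that decrypts a ticket with its own key sees exactly the bits this decoder reports; the client never gets to alter them, since that part of the ticket is encrypted under the service key.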