Never mind. I assume the flags are inside the ticket.

Thanks
Jim

> On Jun 3, 2015, at 3:52 PM, Jim Shi <hanmao_...@apple.com> wrote:
>
> Hi, Ken,
> The TGS ticket flag is set on the KDC server. When the client gets the TGS back from
> the server, he/she is able to see the flag set by the KDC. Looks like klist
> commands will show flags.
>
> However, if the client passes the ticket to some service for verification,
> the service will not be able to see these flags. Is that right? My
> understanding is that these flags are not passed to the service??
>
> Thanks
> Jim
>
>> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
>>
>>> Does this mean the client certificate should have the policy:
>>> 1.3.6.1.4.1.311.20.2.2
>>> (Smart Card Logon)?
>>>
>>> Is it only the client certificate, or should the CA cert also have this policy?
>>
>> Well, we don't use that particular OID; we use another one defined by our
>> CA that indicates it comes from an approved Smart Card. But that's the
>> basic idea.
>>
>> I don't want to get into a whole discussion about certificate policy;
>> that's sort of outside of the scope of this thread. I will say that in
>> our particular case, it only matters that the client certificate has that
>> policy OID on it and that's all our implementation checks for.
>>
>> And let me be clear; this is not something that exists in the supplied
>> MIT Kerberos pkinit module. This is our own version of it. I've
>> talked with MIT about incorporating our changes into their module,
>> and they have been receptive; I just haven't had time recently to
>> deal with it.
>>
>> --Ken
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
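The question in the thread is whether a service sees the ticket flags. Per RFC 4120 they live in the ticket's encrypted part (EncTicketPart, field flags [0]), which only the service's key can decrypt, so the service does see them; the client sees the same values only because the KDC copies them into the reply's EncKDCRepPart (flags [4]), which is what klist renders. The following is an added example, not code from the thread or from MIT Kerberos: it encodes and decodes the RFC 4120 TicketFlags BIT STRING with the RFC's bit numbering (bit 0 is the most significant bit of the first octet, at least 32 bits are sent) and renders the result with the letters MIT's klist -f prints. The sample flag set is constructed.

```python
# Added example (not from the thread): RFC 4120 TicketFlags as the DER BIT
# STRING carried in EncTicketPart.flags [0] and copied by the KDC into
# EncKDCRepPart.flags [4]. Bit numbering follows RFC 4120 section 5.2.8.
# Only the flags defined in RFC 4120 are listed; later RFCs add more bits.

TICKET_FLAG_BITS = {
    "reserved": 0,
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}

# Letters MIT klist -f prints for each flag, in klist's own order.
KLIST_LETTERS = [
    ("forwardable", "F"), ("forwarded", "f"), ("proxiable", "P"), ("proxy", "p"),
    ("may-postdate", "D"), ("postdated", "d"), ("invalid", "i"), ("renewable", "R"),
    ("initial", "I"), ("hw-authent", "H"), ("pre-authent", "A"),
    ("transited-policy-checked", "T"), ("ok-as-delegate", "O"),
]


def encode_ticket_flags(names):
    """DER-encode the named flags as a 32-bit KerberosFlags BIT STRING."""
    value = 0
    for name in names:
        value |= 1 << (31 - TICKET_FLAG_BITS[name])
    # tag 0x03 (BIT STRING), length 5, unused-bits octet 0, four data octets
    return b"\x03\x05\x00" + value.to_bytes(4, "big")


def decode_ticket_flags(der):
    """Parse a DER KerberosFlags BIT STRING; return the set flag names in bit order."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KerberosFlags are a handful of octets, so only short-form lengths are accepted
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bits octet out of range")
    data = der[3:]
    nbits = len(data) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits (RFC 4120 5.2.8)")
    return [name for name, bit in TICKET_FLAG_BITS.items()
            if bit < nbits and data[bit // 8] & (0x80 >> (bit % 8))]


def klist_style(names):
    """Render flag names the way MIT klist -f does, e.g. 'FRIA'."""
    present = set(names)
    return "".join(letter for name, letter in KLIST_LETTERS if name in present)


if __name__ == "__main__":
    # Constructed sample: the flag set of a typical pre-authenticated, renewable TGT
    der = encode_ticket_flags(["forwardable", "renewable", "initial", "pre-authent"])
    print(der.hex())                              # 03050040e00000
    print(klist_style(decode_ticket_flags(der)))  # FRIA
```

A service that has decrypted EncTicketPart would run the decoder over the flags field to check, for instance, that a ticket marked invalid (postdated but not yet validated) is rejected, or to log ok-as-delegate for audit; the client never needs to send the flags separately because they are inside the ticket it presents.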