On 02/01/2017 11:26 AM, Jacques Henry wrote:
> I am using kinit (krb5-1.15) from an Ubuntu 14.04 64-bit using a smartcard
> in a PINPAD reader.
>
> The KDC is an Active Directory Windows 2012 R2.
>
> If I enter the PIN code correctly the first time, it works like a charm.

I'm glad to hear that, since we don't do frequent PKINIT interoperability testing between MIT krb5 and Active Directory.

> However if I try again (after a kdestroy) by entering a wrong PIN the first
> time it is asked and then if I use the correct PIN the second time it
> fails with the following error: ASN1_CHECK_TLEN:wrong tag

There are two problems here:

1. The old draft9 support isn't intended to be used as a wrong-PIN fallback; it is only there for interoperability with old PKINIT implementations. It might be time to remove that support, since Windows Server 2003 hit the end of its extended support life in 2015.

2. We can't decode the Windows PKINIT reply due to some ASN.1 tagging issue.

To debug the second problem, I would need a packet capture of the AS-REP from the Windows KDC. But it's also not likely to be a high priority for me because of the first issue, so if it isn't convenient to get that information, it probably isn't worth a lot of effort.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos