> I rectified pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com and tested again,
> but it throws an error regarding "no acceptable EKU in KDC cert".
>
> I read the link you sent in the mail below; it says setting
> pkinit_eku_checking is not necessary.
Well, hm, I am not the expert on how AD realms and their certificates are normally created. I was under the impression that normally the correct EKU is placed in the certificate, but maybe that didn't happen in this case. You COULD get a copy of the KDC certificate (just the public portion, of course) and examine it with the openssl command-line tools if you want to verify that.

Anyway, you should be able to solve this with the pkinit_eku_checking client configuration option (it goes in the same section as pkinit_kdc_hostname). There are three possible values for this entry: kpKDC (the default), kpServerAuth, and none. So since kpKDC doesn't work for you, I'd try kpServerAuth. "none" is always an option, but is not recommended.

With the PKI deployments I work with, we have to use kpServerAuth (in theory we can get a certificate with the correct EKU and the id-pkinit-san, but sadly there is a bug in the generated encoding they produce so it doesn't work).

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
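The check Ken describes (look at the KDC certificate's EKU, then pick the strictest pkinit_eku_checking value it supports) as an added, stand-alone example that is not part of the thread and not MIT krb5 code. It parses the DER value of an X.509 extendedKeyUsage extension, the thing `openssl x509 -in kdc.pem -noout -text` reports as "X509v3 Extended Key Usage", and maps the OIDs it finds onto the three settings from the reply: kpKDC needs id-pkinit-KPKdc (1.3.6.1.5.2.3.5), kpServerAuth accepts id-kp-serverAuth (1.3.6.1.5.5.7.3.1), none checks nothing. The three sample extension values are constructed in the script rather than dumped from a real KDC, and the realm name EXAMPLE.COM in the generated krb5.conf stanza is a placeholder; only the KDC hostname comes from the thread.

```python
"""Which pkinit_eku_checking value fits a given KDC certificate?

Added example for this thread (not MIT krb5 code). Parses a DER
extKeyUsage value and maps its OIDs to the krb5.conf settings
kpKDC / kpServerAuth / none. Sample inputs below are constructed.
"""

# OIDs from RFC 4556 (PKINIT) and RFC 5280 (id-kp-serverAuth).
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"         # required by pkinit_eku_checking = kpKDC
ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"      # accepted by pkinit_eku_checking = kpServerAuth
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"  # client-side EKU; says nothing about a KDC

DER_SEQUENCE = 0x30
DER_OID = 0x06

def _der_length(n):
    """DER length octets for n (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_tlv(buf, pos):
    """Read one tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    """DER-encode a dotted OID (first two arcs packed into one octet)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                # base-128, least significant group first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return bytes([DER_OID]) + _der_length(len(out)) + bytes(out)

def decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                     # last octet of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def encode_eku(oids):
    """Build an extKeyUsage extension value: SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([DER_SEQUENCE]) + _der_length(len(body)) + body

def parse_eku(der):
    """Return the dotted OIDs listed in an extKeyUsage extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != DER_SEQUENCE:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != DER_OID:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids

def eku_checking_options(eku_oids):
    """pkinit_eku_checking values under which this KDC cert passes the EKU
    check, strictest first. 'none' always passes: it disables the check."""
    options = []
    if ID_PKINIT_KPKDC in eku_oids:
        options.append("kpKDC")
    if ID_KP_SERVERAUTH in eku_oids:
        options.append("kpServerAuth")
    options.append("none")
    return options

def krb5_conf_snippet(realm, kdc_host, eku_oids):
    """Realm stanza using the strictest setting the certificate supports."""
    setting = eku_checking_options(eku_oids)[0]
    return ("[realms]\n"
            f"    {realm} = {{\n"
            f"        pkinit_kdc_hostname = {kdc_host}\n"
            f"        pkinit_eku_checking = {setting}\n"
            "    }\n")

# Constructed sample extension values (not dumped from any real KDC).
AD_STYLE_EKU = encode_eku([ID_PKINIT_KPKDC, ID_KP_SERVERAUTH])  # KDC EKU present
SERVERAUTH_ONLY_EKU = encode_eku([ID_KP_SERVERAUTH])            # generic TLS server cert
CLIENT_ONLY_EKU = encode_eku([ID_PKINIT_KPCLIENTAUTH])          # wrong cert for a KDC

if __name__ == "__main__":
    for label, der in [("KDC EKU present", AD_STYLE_EKU),
                       ("serverAuth only", SERVERAUTH_ONLY_EKU),
                       ("client-auth only", CLIENT_ONLY_EKU)]:
        oids = parse_eku(der)
        print(f"{label}: {oids} -> pkinit_eku_checking in {eku_checking_options(oids)}")
    # Realm name is a placeholder; the KDC host is the one from the thread.
    print(krb5_conf_snippet("EXAMPLE.COM", "blrdhcdev-ad.blrdhcdev.com",
                            parse_eku(SERVERAUTH_ONLY_EKU)))
```

For a certificate that only carries id-kp-serverAuth, the strictest setting that works is kpServerAuth, which is the case Ken describes; a certificate with neither EKU leaves only none, and at that point the sensible fix is a different KDC certificate rather than a weaker client setting.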