> Gotcha, thank you very much for all the help.
> I guess just out of curiosity:
> - For Windows: there are other tools such as Heimdal and Microsoft
> Kerberos. With those, I don't know if you ever played around with them or
> know if they support smartcard and PIN authentication to get a ticket
> manually.
> Manually meaning, get a ticket for a specified account with the use of
> kinit or similar tools.

Here's my limited, imperfect understanding of the situation.

- My understanding is that the Kerberos implementation supplied by Microsoft does implement PKINIT and works with smartcards. But I am not sure if you can use it OUTSIDE of an Active Directory domain.

- It seems that Heimdal _does_ implement PKINIT. But it's not clear to me that they support using PKCS#11 to sign the PKINIT request, which is the piece you need to make it work with Smartcards. I mean, I see there is SOME PKCS#11 support, I just didn't see any calls to something like C_SignInit. It's very possible I missed it. You're going to have to investigate that on your own.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos