On Sat, Mar 1, 2008 at 1:46 AM, Matthew Andrews wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> | Matt,
> | The obvious question is whether your KDC is properly configured for
> | pkinit? Also, is the client configured to require preauthentication?
> | If so, the KDC should offer the pkinit preauth method to the client in
> | a preauth-required message. Unlike the Heimdal client, the MIT client
> | will not send padata automatically just because you specified
> | pkinit_identity and pkinit_anchors.
> |
> | K.C.
> |
> |
>
> well, I have the following in the kdc.conf in the realms stanza entry
> for the realm in question:
>
>
>
> again I'm still not sure what I'm missing. I'm sure that in the end
> it'll be something that I go "oh, DUH!" about but for now I don't see
> it. Thanks for the help.
I haven't looked closely at the KDC cert, but you didn't mention
whether the client principal's DB entry has the requires_preauth flag
set. Does the KDC not offer pkinit as a valid patype?

K.C.
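The two checks K.C. asks for can be scripted against the outputs the admin would already be looking at. The script below is an added example, not code from this thread or from MIT krb5: `has_requires_preauth` reads the `Attributes:` line of `kadmin.local -q "getprinc PRINC"` output, and `kdc_offers_pkinit` reads the KDC's offered preauth types out of `KRB5_TRACE` output from `kinit`. The trace facility and its "Processing preauth types:" line are assumed (it exists in MIT krb5 1.9 and later, well after this 2008 thread, and the exact line format varies between versions, so the parser keeps only the numbers). The principal name, realm and all sample outputs are constructed for the example; PKINIT is padata type 16 (PA-PK-AS-REQ).

```shell
#!/bin/sh
# Added example (not from the original thread): check the two things K.C.
# raises, using outputs an admin would paste by hand otherwise.

# Returns 0 when the getprinc output passed as $1 has REQUIRES_PRE_AUTH
# among the principal's attributes. Real usage (kadmin.local is assumed):
#   has_requires_preauth "$(kadmin.local -q 'getprinc alice@EXAMPLE.COM')"
has_requires_preauth() {
    printf '%s\n' "$1" | grep -E '^Attributes:' | grep -qw 'REQUIRES_PRE_AUTH'
}

# Returns 0 when the KRB5_TRACE output passed as $1 shows the KDC offering
# padata type 16 (PA-PK-AS-REQ, i.e. PKINIT). Older traces print bare
# numbers, newer ones print "NAME (number)"; both reduce to the numbers.
# Real usage: kdc_offers_pkinit "$(KRB5_TRACE=/dev/stderr kinit alice 2>&1)"
kdc_offers_pkinit() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Processing preauth types://p' \
        | tr -c '0-9\n' ' ' \
        | tr ' ' '\n' \
        | grep -qx '16'
}

# ---- constructed sample outputs (not captured from a real system) ----
SAMPLE_PRINC_PREAUTH='Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: DISALLOW_POSTDATED REQUIRES_PRE_AUTH
Policy: [none]'

SAMPLE_PRINC_NOPREAUTH='Principal: bob@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]'

SAMPLE_TRACE_PKINIT='[1234] 1204330000.000000: Sending request (177 bytes) to EXAMPLE.COM
[1234] 1204330000.000000: Received error from KDC: -1765328359/Additional pre-authentication required
[1234] 1204330000.000000: Processing preauth types: PA-PK-AS-REQ (16), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)'

SAMPLE_TRACE_NOPKINIT='[1234] 1204330000.000000: Received error from KDC: -1765328359/Additional pre-authentication required
[1234] 1204330000.000000: Processing preauth types: 19, 2'

# Prints a one-line verdict for each check so the script is usable as-is.
report() {
    if has_requires_preauth "$1"; then
        echo "principal: REQUIRES_PRE_AUTH set"
    else
        echo "principal: REQUIRES_PRE_AUTH NOT set (KDC will not send preauth-required)"
    fi
    if kdc_offers_pkinit "$2"; then
        echo "kdc: PKINIT (patype 16) offered"
    else
        echo "kdc: PKINIT (patype 16) not offered; check the realm's pkinit_* settings"
    fi
}

report "$SAMPLE_PRINC_PREAUTH" "$SAMPLE_TRACE_PKINIT"
report "$SAMPLE_PRINC_NOPREAUTH" "$SAMPLE_TRACE_NOPKINIT"
```

If the first check fails, the KDC answers the initial AS-REQ with a ticket rather than a preauth-required error, so the MIT client never learns that PKINIT is available; if the second fails, the principal side is fine and the realm's PKINIT configuration on the KDC is where to look next.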