I'm pretty sure this is supposed to work, but I'm not upgrading to 10.9 for a while, so I guess I can't comment as much as I'd like.

I do know there exist people who did it with 10.8, but have no direct contact with them. If you're doing it with an AD Kerberos service, then there are some off-topic configuration settings that are probably needed. Even more if you want to use AD with a cross-realm trust to a PKINIT-supporting non-AD Kerberos.

On Nov 14, 2013, at 1:51 PM, Yoann Gini <yoann.gini@gmail.com> wrote:

And actually (on 10.9), Kerberos didn’t get the TGT from the login. Klist asks me for a password.

Has anyone successfully enabled PKINIT/Kerberos things?

Personal email.  hbhotz@oxy.edu