[SmartcardServices-Users] PKINIT failed on OS X 10.9 but not on Windows 7

Yoann Gini yoann.gini at gmail.com
Tue Nov 26 10:10:45 PST 2013


Hi folks,

First of all, if I haven’t published anything yet on Windows integration it’s because I’ve been busy, and also because I have a troubleshooting session on a client network this week, so I think it will be valuable for the article :-)

At least if I find the bug.

Has anyone already seen a PKINIT system working well on Windows 7 but not on OS X 10.9?

We have a Charismathics middleware (same on OS X and Windows) and a Nexus PKI linked to a 2k8 AD.

Everything works well on Windows (authentication and PKINIT, confirmed via a network capture) but on OS X, the certificate is validated by the trust chain but it’s unusable for the PKINIT part.

If my AD account is configured as a portable account with local data pre-existing (so no need to connect to a share point at login time), authentication works well. The card is also OK when we have to sign something.

But, if my user account is not yet on the system / network only, the authentication fails.

Running the kinit command line with the options needed for PKINIT leads me to the common error:

kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found

I’ve passed the whole day digging with a debugger and disassembler to understand where the problem is, and I’ve ended up with a problem in the certificate matching system: Heimdal seems not to understand the LocalKeyID (OID 1.2.840.113549.1.9.21). I’m not sure if I’m on the right track or not…

Does anyone have some experience to share here?

Best regards,
Yoann.
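Added example (not code from the post, nor from Heimdal or the Charismathics middleware): a stdlib-only Python sketch of what the LocalKeyID attribute mentioned above (OID 1.2.840.113549.1.9.21) looks like on the wire, and how a PKCS#12 consumer pairs a certificate bag with its key bag by matching that attribute. The Attribute structure (SEQUENCE of an OBJECT IDENTIFIER and a SET of values) follows PKCS#9/PKCS#12; the helper names, the sample key id and the friendlyName sibling attribute are constructed for illustration and say nothing about what Heimdal actually does internally.

```python
"""Minimal DER helpers to encode and inspect a PKCS#9 localKeyId attribute.

Attribute ::= SEQUENCE {
    type   OBJECT IDENTIFIER,   -- 1.2.840.113549.1.9.21 is localKeyId
    values SET OF OCTET STRING  -- the key id bytes
}
"""

LOCAL_KEY_ID_OID = "1.2.840.113549.1.9.21"   # pkcs-9 localKeyId (from the post)
FRIENDLY_NAME_OID = "1.2.840.113549.1.9.20"  # pkcs-9 friendlyName (for contrast)


def _der_len(n):
    # Short form for < 128, long form (0x80 | byte count) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode the body (no tag/length) of a DER OBJECT IDENTIFIER."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_attribute(oid, tag, value):
    """DER Attribute with a single value of the given universal tag."""
    return _tlv(0x30, encode_oid(oid) + _tlv(0x31, _tlv(tag, value)))


def encode_local_key_id(key_id):
    return encode_attribute(LOCAL_KEY_ID_OID, 0x04, key_id)


def _read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_attribute(der):
    """Return (dotted_oid, [raw value bodies]) for one DER Attribute."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    tag, set_body, pos = _read_tlv(seq, pos)
    if tag != 0x31:
        raise ValueError("expected SET")
    values, p = [], 0
    while p < len(set_body):
        _, v, p = _read_tlv(set_body, p)
        values.append(v)
    return decode_oid(oid_body), values


def find_local_key_id(attributes):
    """Return the localKeyId bytes from a bag's attribute list, or None.
    A PKCS#12 consumer matches the certificate bag and key bag that carry
    the same localKeyId; a consumer that skips this attribute cannot pair them."""
    for der in attributes:
        oid, values = parse_attribute(der)
        if oid == LOCAL_KEY_ID_OID and values:
            return values[0]
    return None


if __name__ == "__main__":
    # Constructed sample bag attributes: a friendlyName plus a localKeyId.
    bag_attrs = [
        encode_attribute(FRIENDLY_NAME_OID, 0x1E, "card".encode("utf-16-be")),
        encode_local_key_id(b"\x01\x02"),
    ]
    print("localKeyId:", find_local_key_id(bag_attrs).hex())
```

The OID encoding is the same base-128 scheme used for every DER OID, so a hex dump of a bag's attributes should show 06 09 2A 86 48 86 F7 0D 01 09 15 right before the SET holding the key id; that is the byte pattern to look for when checking whether a middleware or PKCS#12 file actually carries the attribute.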