active-directory - Create Certificates for PKINIT-based Kerberos login on Active Directory
问题描述
I'm trying to set-up a PKINIT-based Kerberos login on a Active Directory. The login shall be performed using sssd on Linux. However, the kerberos server does not accept the client certificate. We receive an error with event ID 21: Certificate for user REALM/Domainuser is not valid on the server and sssd says: Client name mismatch.
The certificates were created with the following procedure on a different Linux machine:
openssl req -new -key keyfile.pem -out reqfile.pem -subj "/CN=Domainuser/O=AAA/C=DE/OU=BBB"
env REALM=REALM.local CLIENT=Domainuser openssl x509 \ -CAkey ../ca_privkey.pem -CA ../ca_cert.pem -req -in reqfile.pem \ -extensions client_cert -extfile extensions.client \ -days 365 -out certfile.pem
We installed the AD CA on the Windows Server that hosts the AD itself. We exported the certificte of this CA to the Linux machine and stored its private key and certificate in the ca_privkey.pem
and ca_cert.pem
files to use it with openssl
.
The client_cert
we used during signature creation was created using the template suggested by sssd. The only thing we added is the crlDistributionPoints
option to include the CRL of the CA:
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
crlDistributionPoints=URI:http://link-to-CRL-of-CA
[princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq
[principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals
[principals]
princ1=GeneralString:${ENV::CLIENT}
The realm used for the authentication is REALM.local (equal to the AD Domain). The environment variables REALM
and CLIENT
are set to REALM.LOCAL
and pkuser
during certificate creation and the user pkuser
also exists in the AD (Password-based login is possible).
I have no clue why the authentication is not successful. Do you have any ideas what might be wrong in the configuration or give me a hint s.t. Windows prints a more detailed error message? Note, that certutil -verify -urlfetch certfile.pem
is able to validate the whole certificate chain and does not print any errors when executed with the Administrator
command on the AD server.
I assume that there are some configuration errors on the Windows Server. This is the first time I configured a Windows Server ;)
解决方案
最后,我们弄清楚了问题所在。Windows AD 需要额外的扩展密钥使用字段来允许身份验证。
您必须添加1.3.6.1.5.5.7.3.2
和1.3.6.1.4.1.311.20.2.2
。
此外,SAN 必须设置为:otherName:1.3.6.1.4.1.311.20.2.3;UTF8:<client-name>@<realm>
推荐阅读
- amazon-web-services - 在 AWS 上部署 Antd Pro
- .net - 在 Swashbuckle.Core 中使用 IIS 虚拟目录为所有端点添加前缀
- java - 使用java从json对象中提取json字符串数组值
- algorithm - 更改伪代码以便我们摆脱循环
- google-cloud-composer - 无法删除 GCP Cloud Composer 环境
- c - 如何在c中使用多个指向一个二维数组的指针?
- postgresql - pgSQL-INSERT 前触发函数检查是否存在具有相同 ID 的记录
- angular - Angular 8 - 检查后表达式已更改
- algorithm - 寻找无重访图遍历路径(所有顶点)的优化策略
- confluent-platform - 无法在 Arcadia BI 工具中加载 KSQL 表