Hi,
Login fails with "dual-persona" enabled DoD CAC - XEROX (FOR DOD) using kerberos cac authentication
The printer is configured for CAC authentication.
Login Name for the CAC User in Active Directory = 2001439475@mil
Login Name being used by the printer when the CAC is inserted = 2001439750170084@mil
DoD has enabled "dual-persona" on their CAC cards; when those cards are used in our products, the smart card login fails. From the network traces, we see that the AS-REQ is sent with the PIV user name (16-digit name) instead of the CAC name (10 digits).
On further analysis we observed that the credentials cache is populated with the PIV user name as the default principal name.
/opt/nc/dlms/kerberos/apps/klist -c /tmp/krbtc_1 -f
Output:
Ticket cache: FILE:/tmp/krbtc_1
Default principal: 2001439750170084\@mil@CAC12DOM.LAB
Valid starting Expires Service principal
09/27/17 11:57:32 09/27/17 21:57:37 krbtgt/CAC12DOM.LAB@CAC12DOM.LAB
renew until 09/28/17 11:57:32, Flags: FRIA
09/27/17 11:57:38 09/27/17 21:57:37 ldap/cac2.cac12dom.lab@
renew until 09/28/17 11:57:32, Flags: FRAO
09/27/17 11:57:38 09/27/17 21:57:37 renew until 09/28/17 11:57:32, Flags: FRAO
We get the principal name from a certificate associated with authentication on the card. Since the DoD is using Dual ID cards, odds are we are pulling the first cert that is an authentication cert from the card (in this case PIV based one).
This is found in pkinit_matching or pkinit_identity.
How could we change the order here so that it pulls the CAC authentication certificate instead of the PIV certificate in the Kerberos PKINIT module?
How could we switch between the CAC authentication certificate and the PIV certificate in the PKINIT module in Kerberos?
Regards,
Nishanth
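In an MIT-derived krb5 client, the selection logic in pkinit_matching.c is driven by the pkinit_cert_match option in krb5.conf rather than by the order in which certificates are enumerated from the card, so a matching rule can pin the CAC authentication certificate. This is an added configuration example, not from the original post or the printer's firmware; it assumes the CAC certificate carries the 10-digit @mil UPN in its SAN as shown above, that the realm name CAC12DOM.LAB from the klist output applies, that the printer's build honours [realms] PKINIT options, and that the regex flavour is POSIX extended.

```ini
[realms]
    CAC12DOM.LAB = {
        # Added example (assumption: the printer's krb5 build supports
        # pkinit_cert_match). Rules are tried in order; a rule is accepted
        # only when exactly one certificate on the card matches it, so the
        # 16-digit PIV identity (2001439750170084@mil) is never selected
        # even if it is the first authentication certificate enumerated.
        #
        # Preferred rule: require the Microsoft smart-card-logon EKU AND a
        # SAN UPN made of exactly 10 digits followed by @mil
        # (&& means every listed test must match).
        pkinit_cert_match = &&<EKU>msScLogin<SAN>^[0-9]{10}@mil$

        # Fallback rule, used only if no single certificate matched above
        # (assumption: some cards may lack the msScLogin EKU).
        pkinit_cert_match = <SAN>^[0-9]{10}@mil$
    }
```

After the change, verify with klist that "Default principal" now shows the 10-digit CAC name, and check the AS-REQ in a network trace for the same client principal.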