To whom it may concern, I have recently started using MIT Kerberos 5 version 1.10.1 with PKINIT talking to a Microsoft Active Directory server. It fails due to verify_kdc_san() not setting *valid_san to a non-zero value (or pkinit_as_rep_parse() not having any way to set it to a non-zero value before calling verify_kdc_san()). Below is the debuging output from "kinit" after modifying crypto_retrieve_X509_sans() to write the certificate to stdout in PEM format. $ kinit ... PKCS7 Verification Success verify_kdc_san: pkinit_kdc_hostname values found in config file crypto_retrieve_X509_sans: Looking for SANs in cert: -----BEGIN CERTIFICATE----- MIIFVzCCBMCgAwIBAgIKR+v9ugABAAAgcTANBgkqhkiG9w0BAQUFADBqMRMwEQYK CZImiZPyLGQBGRYDbWlsMRQwEgYKCZImiZPyLGQBGRYEYXJteTEVMBMGCgmSJomT 8ixkARkWBXVzYWNlMRIwEAYKCZImiZPyLGQBGRYCZHMxEjAQBgNVBAMTCVVTQUNF LUNBMjAeFw0xMTEyMDYwNjQ5MTdaFw0xMzA2MjEwMDA0NTNaMCsxKTAnBgNVBAMT IEVJUy1EQzFJVEwuZWlzLmRzLnVzYWNlLmFybXkubWlsMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCdgVyGYVDF1Hrg6jN0FyrnKqlQv5UiTtbJZnmWH8m4xYGn m/SCiJyecXzem6VoUUsWH5y4Ro+GkYZTRuNho7bQ5daEDkWCASytJXlk1oC44Voa oeYvVjVlXPri3iXZ2pgIXHIbUad7Ummip7mGHbsr31NgNM3bcF/ifX5LA225vwID AQABo4IDQTCCAz0wCwYDVR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZI hvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAd BgNVHQ4EFgQURP+M3QsMOvhBFPoChvfeJaCSlQMwLwYJKwYBBAGCNxQCBCIeIABE AG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB8GA1UdIwQYMBaAFPlF6VHp RFRGukyvLIb+i2GNGnJxMIIBHwYDVR0fBIIBFjCCARIwggEOoIIBCqCCAQaGgcJs ZGFwOi8vL0NOPVVTQUNFLUNBMigxKSxDTj1FSVMtR0MyQ1BDLENOPUNEUCxDTj1Q dWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0 aW9uLERDPWRzLERDPXVzYWNlLERDPWFybXksREM9bWlsP2NlcnRpZmljYXRlUmV2 b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2lu dIY/aHR0cDovL2Vpcy1nYzJjcGMuZHMudXNhY2UuYXJteS5taWwvQ2VydEVucm9s bC9VU0FDRS1DQTIoMSkuY3JsMIIBMwYIKwYBBQUHAQEEggElMIIBITCBtAYIKwYB BQUHMAKGgadsZGFwOi8vL0NOPVVTQUNFLUNBMixDTj1BSUEsQ049UHVibGljJTIw S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1k cyxEQz11c2FjZSxEQz1hcm15LERDPW1pbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2Jq ZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBoBggrBgEFBQcwAoZcaHR0 cDovL2Vpcy1nYzJjcGMuZHMudXNhY2UuYXJteS5taWwvQ2VydEVucm9sbC9FSVMt R0MyQ1BDLmRzLnVzYWNlLmFybXkubWlsX1VTQUNFLUNBMigxKS5jcnQwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4GBAAi1jQhn YbuXUpSJeHhQgUY9639mgs75oEwt7yCdNqgdu2ZnItFk9MwePvXyoU1UzSqAKpoh esXNDP9R1CBNUhgiiWO0ve0vBqjUDE/Rh6uQeZh/leVG03hIAUTKa2+5VuJlsl1G FkuLo4f/lrWooCQn9KpWziHgTanb2S38dwPo -----END CERTIFICATE----- crypto_retrieve_X509_sans: looking for SANs in cert = /CN=EIS-DC1ITL.eis.ds.usace.army.mil verify_kdc_san: Checking pkinit sans verify_kdc_san: no pkinit san match found verify_kdc_san: no certhosts (or we wouldn't accept them anyway) verify_kdc_san: returning retval -1765328308, valid_san 0, need_eku_checking 1 pkinit_as_rep_parse returning -1765328308 (KDC name mismatch) pkinit_as_rep_parse returned -1765328308 (KDC name mismatch) pkinit_client_process: returning -1765328308 (KDC name mismatch) ... My krb5.conf contains: [libdefaults] default_realm = EIS.DS.USACE.ARMY.MIL pkinit_kdc_hostname = EIS-DC1ITL.eis.ds.usace.army.mil ... [realms] EIS.DS.USACE.ARMY.MIL = { kdc = eis-dc1itl.eis.ds.usace.army.mil default_domain = eis.ds.usace.army.mil admin_server = eis-dc1itl.eis.ds.usace.army.mil } Given this it should be entirely possible to verify that my KDC is who I expect it to be as I have explicitly specified it and the certificate chain has been validated. This would comply with section 3.2.4 of RFC 4556. I would like for PKINIT to succeed under these circumstances. Thanks, -- (U) Roy Keene (U) US Army Corps of Engineers IT (ACE-IT) (U) Contractor