MS IWA - extended protection - SSPI - channel binding

Peter peter at motyka.org
Tue Sep 22 12:50:19 EDT 2009


On Aug 27, 1:26 pm, Jeffrey Altman <jalt... at secure-endpoints.com>
wrote:
> Markus Moeller wrote:
> > I am reading the MS article about IWA and extended protection
> > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
> > affects GSSAPI based applications like Apache with mod_auth_kerb ?  Does
> > this mean MS has added channel bindings to SSPI ?
>
> > Unfortunately I don't have Windows 7 to test.
>
> > Thank you
> > Markus
>
> You do not need Windows 7.   The change was backported all the way to XP
> SP2 and the update was pushed as critical two weeks ago.
> When activated GSS-API over TLS will use channel bindings if the
> application requests extended protection.
>
> Jeffrey Altman

From what I can tell, this change was not pushed as a critical update,
I had to install a patch manually to get channel binding capability
for Windows XP (http://support.microsoft.com/kb/968389).  I've done
some experimenting with both Windows 7 and Windows XP and channel
binding definitely behaves differently on the two platforms.  With
Windows 7, IWA authentication appears to provide channel binding
regardless if the application requests extended protection.  Actually,
this is causing a runtime failure in my Java application using jgss
without any channel bindings defined on the acceptor:

GSSException: Channel binding mismatch (Mechanism level:
ChannelBinding not provided!)

The only way I can get around this error message with Windows 7 is to
disable extended protection via the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection
(0 disabled - 1 enabled)

I can't get Windows XP to send channel binding information in my IWA
scenario.  I suspect it has something to do with my acceptor not
specifying the need for extended protection, I'm not really sure.

The major difference between the platform implementations I can see
is, Windows 7 always sends extended protected data for IWA, Windows XP
only sends extended protected data when necessary (can't verify
this...)

Peter Motyka