MS IWA - extended protection - SSPI - channel binding

Markus Moeller huaraz at moeller.plus.com
Tue Sep 22 16:22:02 EDT 2009


What is the Java problem? Does Java not ignore channel bindings when set to 
GSS_C_NO_CHANNEL_BINDINGS in gss_accept as C does? Does Windows use any 
data in the channel binding or just the src/dest IPs? Where is that 
documented (I couldn't find it)?

Thank you
Markus

"Peter" <peter at motyka.org> wrote in message 
news:8072f979-c6b4-42d1-a5f8-f80f5dee5191 at p15g2000vbl.googlegroups.com...
On Aug 27, 1:26 pm, Jeffrey Altman <jalt... at secure-endpoints.com>
wrote:
> Markus Moeller wrote:
> > I am reading the MS article about IWA and extended protection
> > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
> > affects GSSAPI based applications like Apache with mod_auth_kerb ? Does
> > this mean MS has added channel bindings to SSPI ?
>
> > Unfortunately I don't have Windows 7 to test.
>
> > Thank you
> > Markus
>
> You do not need Windows 7. The change was backported all the way to XP
> SP2 and the update was pushed as critical two weeks ago.
> When activated GSS-API over TLS will use channel bindings if the
> application requests extended protection.
>
> Jeffrey Altman

From what I can tell, this change was not pushed as a critical update,
I had to install a patch manually to get channel binding capability
for Windows XP (http://support.microsoft.com/kb/968389).  I've done
some experimenting with both Windows 7 and Windows XP and channel
binding definitely behaves differently on the two platforms.  With
Windows 7, IWA authentication appears to provide channel binding
regardless of whether the application requests extended protection.  Actually,
this is causing a runtime failure in my Java application using jgss
without any channel bindings defined on the acceptor:

GSSException: Channel binding mismatch (Mechanism level:
ChannelBinding not provided!)

The only way I can get around this error message with Windows 7 is to
disable extended protection via the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
\SuppressExtendedProtection (0 disabled - 1 enabled)

I can't get Windows XP to send channel binding information in my IWA
scenario.  I suspect it has something to do with my acceptor not
specifying the need for extended protection, I'm not really sure.

The major difference between the platform implementations I can see
is, Windows 7 always sends extended protected data for IWA, Windows XP
only sends extended protected data when necessary (can't verify
this...)

Peter Motyka
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
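The following is an added example, not code from the thread, from MIT krb5, from JGSS or from Microsoft. It reproduces the piece of the protocol the thread argues about: the 16-byte "Bnd" field of the Kerberos GSS authenticator checksum (RFC 1964 / RFC 4121 section 4.1.1), which is an MD5 hash over the initiator's gss_channel_bindings_struct and is all zeros when the initiator passed GSS_C_NO_CHANNEL_BINDINGS. It then models the two acceptor policies the posts describe: a C acceptor that skips the comparison when the application supplied no bindings, and a JGSS-style acceptor that fails with "ChannelBinding not provided!" when it sees a non-zero Bnd without local bindings. Assumptions, all constructed for the example: the certificate bytes are fake, the Extended Protection initiator is modelled as hashing a tls-server-end-point (RFC 5929) value with zero address types and no addresses, SHA-256 is used as the certificate hash, the Windows 7 initiator always sends the EPA hash and the XP initiator sends a zero Bnd (Peter's observations above, not verified here), and the acceptor functions are models of the behaviour described, not calls into any real library.

```python
import hashlib
import struct

# Address families from RFC 2744. A SEC_CHANNEL_BINDINGS structure built from a
# TLS endpoint is assumed here to carry address type 0 and no address bytes.
GSS_C_AF_UNSPEC = 0
GSS_C_AF_NULLADDR = 255
ZERO_BND = bytes(16)


def encode_channel_bindings(initiator_addrtype, initiator_address,
                            acceptor_addrtype, acceptor_address,
                            application_data):
    """Serialise a gss_channel_bindings_struct the way RFC 1964 section 4.1.1.2
    prescribes for the Bnd hash: each address type and each buffer length is
    four bytes little-endian, every length is present even when zero, and
    buffer contents follow only when the length is non-zero."""
    def buf(data):
        return struct.pack("<I", len(data)) + data
    return (struct.pack("<I", initiator_addrtype) + buf(initiator_address)
            + struct.pack("<I", acceptor_addrtype) + buf(acceptor_address)
            + buf(application_data))


def bnd_checksum(bindings):
    """Bnd field of the authenticator checksum: MD5 over the encoding above, or
    16 zero bytes when the application passed GSS_C_NO_CHANNEL_BINDINGS
    (modelled as None)."""
    if bindings is None:
        return ZERO_BND
    return hashlib.md5(encode_channel_bindings(*bindings)).digest()


def tls_server_end_point(cert_der):
    """RFC 5929 tls-server-end-point data: prefix plus a hash of the server
    certificate. SHA-256 is assumed (RFC 5929 mandates it for certificates
    signed with MD5 or SHA-1)."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def epa_bindings(cert_der):
    """Bindings an Extended Protection initiator is assumed to hash: no
    addresses, application_data = the tls-server-end-point value."""
    return (GSS_C_AF_UNSPEC, b"", GSS_C_AF_UNSPEC, b"",
            tls_server_end_point(cert_der))


def accept_ignoring_absent_bindings(peer_bnd, local_bindings):
    """Model of the C gss_accept_sec_context behaviour discussed in the thread:
    Bnd is compared only when the application supplied bindings."""
    if local_bindings is None:
        return True
    return peer_bnd == bnd_checksum(local_bindings)


def accept_requiring_declared_bindings(peer_bnd, local_bindings):
    """Model of the JGSS failure quoted above: a non-zero Bnd arriving at an
    acceptor with no local bindings is a channel binding mismatch."""
    if local_bindings is None:
        return peer_bnd == ZERO_BND
    return peer_bnd == bnd_checksum(local_bindings)


def run_scenarios():
    """Constructed sample: fake certificate bytes, a Windows 7 style initiator
    that always sends the EPA hash, an XP style initiator that sends a zero
    Bnd, and both acceptor policies with and without local bindings.
    Returns {scenario name: accepted?}."""
    server_cert = b"\x30\x82\x01\x00constructed-server-cert-bytes"
    other_cert = b"\x30\x82\x01\x00constructed-other-cert-bytes"

    win7_bnd = bnd_checksum(epa_bindings(server_cert))  # EPA data always sent
    xp_bnd = bnd_checksum(None)                         # nothing sent

    return {
        "win7 -> C acceptor, no bindings":
            accept_ignoring_absent_bindings(win7_bnd, None),
        "win7 -> JGSS acceptor, no bindings":
            accept_requiring_declared_bindings(win7_bnd, None),
        "xp -> JGSS acceptor, no bindings":
            accept_requiring_declared_bindings(xp_bnd, None),
        "win7 -> acceptor with matching cert":
            accept_requiring_declared_bindings(win7_bnd, epa_bindings(server_cert)),
        "win7 -> acceptor behind a different TLS cert":
            accept_requiring_declared_bindings(win7_bnd, epa_bindings(other_cert)),
        "xp -> acceptor with bindings":
            accept_requiring_declared_bindings(xp_bnd, epa_bindings(server_cert)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:46s} {'accepted' if ok else 'REJECTED'}")
```

The two scenarios that differ are the ones the thread is about: the same non-zero Bnd from a Windows 7 client is silently accepted by the first policy and rejected by the second when the acceptor passed no bindings. The last three rows show what an acceptor gains by supplying its own tls-server-end-point value: a client that authenticated through a different TLS endpoint, or one that sent no binding at all, no longer passes.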
