MS IWA - extended protection - SSPI - channel binding
Nicolas Williams
Nicolas.Williams at sun.com
Tue Sep 22 16:33:50 EDT 2009
On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> From what I can tell, this change was not pushed as a critical update,
> I had to install a patch manually to get channel binding capability
> for Windows XP (http://support.microsoft.com/kb/968389). I've done
> some experimenting with both Windows 7 and Windows XP and channel
> binding definitely behaves differently on the two platforms. With
> Windows 7, IWA authentication appears to provide channel binding
> regardless if the application requests extended protection. Actually,
> this is causing a runtime failure in my Java application using jgss
> without any channel bindings defined on the acceptor:
>
> GSSException: Channel binding mismatch (Mechanism level:
> ChannelBinding not provided!)

The JGSS issue is CR #6851973:

    6851973 ignore incoming channel binding if acceptor does not set one

The fix will be in the October 2009 updates. (The fix was integrated
into build b64.)

Nico
--