MS IWA - extended protection - SSPI - channel binding

Nicolas Williams Nicolas.Williams at
Tue Sep 22 16:33:50 EDT 2009

On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> From what I can tell, this change was not pushed as a critical update,
> I had to install a patch manually to get channel binding capability
> for Windows XP (  I've done
> some experimenting with both Windows 7 and Windows XP and channel
> binding definitely behaves differently on the two platforms.  With
> Windows 7, IWA authentication appears to provide channel binding
> regardless of whether the application requests extended protection.  Actually,
> this is causing a runtime failure in my Java application using jgss
> without any channel bindings defined on the acceptor:
> GSSException: Channel binding mismatch (Mechanism level:
> ChannelBinding not provided!)

The JGSS issue is CR #6851973:

6851973 ignore incoming channel binding if acceptor does not set one

The fix will be in the October 2009 updates.  (The fix was integrated
into build b64.)

