MS IWA - extended protection - SSPI - channel binding

Nicolas Williams Nicolas.Williams at sun.com
Tue Sep 22 16:33:50 EDT 2009


On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> From what I can tell, this change was not pushed as a critical update,
> I had to install a patch manually to get channel binding capability
> for Windows XP (http://support.microsoft.com/kb/968389).  I've done
> some experimenting with both Windows 7 and Windows XP and channel
> binding definitely behaves differently on the two platforms.  With
> Windows 7, IWA authentication appears to provide channel binding
> regardless if the application requests extended protection.  Actually,
> this is causing a runtime failure in my Java application using jgss
> without any channel bindings defined on the acceptor:
> 
> GSSException: Channel binding mismatch (Mechanism level:
> ChannelBinding not provided!)

The JGSS issue is CR #6851973:

6851973 ignore incoming channel binding if acceptor does not set one

The fix will be in the October 2009 updates.  (The fix was integrated
into build b64.)

Nico
-- 


