MS IWA - extended protection - SSPI - channel binding

Peter peter at motyka.org
Tue Sep 22 19:04:02 EDT 2009


On Sep 22, 2:33 pm, Nicolas Williams <Nicolas.Willi... at sun.com> wrote:
> On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> > From what I can tell, this change was not pushed as a critical update;
> > I had to install a patch manually to get channel binding capability
> > for Windows XP (http://support.microsoft.com/kb/968389).  I've done
> > some experimenting with both Windows 7 and Windows XP and channel
> > binding definitely behaves differently on the two platforms.  With
> > Windows 7, IWA authentication appears to provide channel binding
> > regardless of whether the application requests extended protection.  Actually,
> > this is causing a runtime failure in my Java application using jgss
> > without any channel bindings defined on the acceptor:
>
> > GSSException: Channel binding mismatch (Mechanism level:
> > ChannelBinding not provided!)
>
> The JGSS issue is CR #6851973:
>
> 6851973 ignore incoming channel binding if acceptor does not set one
>
> The fix will be in the October 2009 updates.  (The fix was integrated
> into build b64.)
>
> Nico
> --

Thanks for the info, Nico.  I went to preview the update, but I'm not
seeing a b64.  Am I looking in the wrong place?
http://download.java.net/jdk6/latest_binaries/

Latest available seems to be b02.

Peter


