MS IWA - extended protection - SSPI - channel binding

Peter peter at motyka.org
Tue Sep 22 22:41:57 EDT 2009


On Sep 22, 5:04 pm, Peter <pe... at motyka.org> wrote:
> On Sep 22, 2:33 pm, Nicolas Williams <Nicolas.Willi... at sun.com> wrote:
>
>
>
> > On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> > > From what I can tell, this change was not pushed as a critical update;
> > > I had to install a patch manually to get channel binding capability
> > > for Windows XP (http://support.microsoft.com/kb/968389).  I've done
> > > some experimenting with both Windows 7 and Windows XP and channel
> > > binding definitely behaves differently on the two platforms.  With
> > > Windows 7, IWA authentication appears to provide channel binding
> > > regardless of whether the application requests extended protection.  Actually,
> > > this is causing a runtime failure in my Java application using jgss
> > > without any channel bindings defined on the acceptor:
>
> > > GSSException: Channel binding mismatch (Mechanism level:
> > > ChannelBinding not provided!)
>
> > The JGSS issue is CR #6851973:
>
> > 6851973 ignore incoming channel binding if acceptor does not set one
>
> > The fix will be in the October 2009 updates.  (The fix was integrated
> > into build b64.)
>
> > Nico
> > --
>
> Thanks for the info, Nico.  I went to preview the update, but I'm not
> seeing a b64.  Am I looking in the wrong place? http://download.java.net/jdk6/latest_binaries/
>
> Latest available seems to be b02.
>
> Peter

Apologies Nico, I assumed you meant 6851973 would be part of updates
for the Java SE 6 Update 18 release.  I noticed the fix in the
OpenJDK7 code base (http://hg.openjdk.java.net/jdk7/tl/jdk/rev/37ed72fe7561)
and will see about having it backported to OpenJDK6 for Update 18 via
the jdk6-dev mail list.

Peter



