[31419] in Kerberos
Re: MS IWA - extended protection - SSPI - channel binding
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Aug 27 15:27:41 2009
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: kerberos@mit.edu
Message-ID: <4A96DDEF.2060007@secure-endpoints.com>
Date: Thu, 27 Aug 2009 15:26:39 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
MIME-Version: 1.0
To: huaraz@moeller.plus.com
In-Reply-To: <h76jvo$fs2$1@ger.gmane.org>
Cc: kerberos@mit.edu
Reply-To: jaltman@secure-endpoints.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Markus Moeller wrote:
> I am reading the MS article about IWA and extended protection
> http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
> affects GSSAPI based applications like Apache with mod_auth_kerb ? Does
> this mean MS has added channel bindings to SSPI ?
>
> Unfortunately I don't have Windows 7 to test.
>
> Thank you
> Markus
You do not need Windows 7. The change was backported all the way to XP
SP2 and the update was pushed as critical two weeks ago.
When activated GSS-API over TLS will use channel bindings if the
application requests extended protection.
Jeffrey Altman
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
