[31496] in Kerberos
Re: MS IWA - extended protection - SSPI - channel binding
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Sep 22 16:45:52 2009
Date: Tue, 22 Sep 2009 15:33:50 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Peter <peter@motyka.org>
Message-ID: <20090922203350.GS1033@Sun.COM>
In-Reply-To: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com>
Cc: kerberos@mit.edu
On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> From what I can tell, this change was not pushed as a critical update,
> I had to install a patch manually to get channel binding capability
> for Windows XP (http://support.microsoft.com/kb/968389). I've done
> some experimenting with both Windows 7 and Windows XP and channel
> binding definitely behaves differently on the two platforms. With
> Windows 7, IWA authentication appears to provide channel binding
> regardless if the application requests extended protection. Actually,
> this is causing a runtime failure in my Java application using jgss
> without any channel bindings defined on the acceptor:
>
> GSSException: Channel binding mismatch (Mechanism level:
> ChannelBinding not provided!)

The JGSS issue is CR #6851973:

    6851973 ignore incoming channel binding if acceptor does not set one

The fix will be in the October 2009 updates. (The fix was integrated
into build b64.)

Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
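
The acceptor-side decision discussed in this thread, as an added example that is not part of the original message and is not JGSS source code: a small model of the comparison of the Kerberos channel-binding hash (the Bnd field of RFC 4121 section 4.1.1) with and without the behaviour named in the CR title. The class name, the `ignoreWhenUnset` switch, the sample binding strings and the choice of unspecified address fields (type 0, length 0) are assumptions made for the illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added illustration (hypothetical class, not JGSS code): models how an acceptor
// treats the initiator's 16-byte Bnd value when it has, or has not, set bindings.
public class BndCheck {
    static final byte[] NO_BINDING = new byte[16];   // all zeros: initiator sent no bindings

    // 32-bit little-endian integer, the encoding used for the Bnd hash input.
    static void le32(ByteArrayOutputStream out, int v) {
        for (int i = 0; i < 4; i++) out.write((v >>> (8 * i)) & 0xff);
    }

    // MD5 over the channel-bindings structure. Assumption: both address fields are
    // unspecified (type 0, length 0), so only the application data contributes.
    static byte[] bnd(byte[] appData) throws Exception {
        if (appData == null) return NO_BINDING.clone();
        ByteArrayOutputStream s = new ByteArrayOutputStream();
        le32(s, 0); le32(s, 0);          // initiator address type, length
        le32(s, 0); le32(s, 0);          // acceptor address type, length
        le32(s, appData.length);
        s.write(appData, 0, appData.length);
        return MessageDigest.getInstance("MD5").digest(s.toByteArray());
    }

    // Returns null when the context would be accepted, otherwise the failure reason.
    static String accept(byte[] initiatorBnd, byte[] acceptorAppData, boolean ignoreWhenUnset)
            throws Exception {
        if (acceptorAppData == null) {
            boolean initiatorSent = !Arrays.equals(initiatorBnd, NO_BINDING);
            // Behaviour reported in the thread: an unexpected binding fails the context.
            if (initiatorSent && !ignoreWhenUnset) return "Channel binding mismatch";
            return null;                 // accepted, but the channel is not verified
        }
        // Acceptor set bindings: enforce them with a constant-time comparison.
        return MessageDigest.isEqual(initiatorBnd, bnd(acceptorAppData))
                ? null : "Channel binding mismatch";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real TLS session.
        byte[] tls = "tls-server-end-point:constructed-sample".getBytes(StandardCharsets.US_ASCII);
        byte[] other = "tls-server-end-point:different-channel".getBytes(StandardCharsets.US_ASCII);
        byte[] fromClient = bnd(tls);
        System.out.println("acceptor unset, strict:  " + accept(fromClient, null, false));
        System.out.println("acceptor unset, ignore:  " + accept(fromClient, null, true));
        System.out.println("acceptor set, same:      " + accept(fromClient, tls, true));
        System.out.println("acceptor set, different: " + accept(fromClient, other, true));
    }
}
```

Ignoring the incoming value restores interoperability but gives no protection against a relayed authentication; an acceptor that wants extended protection has to supply its own bindings (in JGSS, through `GSSContext.setChannelBinding`) so that the comparison in the last branch is actually made.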