[31498] in Kerberos
Re: MS IWA - extended protection - SSPI - channel binding
daemon@ATHENA.MIT.EDU (Peter)
Tue Sep 22 20:53:29 2009
From: Peter <peter@motyka.org>
Date: Tue, 22 Sep 2009 16:04:02 -0700 (PDT)
Message-ID: <7f07a383-9624-4acf-9794-311b6e5b66a6@l35g2000vba.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Sep 22, 2:33 pm, Nicolas Williams <Nicolas.Willi...@sun.com> wrote:
> On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> > From what I can tell, this change was not pushed as a critical update,
> > I had to install a patch manually to get channel binding capability
> > for Windows XP (http://support.microsoft.com/kb/968389). I've done
> > some experimenting with both Windows 7 and Windows XP and channel
> > binding definitely behaves differently on the two platforms. With
> > Windows 7, IWA authentication appears to provide channel binding
> > regardless if the application requests extended protection. Actually,
> > this is causing a runtime failure in my Java application using jgss
> > without any channel bindings defined on the acceptor:
>
> > GSSException: Channel binding mismatch (Mechanism level:
> > ChannelBinding not provided!)
>
> The JGSS issue is CR #6851973:
>
> 6851973 ignore incoming channel binding if acceptor does not set one
>
> The fix will be in the October 2009 updates. (The fix was integrated
> into build b64.)
>
> Nico
> --
Thanks for the info, Nico. I went to preview the update, but I'm not
seeing a b64. Am I looking in the wrong place?
http://download.java.net/jdk6/latest_binaries/
Latest available seems to be b02.
Peter
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
