
MS IWA - extended protection - SSPI - channel binding


Markus Moeller

Aug 27, 2009, 2:40:35 PM
to kerb...@mit.edu
I am reading the MS article about IWA and extended protection
http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
affects GSSAPI based applications like Apache with mod_auth_kerb? Does
this mean MS has added channel bindings to SSPI?

Unfortunately I don't have Windows 7 to test.

Thank you
Markus


Jeffrey Altman

Aug 27, 2009, 3:26:39 PM
to hua...@moeller.plus.com, kerb...@mit.edu
You do not need Windows 7. The change was backported all the way to XP
SP2 and the update was pushed as critical two weeks ago.
When activated, GSS-API over TLS will use channel bindings if the
application requests extended protection.

Jeffrey Altman


Peter

Sep 22, 2009, 12:50:19 PM
On Aug 27, 1:26 pm, Jeffrey Altman <jalt...@secure-endpoints.com>
wrote:
> Markus Moeller wrote:
> > I am reading the MS article about IWA and extended protection
> > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
> > affects GSSAPI based applications like Apache with mod_auth_kerb? Does
> > this mean MS has added channel bindings to SSPI?
> >
> > Unfortunately I don't have Windows 7 to test.
> >
> > Thank you
> > Markus
>
> You do not need Windows 7. The change was backported all the way to XP
> SP2 and the update was pushed as critical two weeks ago.
> When activated GSS-API over TLS will use channel bindings if the
> application requests extended protection.
>
> Jeffrey Altman

From what I can tell, this change was not pushed as a critical update,
I had to install a patch manually to get channel binding capability
for Windows XP (http://support.microsoft.com/kb/968389). I've done
some experimenting with both Windows 7 and Windows XP and channel
binding definitely behaves differently on the two platforms. With
Windows 7, IWA authentication appears to provide channel binding
regardless of whether the application requests extended protection. Actually,
this is causing a runtime failure in my Java application using jgss
without any channel bindings defined on the acceptor:

GSSException: Channel binding mismatch (Mechanism level:
ChannelBinding not provided!)

The only way I can get around this error message with Windows 7 is to
disable extended protection via the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection (0 disabled - 1 enabled)

I can't get Windows XP to send channel binding information in my IWA
scenario. I suspect it has something to do with my acceptor not
specifying the need for extended protection, I'm not really sure.

The major difference between the platform implementations I can see
is, Windows 7 always sends extended protected data for IWA, Windows XP
only sends extended protected data when necessary (can't verify
this...)

Peter Motyka

Markus Moeller

Sep 22, 2009, 4:22:02 PM
to kerb...@mit.edu
What is the Java problem? Does Java not ignore channel bindings when set to
GSS_C_NO_CHANNEL_BINDINGS in gss_accept as C does? Does Windows use any
data in the channel binding or just the src/dest IPs? Where is that
documented (I couldn't find it)?

Thank you
Markus



Nicolas Williams

Sep 22, 2009, 4:33:50 PM
to Peter, kerb...@mit.edu
On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> From what I can tell, this change was not pushed as a critical update,
> I had to install a patch manually to get channel binding capability
> for Windows XP (http://support.microsoft.com/kb/968389). I've done
> some experimenting with both Windows 7 and Windows XP and channel
> binding definitely behaves differently on the two platforms. With
> Windows 7, IWA authentication appears to provide channel binding
> regardless if the application requests extended protection. Actually,
> this is causing a runtime failure in my Java application using jgss
> without any channel bindings defined on the acceptor:
>
> GSSException: Channel binding mismatch (Mechanism level:
> ChannelBinding not provided!)

The JGSS issue is CR #6851973:

6851973 ignore incoming channel binding if acceptor does not set one

The fix will be in the October 2009 updates. (The fix was integrated
into build b64.)

Nico

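An added example, not code from JGSS, MIT krb5 or Windows, that covers two points in this thread: Markus's question about what data Windows actually puts in the channel bindings, and the acceptor-side failure Peter reported that Nico's CR 6851973 addresses. What Windows' extended protection binds is the RFC 5929 tls-server-end-point value of the server certificate (a hash of the DER certificate using the hash of its signature algorithm, with MD5 and SHA-1 replaced by SHA-256), carried in the application_data member of the GSS channel bindings with the literal prefix "tls-server-end-point:" and unspecified addresses rather than src/dest IPs. The initiator then puts the RFC 1964 / RFC 4121 MD5 of the little-endian-encoded gss_channel_bindings_struct into the 16-byte Bnd field of the AP-REQ authenticator checksum, and that is the value an acceptor compares. Assumptions: the prefix and the hash mapping are from RFC 5929 and my reading of the Windows behaviour; the "certificate" bytes are constructed and the signature hash name is passed in rather than parsed out of a real certificate; the acceptor policies are a model of the behaviours described in this thread, not JGSS's or MIT's actual code.

```python
"""Channel-binding checksum ("Bnd") for a Kerberos GSS-API AP-REQ and the
acceptor policies discussed in the thread.  Added example; not code from
JGSS, MIT krb5 or Windows."""
import hashlib
import struct

# Address types from RFC 2744 (GSS_C_AF_*).  UNSPEC is what a caller uses
# when it binds only application data such as a TLS certificate hash.
GSS_C_AF_UNSPEC = 0
GSS_C_AF_INET = 2

# Bnd an initiator sends when it passes GSS_C_NO_CHANNEL_BINDINGS:
# sixteen zero bytes.
NO_BINDINGS_BND = bytes(16)


def tls_server_end_point(cert_der: bytes, sig_hash_name: str) -> bytes:
    """RFC 5929 tls-server-end-point: hash the DER certificate with the hash
    of its signatureAlgorithm, except that MD5 and SHA-1 become SHA-256.
    sig_hash_name is supplied by the caller here instead of being parsed."""
    name = sig_hash_name.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def epa_application_data(cert_der: bytes, sig_hash_name: str) -> bytes:
    """application_data that Windows Extended Protection binds: the literal
    prefix followed by the certificate hash (assumption about Windows)."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash_name)


def encode_channel_bindings(app_data: bytes,
                            initiator_addrtype: int = GSS_C_AF_UNSPEC,
                            initiator_addr: bytes = b"",
                            acceptor_addrtype: int = GSS_C_AF_UNSPEC,
                            acceptor_addr: bytes = b"") -> bytes:
    """gss_channel_bindings_struct laid out as RFC 1964 section 4.1.1.2
    requires for hashing: integers (address types and buffer lengths) are
    little-endian, each buffer is its length followed by its bytes, and the
    fields appear in declaration order."""
    def le_int(n: int) -> bytes:
        return struct.pack("<I", n)

    def le_buf(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b

    return (le_int(initiator_addrtype) + le_buf(initiator_addr)
            + le_int(acceptor_addrtype) + le_buf(acceptor_addr)
            + le_buf(app_data))


def channel_binding_checksum(app_data: bytes, **addrs) -> bytes:
    """The 16-byte Bnd field: MD5 over the encoded structure (MD5 is what the
    RFC mandates here, so it is flagged as not used for security)."""
    return hashlib.md5(encode_channel_bindings(app_data, **addrs),
                       usedforsecurity=False).digest()


def acceptor_accepts(token_bnd: bytes, acceptor_app_data,
                     ignore_if_unset: bool = True,
                     require_bindings: bool = False) -> bool:
    """Acceptor-side comparison of the Bnd carried in the authenticator.
    acceptor_app_data is None when the acceptor called accept with
    GSS_C_NO_CHANNEL_BINDINGS.  ignore_if_unset=False models the JGSS
    acceptor before CR 6851973, which rejected a non-zero Bnd although it had
    set no bindings of its own (Peter's 'ChannelBinding not provided!').
    require_bindings=True rejects an initiator that sent none (zero Bnd)."""
    if acceptor_app_data is None:
        return ignore_if_unset or token_bnd == NO_BINDINGS_BND
    if token_bnd == NO_BINDINGS_BND:
        return not require_bindings
    return token_bnd == channel_binding_checksum(acceptor_app_data)


if __name__ == "__main__":
    # Constructed stand-in for a DER server certificate, not a real one.
    cert = b"constructed-stand-in-for-a-DER-certificate"
    app = epa_application_data(cert, "sha1")
    bnd = channel_binding_checksum(app)
    print("application_data:", app[:21], "+", app[21:].hex())
    print("Bnd:", bnd.hex())
    print("acceptor with no bindings, fixed behaviour:", acceptor_accepts(bnd, None))
    print("acceptor with no bindings, old JGSS:", acceptor_accepts(bnd, None, ignore_if_unset=False))
```

To check a capture, feed the server's DER certificate and the hash named in its signatureAlgorithm to epa_application_data and compare channel_binding_checksum against the Bnd bytes in the authenticator checksum of the AP-REQ; an all-zero Bnd means the initiator sent no bindings at all, which is how a client that never emitted any would look.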
Peter

Sep 22, 2009, 7:04:02 PM

Thanks for the info, Nico. I went to preview the update, but I'm not
seeing a b64. Am I looking in the wrong place?
http://download.java.net/jdk6/latest_binaries/

Latest available seems to be b02.

Peter

Peter

Sep 22, 2009, 10:41:57 PM
> seeing a b64. Am I looking in the wrong place?
> http://download.java.net/jdk6/latest_binaries/
>
> Latest available seems to be b02.
>
> Peter

Apologies Nico, I assumed you meant 6851973 would be part of updates
for the Java SE 6 Update 18 release. I noticed the fix in the
OpenJDK7 code base (http://hg.openjdk.java.net/jdk7/tl/jdk/rev/
37ed72fe7561) and will see about having it backported to OpenJDK6 for
Update 18 via the jdk6-dev mail list.

Peter
