Unfortunately I don't have Windows 7 to test.
Thank you
Markus
Jeffrey Altman
From what I can tell, this change was not pushed as a critical update;
I had to install a patch manually to get channel binding capability
for Windows XP (http://support.microsoft.com/kb/968389). I've done
some experimenting with both Windows 7 and Windows XP and channel
binding definitely behaves differently on the two platforms. With
Windows 7, IWA authentication appears to provide channel binding
regardless of whether the application requests extended protection. Actually,
this is causing a runtime failure in my Java application using jgss
without any channel bindings defined on the acceptor:
GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
The only way I can get around this error message with Windows 7 is to
disable extended protection via the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection
(0 disabled - 1 enabled)
I can't get Windows XP to send channel binding information in my IWA
scenario. I suspect it has something to do with my acceptor not
specifying the need for extended protection; I'm not really sure.
The major difference between the platform implementations I can see
is that Windows 7 always sends extended protected data for IWA, while
Windows XP only sends extended protected data when necessary (can't
verify this...)
Peter Motyka
Thank you
Markus
"Peter" <pe...@motyka.org> wrote in message
news:8072f979-c6b4-42d1...@p15g2000vbl.googlegroups.com...
Peter Motyka
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
The JGSS issue is CR #6851973:
6851973 ignore incoming channel binding if acceptor does not set one
The fix will be in the October 2009 updates. (The fix was integrated
into build b64.)
Nico
--
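The acceptor-side decision discussed in the messages above, as an added Java example that is not code from this thread or from the JDK. It models the policy named in the CR title next to the failing behaviour reported earlier. The class and method names are hypothetical, the Bnd hash layout follows RFC 4121 section 4.1.1.2, and the address type value 0 and the binding strings are constructed assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.MessageDigest;
import java.util.Arrays;

// Added illustration: a model of the acceptor-side decision, not JDK source.
public class BndCheckDemo {
    enum Result { ACCEPT, BAD_BINDINGS }

    // Bnd field per RFC 4121 section 4.1.1.2 for bindings that carry only
    // application data: MD5 over little-endian address types and lengths.
    // addrType for the two absent addresses is an assumption the caller supplies.
    static byte[] bnd(byte[] appData, int addrType) throws Exception {
        ByteBuffer b = ByteBuffer.allocate(20 + appData.length)
                                 .order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(addrType).putInt(0);          // initiator address: type, length 0
        b.putInt(addrType).putInt(0);          // acceptor address: type, length 0
        b.putInt(appData.length).put(appData); // application data: length, bytes
        return MessageDigest.getInstance("MD5").digest(b.array());
    }

    // remoteBnd: 16 bytes from the initiator's token (all zero = none sent).
    // localBnd: hash of the acceptor's own bindings, or null if it set none.
    // ignoreWhenUnset: false models the failure reported in this thread,
    // true models the policy named in the CR title.
    static Result check(byte[] remoteBnd, byte[] localBnd, boolean ignoreWhenUnset) {
        boolean remoteSet = !Arrays.equals(remoteBnd, new byte[16]);
        if (localBnd == null) {
            return (remoteSet && !ignoreWhenUnset) ? Result.BAD_BINDINGS : Result.ACCEPT;
        }
        // Acceptor asked for bindings: require an exact match.
        return MessageDigest.isEqual(remoteBnd, localBnd) ? Result.ACCEPT : Result.BAD_BINDINGS;
    }

    public static void main(String[] args) throws Exception {
        byte[] sent = bnd("constructed-sample-binding".getBytes("UTF-8"), 0);
        byte[] other = bnd("different-constructed-binding".getBytes("UTF-8"), 0);
        byte[] none = new byte[16];
        System.out.println("none sent, acceptor unset:        " + check(none, null, false));
        System.out.println("sent, acceptor unset, strict:     " + check(sent, null, false));
        System.out.println("sent, acceptor unset, ignore:     " + check(sent, null, true));
        System.out.println("sent, acceptor expects same:      " + check(sent, sent, true));
        System.out.println("sent, acceptor expects different: " + check(sent, other, true));
        System.out.println("none sent, acceptor expects one:  " + check(none, other, true));
    }
}
```

With `ignoreWhenUnset` true, an acceptor that never sets bindings stops failing but gains no channel binding protection from the data the initiator sends; only an acceptor that sets its own bindings gets the comparison.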
Thanks for the info, Nico. I went to preview the update, but I'm not
seeing a b64. Am I looking in the wrong place?
http://download.java.net/jdk6/latest_binaries/
Latest available seems to be b02.
Peter
Apologies Nico, I assumed you meant 6851973 would be part of updates
for the Java SE 6 Update 18 release. I noticed the fix in the
OpenJDK7 code base
(http://hg.openjdk.java.net/jdk7/tl/jdk/rev/37ed72fe7561) and will see
about having it backported to OpenJDK6 for Update 18 via the jdk6-dev
mail list.
Peter