Why do I get a GSSException when using Active Directory SSO from Microsoft IE to a Java server?

I was building an Active Directory Single Sign-On authentication system for Java web applications (using SPNEGO/Kerberos), and everything works fine with either Firefox or (reportedly) Safari, but Internet Explorer causes an exception:

GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

In fact, I thought IE worked before a Windows patch was installed.

Best answer

Apparently, Microsoft IE patch KB974455 enabled "Extended Protection" for Integrated Windows Authentication. Normally, with SPNEGO/Kerberos authentication, the client machine acquires a Kerberos/Active Directory ticket for the server and presents this ticket during the HTTP authentication negotiation. As of at least Java 1.6, the Java JGSS-API library is capable of interpreting the SPNEGO/Kerberos negotiation and authenticating the ticket.

With the Extended Protection (see also Extended Protection for Authentication), IE adds a channel binding to the SPNEGO negotiation; what data the channel binding is based on is currently unknown to me, other than that the SSL session identifier seems to be part of it. The Java JGSS-API library attempts to validate the channel binding and cannot without the data the binding is based on. It then throws the channel binding mismatch exception.

The issue has resulted in some internet traffic, including Sun Bug ID 6851973.

According to comments associated with 6851973, RFC 4121, says,

If the caller to GSS_Accept_sec_context [RFC2743] passes in GSS_C_NO_CHANNEL_BINDINGS [RFC2744] as the channel bindings, then the acceptor MAY ignore any channel bindings supplied by the initiator, returning success even if the initiator did pass in channel bindings.

and "all major krb5 implementors implement this MAY". JGSS appears to be requiring the acceptor to provide the channel binding if the initiator is presenting it. Further, the fix is available in Java 7, build 64 and will be backported to Java 5 and 6, although Java 6u18 does not appear to have it as reported in 6851973.

A work-around as seen in Extended Protection for Authentication is to set the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SuppressExtendedProtection

registry setting to 0x02. This disables Extended Protection.
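The following is an added example, not code from the question or the answer above: a minimal JGSS acceptor for the server side of the SPNEGO exchange described in the answer. Its point is to make the channel-binding failure diagnosable, because JGSS reports it through the same GSSException type as a bad ticket, and an operator who only logs `e.getMessage()` cannot tell an Extended Protection client from a genuine authentication failure. The example assumes (this is not on the page) that the caller has already run a JAAS login for the service principal (Krb5LoginModule with a keytab) and passes the resulting `Subject` in, and that one `SpnegoAcceptor` is created per HTTP request. The class and method names are illustrative; only the `org.ietf.jgss` calls and `GSSException.BAD_BINDINGS` are standard Java.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/**
 * Added example (not the original poster's code): a per-request SPNEGO
 * acceptor that distinguishes the "Channel binding mismatch" condition
 * (GSS major status BAD_BINDINGS) from ordinary authentication failures.
 *
 * Assumption (not from the page): the service principal has already been
 * logged in via JAAS and its Subject is supplied by the caller.
 */
public class SpnegoAcceptor {

    /** Outcome of one Negotiate round trip. */
    public static final class Result {
        public final boolean established;   // true once the client is authenticated
        public final String principal;      // e.g. "alice@EXAMPLE.COM"; null until established
        public final byte[] responseToken;  // token for the WWW-Authenticate reply; may be null
        public final String failure;        // operator-facing cause when authentication failed

        private Result(boolean established, String principal, byte[] token, String failure) {
            this.established = established;
            this.principal = principal;
            this.responseToken = token;
            this.failure = failure;
        }
        static Result ok(String principal, byte[] token) { return new Result(true, principal, token, null); }
        static Result continueNeeded(byte[] token)      { return new Result(false, null, token, null); }
        static Result failed(String why)                { return new Result(false, null, null, why); }
    }

    private static final String SCHEME = "Negotiate ";
    private final Subject serviceSubject;
    private final GSSContext context;

    public SpnegoAcceptor(Subject serviceSubject) throws GSSException {
        this.serviceSubject = serviceSubject;
        // A null credential tells JGSS to use the acceptor credentials of the
        // Subject that is current when acceptSecContext() runs.
        this.context = GSSManager.getInstance().createContext((GSSCredential) null);
    }

    /** Parses an "Authorization: Negotiate <base64>" header and feeds the token to JGSS. */
    public Result accept(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return Result.failed("missing or non-Negotiate Authorization header");
        }
        final byte[] inToken;
        try {
            inToken = Base64.getDecoder().decode(authorizationHeader.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return Result.failed("malformed base64 token");
        }
        try {
            // Run under the service Subject so JGSS can find the keytab-backed credential.
            return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Result>) () -> {
                byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
                if (context.isEstablished()) {
                    return Result.ok(context.getSrcName().toString(), outToken);
                }
                return Result.continueNeeded(outToken); // multi-leg negotiation, send token back
            });
        } catch (PrivilegedActionException pae) {
            Throwable cause = pae.getCause();
            if (cause instanceof GSSException) {
                return Result.failed(describe((GSSException) cause));
            }
            return Result.failed("unexpected failure during SPNEGO accept: " + cause);
        }
    }

    /**
     * Maps the GSS major status to an operator-facing message. BAD_BINDINGS is the
     * status behind "Channel binding mismatch": the initiator (IE with Extended
     * Protection) sent channel bindings that this acceptor cannot check, so the
     * failure is a client/JDK-version condition, not a wrong password or ticket.
     */
    static String describe(GSSException e) {
        if (e.getMajor() == GSSException.BAD_BINDINGS) {
            return "channel binding mismatch: client presented Extended Protection bindings "
                 + "(see the JGSS fix in Java 7 b64 / Sun bug 6851973, or the "
                 + "SuppressExtendedProtection workaround): " + e.getMessage();
        }
        return "GSS failure " + e.getMajorString() + " / " + e.getMinorString();
    }
}
```

When `Result.failure` starts with "channel binding mismatch", the server is seeing the condition in the answer: counting those separately from other GSS failures in the server log shows whether a client-side patch rollout, rather than credential problems, is behind a rise in SSO errors.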

Answers

No answers yet.