Re: MS IWA - extended protection - SSPI - channel binding
On Aug 27, 1:26 pm, Jeffrey Altman jalt...@secure-endpoints.com wrote:
> Markus Moeller wrote:
> > I am reading the MS article about IWA and extended protection
> > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if
> > this affects GSSAPI based applications like Apache with mod_auth_kerb ?
> > Does this mean MS has added channel bindings to SSPI ? Unfortunately I
> > don't have Windows 7 to test.
> >
> > Thank you
> > Markus
>
> You do not need Windows 7. The change was backported all the way to XP
> SP2 and the update was pushed as critical two weeks ago. When activated
> GSS-API over TLS will use channel bindings if the application requests
> extended protection.
>
> Jeffrey Altman

From what I can tell, this change was not pushed as a critical update; I had to install a patch manually to get channel binding capability for Windows XP (http://support.microsoft.com/kb/968389).

I've done some experimenting with both Windows 7 and Windows XP, and channel binding definitely behaves differently on the two platforms. With Windows 7, IWA authentication appears to provide channel binding regardless of whether the application requests extended protection. Actually, this is causing a runtime failure in my Java application using jgss without any channel bindings defined on the acceptor:

GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

The only way I can get around this error message with Windows 7 is to disable extended protection via the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection (0 disabled - 1 enabled)

I can't get Windows XP to send channel binding information in my IWA scenario. I suspect it has something to do with my acceptor not specifying the need for extended protection; I'm not really sure. The major difference between the platform implementations I can see is: Windows 7 always sends extended protected data for IWA, Windows XP only sends extended protected data when necessary (can't verify this...)

Peter Motyka

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: MS IWA - extended protection - SSPI - channel binding
What is the java problem ? Does java not ignore channel bindings when set to GSS_C_NO_CHANNEL_BINDINGS in gss_accept as C does ?

Does Windows use any data in the channel binding or just the src/dest IPs ? Where is that documented ( I couldn't find it ) ?

Thank you
Markus

Peter pe...@motyka.org wrote in message news:8072f979-c6b4-42d1-a5f8-f80f5dee5...@p15g2000vbl.googlegroups.com...
> On Aug 27, 1:26 pm, Jeffrey Altman jalt...@secure-endpoints.com wrote:
> > Markus Moeller wrote:
> > > I am reading the MS article about IWA and extended protection
> > > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if
> > > this affects GSSAPI based applications like Apache with
> > > mod_auth_kerb ? Does this mean MS has added channel bindings to
> > > SSPI ? Unfortunately I don't have Windows 7 to test.
> > >
> > > Thank you
> > > Markus
> >
> > You do not need Windows 7. The change was backported all the way to
> > XP SP2 and the update was pushed as critical two weeks ago. When
> > activated GSS-API over TLS will use channel bindings if the
> > application requests extended protection.
> >
> > Jeffrey Altman
>
> From what I can tell, this change was not pushed as a critical update; I
> had to install a patch manually to get channel binding capability for
> Windows XP (http://support.microsoft.com/kb/968389).
>
> I've done some experimenting with both Windows 7 and Windows XP, and
> channel binding definitely behaves differently on the two platforms.
> With Windows 7, IWA authentication appears to provide channel binding
> regardless of whether the application requests extended protection.
> Actually, this is causing a runtime failure in my Java application
> using jgss without any channel bindings defined on the acceptor:
>
> GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
>
> The only way I can get around this error message with Windows 7 is to
> disable extended protection via the registry key:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection (0 disabled - 1 enabled)
>
> I can't get Windows XP to send channel binding information in my IWA
> scenario. I suspect it has something to do with my acceptor not
> specifying the need for extended protection; I'm not really sure. The
> major difference between the platform implementations I can see is:
> Windows 7 always sends extended protected data for IWA, Windows XP only
> sends extended protected data when necessary (can't verify this...)
>
> Peter Motyka
Re: MS IWA - extended protection - SSPI - channel binding
On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> From what I can tell, this change was not pushed as a critical update; I
> had to install a patch manually to get channel binding capability for
> Windows XP (http://support.microsoft.com/kb/968389).
>
> I've done some experimenting with both Windows 7 and Windows XP, and
> channel binding definitely behaves differently on the two platforms.
> With Windows 7, IWA authentication appears to provide channel binding
> regardless of whether the application requests extended protection.
> Actually, this is causing a runtime failure in my Java application
> using jgss without any channel bindings defined on the acceptor:
>
> GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

The JGSS issue is CR #6851973:

6851973 ignore incoming channel binding if acceptor does not set one

The fix will be in the October 2009 updates. (The fix was integrated into build b64.)

Nico
--
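As an added example (not code from the thread, nor from JGSS or MIT Kerberos), here is a small Python model of the acceptor-side check the messages above are arguing about: the layout hashed into the Bnd field of the authenticator checksum follows RFC 1964 section 4.1.1.2, the TLS channel-binding token is a constructed value, and the `strict` mode is my model of the pre-fix JGSS behaviour (reject any non-zero Bnd when the acceptor has no bindings), not the actual JGSS source.

```python
# Model of a Kerberos GSS-API acceptor's channel-binding check.
# Bnd layout per RFC 1964 section 4.1.1.2 (4-byte little-endian ints);
# the "strict" branch is an assumed model of JGSS before CR 6851973.
import hashlib
import struct

GSS_C_AF_NULLADDR = 255      # GSS-API address type meaning "no address"
NO_CHANNEL_BINDINGS = None   # stands in for GSS_C_NO_CHANNEL_BINDINGS


def _lv(data: bytes) -> bytes:
    """4-byte little-endian length followed by the value."""
    return struct.pack("<I", len(data)) + data


def channel_binding_hash(init_addr: bytes = b"", acc_addr: bytes = b"",
                         app_data: bytes = b"",
                         init_addrtype: int = GSS_C_AF_NULLADDR,
                         acc_addrtype: int = GSS_C_AF_NULLADDR) -> bytes:
    """MD5 over addrtype/len/value of both addresses plus application data.
    For TLS extended protection the addresses are empty and app_data carries
    the channel-binding token, so only app_data affects the result."""
    buf = (struct.pack("<I", init_addrtype) + _lv(init_addr)
           + struct.pack("<I", acc_addrtype) + _lv(acc_addr)
           + _lv(app_data))
    return hashlib.md5(buf).digest()


def acceptor_accepts(bnd_from_initiator: bytes, acceptor_bindings,
                     strict: bool = False) -> bool:
    """Return True if the acceptor accepts the initiator's Bnd field.

    acceptor_bindings is NO_CHANNEL_BINDINGS or the acceptor's own
    (init_addr, acc_addr, app_data) tuple. With strict=False an acceptor
    without bindings ignores Bnd entirely (C GSS-API behaviour, and JGSS
    after CR 6851973). strict=True tolerates only an all-zero Bnd, which
    is how Windows 7 initiators that always send bindings end up with
    "Channel binding mismatch" against a binding-less acceptor.
    """
    if acceptor_bindings is NO_CHANNEL_BINDINGS:
        return (not strict) or bnd_from_initiator == bytes(16)
    return bnd_from_initiator == channel_binding_hash(*acceptor_bindings)
```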
Re: MS IWA - extended protection - SSPI - channel binding
On Sep 22, 2:33 pm, Nicolas Williams nicolas.willi...@sun.com wrote:
> On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> > From what I can tell, this change was not pushed as a critical update;
> > I had to install a patch manually to get channel binding capability
> > for Windows XP (http://support.microsoft.com/kb/968389).
> >
> > I've done some experimenting with both Windows 7 and Windows XP, and
> > channel binding definitely behaves differently on the two platforms.
> > With Windows 7, IWA authentication appears to provide channel binding
> > regardless of whether the application requests extended protection.
> > Actually, this is causing a runtime failure in my Java application
> > using jgss without any channel bindings defined on the acceptor:
> >
> > GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
>
> The JGSS issue is CR #6851973:
>
> 6851973 ignore incoming channel binding if acceptor does not set one
>
> The fix will be in the October 2009 updates. (The fix was integrated
> into build b64.)
>
> Nico
> --

Thanks for the info, Nico. I went to preview the update, but I'm not seeing a b64. Am I looking in the wrong place?

http://download.java.net/jdk6/latest_binaries/

Latest available seems to be b02.

Peter
Re: MS IWA - extended protection - SSPI - channel binding
On Sep 22, 5:04 pm, Peter pe...@motyka.org wrote:
> On Sep 22, 2:33 pm, Nicolas Williams nicolas.willi...@sun.com wrote:
> > On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
> > > From what I can tell, this change was not pushed as a critical
> > > update; I had to install a patch manually to get channel binding
> > > capability for Windows XP (http://support.microsoft.com/kb/968389).
> > >
> > > I've done some experimenting with both Windows 7 and Windows XP,
> > > and channel binding definitely behaves differently on the two
> > > platforms. With Windows 7, IWA authentication appears to provide
> > > channel binding regardless of whether the application requests
> > > extended protection. Actually, this is causing a runtime failure
> > > in my Java application using jgss without any channel bindings
> > > defined on the acceptor:
> > >
> > > GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
> >
> > The JGSS issue is CR #6851973:
> >
> > 6851973 ignore incoming channel binding if acceptor does not set one
> >
> > The fix will be in the October 2009 updates. (The fix was integrated
> > into build b64.)
> >
> > Nico
> > --
>
> Thanks for the info, Nico. I went to preview the update, but I'm not
> seeing a b64. Am I looking in the wrong place?
>
> http://download.java.net/jdk6/latest_binaries/
>
> Latest available seems to be b02.
>
> Peter

Apologies Nico, I assumed you meant 6851973 would be part of updates for the Java SE 6 Update 18 release. I noticed the fix in the OpenJDK7 code base (http://hg.openjdk.java.net/jdk7/tl/jdk/rev/37ed72fe7561) and will see about having it backported to OpenJDK6 for Update 18 via the jdk6-dev mail list.

Peter
MS IWA - extended protection - SSPI - channel binding
I am reading the MS article about IWA and extended protection http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this affects GSSAPI based applications like Apache with mod_auth_kerb ? Does this mean MS has added channel bindings to SSPI ? Unfortunately I don't have Windows 7 to test.

Thank you
Markus
Re: MS IWA - extended protection - SSPI - channel binding
Markus Moeller wrote:
> I am reading the MS article about IWA and extended protection
> http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
> affects GSSAPI based applications like Apache with mod_auth_kerb ? Does
> this mean MS has added channel bindings to SSPI ? Unfortunately I don't
> have Windows 7 to test.
>
> Thank you
> Markus

You do not need Windows 7. The change was backported all the way to XP SP2 and the update was pushed as critical two weeks ago. When activated GSS-API over TLS will use channel bindings if the application requests extended protection.

Jeffrey Altman