4 Replies Latest reply on Aug 4, 2010 6:13 PM by 843810

    Windows 7 IWA and Java 6 Kerberos acceptor (ChannelBinding not provided)

I'm experiencing an interoperability issue with Windows 7 IWA extended protection (channel binding) and a Java 6 Kerberos acceptor. The Kerberos token being sent by the Windows 7 initiator appears to contain channel binding information, and the Java 6 Kerberos acceptor fails when trying to match this information to locally configured channel bindings. I'd prefer for the acceptor to simply ignore the channel binding information being sent by the initiator, but this doesn't seem possible with Java 6. Java 7 early access appears to have a fix in place that allows for ignoring channel binding data in the token: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561

Since I'm forced to use Java 6, I'd like to find a way to have the Java 6 Kerberos acceptor interact with the Windows 7 initiator using channel binding. The channel binding information is an md5sum of data about the SSL/TLS transport in which the IWA authentication is taking place. I can't seem to find a spec which details the exact layout of the data which needs to be hashed to construct the channel binding. Anyone have some insight into how to construct this data?

The exact exception I'm seeing with Java 6 is:

    GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

        • 1. Re: Windows 7 IWA and Java 6 Kerberos acceptor (ChannelBinding not provided)
          I am seeing what looks like the same problem with Windows XP following an upgrade this week. Is there any information on either an update to Java 6 or on the channel binding?
          • 2. Re: Windows 7 IWA and Java 6 Kerberos acceptor (ChannelBinding not provided)
There's a workaround for Windows XP.

From this thread on MS TechNet, http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/1a58678e-6787-4582-805b-6414855ec016, there will be a workaround for Windows 7 soon.
            • 3. Re: Windows 7 IWA and Java 6 Kerberos acceptor (ChannelBinding not provided)
As far as I can tell, Java 1.6.0_18 does not have a fix for this issue, even though someone (at Sun?) mentioned that he/she intended to backport the fix into Java 1.6.0_18.

              I ended up backporting it myself and it resolved the issue for me.

              If you have at least mid-level Java programming experience, you should be able to follow these steps:

step 1. Get this file, which has the fix:
and copy it to a local directory (create the directory first!): channel-fix

step 2. Make the following edits so that it will compile under Java 1.6:

              BEFORE: import sun.security.jgss.HttpCaller;
              AFTER: import sun.security.jgss.GSSUtil;
              BEFORE: if (context.getCaller() instanceof HttpCaller &&
              AFTER: if (context.getCaller() == GSSUtil.CALLER_HTTP_NEGOTIATE &&

step 3. Compile InitialToken.java using a Java 1.6 compiler: javac InitialToken.java

step 4a. Locate rt.jar (the Java runtime library) for the Java 1.6 on your server machine (the machine where you're getting the channel binding exception).
step 4b. Make a backup copy of this rt.jar.
step 4c. Also copy this rt.jar to your local machine, into your channel-fix directory.

step 5. Under your channel-fix directory, create the following directory structure: sun/security/jgss/krb5

step 6. Copy InitialToken$OverloadedChecksum.class and InitialToken.class (the results of step 3) to the new directory you just created (sun/security/jgss/krb5/).

step 7. Copy rt.jar (from step 4) to the channel-fix directory.

step 8. Go to the channel-fix directory and run the following command: jar uvf rt.jar sun

step 9. This version of rt.jar now has the channel binding fix in place. Copy this rt.jar back to the server machine, overwriting the rt.jar that's already there.

              Edited by: ginolee on Mar 27, 2010 5:54 AM

              Edited by: ginolee on Mar 27, 2010 5:57 AM
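The backport procedure in reply 3 (steps 2 through 9), written up as a POSIX shell script. This is an added example, not code from any of the posters; it assumes a JDK 6 javac and jar are on PATH, that the patched InitialToken.java from the OpenJDK changeset has already been placed in the work directory (step 1), and it takes the work directory and the path of the rt.jar copied from the server as its two arguments.

```shell
#!/bin/sh
# Added example: automate steps 2-9 of the rt.jar backport described above.
# Assumptions: JDK 6 javac/jar on PATH; InitialToken.java already in $WORK.
set -eu

WORK="${1:-channel-fix}"          # step 1: local work directory
SERVER_RT="${2:-}"                # step 4: rt.jar copied from the server
PKG_DIR="sun/security/jgss/krb5"  # step 5: package path of InitialToken

# Step 2: the two source edits needed for the Java 7 file to compile on Java 6.
# sed keeps the unedited source as <file>.orig.
patch_source() {
  sed -i.orig \
    -e 's/import sun\.security\.jgss\.HttpCaller;/import sun.security.jgss.GSSUtil;/' \
    -e 's/context\.getCaller() instanceof HttpCaller &&/context.getCaller() == GSSUtil.CALLER_HTTP_NEGOTIATE \&\&/' \
    "$1"
}

# Steps 3, 5, 6: compile, then place both .class files under the package path.
build_classes() {
  command -v javac >/dev/null || { echo "javac not on PATH" >&2; return 1; }
  (cd "$WORK" && javac -nowarn InitialToken.java)
  mkdir -p "$WORK/$PKG_DIR"
  cp "$WORK"/InitialToken*.class "$WORK/$PKG_DIR/"
}

# Steps 4b, 7, 8: back up the server's rt.jar, copy it into the work
# directory, then add the whole "sun" tree (as the post does).
patch_rt_jar() {
  command -v jar >/dev/null || { echo "jar not on PATH" >&2; return 1; }
  cp "$SERVER_RT" "$SERVER_RT.bak"
  cp "$SERVER_RT" "$WORK/rt.jar"
  (cd "$WORK" && jar uvf rt.jar sun)
}

# Check the updated jar actually carries the patched class before shipping it.
verify_jar() {
  jar tf "$WORK/rt.jar" | grep -q "^$PKG_DIR/InitialToken.class\$"
}

# Only run the full procedure when both arguments are supplied.
if [ $# -ge 2 ]; then
  patch_source "$WORK/InitialToken.java"
  build_classes
  patch_rt_jar
  verify_jar
  echo "patched rt.jar is in $WORK/rt.jar; copy it back to the server (step 9)"
fi
```

Run it as `sh backport.sh channel-fix /path/to/server-rt.jar`; the original jar is kept as `server-rt.jar.bak`.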
              • 4. Re: Windows 7 IWA and Java 6 Kerberos acceptor (ChannelBinding not provided)
                Thanks. I was having a problem with the WindowsDesktopSSO module of OpenSSO when coming in over SSL, and this is exactly the fix I needed.