Hello All,

It seems that this topic has heated up while I was on vacation. I replied to one of the threads but my response was number 21 and not necessarily easy to find so I am summarizing my findings here.

In Windows 7, and XP with the latest security updates, Windows now offers something called IWA extended protection. IE8 appears to take advantage of this while earlier versions of IE do not. In short, the Kerberos token being sent by the updated Windows initiator contains channel binding information and the Java 6 Kerberos acceptor fails when trying to match this info to locally configured channel bindings, and there is no way in Java 6 to tell the VM to ignore this information.

There is a fix for this in Java 7, listed here in the JDK 7 changeset:
http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561

The exception that will be thrown in your logs will look like this:

    GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

If you must use IE8 you can try the Windows registry tweak listed here:
http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18

The configuration that works for me (no registry tweaking) is:

CAS Server OS: RHEL5 (I have also tested with Tomcat on Windows XP as well, it works)
CAS Server Java:
    java version "1.6.0_18"
    Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
    Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
Browsers:
    IE: Version: 7.0.5730.13CO
    Firefox: Firefox/3.6, although the issue does not appear to manifest itself on Firefox.

Hope this helps,
Dean
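
An added example, not part of Dean's message and not JDK code: a simplified Python model of where the channel binding sits in the Kerberos authenticator checksum (the fixed 24-byte layout from RFC 4121 section 4.1.1) and why an acceptor with no bindings configured rejects a token that carries one. The function names, the sample bytes and the `ignore_if_unconfigured` switch are assumptions made for illustration; the switch stands in for the "ignore" behaviour that the post says Java 6 lacks.

```python
import hmac
import struct

NO_BINDING = bytes(16)  # all-zero Bnd field: the initiator sent no channel bindings

def parse_gss_checksum(data):
    """Parse the fixed head of an RFC 4121 authenticator checksum (type 0x8003).
    Layout: Lgth (4 bytes LE, always 16) | Bnd (16 bytes) | Flags (4 bytes LE).
    `data` is the already-decrypted checksum field. Returns (bnd, flags)."""
    if len(data) < 24:
        raise ValueError("checksum shorter than 24 bytes")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != 16:
        raise ValueError("Lgth must be 16, got %d" % lgth)
    (flags,) = struct.unpack_from("<I", data, 20)
    return data[4:20], flags

def acceptor_check(token_bnd, local_bnd, ignore_if_unconfigured):
    """Simplified acceptor decision. local_bnd is the 16-byte hash of the
    acceptor's own configured bindings, or None when it has none configured.
    Returns (accepted, reason)."""
    if local_bnd is None:
        if token_bnd == NO_BINDING:
            return (True, "no bindings on either side")
        if ignore_if_unconfigured:  # hypothetical lenient mode
            return (True, "initiator bindings ignored")
        # Strict mode: the failure described in the post
        return (False, "ChannelBinding not provided!")
    if hmac.compare_digest(token_bnd, local_bnd):
        return (True, "bindings match")
    return (False, "bindings differ")

# Constructed sample checksums (not captured traffic); flags 0x3E is arbitrary.
SAMPLE_BND = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_EPA = struct.pack("<I", 16) + SAMPLE_BND + struct.pack("<I", 0x3E)
SAMPLE_LEGACY = struct.pack("<I", 16) + NO_BINDING + struct.pack("<I", 0x3E)

if __name__ == "__main__":
    for name, blob in (("binding present", SAMPLE_EPA), ("no binding", SAMPLE_LEGACY)):
        bnd, flags = parse_gss_checksum(blob)
        for lenient in (False, True):
            print(name, "lenient=%s" % lenient, acceptor_check(bnd, None, lenient))
```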
