Thanks, Dean!
On Mon, Feb 22, 2010 at 3:06 PM, Dean Heisey <[email protected]>wrote: > I will, > > > > That way it won’t get lost in the forum > > > > Dean > > > > *From:* Scott Battaglia-2 [via Jasig] [mailto:[hidden > email]<http://n4.nabble.com/user/SendEmail.jtp?type=node&node=1565059&i=0>] > > *Sent:* Monday, February 22, 2010 12:05 PM > *To:* Dean Heisey > *Subject:* Re: CAS + IE8 + SPNEGO Not supported > > > > Would it be good to put this information into the Wiki? > > > > Thanks! > > Scott > > > > On Mon, Feb 22, 2010 at 2:26 PM, Dean Heisey <[hidden > email]<http://n4.nabble.com/user/SendEmail.jtp?type=node&node=1565056&i=0>> > wrote: > > > Hello All, > > It seems that this topic has heated up while I was on vacation. I > replied to one of the threads but my response was number 21 and not > necessarily easy to find so I am summarizing my findings here. > > In windows 7, and XP with the latest security updates, Windows now offers > something called IWA extended protection. IE8 appears to take advantage of > this while earlier versions of IE do not. In short, the Kerberos token > being > sent by the updated windows initiator contains channel binding information > and the Java 6 Kerberos acceptor fails when trying to match this info to > locally configured channel bindings and there is no way in Java 6 to tell > the VM to ignore this information. There is a fix for this in Java 7. > > Listed here in the jdk 7 changeset: > http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561 > http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561 > > The exception that will be thrown in your logs will look like this: > > GSSException: Channel binding mismatch (Mechanism level: ChannelBinding > not provided!) > > If you must use IE8 you can try the windows registry tweak listed here: > > http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18 > http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18 > > The configuration that works for me( no registry tweaking) is: > > CAS Server OS: RHEL5 ( I have also tested with tomcat on windows XP as > well, it works) > CAS Server Java: java version "1.6.0_18" > Java(TM) SE Runtime Environment (build 1.6.0_18-b07) > Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing) > > Browsers: > IE: Version: 7.0.5730.13CO > Firefox: Firefox/3.6 although the issue does not appear to manifest > itself on Firefox. > > > Hope this helps, > > Dean > > > > > > > > > -- > View this message in context: > http://n4.nabble.com/CAS-IE8-SPNEGO-Not-supported-tp1564988p1564988.html > Sent from the CAS Users mailing list archive at Nabble.com. > > -- > You are currently subscribed to [hidden > email]<http://n4.nabble.com/user/SendEmail.jtp?type=node&node=1565056&i=1>as: > [hidden > email]<http://n4.nabble.com/user/SendEmail.jtp?type=node&node=1565056&i=2> > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > > -- > > You are currently subscribed to [hidden email] > <http://n4.nabble.com/user/SendEmail.jtp?type=node&node=1565056&i=3> as: > [hidden email] > <http://n4.nabble.com/user/SendEmail.jtp?type=node&node=1565056&i=4> > > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > ------------------------------ > > View message @ > http://n4.nabble.com/CAS-IE8-SPNEGO-Not-supported-tp1564988p1565056.html > To unsubscribe from CAS + IE8 + SPNEGO Not supported, click here. > > > > ------------------------------ > View this message in context: RE: CAS + IE8 + SPNEGO Not > supported<http://n4.nabble.com/CAS-IE8-SPNEGO-Not-supported-tp1564988p1565059.html> > > Sent from the CAS Users mailing list > archive<http://n4.nabble.com/CAS-Users-f255676.html>at Nabble.com. > > -- > You are currently subscribed to [email protected] as: > [email protected] > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
