Wiki is updated.

From: Scott Battaglia [mailto:[email protected]]
Sent: Monday, February 22, 2010 12:08 PM
To: [email protected]
Subject: Re: [cas-user] CAS + IE8 + SPNEGO Not supported

Thanks, Dean!

On Mon, Feb 22, 2010 at 3:06 PM, Dean Heisey <[email protected]> wrote:

I will. That way it won't get lost in the forum.

Dean

From: Scott Battaglia-2 [via Jasig] [mailto:[hidden email]]
Sent: Monday, February 22, 2010 12:05 PM
To: Dean Heisey
Subject: Re: CAS + IE8 + SPNEGO Not supported

Would it be good to put this information into the Wiki?

Thanks!
Scott

On Mon, Feb 22, 2010 at 2:26 PM, Dean Heisey <[hidden email]> wrote:

Hello All,

It seems that this topic has heated up while I was on vacation. I replied to one of the threads but my response was number 21 and not necessarily easy to find, so I am summarizing my findings here.

In Windows 7, and XP with the latest security updates, Windows now offers something called IWA extended protection. IE8 appears to take advantage of this while earlier versions of IE do not. In short, the Kerberos token being sent by the updated Windows initiator contains channel binding information, and the Java 6 Kerberos acceptor fails when trying to match this info to locally configured channel bindings, and there is no way in Java 6 to tell the VM to ignore this information.

There is a fix for this in Java 7, listed here in the JDK 7 changeset:

http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561

The exception that will be thrown in your logs will look like this:

GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

If you must use IE8 you can try the Windows registry tweak listed here:

http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18

The configuration that works for me (no registry tweaking) is:

CAS Server OS: RHEL5 (I have also tested with Tomcat on Windows XP as well, it works)

CAS Server Java:
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

Browsers:
IE: Version: 7.0.5730.13CO
Firefox: Firefox/3.6, although the issue does not appear to manifest itself on Firefox.

Hope this helps,
Dean

--
View this message in context: http://n4.nabble.com/CAS-IE8-SPNEGO-Not-supported-tp1564988p1564988.html
Sent from the CAS Users mailing list archive at Nabble.com.

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
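The failure described in the thread can be recognised in code by its GSS-API major status instead of by matching the log text. The following is an added example, not part of the original thread and not CAS code; the class and method names are hypothetical, and the sample exception is constructed to match the log line quoted above.

```java
import org.ietf.jgss.GSSException;

/** Added illustration: classify an SPNEGO acceptor failure caused by channel bindings. */
public class ChannelBindingDiagnosis {

    /** True when the acceptor rejected the token because of channel bindings. */
    static boolean isBindingMismatch(GSSException e) {
        // Compare the major status code; do not depend on the message wording.
        return e.getMajor() == GSSException.BAD_BINDINGS;
    }

    /** True for runtimes older than Java 7; accepts "1.6", "1.7", "11", and so on. */
    static boolean predatesJava7(String specVersion) {
        String[] parts = specVersion.trim().split("\\.");
        int major = Integer.parseInt(parts[0]);
        if (major == 1 && parts.length > 1) {
            major = Integer.parseInt(parts[1]); // legacy "1.x" numbering
        }
        return major < 7;
    }

    /** Operator-facing hint for a failed acceptSecContext() call. */
    static String describe(GSSException e, String specVersion) {
        if (!isBindingMismatch(e)) {
            return "Other GSS failure: " + e.getMessage();
        }
        if (predatesJava7(specVersion)) {
            return "Channel binding mismatch on Java " + specVersion
                 + ": the client token carries channel bindings (IWA extended protection)"
                 + " and this runtime predates the Java 7 fix.";
        }
        return "Channel binding mismatch on Java " + specVersion
             + ": the runtime is Java 7 or later, so review the bindings"
             + " configured on the acceptor.";
    }

    public static void main(String[] args) {
        // Constructed sample reproducing the exception text quoted in the thread.
        GSSException sample = new GSSException(
                GSSException.BAD_BINDINGS, -1, "ChannelBinding not provided!");
        System.out.println("GSSException: " + sample.getMessage());
        System.out.println(describe(sample, "1.6"));
        System.out.println(describe(sample,
                System.getProperty("java.specification.version")));
    }
}
```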
