Would it be good to put this information into the Wiki? Thanks! Scott
On Mon, Feb 22, 2010 at 2:26 PM, Dean Heisey <[email protected]> wrote:

> Hello All,
>
> It seems that this topic has heated up while I was on vacation. I
> replied to one of the threads but my response was number 21 and not
> necessarily easy to find so I am summarizing my findings here.
>
> In Windows 7, and XP with the latest security updates, Windows now offers
> something called IWA extended protection. IE8 appears to take advantage of
> this while earlier versions of IE do not. In short, the Kerberos token being
> sent by the updated Windows initiator contains channel binding information
> and the Java 6 Kerberos acceptor fails when trying to match this info to
> locally configured channel bindings and there is no way in Java 6 to tell
> the VM to ignore this information. There is a fix for this in Java 7.
>
> Listed here in the JDK 7 changeset:
> http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561
>
> The exception that will be thrown in your logs will look like this:
>
> GSSException: Channel binding mismatch (Mechanism level: ChannelBinding
> not provided!)
>
> If you must use IE8 you can try the Windows registry tweak listed here:
>
> http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18
>
> The configuration that works for me (no registry tweaking) is:
>
> CAS Server OS: RHEL5 (I have also tested with Tomcat on Windows XP as
> well, it works)
> CAS Server Java: java version "1.6.0_18"
> Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
> Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
>
> Browsers:
> IE: Version: 7.0.5730.13CO
> Firefox: Firefox/3.6 although the issue does not appear to manifest
> itself on Firefox.
>
> Hope this helps,
>
> Dean
>
> --
> View this message in context:
> http://n4.nabble.com/CAS-IE8-SPNEGO-Not-supported-tp1564988p1564988.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
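An added example, not part of the thread and not code from CAS or the JDK: the channel binding information discussed above travels in the Kerberos authenticator checksum (type 0x8003, layout per RFC 4121 section 4.1.1), and this sketch parses that field and models a strict acceptor next to one that ignores the initiator's bindings when it has none configured, which RFC 4121 permits. The function names and the sample checksums are hypothetical and constructed for illustration.

```python
import hashlib
import struct

ZERO_BND = bytes(16)  # Bnd value when the initiator supplied no channel bindings

def build_checksum(bnd: bytes, flags: int) -> bytes:
    """Build the 24-byte fixed part of a 0x8003 checksum (constructed test input)."""
    return struct.pack("<I", 16) + bnd + struct.pack("<I", flags)

def parse_8003_checksum(data: bytes) -> dict:
    """Parse Lgth, Bnd and Flags from a 0x8003 authenticator checksum."""
    if len(data) < 24:
        raise ValueError("checksum shorter than the 24-byte fixed part")
    (lgth,) = struct.unpack_from("<I", data, 0)    # length of Bnd, little-endian
    if lgth != 16:
        raise ValueError(f"unexpected Bnd length {lgth}, expected 16")
    bnd = data[4:20]                               # MD5 hash of the channel bindings
    (flags,) = struct.unpack_from("<I", data, 20)  # GSS context flags
    return {"bnd": bnd, "flags": flags, "has_bindings": bnd != ZERO_BND}

def acceptor_decision(checksum: bytes, local_bnd, ignore_when_unset: bool) -> str:
    """Model the acceptor's channel binding check (an assumption, not JDK code).

    local_bnd: MD5 hash of the acceptor's own bindings, or None if it has none.
    ignore_when_unset: False models the strict matching the thread describes for
    Java 6; True models an acceptor that skips the check when it has no bindings
    of its own.
    """
    token = parse_8003_checksum(checksum)
    if local_bnd is None:
        # Acceptor configured no bindings: only a strict acceptor objects.
        if not token["has_bindings"] or ignore_when_unset:
            return "accept"
        return "reject: channel binding mismatch"
    return "accept" if token["bnd"] == local_bnd else "reject: channel binding mismatch"

# Constructed samples: flag value 0x02 is the GSS mutual-authentication flag.
PLAIN = build_checksum(ZERO_BND, 0x02)  # client without extended protection
EPA = build_checksum(hashlib.md5(b"constructed-bindings").digest(), 0x02)

if __name__ == "__main__":
    for name, token in (("plain", PLAIN), ("extended protection", EPA)):
        print(name, "| strict:", acceptor_decision(token, None, False),
              "| lenient:", acceptor_decision(token, None, True))
```

A non-zero Bnd field in a captured authenticator is the quickest way to confirm that a client is sending extended protection data before changing anything on the server or in the registry.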
