Wednesday, December 30, 2009

SSO Authentication Problems for Windows Clients Against Java Kerberos Servers

Quote from an MS Support Case

Hotfix 968389 makes XP machines support Extended Protection for Integrated Authentication, which consists of Service Binding information (SPN) and a Channel Binding Token (CBT). This is ON by default and results in authentication requests being bound both to the Service Principal Name (SPN) of the server the client attempts to connect to and to the outer Transport Layer Security (TLS) channel over which the Integrated Windows Authentication (IWA) authentication takes place.

If you conclude that you are affected by this issue and are required to turn off CBT, enable the following registry key to disable CBT on the Windows XP client: create a REG_DWORD value named SuppressExtendedProtection with a value of 0x03 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.

Note: This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA). Disabling CBT can result in security implications protected by this feature.

More Information

What is CBT?

CBT is a part of Extended Protection for Integrated Authentication, which is a mechanism to bind an outer secure channel such as SSL to inner-channel authentication protocols such as Kerberos-APREQ and HTTP header authentication. CBT is a property of the outer secure channel (such as TLS) used to tie (bind) it to a conversation over an inner, client-authenticated channel. Channel binding is accomplished by the client transferring the SPN and the CBT to the server in a tamperproof fashion. The server validates the channel binding information in accordance with its policy and rejects authentication attempts for which it does not believe itself to have been the intended target. This way, the two channels become cryptographically bound together.

- If the client is updated to support the extended protection, applications should supply channel binding and service binding information to all supported authentication protocols. Channel binding information can only be supplied when there is a channel (TLS) to bind to. Service binding information should always be supplied.
- Updated servers which are properly configured may verify the channel and service binding information when it is present in the client authentication token and reject the authentication attempt if the channel bindings do not match. Depending on the deployment scenario, servers may verify channel binding, service binding or both.
- Updated servers have the ability to accept or reject down-level client requests that do not contain the channel binding information based on policy.

Channel Binding Token values:
• 0x01 - This makes the client appear unpatched to remote servers except in cases where the caller of SSPI on the client provides both a channel binding token and a target SPN. The security implication of setting this flag is this: it makes clients that do not use channel binding correctly, and clients that do not go over SSL, vulnerable to authentication relay, even to partially hardened servers.

• 0x02 - This makes the client set the Kerberos channel binding value to zero even if the calling application correctly supplies the value. If set without the previous 0x01 value, this value will cause the client to stop working against hardened servers with SSL.

• 0x03 - Combination of 0x01 and 0x02. It disables channel binding always for Kerberos (0x02) and suppresses both channel binding and service bindings for those NTLM callers that do not supply channel binding (0x01). So, 0x02 has no effect on NTLM.
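An added PowerShell example, not text or code from the MS support case, that audits the SuppressExtendedProtection value on a client and decodes the 0x01 and 0x02 bits exactly as the list above describes them; Restore-ExtendedProtection removes the override. It assumes PowerShell 2.0 or later, an elevated prompt on the client being checked, and that the hotfix is registered under the KB number quoted above.

```powershell
# Added example; not from the MS support case. Audits the SuppressExtendedProtection
# DWORD under the LSA key and reports what the configured bits do to Kerberos and
# NTLM callers. Assumes PowerShell 2.0+ and an elevated prompt on the client.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'SuppressExtendedProtection'

function Get-ExtendedProtectionState {
    $value = 0   # value absent = default after the hotfix: Extended Protection ON
    $props = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($props -ne $null) { $value = [int]$props.$ValueName }

    # 0x01: client appears unpatched to servers unless the caller supplies both CBT and SPN
    $ntlmSuppressed = ($value -band 0x01) -ne 0
    # 0x02: Kerberos CBT forced to zero even when the application supplies it (no NTLM effect)
    $krbSuppressed  = ($value -band 0x02) -ne 0
    # Any bit outside 0x03 is not documented in the support case text
    $undocumented   = ($value -band (-bnot 0x03)) -ne 0

    if ($krbSuppressed)  { $krb  = 'CBT always zero (interoperates with Java Kerberos servers)' }
    else                 { $krb  = 'CBT sent when a TLS channel exists' }
    if ($ntlmSuppressed) { $ntlm = 'CBT and SPN dropped for callers that omit channel binding' }
    else                 { $ntlm = 'CBT and SPN sent' }
    if ($ntlmSuppressed -or $krbSuppressed) { $risk = 'Authentication relay possible: CBT override set' }
    else                                     { $risk = 'Extended Protection active' }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        Value          = ('0x{0:X2}' -f $value)
        Kerberos       = $krb
        NTLM           = $ntlm
        Risk           = $risk
        UnknownBits    = $undocumented
        # Assumed KB id for "Hotfix 968389"; Get-HotFix only lists updates recorded by QFE.
        HotfixKB968389 = [bool](Get-HotFix -Id 'KB968389' -ErrorAction SilentlyContinue)
    }
}

function Restore-ExtendedProtection {
    # Deleting the value returns the client to the default (channel binding on).
    if (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $LsaKey -Name $ValueName
    }
}

Get-ExtendedProtectionState | Format-List
```

Run the audit across the fleet before and after the Java-server workaround is rolled out so the clients carrying the 0x03 override stay inventoried.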

Note: As per PG, Windows 7 adds support for an IETF security standard called channel binding. There is a known application compatibility issue between Windows 7 clients and Java Kerberos servers (such as Jetty). The setting 0x3 (discussed later in this article) on the client overcomes this application compatibility issue at the expense of suppressing channel binding. This setting should only be used on client computers that have to authenticate to Java Kerberos servers:

1. Jetty - Jetty 6.1.7
2. SAP Portal (Java J2EE Web Server -

1. Windows clients that support Channel Binding Tokens fail to be authenticated by non-CBT-capable Kerberos servers such as Java Kerberos.

Sample customer experience:

Accessing Federated Web sites using PingIdentity Federated Services from Internet Explorer 8.0 on Windows 7 clients. The same operation works from IE 8.0 on Windows XP and Windows Vista computers. The error text on Windows 7 reads:

Title: Error - Single Sign-On
Message text: Unexpected Runtime Authn Adapter Integration Problem.
Please contact your system administrator for assistance regarding this error.
Adapter: CorpIWA
