Tuesday, January 25, 2011

Troubleshooting GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)

Ran into another interesting error in one of my SharePoint 2007 farms with Kerberos enabled. Our Teamworks web part, which uses Kerberos to authenticate to the Teamworks (JBoss) workflow server, suddenly stopped working after a series of patches were applied to all the servers in the farm. Nothing obvious was showing up in the Windows event logs, but I did find this error in the Teamworks logs:

java.lang.RuntimeException: Exception verifying Kerberos token
at org.jboss.security.auth.AdvancedWebCallbackHandler$1.run(AdvancedWebCallbackHandler.java:236)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at org.jboss.security.auth.CommonKerberosUtils.doAsKerberosSubject(CommonKerberosUtils.java:64)
at org.jboss.security.auth.AdvancedWebCallbackHandler.handleNegotiateCallback(AdvancedWebCallbackHandler.java:211)
at org.jboss.security.auth.AdvancedWebCallbackHandler.handleCallbacks(AdvancedWebCallbackHandler.java:151)
at org.jboss.security.auth.AdvancedWebCallbackHandler.handle(AdvancedWebCallbackHandler.java:107)
at org.jboss.security.auth.HttpServletRequestResponseValve.doNegotiate(HttpServletRequestResponseValve.java:382)
at org.jboss.security.auth.HttpServletRequestResponseValve.authenticate(HttpServletRequestResponseValve.java:263)
at org.jboss.security.auth.HttpServletRequestResponseValve.authenticate(HttpServletRequestResponseValve.java:237)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.security.auth.HttpServletRequestResponseValve.invoke(HttpServletRequestResponseValve.java:128)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
Caused by: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:225)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at org.jboss.security.auth.AdvancedWebCallbackHandler$1.run(AdvancedWebCallbackHandler.java:226)
... 22 more

Google led me to this forum thread:

http://forums.sdn.sap.com/thread.jspa?threadID=1504390&start=15&tstart=0

Apparently one of the server patches we applied changed the SharePoint server's "Extended Protection for Authentication" behavior (http://support.microsoft.com/?scid=kb;en-us;968389&x=10&y=18), which was causing Kerberos to fail for our Teamworks Web Part.

We ended up adding the registry key "SuppressExtendedProtection" as a DWORD type with a value of "2" to the node "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" on the SharePoint web front end where the Web Part was running. After a reboot, it fixed our problem.
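The registry change above, written up as an added PowerShell example (not part of the original post, and not anything shipped by Microsoft or Teamworks). It assumes the same web front end, the LSA path and the SuppressExtendedProtection DWORD from KB 968389, and a value of 2 as used above; the backup file location and the function names are this example's own choices. It records the previous state before changing it so the setting can be reverted, because suppressing Extended Protection removes the channel binding that ties the Kerberos ticket to the TLS session, which is the mitigation against relaying that authentication to another endpoint. It should be applied only on the hosts that actually need it and revisited once the JBoss acceptor can handle channel bindings.

```powershell
# Added example: set, inspect and revert the SuppressExtendedProtection value
# described in KB 968389. Run in an elevated PowerShell session on the
# SharePoint web front end; a reboot is needed for LSA to pick up the change.
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # path from the post
$ValueName = 'SuppressExtendedProtection'                    # DWORD from KB 968389
$Desired   = 2                                               # value used in the post
$BackupDir = Join-Path $env:ProgramData 'EpaChange'          # assumption: where the old value is recorded

function Get-EpaSuppression {
    # Returns the current DWORD, or $null when the value is absent
    # (absent means the OS default, i.e. Extended Protection left as the patch set it).
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-EpaSuppression {
    param([int]$Value = $Desired)
    $current = Get-EpaSuppression
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host ("{0} is currently {1}" -f $ValueName, $shown)
    if ($current -eq $Value) { Write-Host 'Already set; nothing to do.'; return }

    # Keep a record of the previous state so the change can be undone later.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.txt' -f $ValueName, (Get-Date))
    ("{0}={1}" -f $ValueName, $shown) | Out-File -FilePath $backup -Encoding ASCII

    if ($null -eq $current) {
        New-ItemProperty -Path $LsaPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $LsaPath -Name $ValueName -Value $Value
    }
    Write-Host ("Set {0} to {1}; previous state saved to {2}. Reboot to apply." -f $ValueName, $Value, $backup)
}

function Restore-EpaSuppression {
    # Removes the override so the system returns to its default Extended Protection behaviour.
    if ($null -eq (Get-EpaSuppression)) { Write-Host 'Value already absent.'; return }
    Remove-ItemProperty -Path $LsaPath -Name $ValueName
    Write-Host ("Removed {0}. Reboot to apply." -f $ValueName)
}

# Usage:
#   Set-EpaSuppression        # apply the workaround from the post (value 2)
#   Get-EpaSuppression        # check what is in place on this host
#   Restore-EpaSuppression    # undo once the acceptor side supports channel bindings
```

Running Get-EpaSuppression on every front end in the farm is a quick way to confirm the override landed only where it was intended, since the value silently weakens channel binding for every Kerberos client on that host, not just the web part.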
