Cannot authenticate to Identity Server using Kerberos with IE8 or updated Windows patches

  • 7004752
  • 28-Oct-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3 Linux Novell Identity Server

Situation

Kerberos authentication is enabled on the Identity Server and has been working as expected for months. Users update their workstations frequently with security patches, and after applying one such patch, authentication to the Identity Server using Kerberos fails. Instead of being single signed on to the Identity Server, the user is prompted for his/her credentials via the basic auth popup.

Looking at the catalina.out file, the following error message is displayed when parsing the Kerberos token sent by the browser:

>>> KrbApReq: authenticate succeed.
<amLogEntry> 2009-10-28T12:54:34Z SEVERE NIDS Application: AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813:  Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : Channel binding mismatch (Mechanism level: ChannelBinding not provided!) </amLogEntry>

Resolution

Change the SuppressExtendedProtection registry setting to 0x02. The full path and the possible values are shown below.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SuppressExtendedProtection

0x00 - Enable protection technology.

0x01 - This makes the client appear unpatched to remote servers except in cases where the caller of SSPI on the client provides both a channel binding token and a target SPN. The security implication of setting this flag is this: it makes clients that do not use channel binding correctly, and clients that do not go over SSL, vulnerable to authentication relay, even to partially hardened servers.

0x02 - This makes the client set the Kerberos channel binding value to zero even if the calling application correctly supplies the value. In our issue, IE 7 will not use the extended authentication in Kerberos authentication. 0x02 has no effect on NTLM.

0x03 - Combination of 0x01 and 0x02. It always disables channel binding for Kerberos (0x02) and suppresses both channel binding and service bindings for those NTLM callers that do not supply channel binding (0x01).

Microsoft's recent security updates for IE have changed the security settings on the client.
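The following PowerShell snippet is an added example, not part of this TID, showing how an administrator can read the current SuppressExtendedProtection value, decode it against the table above, record the previous value and apply 0x02 on an affected workstation. It must run in an elevated session; the backup file location under $env:TEMP is an assumption chosen for the example. Note that, as the table states, 0x02 zeroes the Kerberos channel binding value on that client, so the setting should be scoped to the workstations that actually exhibit the mismatch.

```powershell
# Added example (not from the TID): inspect and set the LSA SuppressExtendedProtection value.
# Requires an elevated PowerShell session.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$Name = 'SuppressExtendedProtection'

function Get-SuppressExtendedProtection {
    # A missing value behaves like 0x00 (extended protection enabled).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Describe-SuppressExtendedProtection([int]$Value) {
    # Meanings taken from the value table in this TID.
    switch ($Value) {
        0 { 'extended protection enabled' }
        1 { 'client appears unpatched unless caller supplies CBT and target SPN' }
        2 { 'Kerberos channel binding value forced to zero (no effect on NTLM)' }
        3 { 'combination of 0x01 and 0x02' }
        default { 'undocumented value' }
    }
}

$current = Get-SuppressExtendedProtection
'Current value: 0x{0:X2} ({1})' -f $current, (Describe-SuppressExtendedProtection $current)

if ($current -ne 2) {
    # Keep the previous value so the change can be reverted once clients are fixed.
    $backup = Join-Path $env:TEMP 'SuppressExtendedProtection.bak'   # assumed location
    'Previous value: 0x{0:X2}' -f $current | Out-File -FilePath $backup -Encoding ascii
    Set-ItemProperty -Path $Path -Name $Name -Value 2 -Type DWord
    'Set {0} to 0x02; previous value recorded in {1}' -f $Name, $backup
} else {
    'No change required.'
}
```

To revert, set the value back to the number recorded in the backup file (or remove the value with Remove-ItemProperty, which restores the 0x00 behaviour).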