Cannot authenticate to IDP server using Kerberos from Windows 7 client running IE8

  • 7006036
  • 19-May-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Windows 2003 server with Active Directory and Kerberos services enabled
Windows 7 clients with IE8

Situation

Access Manager 3.1.1-265 (3.1 SP1 IR3a) is not allowing us to use Kerberos as a pass-through for authentication. Whenever we try to access a protected resource using IE8 (on Windows 7) or IE7 (on Windows XP Pro) with the KB 974455 security patch installed, we are prompted to enter our credentials. If we uninstall the security patch, IE7 starts to function properly again, but IE8 on Windows 7 does not.

Resolution

 
1) On the Windows 7 client, suppress Extended Protection for Authentication, which the KB 974455 update adds to the Kerberos token as channel-binding data that the Identity Server's Java GSS acceptor does not handle.

Note: If the value "SuppressExtendedProtection" does not exist, create a DWORD value [on Windows 2008, DWORD (32-bit)] named "SuppressExtendedProtection" and set it to 0x02. This turns channel binding off for the client, so treat it as a workaround to be reverted once the Identity Server carries the JVM fix described under Additional Information.

2) Ensure "Enable Integrated Windows Authentication" is enabled (Tools -> Internet Options -> Advanced Tab).

3) Ensure the IDP DNS name or URL is added to the Local Intranet zone (Tools -> Internet Options -> Security tab -> click Local Intranet -> Sites -> Advanced -> add the Identity Server URL, e.g. https://idp126.lab.novell.com/). This is needed when the Identity Server domain and the AD/client domain are NOT the same. It does not work if the domain name or URL is added to the Trusted Sites zone instead; Internet Explorer's default user-authentication setting performs automatic logon only in the Local Intranet zone, so the site must be in Local Intranet for the token to be sent.
 
4) If AD is set up to use DES encryption, Windows 7 must be configured to send DES-encrypted tickets. DES is not enabled by default in Windows 7 because it is a weak cipher, so enable it only when AD really requires it; the article at http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx explains how to enable it.
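The four client-side steps above, as an added PowerShell audit-and-fix script. This is not part of the original TID and not Novell/NetIQ code. The TID does not give registry locations, so the script assumes the ones Microsoft documents for each setting: SuppressExtendedProtection under the Lsa key (KB 968389), the EnableNegotiate and ZoneMap values under Internet Settings that back the IE dialogs, and the Kerberos SupportedEncryptionTypes policy value. The IDP host name is the TID's own example. Run it in an elevated PowerShell; without -Apply it only reports.

```powershell
# Added example, not part of the original TID and not Novell/NetIQ code.
# Audits (and with -Apply, sets) the four Windows 7 client settings from the
# Resolution section. Run in an elevated PowerShell; the HKLM writes need it.
# Assumed, because the TID does not give them: the registry locations (the ones
# Microsoft documents: Lsa\SuppressExtendedProtection from KB 968389, the IE
# Internet Settings / ZoneMap values behind the IE dialogs, and the Kerberos
# SupportedEncryptionTypes policy) and the IDP host, which is the TID's example.
param(
    [string]$IdpHost = 'idp126.lab.novell.com',  # IDP host from the TID example
    [switch]$Apply,                              # default: report only
    [switch]$EnableDes                           # step 4, only if AD really uses DES
)

function Report([string]$State, [string]$Text) { Write-Host "[$State] $Text" }

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1) Suppress Extended Protection for Authentication (the KB 974455 change).
#    Value 2 turns channel binding off for this client, which is what lets the
#    Java GSS acceptor on the IDP accept the token. Revert once the IDP runs a
#    JVM with the 6851973 fix.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sep = Get-RegValue $lsa 'SuppressExtendedProtection'
if ($sep -eq 2) { Report 'OK' 'Step 1: SuppressExtendedProtection = 2' }
else {
    Report 'FIX' "Step 1: SuppressExtendedProtection is '$sep', expected 2"
    if ($Apply) { Set-RegDword $lsa 'SuppressExtendedProtection' 2 }
}

# 2) IE "Enable Integrated Windows Authentication" (Advanced tab) = EnableNegotiate.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$neg  = Get-RegValue $inet 'EnableNegotiate'
if ($neg -eq 1) { Report 'OK' 'Step 2: Integrated Windows Authentication enabled' }
else {
    Report 'FIX' "Step 2: EnableNegotiate is '$neg', expected 1"
    if ($Apply) { Set-RegDword $inet 'EnableNegotiate' 1 }
}

# 3) IDP host in the Local Intranet zone (zone 1), not Trusted Sites (zone 2).
#    ZoneMap keys are Domains\<registrable domain>\<host part>. Splitting on the
#    last two labels is an assumption that holds for lab.novell.com but not for
#    two-label public suffixes such as co.uk. A site-to-zone GPO would override this.
$labels = $IdpHost.Split('.')
$domain = ($labels[-2..-1]) -join '.'
if ($labels.Length -gt 2) {
    $hostKey  = ($labels[0..($labels.Length - 3)]) -join '.'
    $zonePath = "$inet\ZoneMap\Domains\$domain\$hostKey"
} else {
    $zonePath = "$inet\ZoneMap\Domains\$domain"
}
$zone = Get-RegValue $zonePath 'https'
if ($zone -eq 1) { Report 'OK' "Step 3: https://$IdpHost is in Local Intranet" }
else {
    Report 'FIX' "Step 3: https://$IdpHost zone is '$zone', expected 1 (Local Intranet)"
    if ($Apply) { Set-RegDword $zonePath 'https' 1 }
}

# 4) DES Kerberos encryption types are off by default on Windows 7. Only add
#    DES-CBC-CRC (0x1) and DES-CBC-MD5 (0x2) when AD is really configured for
#    DES; DES is weak, so this is a last resort, not a default.
$krb    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$etypes = Get-RegValue $krb 'SupportedEncryptionTypes'
$hasDes = ($etypes -ne $null) -and (($etypes -band 0x3) -ne 0)
if ($hasDes) {
    Report 'OK' ("Step 4: DES enabled (SupportedEncryptionTypes=0x{0:X})" -f $etypes)
} elseif ($EnableDes) {
    Report 'FIX' 'Step 4: DES not enabled; adding DES-CBC-CRC and DES-CBC-MD5'
    if ($Apply) {
        if ($etypes -eq $null) { $etypes = 0x1C }  # default set: RC4, AES128, AES256
        Set-RegDword $krb 'SupportedEncryptionTypes' ($etypes -bor 0x3)
    }
} else {
    Report 'OK' 'Step 4: DES not enabled (fine unless AD requires DES)'
}

if ($Apply) { Write-Host 'Restart Internet Explorer; reboot to be sure the Lsa change is picked up.' }
```

Run it once without switches to see which of the four steps are missing, then with -Apply (and -EnableDes only if AD is configured for DES). After a fresh logon, `klist` should show a service ticket for the Identity Server's HTTP/ SPN when the protected resource is opened without a credential prompt.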

Additional Information

The client-side changes required to work around the Kerberos issue caused by the security update may become unnecessary with JVM 1.6 update 19, which fixes:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6851973
jgss(krb5plugin) -- ignore incoming channel binding if acceptor does not set one, as per RFC 4121 section 4.1.1.2

This will be included in 3.1 SP3 when available.