Cannot authenticate to IDP server using Kerberos from Windows 7 client running IE8

  • 7006036
  • 19-May-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Windows 2003 server with Active Directory and Kerberos services enabled
Windows 7 clients with IE8

Situation

Access Manager 3.1.1-265 (3.1 SP1 IR3a) not allowing us use Kerberos as a passthru for authentication. Whenever we try to access a protected resource using IE8 (in Win7) or IE7 (in WinXP Pro) with the KB 974455 security patch installed, we are being prompted to enter our credentials. If we uninstall the security patch, IE7 starts to function properly again but IE8 on Windows 7 does not.

Resolution

 
Note that

Note: If the key "SuppressExtendedProtection"does not exist, create a Key named "SuppressExtendedProtection"with a DWORD [in Windows 2K8 DWORD (32 bit)] value of 0x02

2) Ensure "Enable Integrated Windows Authentication" is enabled (Tools -> Internet Options -> Advanced Tab).

3) Ensure the IDP DNS Name or URL is added to the Local Intranet section. (Tools -> Internet Options -> Security Tab -> click Local Intranet -> Sites -> Advanced -> Add Service Provider URL e.g. https://idp126.lab.novell.com/) (Needed in cases where the Service Provider domains and the AD/Client Domains are NOT the same) (Would not work if Domain Name / URL were added to the Trusted Sites section -> Local Intranet should be set for it to work).
 
4) If AD setup to enable DES encryption, Windows 7 must be configured to sent DES encrypted token. DES not enabled by default in Windows 7 and the link at http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx explains how to enable it.

Additional Information

The changes to the client required to bypass the Kerberos issues caused by the security update may be fixed in JVM 1.6 update 19:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6851973
jgss(krb5plugin) -- ignore incoming channel binding if acceptor does not set
one as per RFC 4121 4.1.1.2
Will include this in 3.1 SP3 when available.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.