JSS/krb5 should ignore remote channel binding info when not requested at local side (RFC 4121 4.1.1.2: the acceptor MAY ignore...).

All major krb5 implementors implement this "MAY", and some applications depend on it as a workaround for not having a way to negotiate the use of channel binding -- the initiator application always uses CB and hopes the acceptor will ignore the CB if the acceptor doesn't support CB.
Posted Date : 2009-06-19 10:13:14.0

N/A

http://hg.openjdk.java.net/jdk7/tl/jdk/rev/37ed72fe7561
Posted Date : 2009-06-19 10:13:14.0

Any chance this bug fix (http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/37ed72fe7561) could be released with the next update of JDK/JRE 6.  It seems to make for an interoperability issue between Windows 7 initiators and Java acceptors in an IWA/Kerberos scenario.  For example, tokens are being sent with extended protection data (channel bindings) and an acceptor without channel bindings configured fails:

GSSException: Channel binding mismatch (Mechanism level:
ChannelBinding not provided!) 

Using the latest JDK/JRE 7 early access, interoperability in the scenario works just fine.

Thanks,
Peter

The fix will be backported to update releases of 1.4.2, 5.0 and 6.

Thanks for the details.  Do you know if the fix will be backported for the Java SE 6 Update 18 release specifically?

Yes, it should go into 6u18.

When will update 18 or a beta including the fix be available?

This issue is becoming very very urgent after the release of Microsoft Hotfix 974455 for Internet Explorer which has broken our intranet.  We can't see the patch included in jdk6 update 18. Is there a chance to have this patch for JDK 6 in  a short time?

Thank you very much.
Gianfranco.

This is a serious problem, with the  Microsoft's hotfix the problem is became blocking. Have you  milestone to patch jdk6? 

will there realtly be a backported fix for jdk 5 ? Is it already out?

We are experiencing problems related to this bug.
It's becoming very urgent!
Any idea WHEN a fix for JDK 5 and 6 will be available?

re: wangwj 

I'm not seeing this bug id listed in JRE 6u18 (B01-B03) so far.

I've found this in one of our dev environments, one workaround is to set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0x02 

This has to be set on all the clients.

is there a fix for 6u16

Is there a fix for 6u16

Why can't jdk6u18 include the bugfix? I can't see reasons for priority "low" and and state "fixed" here... please fix this issue!

Thanks, 
  peter

JDK6u18 is released, and this fix is not included. Does anyone have a update on this case?