Cannot authenticate to Identity Server using kerberos with IE8 or updates Windows patches

This document (7004752) is provided subject to the disclaimer at the end of this document.

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3 Linux Novell Identity Server

Situation

Kerberos authentication is enabled on the Identity Server and has been working as expected for months. Users update their workstations frequently with security patches, and after applying one such patch, authentication to the Identity Server using Kerberos fails. Instead of being single signed on to the Identity Server, the user is prompted for his/her credentials via the basic auth popup.

Looking at the catalina.out file, the following error message is displayed when parsing the Kerberos token sent by the browser:

>>> KrbApReq: authenticate succeed.
<amLogEntry> 2009-10-28T12:54:34Z SEVERE NIDS Application: AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813:  Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : Channel binding mismatch (Mechanism level: ChannelBinding not provided!) </amLogEntry>

Resolution

Change the SuppressExtendedProtection registry setting on the client workstation to 0x02. The full path and the possible values are shown below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SuppressExtendedProtection

0x00 - Extended Protection (channel binding) enabled.

0x01 - This makes the client appear unpatched to remote servers, except in cases where the caller of SSPI on the client provides both a channel binding token and a target SPN. The security implication of setting this flag is that clients which do not use channel binding correctly, and clients that do not go over SSL, become vulnerable to authentication relay, even against partially hardened servers.

0x02 - This makes the client set the Kerberos channel binding value to zero even if the calling application correctly supplies the value. In our issue, this means IE 7 will not use extended protection for Kerberos authentication. 0x02 has no effect on NTLM.

0x03 - Combination of 0x01 and 0x02. It always disables channel binding for Kerberos (0x02) and suppresses both channel bindings and service bindings for those NTLM callers that do not supply a channel binding (0x01).

Microsoft's recent security updates for IE have changed these security settings on the client, which is why Kerberos single sign-on to the Identity Server stopped working after patching.
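The following PowerShell script is an added example and not part of this KB document. It reads the SuppressExtendedProtection value on the affected workstation, decodes it according to the flag table above, and applies the 0x02 resolution when the value differs. It assumes an elevated PowerShell session; the function names are hypothetical.

```powershell
# Added example (not from the Novell KB): inspect and, if needed, set the
# SuppressExtendedProtection value described in the resolution above.
# Must run in an elevated PowerShell session to write under HKLM.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$Name    = 'SuppressExtendedProtection'

function Get-SuppressExtendedProtection {
    # Returns the current DWORD value, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function ConvertTo-SuppressExtendedProtectionText([int]$Value) {
    # Decode the two flag bits exactly as listed in the KB's value table.
    switch ($Value -band 0x03) {
        0x00 { 'Extended Protection (channel binding) enabled' }
        0x01 { 'NTLM: channel/service bindings suppressed for callers without a CBT' }
        0x02 { 'Kerberos: channel binding value forced to zero (KB resolution)' }
        0x03 { 'Both 0x01 and 0x02' }
    }
}

function Set-SuppressExtendedProtection([int]$Value) {
    if (-not (Test-Path $RegPath)) { throw "Registry key $RegPath not found" }
    # REG_DWORD: -Force creates the value if absent, overwrites it otherwise.
    New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-SuppressExtendedProtection
if ($null -eq $current) {
    "$Name is not set; the patched client's default behaviour applies"
} else {
    "$Name = 0x{0:X2}: {1}" -f $current, (ConvertTo-SuppressExtendedProtectionText $current)
}

# Apply the KB resolution only when needed, then re-read to confirm the write.
if ($current -ne 0x02) {
    Set-SuppressExtendedProtection 0x02
    "Set $Name to 0x02; value now reads 0x{0:X2}" -f (Get-SuppressExtendedProtection)
}
```

Because 0x02 zeroes the Kerberos channel binding value for every SSPI caller on that workstation, not only for IE, re-check the value after each round of Windows updates to confirm it still reflects the intended setting.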

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7004752
  • Creation Date: 28-OCT-09
  • Modified Date: 26-APR-12
  • NetIQ Access Manager (NAM)
