Cannot authenticate to Identity Server using Kerberos with IE8 or updated Windows patches
This document (7004752) is provided subject to the disclaimer at the end of this document.
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3 Linux Novell Identity Server
In the catalina.out file, the following error is logged when the Identity Server parses the Kerberos token sent by the browser:
>>> KrbApReq: authenticate succeed.
<amLogEntry> 2009-10-28T12:54:34Z SEVERE NIDS Application: AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICEID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : Channel binding mismatch (Mechanism level: ChannelBinding not provided!) </amLogEntry>
0x00 - Enables the protection technology.
0x01 - This makes the client appear unpatched to remote servers except in cases where the caller of SSPI on the client provides both a channel binding token and a target SPN. The security implication of setting this flag is that it makes clients that do not use channel binding correctly, and clients that do not go over SSL, vulnerable to authentication relay, even to partially hardened servers.
0x02 - This makes the client set the Kerberos channel binding value to zero even if the calling application correctly supplies the value. In our issue, IE 7 will not use extended authentication for Kerberos authentication. 0x02 has no effect on NTLM.
0x03 - Combination of 0x01 and 0x02. It always disables channel binding for Kerberos (0x02) and suppresses both channel binding and service binding for those NTLM callers that do not supply channel binding (0x01).
Microsoft's recent security updates for IE have changed the security settings on the client.
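As an added example (not part of this KB article and not NetIQ/Novell code), the following Python script shows how an administrator could scan catalina.out for the SPNEGO/Kerberos channel binding error quoted above and count affected devices, and how the 0x00-0x03 setting values listed above decompose into their two bits. The sample log is constructed from the article's entry plus one made-up benign entry; it assumes long entries are hard-wrapped at a fixed column with no separator (as the article's excerpt shows), and the "present but did not match" wording for a mismatch without the "not provided" detail is the author's interpretation, not text from the article.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample excerpt of catalina.out. The first entry is the one quoted in the
# article, kept wrapped across lines as the article shows it; the second is a made-up
# benign entry (not a real Access Manager message) so the filter has something to skip.
SAMPLE_LOG = """\
>>> KrbApReq: authenticate succeed.
<amLogEntry> 2009-10-28T12:54:34Z SEVERE NIDS Application: AM#200104101: AMDEVIC
EID#D5AF8CA5FBDB5813: Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICE
ID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : AM#200104101: AMDEVICE
ID#D5AF8CA5FBDB5813: : Error processing SPNEGO/Kerberos : Channel binding mismatch (Mechanism level: ChannelBinding not provided!) </amLogEntry>
<amLogEntry> 2009-10-28T12:55:01Z INFO NIDS Application: AMDEVICEID#D5AF8CA5FBDB5813: constructed benign entry, no error </amLogEntry>
"""

ENTRY_RE = re.compile(r"<amLogEntry>(.*?)</amLogEntry>", re.DOTALL)
DEVICE_RE = re.compile(r"AMDEVICEID#([0-9A-Fa-f]+)")
MISMATCH = "Channel binding mismatch"
NOT_PROVIDED = "ChannelBinding not provided"


@dataclass
class Finding:
    timestamp: str
    level: str
    device_id: Optional[str]
    detail: str


def _unwrap(raw: str) -> str:
    # Assumption: long entries are hard-wrapped at a fixed column with nothing inserted
    # (the article's excerpt splits "AMDEVICEID" into "AMDEVIC"/"EID"), so the fragments
    # are concatenated with no separator.
    return raw.replace("\r\n", "").replace("\n", "").strip()


def find_channel_binding_failures(log_text: str) -> List[Finding]:
    """Return one Finding per <amLogEntry> reporting a SPNEGO/Kerberos channel binding mismatch."""
    findings: List[Finding] = []
    for m in ENTRY_RE.finditer(log_text):
        body = _unwrap(m.group(1))
        parts = body.split(None, 2)  # timestamp, level, rest of the entry
        if len(parts) < 3 or MISMATCH not in parts[2]:
            continue
        ts, level, rest = parts
        dev = DEVICE_RE.search(rest)
        if NOT_PROVIDED in rest:
            detail = "mechanism reported ChannelBinding not provided"
        else:
            detail = "channel binding present but did not match"  # interpretation
        findings.append(Finding(ts, level, dev.group(1) if dev else None, detail))
    return findings


def failures_per_device(findings: List[Finding]) -> Dict[str, int]:
    """Count mismatch entries per AMDEVICEID so a jump after a client patch rollout stands out."""
    return dict(Counter(f.device_id or "unknown" for f in findings))


def describe_setting(value: int) -> List[str]:
    """Expand the 0x00-0x03 client setting values listed in the article into the behaviour
    each bit turns on. Bits the article does not define are reported, not ignored."""
    if value == 0:
        return ["extended protection enabled"]
    effects: List[str] = []
    if value & 0x01:
        effects.append("NTLM: client appears unpatched unless the caller supplies a channel binding token and target SPN")
    if value & 0x02:
        effects.append("Kerberos: channel binding value set to zero even when the application supplies it")
    if value & ~0x03:
        effects.append("undefined bits set: 0x%02x" % (value & ~0x03))
    return effects


if __name__ == "__main__":
    hits = find_channel_binding_failures(SAMPLE_LOG)
    for h in hits:
        print(h.timestamp, h.level, h.device_id, h.detail)
    print(failures_per_device(hits))
    print(describe_setting(0x03))
```

Run it against a real catalina.out by replacing SAMPLE_LOG with the file's contents; the per-device count is the useful signal, since a single Identity Server device suddenly accumulating mismatches after a Windows patch cycle points at the client-side setting change described above rather than at a server misconfiguration.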
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7004752
- Creation Date: 28-OCT-09
- Modified Date: 26-APR-12
- NetIQ Access Manager (NAM)