JCIFSSpnegoAuthenticationHandler stops working when instaling patch KB974455 in Internet Explorer

Hello.

We have CAS 3.3 in production (tomcat 6.0.18, JRE 1.6 update 16) and after installing patch KB974455 in Internet Explorer, SPNEGO validation has stopped working.

We have been investigating and we have found that it may be related to Extended Protection for Authentication (http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=14&y=13). It also may be a problem with explorer in windows 7 that come with that extended protection activated (we don't have try it).

Any suggestion?

Here is de stack trace:

jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
       at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
       at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
       at jcifs.spnego.Authentication.process(Authentication.java:235)
       at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:56)
       at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:71)
       at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:88)
       at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:417)
       at org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction.doExecute(AbstractNonInteractiveCredentialsAction.java:80)
       at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:192)
       at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:146)
       at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:59)
       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:156)
       at org.springframework.webflow.engine.State.enter(State.java:191)
       at org.springframework.webflow.engine.Transition.execute(Transition.java:212)
       at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107)
       at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534)
       at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205)
       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161)
       at org.springframework.webflow.engine.State.enter(State.java:191)
       at org.springframework.webflow.engine.Transition.execute(Transition.java:212)
       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:54)
       at org.springframework.webflow.engine.State.enter(State.java:191)
       at org.springframework.webflow.engine.Transition.execute(Transition.java:212)
       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:54)
       at org.springframework.webflow.engine.State.enter(State.java:191)
       at org.springframework.webflow.engine.Transition.execute(Transition.java:212)
       at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107)
       at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534)
       at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205)
       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161)
       at org.springframework.webflow.engine.State.enter(State.java:191)
       at org.springframework.webflow.engine.Flow.start(Flow.java:521)
       at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:193)
       at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:177)
       at org.springframework.webflow.executor.FlowExecutorImpl.launch(FlowExecutorImpl.java:187)
       at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:125)
       at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165)
       at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
       at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
       at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
       at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809)
       at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
       at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
       at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
       at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:857)
       at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:565)
       at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509)
       at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.reflect.InvocationTargetException
       at sun.reflect.GeneratedMethodAccessor64.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
       ... 62 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
       ... 66 more
Caused by: java.lang.reflect.InvocationTargetException
       at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:517)
       ... 68 more
Caused by: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
       at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
       ... 72 more
--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

Hello Scott.

I've tried with jcifs-1.3.12 but error persist.
I've been looking for a newer version of jcifs-ext but in the official site (http://sourceforge.net/projects/jcifs-ext/) there is no one (latest is 0.9.4). However, in https://labs.jboss.com/community/wiki/NegotiateKerberos (at the bottom) there is what looks like a newer version (jcifs-ext-1.2.3.jar). I've tried it but I obtain the same results: SPNEGO autenticacion works with firefox and with all internet explorer versions without patch KB974455 but not if I intall it.

In http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/77d23b537e917d6a?pli=1 they talks about a related problem and they mention that it may be relatad to the JGSS API. They also mention that it will be resolved in a coming update of JRE. What do you think about it?
--

You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev