Recently I’ve been working with a client to build a federated SSO system. One of the requirements was for internal employees to have seamless access using Windows Kerberos. This isn’t anything novel, and is something I’ve worked on for a number of organisations – though not for a while. However we came unstuck with multiple OpenSSO servers behind a load balancer, with SSL termination on the load balancer rather than on the servers themselves. It turns out that Microsoft have done something entirely reasonable and hardened their Kerberos implementation with ‘channel binding’, part of Extended Protection for Authentication: as well as the ticket naming the Service Principal Name the client asked for, Internet Explorer now puts a channel binding token, a hash of the TLS server certificate it negotiated with, into the Kerberos authenticator, so the authentication is tied to that particular SSL session and a token relayed by a man-in-the-middle cannot be used over a different one.
This breaks when SSL is terminated on a load balancer. The browser computes its channel binding from the load balancer’s certificate, but the OpenSSO servers behind it receive plain HTTP and have no TLS channel, and no certificate, from which to reproduce that binding (the load balancer’s DNS name is also the SPN the browser asks for, but that part is handled by the right keytab; the channel binding cannot be). It is the Kerberos acceptor on the server that rejects the token, not the AD domain controller, which only issued the ticket. Microsoft introduced this in August 2009 in Security Advisory 973811 and has progressively enabled it in their clients and servers, including Internet Explorer.
When a server (in this case the OpenSSO servers) doesn’t supply channel bindings of its own, the bindings in an incoming token are supposed to be ignored. Currently available versions of Java don’t ignore them: the JDK’s Kerberos acceptor compares the token’s binding with the bindings it was given (none), treats the difference as a mismatch and throws, and the result is a GSSException in the OpenSSO logs whenever Internet Explorer is used on the client workstation. Firefox isn’t affected because it doesn’t put channel bindings in its tokens.
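To make the failure mode concrete, here is an added Python model of what the browser and the Java acceptor each compute; it is not code from this post, from OpenSSO or from the JDK. It hashes a constructed stand-in for the load balancer’s certificate into an RFC 5929 tls-server-end-point token, folds that into the 16-byte Bnd field of the Kerberos GSS-API checksum (RFC 4121 §4.1.1, using the little-endian RFC 1964 §1.1.1.2 encoding), and then applies the acceptor-side comparison both as the pre-fix JDK did it and as it does after bug 6851973. The certificate bytes, host names and the `ignore_unsolicited` flag are assumptions for illustration; the encoding and the ‘no bindings means sixteen zero bytes’ convention are how MIT krb5 and the JDK behave.

```python
import hashlib
import struct
from typing import Dict, Optional, Tuple

# Constructed stand-ins for certificates in DER form (assumption: only the bytes
# matter to the maths; a real deployment would hash the actual X.509 DER).
LB_CERT_DER = b"CONSTRUCTED-DER-CERT-FOR-lb.example.com"
OTHER_CERT_DER = b"CONSTRUCTED-DER-CERT-FOR-sso1.internal.example.com"

ZERO_BND = bytes(16)  # Bnd field an initiator sends when it supplies no bindings


def tls_server_end_point(cert_der: bytes, cert_sig_hash: str = "sha256") -> bytes:
    """RFC 5929 'tls-server-end-point': a hash of the server certificate, using
    the certificate's signature hash except that MD5 and SHA-1 become SHA-256."""
    algo = "sha256" if cert_sig_hash.lower() in ("md5", "sha1") else cert_sig_hash
    return hashlib.new(algo, cert_der).digest()


def cbt_application_data(cbt: bytes) -> bytes:
    """GSS-API channel-bindings application_data as Windows SSPI builds it:
    the binding type name, a colon, then the binding data."""
    return b"tls-server-end-point:" + cbt


def bnd_field(app_data: Optional[bytes]) -> bytes:
    """16-byte Bnd field of the Kerberos GSS checksum (RFC 4121 section 4.1.1):
    MD5 over the RFC 1964 section 1.1.1.2 encoding of the channel bindings.
    Initiator/acceptor addresses are unspecified (type 0, length 0), as for a
    TLS channel binding token. No bindings at all gives sixteen zero bytes."""
    if app_data is None:
        return ZERO_BND
    encoded = (
        struct.pack("<II", 0, 0)                 # initiator address type, length
        + struct.pack("<II", 0, 0)               # acceptor address type, length
        + struct.pack("<I", len(app_data)) + app_data
    )
    return hashlib.md5(encoded).digest()


def acceptor_check(token_bnd: bytes, acceptor_app_data: Optional[bytes],
                   ignore_unsolicited: bool) -> Tuple[bool, str]:
    """Model of the acceptor comparing the token's Bnd with its own bindings.

    ignore_unsolicited=False: the pre-fix JDK behaviour this post ran into; a
    non-zero Bnd when the acceptor supplied no bindings is a mismatch.
    ignore_unsolicited=True: the behaviour after Java bug 6851973; bindings the
    acceptor never asked for are ignored."""
    if acceptor_app_data is None:
        if token_bnd == ZERO_BND or ignore_unsolicited:
            return True, "no acceptor bindings; initiator bindings ignored"
        return False, "channel binding mismatch: acceptor has no TLS channel to bind to"
    if token_bnd == bnd_field(acceptor_app_data):
        return True, "channel bindings match"
    return False, "channel binding mismatch: acceptor saw a different certificate"


def scenarios() -> Dict[str, bool]:
    """Accept/reject outcome for each deployment discussed in the post."""
    lb_binding = cbt_application_data(tls_server_end_point(LB_CERT_DER))
    ie_bnd = bnd_field(lb_binding)      # IE bound the request to the LB's cert
    firefox_bnd = bnd_field(None)       # Firefox supplies no bindings
    server_binding = cbt_application_data(tls_server_end_point(OTHER_CERT_DER))
    return {
        # SSL terminated on the LB: OpenSSO sees plain HTTP, has no bindings
        "ie_via_lb_old_java": acceptor_check(ie_bnd, None, False)[0],
        "ie_via_lb_fixed_java": acceptor_check(ie_bnd, None, True)[0],
        "firefox_via_lb_old_java": acceptor_check(firefox_bnd, None, False)[0],
        # SSL terminated on the server with the very certificate IE saw
        "ie_direct_same_cert": acceptor_check(ie_bnd, lb_binding, False)[0],
        # SSL terminated on the server with a different certificate
        "ie_direct_other_cert": acceptor_check(ie_bnd, server_binding, False)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:26s} {'accepted' if accepted else 'GSSException'}")
```

The last scenario is the one channel binding exists for: a token that was bound to one certificate is refused by a server presenting another, which is exactly what blocks a relaying man-in-the-middle. The load balancer case fails for a different reason, the acceptor having nothing to compare against, and that is the case the Java fix turns into ‘ignore’ rather than ‘reject’.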
There are various workarounds which might be applicable to your situation:
- Ensure all Windows users use Firefox
- Make a registry change on all Windows clients to disable Extended Protection for Authentication (the SuppressExtendedProtection value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, described in Microsoft KB 968389). Bear in mind this switches off a defence against credential-relay attacks for every site the client talks to, not just this one.
- Upgrade to a build of Java containing the fix for Java bug 6851973, which makes the acceptor ignore channel bindings it didn’t ask for
If you’re looking to upgrade Java, the fix is available in the pre-release builds of Java 7. It may be available in Java 6u19, but it is not in the currently released Java 6u18 or prior, unless you’re paying for Java for Business – there the fix is in 6u17-rev-b06.
Hopefully this post proves useful to someone – it took us some time to find both the cause of the problem and the resolution.