Are we the only group that has Vintela SSO configured with Kerberos encryption on Windows servers and whose client PCs using Internet Explorer have started to display HTTP Status 500...Channel binding mismatch? We see NOTHING on the web or in any of the forums on this. Client PCs effected have the Microsoft Updates of 10/13/09 applied (especially KB974455).

We have:

- Business Objects Enterprise XI 3.1 with FixPack 1_7

- Windows 2003 Servers for the Vintela and Business Objects Enterprise installation and authentication. On the client side, any version of IE (6, 7, 8) is impacted as soon as the Microsoft Updates are applied (removing KB974455 seems to clear up the problem, but it is a combination of updates that need to be in place for it to occur).

Manual login is not impacted (thank goodness), but we'd much prefer SSO. Suggestions?

A similar phenomenon is caused in the our environment .
We use EP of the SAP.
I realized SSO which used kerberos between AD and EP.
However, I was not able to use SSO when I applied Microsoft update KB974455.
The version of the OS of our client PC is windows XP Professional SP3.
Because Microsoft update KB974455 is a patch preventing serious security, I want to apply it.
However, I am troubled with SSO because I want to continue using it.
If there is a solution, please show me it.

Since the system is in-use, I would prefer not to switch from using the keytab to a straight password to enable tracing -- at least not until the weekend (when there are less users). I assure you that we are not using DES -- I configured it for RC4. We also have not upgraded our DCs to 2008 yet, and the SSO continues to work perfectly for any client PC which has not applied the recent Microsoft patches. If necessary, I will come in this weekend and get a trace for you. Thanks a bunch!

We haven't applied the 10/13/2009 patches yet (but intend to do so this weekend) - and have a couple of questions...

1.) Does this effect all the "flavours" of Enterprise 3.1 (eg. Crystal Report 2008 Server, Business Objects Edge 3.1) - or is it Enterprise 3.1 specific...?

2.) Does it effect WinAD SSO into both the Java (Tomcat) and .Net (IIS) InfoView applications - or is it specific to a certain web-platform....?

Thanks in advance!

Mark,

1.) We do not have Crystal Report 2008 Server, nor Business Objects Edge 3.1 -- we can only attest to the impact on Enterprise 3.1 logins.

2.) We only use the Java (Tomcat) portion since the .NET/IIS stuff is being phased out.

So, basically, I can't answer either of your questions. Sorry.

Mark,

My apologies. I downloaded the documentation for 3.0 long before I downloaded/installed 3.1. My information is old regarding the IIS stuff. We never used the IIS portion even back with XI R2, so my attention was focused elsewhere.

looking at the patch details I can't see what's happening. My guess is that it's either changing IE settings or IE SSO behavior (since the patch seems to refer to only IE stuff). It is very likely that at least kerberos SSO will also be affected as they both use spnego. NTLM may be ok but who knows.

I did not get a chance to test this today so we'll have to see next week. It sounds like this could be a serious issue so create cases if you can.

Also see the following SAP notes 1379894 for IE rules for configuration or 1245342 for manual logon instructions or 1263764 for firefox (kerberos) SSO instructions.

Looking at the initial findings it looks like this may need to be escalated to Microsoft

Regards,

Tim

Hi,

we have the same problem: we have realized SSO between EP and AD. Before installing KB974455 the integrated Window Authentification worked fine. Now, with KB974455 we get the following exception:

org.ietf.jgss.GSSException, major code: 1, minor code: 0
major string: Channel binding mismatch
minor string: ChannelBinding checksum failed verification
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:34)
at com.ibm.security.jgss.mech.krb5.k.a(k.java:409)
at com.ibm.security.jgss.mech.krb5.k.b(k.java:207)
at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:76)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:353)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:79)
at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:749)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:365)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:231)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

Our System:
Client: Windows XP SP2, IE 7.0.5730.13
Server OS: Linux (amd64) 2.6.16.60-0.33-smp
ADS LDAP: Windows 2003 Server
SAP Version: NetWeaver 7.0 SP18
JDK: j2sdk1.4.2_16-x64, IBM

With Firefox the IWA works still fine.
What can we do to fix the problem with IE?