Troubleshooting GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
at org.jboss.security.auth.AdvancedWebCallbackHandler$1.run(AdvancedWebCallbackHandler.java:236)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at org.jboss.security.auth.CommonKerberosUtils.doAsKerberosSubject(CommonKerberosUtils.java:64)
at org.jboss.security.auth.AdvancedWebCallbackHandler.handleNegotiateCallback(AdvancedWebCallbackHandler.java:211)
at org.jboss.security.auth.AdvancedWebCallbackHandler.handleCallbacks(AdvancedWebCallbackHandler.java:151)
at org.jboss.security.auth.AdvancedWebCallbackHandler.handle(AdvancedWebCallbackHandler.java:107)
at org.jboss.security.auth.HttpServletRequestResponseValve.doNegotiate(HttpServletRequestResponseValve.java:382)
at org.jboss.security.auth.HttpServletRequestResponseValve.authenticate(HttpServletRequestResponseValve.java:263)
at org.jboss.security.auth.HttpServletRequestResponseValve.authenticate(HttpServletRequestResponseValve.java:237)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.security.auth.HttpServletRequestResponseValve.invoke(HttpServletRequestResponseValve.java:128)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
Caused by: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.
at sun.security.jgss.krb5.InitSecContextToken.
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at org.jboss.security.auth.AdvancedWebCallbackHandler$1.run(AdvancedWebCallbackHandler.java:226)
... 22 more
Google lead me to this forum thread:
http://forums.sdn.sap.com/thread.jspa?threadID=1504390&start=15&tstart=0
Apparently one of the server patches we applied changed the SharePoint server's "Extended Protection for Authentication" behavior (http://support.microsoft.com/?scid=kb;en-us;968389&x=10&y=18), which was causing kerberos to fail for our Teamworks Web Part.
We ended up adding the registry key "SuppressExtendedProtection" as a DWORD type with a value of "2" to the node "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" on the SharePoint web front end where the Web Part was running. After a reboot, it fixed our problem.