Article ID: 973811 - Last Review: May 8, 2012 - Revision: 6.0

Microsoft Security Advisory: Extended protection for authentication

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows (http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs) .

On This Page

Expand all | Collapse all

INTRODUCTION

Microsoft has released security advisory 973811. To view the complete security advisory, visit the following Microsoft website:
http://www.microsoft.com/technet/security/advisory/973811.mspx (http://www.microsoft.com/technet/security/advisory/973811.mspx)
Back to the top

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update (http://support.microsoft.com/ph/6527)

Security solutions for IT professionals: TechNet Security Troubleshooting and Support (http://technet.microsoft.com/security/bb980617.aspx)

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center (http://support.microsoft.com/contactus/cu_sc_virsec_master)

Local support according to your country: International Support (http://support.microsoft.com/common/international.aspx)

Back to the top

MORE INFORMATION

How do I configure .NET to utilize Extended Protection for Authentication?

Here are the steps for enabling Extended Protection for the Microsoft .NET Framework 2.0 Service Pack 2, .NET Framework 3.0 Service Pack 2, and .NET Framework 3.5 SP1.

For .NET Framework 2.0 Service Pack 2 (Network Class Library)

Extended protection can be turned on by setting properties on HttpListener. For more information, visit the following Microsoft MSDN websites:
HttpListener.ExtendedProtectionPolicy (http://msdn.microsoft.com/en-us/library/system.net.httplistener.extendedprotectionpolicy(v=VS.100).aspx)
HttpListener.ExtendedProtectionSelectorDelegate (http://msdn.microsoft.com/en-us/library/system.net.httplistener.extendedprotectionselectordelegate(v=VS.100).aspx)
HttpListener.DefaultServiceNames (http://msdn.microsoft.com/en-us/library/system.net.httplistener.defaultservicenames(v=VS.100).aspx)
If NegotiateStream is used, then the appropriate overloads of [Begin]AuthenticateAsServer and [Begin]AuthenticateAsClient need to be used: For more information, visit the following Microsoft MSDN websites:
http://msdn.microsoft.com/en-us/library/dd413524(v=VS.100).aspx (http://msdn.microsoft.com/en-us/library/dd413524(v=VS.100).aspx)
http://msdn.microsoft.com/en-us/library/dd413526(v=VS.100).aspx (http://msdn.microsoft.com/en-us/library/dd413526(v=VS.100).aspx)
http://msdn.microsoft.com/en-us/library/dd413525(v=VS.100).aspx (http://msdn.microsoft.com/en-us/library/dd413525(v=VS.100).aspx)
http://msdn.microsoft.com/en-us/library/dd413527(v=VS.100).aspx (http://msdn.microsoft.com/en-us/library/dd413527(v=VS.100).aspx)


In addition to the recommendations in these Microsoft websites, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968389  (http://support.microsoft.com/kb/968389/ ) Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.

For .NET Framework 2.0 Service Pack 2 (ASP.NET)

No special action is required in order to use Extended Protection.

For .NET Framework 3.0 Service Pack 2 (WCF)

To enable the Extended Protection for Authentication feature in WCF, follow these steps: To do this, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968389  (http://support.microsoft.com/kb/968389/ ) Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.
  3. Install the Extended Protection for Authentication update for Internet Information Services (IIS) when IIS is installed.

    After you install the update, follow the instructions in KB article 973917 to configure extended protection in IIS. For more information, click the following article numbers to view the article in the Microsoft Knowledge Base:
    973917  (http://support.microsoft.com/kb/973917/ ) Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
    970430  (http://support.microsoft.com/kb/970430/ ) Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
  4. Use the ExtendedProtectionPolicy class in WCF to represent the extended protection policy that the server uses to validate incoming client connections. The class can be applied only when the security mode is set to Transport mode or to TransportWithMessageCredential mode. The following is a sample code that shows the configuration in a binding element of a service config file: 
    
<binding>
……………
   <security mode="Transport">
           <transport ……………>                     
             <extendedProtectionPolicy policyEnforcement ="WhenSupported"/>
           </transport > 
         </security>
</binding>
    For more information about the Extended Protection for Authentication feature, visit the following Microsoft TechNet website:
    Extended Protection for Authentication (http://blogs.technet.com/b/srd/archive/2009/12/08/extended-protection-for-authentication.aspx)
For more configuration information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Collapse this tableExpand this table
Article numberArticle title
982532  (http://support.microsoft.com/kb/982532/ ) Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767 and 980843): June 8, 2010
982533  (http://support.microsoft.com/kb/982533/ ) Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768 and 980842): June 8, 2010
982535  (http://support.microsoft.com/kb/982535/ ) Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767, 980843, and 976771): June 8, 2010
982536  (http://support.microsoft.com/kb/982536/ ) Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768, 980842, and 976772): June 8, 2010
982167  (http://support.microsoft.com/kb/982167/ ) Description of the rollup update for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 on Windows XP and on Windows Server 2003 (976765 and 980773): June 8, 2010
982168  (http://support.microsoft.com/kb/982168/ ) Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows XP and on Windows Server 2003 (976765, 980773 and 976769): June 8,
2262911  (http://support.microsoft.com/kb/2262911/ ) "Could not load type 'System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy'" exception error after you install update 982167 or update 982168
Back to the top

Known Issues

For more information about known issues with this software, click the following article number to view the article in the Microsoft Knowledge Base:
Collapse this tableExpand this table
Article numberArticle title
2197146  (http://support.microsoft.com/kb/2197146/ ) Updates for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 may cause the Microsoft Knowledge Base article number to appear instead of the full title of the update in the Add or Remove Programs item in Control Panel
Back to the top
APPLIES TO
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.0 Service Pack 2
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Back to the top
Keywords: 
kbsecadvisory atdownload kbbug kbexpertiseinter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB973811
Back to the top