A hotfix is available that adds the Extended Protection for Authentication feature to WCF in the .NET Framework 3.5 SP1 for Windows Vista and for Windows Server 2008

Article translations Article translations
Article ID: 981205 - View products that this article applies to.
Expand all | Collapse all

On This Page

Introduction

A hotfix is available that adds the Extended Protection for Authentication feature to Windows Communication Foundation (WCF) in the Microsoft .NET Framework 3.5 Service Pack 1 (SP1). This hotfix applies to Windows Vista and to Windows Server 2008. The Extended Protection for Authentication feature helps prevent relay attacks when you use Integrated Windows Authentication (IWA).

For more information about the Extended Protection for Authentication feature and about relay attacks, visit the following Microsoft Developer Network (MSDN) Web site:
Overview of the Extended Protection for Authentication feature and of relay attacks

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

You must have the .NET Framework 3.5 SP1 installed to apply this hotfix.

Restart requirement

You do not have to restart the computer after you apply this hotfix if affected files are not being used.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x86-based versions of Windows Vista Service Pack 2 (SP2) and of Windows Server 2008 SP2
Collapse this tableExpand this table
File nameFile versionFile sizeDateTime
Smdiagnostics.dll3.0.4506.4504110,59209-Mar-201011:02
System.servicemodel.washosting.dll3.0.4506.450432,76809-Mar-201011:03
Servicemodel.mofNot Applicable84,98509-Mar-201011:02
Servicemodel.mof.uninstallNot Applicable89603-Apr-200921:16
Servicemonikersupport.dll3.0.4506.450417,25609-Mar-201011:02
System.identitymodel.dll3.0.4506.4504442,36809-Mar-201011:01
System.runtime.serialization.dll3.0.4506.4504970,75209-Mar-201011:01
System.servicemodel.dll3.0.4506.45045,988,35209-Mar-201011:02
For all supported x64-based versions of Windows Vista SP2 and of Windows Server 2008 SP2
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Servicemodel.mofNot Applicable84,98509-Mar-201011:01Not Applicable
Servicemodel.mof.uninstallNot Applicable89603-Apr-200920:55Not Applicable
Servicemonikersupport.dll3.0.4506.450419,30409-Mar-201011:01x64
Smdiagnostics.dll3.0.4506.450494,20809-Mar-201011:01x64
System.identitymodel.dll3.0.4506.4504401,40809-Mar-201011:00x64
System.runtime.serialization.dll3.0.4506.4504847,87209-Mar-201011:00x64
System.servicemodel.washosting.dll3.0.4506.450432,76809-Mar-201011:01x64
System.servicemodel.dll3.0.4506.45045,328,89609-Mar-201011:00x64
For all supported IA-64-based versions of Windows Server 2008 SP2
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Servicemodel.mofNot Applicable84,98509-Mar-201011:02Not Applicable
Servicemodel.mof.uninstallNot Applicable89603-Apr-200920:57Not Applicable
Servicemonikersupport.dll3.0.4506.450433,64009-Mar-201011:02IA-64
Smdiagnostics.dll3.0.4506.450494,20809-Mar-201011:02IA-64
System.identitymodel.dll3.0.4506.4504401,40809-Mar-201011:02IA-64
System.runtime.serialization.dll3.0.4506.4504847,87209-Mar-201011:02IA-64
System.servicemodel.washosting.dll3.0.4506.450432,76809-Mar-201011:02IA-64
System.servicemodel.dll3.0.4506.45045,328,89609-Mar-201011:02IA-64

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

To enable the Extended Protection for Authentication feature in WCF, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI).

    This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.

    For more information about the registry settings, click the following KB article number:
    968389 Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.
  3. Install the Extended Protection for Authentication update for Internet Information Services (IIS) when IIS is installed.

    After you install the update, follow the instructions in KB article 973917 to configure extended protection in IIS. For more information about these instructions, click the following KB article number:
    973917 Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
    970430 Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
  4. Use the ExtendedProtectionPolicy class in WCF to represent the extended protection policy that the server uses to validate incoming client connections.

    The class can be applied only when the security mode is set to Transport mode or to TransportWithMessageCredential mode.
The following is a sample code that shows the configuration in a binding element of a service config file:
<binding>
……………
   <security mode="Transport">
           <transport ……………>                     
             <extendedProtectionPolicy policyEnforcement ="WhenSupported"/>
           </transport > 
         </security>
</binding>
For more information about the Extended Protection for Authentication feature, visit the following Microsoft TechNet Web site:
Extended Protection for Authentication
For more information about hotfixes for the support of the Extended Protection for Authentication feature in the .NET Framework 3.5 SP1, click the following KB article numbers:
981201 hotfix is available for ASP.NET 2.0 that enables support for extended protection
981202 A hotfix is available that enables support for extended protection for the .NET Framework 3.5 SP1 in Windows Vista and in Windows Server 2008
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 981205 - Last Review: October 6, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft .NET Framework 3.5 Service Pack 1
Keywords: 
kbexpertiseadvanced kbsurveynew kbqfe KB981205

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com