- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
Update information
This update adds an automatic logon level that determines when it is acceptable for WinHTTP to include the default credentials in a request. The update adds the following logon level:
Value
Available values are listed in the following table:
After you install this update and configure the logon level, Msiexec.exe uses the WinHttpSetCredentials function to pass the required authorization credentials to the content server if the first anonymous access request fails.
Automatic Logon Policy
The automatic logon (auto-logon) policy determines when it's acceptable for WinHTTP to include the default credentials in a request. The default credentials are either the current thread token or the session token, which depends on whether WinHTTP is used in synchronous or asynchronous mode. The thread token is used in synchronous mode, and the session token is used in asynchronous mode. These default credentials are often the username and password used to log on to Microsoft Windows.
The auto-logon policy was implemented to prevent these credentials from being casually used to authenticate against an untrusted server. By default, we set the security level to WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM. This enables the default credentials to be used only for intranet requests. The auto-logon policy only applies to the NTLM and Negotiate authentication schemes. Credentials are never automatically transmitted with other schemes.
The auto-logon policy can be set by using the WinHttpSetOption function with the WINHTTP_OPTION_AUTOLOGON_POLICY flag. This flag applies only to the request handle. When the policy is set to WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW, default credentials can be sent to all servers. When the policy is set to WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH, default credentials cannot be used for authentication. We strongly recommend that you keep the auto-logon policy at the MEDIUM level.
Assume that the content server or the source is specified by a fully qualified domain name (FQDN) URL in System Center Configuration Manager 2012. With WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM, the request still fails, because WinHTTP sends user credentials only in response to requests that go to a local intranet site. Note that WinHTTP does not consult the Internet Explorer security zone settings to decide whether a website is in a zone that allows credentials to be sent automatically.
If no proxy is configured, WinHTTP sends credentials only to local intranet sites.
Note: If the URL contains no period in the server name, such as in the following example, the server is assumed to be on a local intranet site:
If the URL contains periods, the server is assumed to be on the Internet, because the periods indicate an FQDN address. Therefore, no credentials are sent automatically to this server unless a proxy is configured and this server is listed for proxy bypass.
However, if a proxy cannot be configured and you cannot use an intranet site name (as described earlier), you can use WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW. To make sure that the default credentials are not sent to an untrusted server, use HTTPS and secure the site with proper SSL certificates. On its own, WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW sends default credentials to all servers, which is what makes it the less secure option; combined with HTTPS, default credentials are sent only to servers for which server authentication succeeds. See setting up HTTPS for SCCM.
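The rules in the two sections above (the NTLM/Negotiate restriction, the three policy levels, the "no period in the server name" intranet heuristic, proxy bypass, and the HTTPS condition that makes LOW tolerable) can be folded into a single decision function that an administrator can run against a planned configuration before changing the policy. The Python model below is an added example, not code from this article, from WinHTTP, or from Configuration Manager; the Scenario fields, the host names, and the audit helper are constructed for illustration, and the function only approximates the rules as the article states them.

```python
"""Model of the WinHTTP auto-logon decision rules described in this article.

Constructed illustration, not WinHTTP's own code: it encodes the rules the
article states (policy level, the NTLM/Negotiate restriction, the
"no period in the server name" intranet heuristic, proxy bypass, and the
HTTPS server-authentication condition) so an administrator can check whether
a given configuration would release default credentials to a given server.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class AutoLogonLevel(Enum):
    # Numeric values as defined for these constants in winhttp.h.
    MEDIUM = 0  # WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM (the default)
    LOW = 1     # WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW
    HIGH = 2    # WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH


@dataclass
class Scenario:
    url: str
    policy: AutoLogonLevel
    auth_scheme: str                    # scheme the server challenged with
    proxy_configured: bool = False      # a proxy is set for the request
    proxy_bypass: bool = False          # the server is on the proxy bypass list
    server_authenticated: bool = False  # HTTPS certificate validation succeeded


def is_intranet_name(host: str) -> bool:
    """Article rule: a server name without a period is treated as intranet.

    WinHTTP does not consult Internet Explorer zone settings, so this string
    heuristic (plus proxy bypass) is the whole intranet test.
    """
    return "." not in host


def default_credentials_sent(s: Scenario) -> tuple[bool, str]:
    """Return (sent?, reason) for one request under the modelled rules."""
    parts = urlsplit(s.url)
    host = parts.hostname or ""

    # Auto-logon applies only to NTLM and Negotiate; other schemes never
    # receive default credentials automatically.
    if s.auth_scheme.upper() not in ("NTLM", "NEGOTIATE"):
        return False, f"{s.auth_scheme}: default credentials never sent automatically"

    if s.policy is AutoLogonLevel.HIGH:
        return False, "HIGH: default credentials cannot be used"

    if s.policy is AutoLogonLevel.LOW:
        # LOW sends default credentials to any server. Over HTTPS the request
        # only reaches authentication if the server certificate validated,
        # which is the mitigation the article recommends when LOW is unavoidable.
        if parts.scheme == "https" and not s.server_authenticated:
            return False, "LOW over HTTPS: server authentication failed, no request made"
        if parts.scheme == "https":
            return True, "LOW over HTTPS: server authenticated, credentials sent"
        return True, "LOW over plain HTTP: credentials sent to any server (least secure)"

    # MEDIUM: intranet only. Two ways a server counts as intranet.
    if is_intranet_name(host):
        return True, "MEDIUM: no period in server name, treated as intranet"
    if s.proxy_configured and s.proxy_bypass:
        return True, "MEDIUM: FQDN on proxy bypass list, treated as intranet"
    return False, "MEDIUM: FQDN treated as Internet, credentials withheld"


# Constructed scenarios for a Configuration Manager content server; the host
# names and paths are placeholders, not real systems.
SCENARIOS = [
    Scenario("http://ccmserver/content/", AutoLogonLevel.MEDIUM, "Negotiate"),
    Scenario("http://ccm.corp.example/content/", AutoLogonLevel.MEDIUM, "Negotiate"),
    Scenario("http://ccm.corp.example/content/", AutoLogonLevel.MEDIUM, "Negotiate",
             proxy_configured=True, proxy_bypass=True),
    Scenario("http://ccm.corp.example/content/", AutoLogonLevel.LOW, "NTLM"),
    Scenario("https://ccm.corp.example/content/", AutoLogonLevel.LOW, "NTLM"),
    Scenario("https://ccm.corp.example/content/", AutoLogonLevel.LOW, "NTLM",
             server_authenticated=True),
    Scenario("http://ccmserver/content/", AutoLogonLevel.HIGH, "Negotiate"),
    Scenario("http://ccmserver/content/", AutoLogonLevel.MEDIUM, "Basic"),
]


def audit(scenarios: list[Scenario]) -> list[tuple[str, bool, str]]:
    """Evaluate each scenario; returns (url, sent, reason) rows."""
    return [(s.url, *default_credentials_sent(s)) for s in scenarios]


if __name__ == "__main__":
    for url, sent, reason in audit(SCENARIOS):
        print(f"{'SENT    ' if sent else 'WITHHELD'} {url:40} {reason}")
```

Running the audit over the constructed scenarios reproduces the article's argument: the FQDN content server gets no credentials under MEDIUM unless it is on the proxy bypass list, LOW over plain HTTP releases them to anything that answers with an NTLM or Negotiate challenge, and LOW over HTTPS releases them only once the server certificate has validated.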
How to obtain this update
The following files are available for download from the Microsoft Download Center:

| Operating system | Download |
|---|---|
| All supported x86-based versions of Windows Vista | Download the update package now. |
| All supported x64-based versions of Windows Vista | Download the update package now. |
| All supported x86-based versions of Windows Server 2008 | Download the update package now. |
| All supported x64-based versions of Windows Server 2008 | Download the update package now. |
| All supported IA-64-based versions of Windows Server 2008 | Download the update package now. |
| All supported x86-based versions of Windows 7 | Download the update package now. |
| All supported x64-based versions of Windows 7 | Download the update package now. |
| All supported x64-based versions of Windows Server 2008 R2 | Download the update package now. |
| All supported IA-64-based versions of Windows Server 2008 R2 | Download the update package now. |
Prerequisites
To apply this update, you must be running one of the following operating systems:
- Windows Vista Service Pack 2 (SP2)
- Windows Server 2008 Service Pack 2 (SP2)
- Windows 7
- Windows 7 Service Pack 1 (SP1)
- Windows Server 2008 R2
- Windows Server 2008 R2 Service Pack 1 (SP1)