Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

Introduction

This article describes a nonsecurity update that implements Extended Protection for Authentication in Internet Information Services (IIS).

When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server to which the client tries to connect and to the outer Transport Layer Security (TLS) channel over which Integrated Windows Authentication happens.

Note On March 9, 2010, this update was rereleased to address an installation issue and a functional issue:
  • This update will now correctly detect when a computer that is running Windows Server 2003 Service Pack 2 (SP2) is in an installation where IIS 6 contains some Windows Server 2003 Service Pack 1 (SP1) binaries, and will refuse to install and exits with an error code. The versions of update 973917 that were released before this date will successfully install, but they could cause IIS to not restart after installation.
  • On a computer that is running Windows Server 2003, this rerelease addresses an issue that could cause excessive amounts of memory to be allocated upon enabling Extended Protection for Authentication.
  • On a computer that is running Windows Server 2008, this rerelease addresses an issue that could cause Extended Protection not to function correctly when IIS is configured to use kernel-mode Windows Authentication.

More Information

Configuration

Extended protection enhances the existing Windows Authentication functionality to mitigate authentication relay or "man in the middle" attacks. This mitigation is accomplished by using security information that is implemented through two security mechanisms:
  • Channel binding information that is specified through a Channel Binding Token (CBT). This is used primarily for SSL connections.
  • Service binding information that is specified through a service principal name (SPN). This is used primarily for connections that do not use SSL or when a connection is established. For example, this might be in a scenario in which SSL is offloaded to another device, such as a proxy server or load-balancer.
In IIS 7.0, Extended Protection is configured through the <extendedProtection> element. Detailed configuration information can be found under the header "Configuration on IIS 7.0 and IIS 7.5". For IIS 6.0, the same configuration parameters are used, but the parameters are deployed by using registry keys. (Review the section "Configuration on IIS 6.0.")

The <extendedProtection> element may contain a collection of <spn> elements, each of which contains a unique SPN for the service binding information. Each SPN represents a unique endpoint in the connection path. It may be a Fully Qualified Domain Name (FQDN) or NetBIOS name of the destination server or a proxy server. For example, if a client is connecting to a destination server through a proxy server, the SPN collection on the destination server would have to contain the SPN for the proxy server. Each SPN in the collection must be prefixed with "HTTP". Therefore, the SPN for "www.contoso.com" would be "HTTP/www.contoso.com".

Extended Protection Scenarios

Consider the following sample scenarios.
ScenarioFlagsDescription
Client connects directly to destination server that uses HTTP.Proxy, ProxyCohostingSPN checking will be used, and channel binding token checking will not be used.
Client connects directly to destination server that uses SSL.NoneChannel binding token checking is used, and SPN checking is not used.
Client connects to destination server through a proxy server that uses HTTP for the path.Proxy, ProxyCohostingSPN checking will be used, and channel binding token checking will not be used.
Client connects to destination server through a proxy server that uses SSL for the path.ProxySPN checking will be used, and channel binding token checking will not be used.
Client connects to proxy server that uses SSL, and proxy server connects to the destination server that uses HTTP (SSL off-loading).ProxySPN checking will be used, and channel binding token checking will not be used.
  • In these scenarios, you could also specify the AllowDotlessSpn flag if your networking environment supports NetBIOS-based SPNs. However, NetBIOS-based SPNs are not secure.
  • For the scenarios in which SPN checking will be used, and channel binding token checking will not be used, you should not specify the NoServiceNameCheck flag.
  • Default installation of IIS 6.0, IIS 7.0, or IIS 7.5 does not enable or install Windows authentication. Extended Protection is applicable only when Windows authentication is enabled for your Web site or application.

Configuration on IIS 7.0 and 7.5

The default installation of IIS 7.0 does not include the Windows authentication role service. To use Windows authentication on IIS, you must install the role service, disable Anonymous authentication for your Web site or application, and then enable Windows authentication for the site or application.

Note After you install the role service, IIS 7.0 commits the following configuration settings to the ApplicationHost.config file.
<windowsAuthentication enabled="false" />

How to enable Extended Protection for Windows authentication for IIS 7.5

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the Connections pane, expand the server name, expand Sites, and then select the site, application or Web service for which you want to enable Extended Protection for Windows authentication.
  3. Scroll to the Security section in the Home pane, and then double-click Authentication.

  4. In the Authentication pane, select Windows Authentication.

  5. Click Enable in the Actions pane.


  6. Click Advanced Settings in the Actions pane.

  7. When the Advanced Settings dialog box appears, select one of the following options in the Extended Protection menu:
    • Select Accept if you want to enable extended protection while providing down-level support for clients that do not support extended protection.
    • Select Required if you want to enable extended protection without providing down-level support.

  8. Click OK to close the Advanced Settings dialog box.

How to enable Extended Protection for Windows authentication for IIS 7.0

Internet Information Services (IIS) Manager for IIS 7.0 does not expose the options to make changes to Extended Protection. Therefore, changes have to be made by using the configuration sample or the scripts that are shown later in this article.

Configuration

Attribute
The <extendedProtection> element is configurable at the site, application, or virtual directory level in the ApplicationHost.config file.
AttributeDescription
flagsOptional flags attribute.



Specifies the additional behavior settings for extended protection.



The flags attribute can be a combination of the values in the next table. The default value is None.
tokenCheckingOptional enum attribute.



Specifies the behavior for checking channel binding information.



The tokenChecking attribute can be one of the values in the next table. The default value is None.
The flags attribute configures additional behavior for extended protection. The possible flags are as follows.
NameDescription
NoneThis flag specifies that no additional behavior is enabled for extended protection. (For example, no proxy server is being used and SPN checking is enabled and requires FQDNs.)


The numeric value is 0.
ProxyThis flag specifies that part of the communication path will be through a proxy, or the client is connecting directly to the destination server over HTTP.


The numeric value is 1.
NoServiceNameCheckThis flag specifies that SPN checking is disabled. This flag should not be used in scenarios where only SPNs are being checked.


The numeric value is 2.
AllowDotlessSpnThis flag specifies that SPNs are not required to be an FQDN.

Note Setting this flag is not a secure scenario, as non-FQDN based names are vulnerable to name resolution poisoning attacks. This setting is not recommended as it may expose customers to risk.


The numeric value is 4.
ProxyCohostingThis flag specifies that the client-to-server communication path will use HTTP only. No part of the communication path will use SSL, and SPN checking will be used.

Note When you specify this flag, you must also specify the Proxy flag.


The numeric value is 32.
The tokenChecking attribute configures the behavior for checking for channel binding tokens. The possible values for this attribute are as follows.
NameDescription
NoneThis value specifies that IIS will not perform channel binding token checking. This setting emulates the behavior that existed before extended protection.


The numeric value is 0.
AllowThis value specifies that channel binding token checking is enabled but not required. This setting allows communications with clients that support extended protection to be protected by the feature, but still supports clients that cannot use extended protection.


The numeric value is 1.
RequireThis value specifies that channel binding token checking is required. This setting does not provide support for clients that do not support extended protection.


The numeric value is 2.
Child Elements
ElementDescription
spnAdds an SPN to the collection.
clearSpnsClears the collection of SPNs.
removeSpnRemoves an SPN from the collection.

Configuration Sample

The following sample displays a <extendedProtection> element that demonstrates enabling Windows authentication with extended protection for the Default Web Site. The sample adds two SPN entries to the collection of SPNs.
<location path="Default Web Site">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true">
<extendedProtection tokenChecking="Allow" flags="None">
<spn name="HTTP/www.contoso.com" />
<spn name="HTTP/contoso.com" />
</extendedProtection>
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
</location>

Sample Code

The following examples demonstrate how to enable Windows authentication with extended protection for the Default Web Site and how to add two SPNs to the collection.
AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"Allow" /extendedProtection.flags:"None" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /+"extendedProtection.[name='HTTP/www.contoso.com']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /+"extendedProtection.[name='HTTP/contoso.com']" /commit:apphost
Note You must make sure to set the commit parameter to APPHOST when you use AppCmd.exe to configure these settings. This setting commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
private static void Main()
{
using (ServerManager serverManager = new ServerManager())
{
Configuration config = serverManager.GetApplicationHostConfiguration();

ConfigurationSection windowsAuthenticationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Default Web Site");
windowsAuthenticationSection["enabled"] = true;

ConfigurationElement extendedProtectionElement = windowsAuthenticationSection.GetChildElement("extendedProtection");
extendedProtectionElement["tokenChecking"] = @"Allow";
extendedProtectionElement["flags"] = @"None";

ConfigurationElementCollection extendedProtectionCollection = extendedProtectionElement.GetCollection();

ConfigurationElement spnElement = extendedProtectionCollection.CreateElement("spn");
spnElement["name"] = @"HTTP/www.contoso.com";
extendedProtectionCollection.Add(spnElement);

ConfigurationElement spnElement1 = extendedProtectionCollection.CreateElement("spn");
spnElement1["name"] = @"HTTP/contoso.com";
extendedProtectionCollection.Add(spnElement1);

serverManager.CommitChanges();
}
}
}

Visual Basic .NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetApplicationHostConfiguration

Dim windowsAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Default Web Site")
windowsAuthenticationSection("enabled") = True

Dim extendedProtectionElement As ConfigurationElement = windowsAuthenticationSection.GetChildElement("extendedProtection")
extendedProtectionElement("tokenChecking") = "Allow"
extendedProtectionElement("flags") = "None"

Dim extendedProtectionCollection As ConfigurationElementCollection = extendedProtectionElement.GetCollection

Dim spnElement As ConfigurationElement = extendedProtectionCollection.CreateElement("spn")
spnElement("name") = "HTTP/www.contoso.com"
extendedProtectionCollection.Add(spnElement)

Dim spnElement1 As ConfigurationElement = extendedProtectionCollection.CreateElement("spn")
spnElement1("name") = "HTTP/contoso.com"
extendedProtectionCollection.Add(spnElement1)

serverManager.CommitChanges()
End Sub
End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";

var windowsAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/windowsAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site");
windowsAuthenticationSection.Properties.Item("enabled").Value = true;

var extendedProtectionElement = windowsAuthenticationSection.ChildElements.Item("extendedProtection");
extendedProtectionElement.Properties.Item("tokenChecking").Value = "Allow";
extendedProtectionElement.Properties.Item("flags").Value = "None";

var extendedProtectionCollection = extendedProtectionElement.Collection;

var spnElement = extendedProtectionCollection.CreateNewElement("spn");
spnElement.Properties.Item("name").Value = "HTTP/www.contoso.com";
extendedProtectionCollection.AddElement(spnElement);

var spnElement1 = extendedProtectionCollection.CreateNewElement("spn");
spnElement1.Properties.Item("name").Value = "HTTP/contoso.com";
extendedProtectionCollection.AddElement(spnElement1);

adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"

Set windowsAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/windowsAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site")
windowsAuthenticationSection.Properties.Item("enabled").Value = True

Set extendedProtectionElement = windowsAuthenticationSection.ChildElements.Item("extendedProtection")
extendedProtectionElement.Properties.Item("tokenChecking").Value = "Allow"
extendedProtectionElement.Properties.Item("flags").Value = "None"

Set extendedProtectionCollection = extendedProtectionElement.Collection

Set spnElement = extendedProtectionCollection.CreateNewElement("spn")
spnElement.Properties.Item("name").Value = "HTTP/www.contoso.com"
extendedProtectionCollection.AddElement(spnElement)

Set spnElement1 = extendedProtectionCollection.CreateNewElement("spn")
spnElement1.Properties.Item("name").Value = "HTTP/contoso.com"
extendedProtectionCollection.AddElement(spnElement1)

adminManager.CommitChanges()

Configuration on IIS 6.0

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

On IIS 6.0, Extended Protection for Authentication can be configured by setting the following registry keys.
Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\extendedProtection\tokenChecking
Allowed Values: 0 (None), 1 (Allow), 2 (Require)
Data Type:DWORD
Default: 0
NameDescription
NoneThis value specifies that IIS will not perform channel binding token checking. This setting emulates the behavior that existed before extended protection.


The numeric value is 0.
AllowThis value specifies that channel binding token checking is enabled but not required. This setting allows communications with clients that support extended protection to be protected by the feature, but it still supports clients that cannot use extended protection


The numeric value is 1.
RequireThis value specifies that channel binding token checking is required. This setting does not provide support for clients that do not support extended protection.


The numeric value is 2.
Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\extendedProtection\flags
Allowed Values: 0 (none), 1 (proxy), 2 (NoServiceNameCheck), 4 (AllowDotlessSpn), 32 (ProxyCohosting)
Data Type:DWORD
Default: 0
NameDescription
NoneThis flag specifies that no additional behavior is enabled for extended protection. (For example, no proxy server is being used.)


The numeric value is 0.
ProxyThis flag specifies that part of the communication path will be through a proxy. When the client is connecting directly to the destination server over HTTP, both Proxy and ProxyCoHosting must be enabled.

The numeric value is 1.
NoServiceNameCheckThis flag specifies that SPN checking is disabled. This flag should not be used in scenarios in which only SPNs are being checked.

The numeric value is 2.
AllowDotlessSpnThis flag specifies that SPNs are not required to be an FQDN. Setting this flag allows NetBIOS-based SPNs.

Note Setting this flag is not a secure scenario, as non-FQDN based names are vulnerable to name resolution poisoning attacks. This setting is not recommended as it may expose customers to risk.

The numeric value is 4.
ProxyCohostingThis flag specifies that the client-to-server communication path will use HTTP only. No part of the communication path will use SSL, and SPN checking will be used. Turn on this bit also if both secure and nonsecure traffic that is sent through the proxy has to be successfully authenticated.

Note When you specify this flag, you must also specify the Proxy flag.


The numeric value is 32.
Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\extendedProtection\spns
Allowed Values: <strings>
Data Type:MULTI_SZ
Default: empty
To set these registry keys, please follow the process below:
  1. Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:


    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\extendedProtection\
  3. Verify that the tokenChecking, Flags, and spns registry values are present.



    If these registry values are not present, follow these steps to create them:
    1. Select the registry subkey that is listed in step 2, point to New on the Edit menu, and then click DWORD Value.
    2. Type tokenChecking, and then press ENTER.
    3. Select the registry subkey that is listed in step 2, point to New on the Edit menu, and then click DWORD Value.
    4. Type flags, and then press ENTER.
    5. Select the registry subkey that is listed in step 2, point to New on the Edit menu, and then click MULTI_SZ Value.
    6. Type spns, and then press ENTER.
  4. Click to select the tokenChecking registry value.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the preferred value, and then click OK.
  7. Click to select the flags registry value.

  8. In the Value data box, type the preferred value, and then click OK.
  9. Click to select the spns registry value.
  10. In the Value data box, enter an appropriate spn, and then click OK.
  11. Exit Registry Editor.
For more information about the Extended Protection for Authentication feature and about how to enable this feature upon installing this update, visit the following Microsoft Web site: For more information about IIS, visit the following Microsoft Web site:Integrated Windows Authentication with Extended ProtectionService Principal Names

Update information

Prerequisites for Windows Server 2003

This update requires a correct installation of Windows Server 2003 Service Pack 2 (SP2). There are some cases in which some Service Pack 1 (SP1) binaries may be installed on a computer that is otherwise running SP2. Installing this update on such a computer can cause an IIS failure, which causes the server to return "503 Service Unavailable" error messages for all requests. To determine whether the server is running the correct SP2 binaries for IIS, refer to the following file table to verify that version numbers are equal to the versions of the files listed here or to later versions.

File nameFile versionFile sizeDatePlatformSP requirement
Adrot.dll6.0.3790.395958,88017-Feb-2007x86SP2
Adsiis.dll6.0.3790.3959291,32817-Feb-2007x86SP2
Asp.dll6.0.3790.3959388,09617-Feb-2007x86SP2
Browscap.dll6.0.3790.395947,10417-Feb-2007x86SP2
Certobj.dll6.0.3790.395982,43217-Feb-2007x86SP2
Coadmin.dll6.0.3790.395964,00017-Feb-2007x86SP2
Controt.dll6.0.3790.395933,79217-Feb-2007x86SP2
Davcdata.exe6.0.3790.395927,13617-Feb-2007x86SP2
Davcprox.dll6.0.3790.39596,65617-Feb-2007x86SP2
Gzip.dll6.0.3790.395925,60017-Feb-2007x86SP2
Httpext.dll6.0.3790.3959241,66417-Feb-2007x86SP2
Httpmib.dll6.0.3790.395918,94417-Feb-2007x86SP2
Httpodbc.dll6.0.3790.395948,64017-Feb-2007x86SP2
Iisadmin.dll6.0.3790.395921,50417-Feb-2007x86SP2
Iiscfg.dll6.0.3790.39591,133,05617-Feb-2007x86SP2
Iisclex4.dll6.0.3790.062,97618-Feb-2007x86SP2
Iisext.dll6.0.3790.395982,94417-Feb-2007x86SP2
Iislog.dll6.0.3790.395976,28817-Feb-2007x86SP2
Iisres.dll6.0.3790.3959122,88017-Feb-2007x86SP2
Iisrstas.exe6.0.3790.395928,16017-Feb-2007x86SP2
Iisui.dll6.0.3790.3959217,08817-Feb-2007x86SP2
Iisuiobj.dll6.0.3790.395968,60817-Feb-2007x86SP2
Iisutil.dll6.0.3790.3959167,93617-Feb-2007x86SP2
Iisw3adm.dll6.0.3790.3959216,57617-Feb-2007x86SP2
Iiswmi.dll6.0.3790.3959194,56017-Feb-2007x86SP2
Inetinfo.exe6.0.3790.395914,33617-Feb-2007x86SP2
Inetmgr.dll6.0.3790.39591,058,30417-Feb-2007x86SP2
Inetmgr.exe6.0.3790.395919,45617-Feb-2007x86SP2
Infocomm.dll6.0.3790.3959235,52017-Feb-2007x86SP2
Isapips.dll6.0.3790.39598,19217-Feb-2007x86SP2
Isatq.dll6.0.3790.395952,73617-Feb-2007x86SP2
Iscomlog.dll6.0.3790.395919,45617-Feb-2007x86SP2
Logscrpt.dll6.0.3790.395925,60017-Feb-2007x86SP2
Lonsint.dll6.0.3790.395913,31217-Feb-2007x86SP2
Metadata.dll6.0.3790.3959234,49617-Feb-2007x86SP2
Nextlink.dll6.0.3790.395961,44017-Feb-2007x86SP2
Nntpadm.dll6.0.3790.3959187,39217-Feb-2007x86SP2
Nntpsnap.dll6.0.3728.02,663,42417-Feb-2007x86SP2
Rpcref.dll6.0.3790.39594,09617-Feb-2007x86SP2
Seo.dll6.0.3790.3959219,13617-Feb-2007x86SP2
Smtpadm.dll6.0.3790.3959179,20017-Feb-2007x86SP2
Smtpsnap.dll6.0.3728.02,086,40017-Feb-2007x86SP2
Ssinc.dll6.0.3790.395924,06417-Feb-2007x86SP2
Svcext.dll6.0.3790.395944,54417-Feb-2007x86SP2
Uihelper.dll6.0.3790.3959114,17617-Feb-2007x86SP2
Urlauth.dll6.0.3790.395915,36017-Feb-2007x86SP2
W3cache.dll6.0.3790.395919,45617-Feb-2007x86SP2
W3comlog.dll6.0.3790.395910,75217-Feb-2007x86SP2
W3core.dll6.0.3790.3959349,69617-Feb-2007x86SP2
W3ctrlps.dll6.0.3790.39596,14417-Feb-2007x86SP2
W3ctrs.dll6.0.3790.395924,06417-Feb-2007x86SP2
W3dt.dll6.0.3790.395939,42417-Feb-2007x86SP2
W3ext.dll6.0.3790.395992,67217-Feb-2007x86SP2
W3isapi.dll6.0.3790.395962,46417-Feb-2007x86SP2
W3tp.dll6.0.3790.395913,31217-Feb-2007x86SP2
W3wp.exe6.0.3790.39597,16817-Feb-2007x86SP2
Wam.dll6.0.3790.395923,04017-Feb-2007x86SP2
Wamps.dll6.0.3790.39596,65617-Feb-2007x86SP2
Wamreg.dll6.0.3790.395955,80817-Feb-2007x86SP2

Known issues

  • Windows Server 2003

    This update was rereleased on March 9, 2010 to perform an additional check to make sure that the IIS 6 system on a computer that is running Windows Server 2003 SP2 does not contain binaries from the SP1 version. If such binaries are found, this update will exit with an error message. To fix this condition, reapply the SP2 update to your computers and install this package after you successfully reinstall SP2.

    The original version of this security update, released before March 9, 2010, could cause IIS application pools to not start on installations of Windows Server 2003 SP2 where IIS 6 may contain some SP1 binaries, IIS application pools may not start. The System log would display the following error message when the IIS service is started:
    Event ID 1009, Description: A process serving application pool 'DefaultAppPool' terminated unexpectedly. The process id was '1234'
    For more information about this known issue, click the following article number to view the article in the Microsoft Knowledge Base:

    2009746 Internet Information Services 6.0 may not function correctly after installing KB973917

    We recommend reviewing the "Prerequisites for Windows Server 2003" section if your computer is not a clean Windows Server 2003 SP2 installation.

    As of December 16, 2009, if you use Automatic Updates, you will no longer be offered this update if your IIS installation is in a configuration where both SP1 and SP2 binaries are present on the computer. We recommend that you review the following article in the Microsoft Knowledge Base for the next steps that you must take to make sure that the computer is ready to apply this update.
    2009746 Internet Information Services 6.0 may not function correctly after installing KB973917

  • Windows Server 2003 and Windows Server 2008

    This update was re-released on March 9, 2010. This re-released update fully replaces the initial release. If you install the new release, the initial release will be uninstalled and replaced by the new one. Uninstalling the March 9 release of this update will leave the computer without Extended Protection for IIS functionality present.

FILE INFORMATION

ERROR: PhantomJS timeout occurred