Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Microsoft Security Advisory: Extended protection for authentication

Microsoft Security Advisory: Extended protection for authentication

View products that this article applies to.

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

↑ Back to the top

INTRODUCTION

Microsoft has released security advisory 973811. To view the complete security advisory, visit the following Microsoft website:

http://www.microsoft.com/technet/security/advisory/973811.mspx

How to obtain help and support for this security update


Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

↑ Back to the top

More Information

How do I configure .NET to utilize Extended Protection for Authentication?

Here are the steps for enabling Extended Protection for the Microsoft .NET Framework 2.0 Service Pack 2, .NET Framework 3.0 Service Pack 2, and .NET Framework 3.5 SP1.

For .NET Framework 2.0 Service Pack 2 (Network Class Library)

Extended protection can be turned on by setting properties on HttpListener. For more information, visit the following Microsoft MSDN websites:

HttpListener.ExtendedProtectionPolicy
HttpListener.ExtendedProtectionSelectorDelegate
HttpListener.DefaultServiceNames
If NegotiateStream is used, then the appropriate overloads of [Begin]AuthenticateAsServer and [Begin]AuthenticateAsClient need to be used: For more information, visit the following Microsoft MSDN websites:

http://msdn.microsoft.com/en-us/library/dd413524(v=VS.100).aspx
http://msdn.microsoft.com/en-us/library/dd413526(v=VS.100).aspx
http://msdn.microsoft.com/en-us/library/dd413525(v=VS.100).aspx
http://msdn.microsoft.com/en-us/library/dd413527(v=VS.100).aspx


In addition to the recommendations in these Microsoft websites, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968389 Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.

For .NET Framework 2.0 Service Pack 2 (ASP.NET)

No special action is required in order to use Extended Protection.

For .NET Framework 3.0 Service Pack 2 (WCF)

To enable the Extended Protection for Authentication feature in WCF, follow these steps: To do this, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968389 Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.
  3. Install the Extended Protection for Authentication update for Internet Information Services (IIS) when IIS is installed.



    After you install the update, follow the instructions in KB article 973917 to configure extended protection in IIS.


    For more information, click the following article numbers to view the article in the Microsoft Knowledge Base:
    973917 Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
    970430
    Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
  4. Use the ExtendedProtectionPolicy class in WCF to represent the extended protection policy that the server uses to validate incoming client connections. The class can be applied only when the security mode is set to Transport mode or to TransportWithMessageCredential mode. The following is a sample code that shows the configuration in a binding element of a service config file: 

    <binding>
    ……………
       <security mode="Transport">
               <transport ……………>                     
                 <extendedProtectionPolicy policyEnforcement ="WhenSupported"/>
               </transport > 
             </security>
    </binding>

    For more information about the Extended Protection for Authentication feature, visit the following Microsoft TechNet website:


    Extended Protection for Authentication





For more configuration information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Article numberArticle title
982532 Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767 and 980843): June 8, 2010
982533 Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768 and 980842): June 8, 2010
982535 Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767, 980843, and 976771): June 8, 2010
982536 Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768, 980842, and 976772): June 8, 2010
982167 Description of the rollup update for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 on Windows XP and on Windows Server 2003 (976765 and 980773): June 8, 2010
982168 Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows XP and on Windows Server 2003 (976765, 980773 and 976769): June 8,
2262911 "Could not load type 'System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy'" exception error after you install update 982167 or update 982168

↑ Back to the top

Known Issues

For more information about known issues with this software, click the following article number to view the article in the Microsoft Knowledge Base:



Article numberArticle title
2197146 Updates for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 may cause the Microsoft Knowledge Base article number to appear instead of the full title of the update in the Add or Remove Programs item in Control Panel

↑ Back to the top

Applies to:

↑ Back to the top

Keywords: kbsecurity, kbsecvulnerability, kb, kbsecreview, kbsurveynew, kbsecbulletin, kbsecadvisory, kblangall, kbfix, kbexpertiseinter, kbbug, atdownload, kbmustloc

↑ Back to the top

Article Info
Article ID : 973811
Revision : 1
Created on : 1/7/2017
Published on : 5/8/2012
Exists online : False
Views : 649