extendedProtection Element for windowsAuthentication [IIS Settings Schema]

Note

For more information about the extendedProtection element, see the following topic on the Microsoft IIS.net Web site: Windows Extended Protection <extendedProtection>.

Specifies the settings that configure extended protection for Windows authentication in IIS 7.5. Extended protection enhances the existing Windows authentication functionality in order to mitigate authentication relay ("man in the middle") attacks.

Syntax

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute            Description

flags                Optional flags attribute.
                     Specifies the additional behavior settings for extended protection.
                     The flags attribute can be a combination of the following values; the default value is None.

                     Name                 Description
                     None                 This flag specifies that no additional behavior is enabled for extended protection. (For example, no proxy server is being used, and SPN checking is enabled and requires FQDNs.) The numerical value is 0.
                     Proxy                This flag specifies that part of the communication path will be through a proxy, or that the client is connecting directly to the destination server over HTTP. The numerical value is 1.
                     NoServiceNameCheck   This flag specifies that SPN checking is disabled; this flag should not be used in scenarios where only SPNs are being checked. The numerical value is 2.
                     AllowDotlessSpn      This flag specifies that SPNs are not required to be FQDNs. Setting this flag allows NetBIOS-based SPNs. Note: Setting this flag is not a secure scenario; non-FQDN-based names are vulnerable to name resolution poisoning attacks. The numerical value is 4.
                     ProxyCohosting       This flag specifies that the entire client-to-server communication path will use HTTP only; no part of the communication path will use SSL, and SPN checking will be used. Note: When you specify this flag, you must also specify the Proxy flag. The numerical value is 32.

tokenChecking        Optional enum attribute.
                     Specifies the behavior for checking channel-binding information.
                     The tokenChecking attribute can be one of the following values; the default value is None.

                     Name                 Description
                     None                 This value specifies that IIS will not perform channel-binding token checking. This setting emulates the behavior that existed before extended protection. The numerical value is 0.
                     Allow                This value specifies that channel-binding token checking is enabled, but not required. This setting allows secure communication with clients that support extended protection, but still supports clients that are not capable of using extended protection. The numerical value is 1.
                     Require              This value specifies that channel-binding token checking is required. This setting does not provide support for clients that do not support extended protection. The numerical value is 2.

Child Elements

Element              Description

spn                  Adds an SPN to the collection.
clearSpns            Clears the collection of SPNs.
removeSpn            Removes an SPN from the collection.

Parent Elements

Element              Description

configuration        Specifies the root element in every configuration file that is used by IIS 7.
system.webServer     Specifies the top-level section group (in ApplicationHost.config) in which this element is defined.
security             Specifies the section group that contains security-related sections.
authentication       Specifies the section group that contains authentication sections.
windowsAuthentication  Specifies the settings for Windows authentication.
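As an added example (not code from the schema page or from IIS itself), the following script audits the extendedProtection settings in an IIS configuration fragment against the attribute values listed above, flagging the tokenChecking=None default, the AllowDotlessSpn and NoServiceNameCheck flags, and a ProxyCohosting flag set without Proxy. It assumes the ApplicationHost.config element layout given under Parent Elements, comma-separated flags values, and a name attribute on the spn child element, none of which this page spells out; the sample fragments are constructed.

```python
# Added example (not the page's own code): audit extendedProtection in an IIS config.
# Assumes ApplicationHost.config layout, comma-separated flags, and a 'name'
# attribute on the spn child element (details this schema page does not show).
import xml.etree.ElementTree as ET

# Numeric values exactly as listed in the schema tables.
FLAG_VALUES = {"None": 0, "Proxy": 1, "NoServiceNameCheck": 2,
               "AllowDotlessSpn": 4, "ProxyCohosting": 32}
TOKEN_CHECKING = {"None": 0, "Allow": 1, "Require": 2}
EP_PATH = ("system.webServer/security/authentication/"
           "windowsAuthentication/extendedProtection")

def parse_flags(value):
    """Combine 'Proxy, AllowDotlessSpn' into one numeric flags value."""
    total = 0
    for name in (n.strip() for n in value.split(",") if n.strip()):
        if name not in FLAG_VALUES:
            raise ValueError(f"unknown extendedProtection flag: {name}")
        total |= FLAG_VALUES[name]
    return total

def audit_extended_protection(config_xml):
    """Return the findings a reviewer would raise for one configuration."""
    ep = ET.fromstring(config_xml).find(EP_PATH)
    if ep is None:  # schema defaults apply when the element is absent
        return ["extendedProtection absent: tokenChecking=None, flags=None"]
    token = TOKEN_CHECKING[ep.get("tokenChecking", "None")]
    flags = parse_flags(ep.get("flags", "None"))
    findings = []
    if token == 0:
        findings.append("tokenChecking=None: channel-binding tokens not checked")
    elif token == 1:
        findings.append("tokenChecking=Allow: clients without EP still accepted")
    if flags & FLAG_VALUES["NoServiceNameCheck"]:
        findings.append("NoServiceNameCheck: SPN checking disabled")
    if flags & FLAG_VALUES["AllowDotlessSpn"]:
        findings.append("AllowDotlessSpn: NetBIOS SPNs allowed (name poisoning)")
    if flags & FLAG_VALUES["ProxyCohosting"] and not flags & FLAG_VALUES["Proxy"]:
        findings.append("ProxyCohosting set without the required Proxy flag")
    return findings

# Constructed sample fragments: a weak configuration and its hardened form.
WEAK = """<configuration><system.webServer><security><authentication>
<windowsAuthentication enabled="true"><extendedProtection tokenChecking="None"
flags="AllowDotlessSpn, ProxyCohosting"/></windowsAuthentication>
</authentication></security></system.webServer></configuration>"""
HARDENED = """<configuration><system.webServer><security><authentication>
<windowsAuthentication enabled="true"><extendedProtection tokenChecking="Require"
flags="None"><spn name="HTTP/www.example.test"/></extendedProtection>
</windowsAuthentication></authentication></security></system.webServer></configuration>"""
```

Running audit_extended_protection(WEAK) yields three findings, while the hardened fragment yields none.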

Element Information

Configuration locations

ApplicationHost.config

Requirements

IIS 7

See Also

Reference

spn for extendedProtection Element for windowsAuthentication [IIS Settings Schema]