This documentation is archived and is not being maintained.

Extended Protection

Visual Studio 2008


This sample demonstrates how to use Extended Protection in a service. Extended Protection is a security feature that protects against man-in-the-middle (MITM) attacks. A MITM attack is a security threat in which an attacker positioned between the parties takes a client’s credentials and forwards them to a server.


Today, when applications authenticate using Kerberos, Digest or NTLM over HTTPS, a Transport Layer Security (TLS) channel is first established and then authentication takes place inside that secure channel. However, there is no binding between the session key generated by SSL and the session key generated during authentication. A MITM can establish itself between the client and the server and forward the client’s requests even though the transport channel itself is secure, because the server has no way of knowing whether the secure channel was established by the client or by a MITM. The solution is to bind the outer TLS channel to the inner authentication so that the server can detect a man in the middle; that binding is what Extended Protection provides.

This sample only works when hosted on IIS. It does not and will not work on Cassini (the Visual Studio Development Server), because Cassini does not support HTTPS.

To set up, build, and run the sample

  1. Install IIS on the computer from Add/Remove Programs -> Windows features.

  2. Turn on Windows Authentication in Windows features: Internet Information Services -> World Wide Web Services -> Security -> Windows Authentication.

  3. Turn on HTTP Activation in Windows features: Microsoft .NET Framework 3.5.1 -> Windows Communication Foundation HTTP Activation.

  4. Install a server certificate.

    1. Open the IIS manager -> Server certificates (from the feature view tab).

    2. For the purpose of testing this sample, you can create a self-signed certificate. (If you don’t want Internet Explorer to warn you that the certificate is not trusted, you can install it in the Trusted Root Certification Authorities store.)

  5. Go to the Actions pane for the Default Web Site. Click Edit Site -> Bindings. Add a binding of type https on port 443 if one is not already present, and assign it the SSL certificate created in the previous step.

  6. Build the service.

    This creates a virtual directory in IIS for you (from the post-build action specified in the project properties) and copies the DLL, .svc and config files needed for the service to be web hosted.

  7. Open the IIS Manager. Right-click the virtual directory (ExtendedProtection) that the previous step created and select Convert to Application.

  8. Open the Authentication module in IIS Manager for this virtual directory and enable Windows Authentication.

    1. Open Advanced Settings for Windows Authentication for this virtual directory and set it to Required.

      This is required because the sample sets the corresponding ExtendedProtection setting to Always; if IIS were left at Off or Accept, the service and IIS settings would not match.

  9. Test the service by accessing the URL from a browser window.

    If you want to access this URL from another computer, ensure that the firewall is configured to allow incoming HTTP and HTTPS connections.

  10. Open the client configuration file and specify the full machine name in the address attribute of the <client> -> <endpoint> element, replacing <<full_machine_name>>.

  11. Run the client.

    The client establishes a secure channel to the service and uses extended protection when authenticating over it.
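As an added example (not the sample’s own configuration files), the following service and client configuration fragments show how the ExtendedProtection setting referred to in step 8, and the endpoint address edited in step 10, are expressed for a WCF wsHttpBinding over HTTPS with Windows credentials. The service type name, the contract name and the .svc file name are assumed placeholders; the endpoint address uses the page’s own <<full_machine_name>> placeholder.

```xml
<!-- web.config of the IIS-hosted service (added example; type and contract names assumed) -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="ExtendedProtectionBinding">
          <!-- HTTPS transport; Windows (Kerberos/NTLM) authentication runs inside it -->
          <security mode="Transport">
            <transport clientCredentialType="Windows">
              <!-- Always: the service rejects any authentication that does not carry
                   a channel binding token for this TLS session, so a credential
                   relayed by a MITM on a different TLS session fails.
                   This must match the IIS Windows Authentication setting from step 8 (Required). -->
              <extendedProtectionPolicy policyEnforcement="Always"
                                        protectionScenario="TransportSelected" />
            </transport>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="ExtendedProtection.Service">   <!-- assumed service type name -->
        <endpoint binding="wsHttpBinding"
                  bindingConfiguration="ExtendedProtectionBinding"
                  contract="ExtendedProtection.IService" />   <!-- assumed contract -->
      </service>
    </services>
  </system.serviceModel>
</configuration>

<!-- client app.config: step 10 replaces the <<full_machine_name>> placeholder -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="ExtendedProtectionBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <!-- .svc file name assumed; the client supplies the channel binding token
           itself when it authenticates with Windows credentials over HTTPS -->
      <endpoint address="https://<<full_machine_name>>/ExtendedProtection/service.svc"
                binding="wsHttpBinding"
                bindingConfiguration="ExtendedProtectionBinding"
                contract="ExtendedProtection.IService" />
    </client>
  </system.serviceModel>
</configuration>
```

With policyEnforcement="Always", a client that authenticates without a channel binding token is refused, which is the behaviour step 8’s Required setting in IIS has to agree with.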

© 2007 Microsoft Corporation. All rights reserved.