Extended Protection
Extended protection is a mechanism to bind an outer secure channel such as SSL to inner channel authentication protocols such as Kerberos-APREQ and HTTP header authentication.
The concept of extended protection is defined in RFC2743.
Extended protection, when available, is configured automatically on the client but may require configuration on the server for non-default scenarios.
Supported Configurations
Extended protection is supported when using WS_HTTP_CHANNEL_BINDING with security bindings using Windows Integrated Authentication protocols such as WS_HTTP_HEADER_AUTH_SECURITY_BINDING and WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING. It is configured via the following security properties:
- WS_SECURITY_PROPERTY_EXTENDED_PROTECTION_POLICY
- WS_SECURITY_PROPERTY_EXTENDED_PROTECTION_SCENARIO
- WS_SECURITY_PROPERTY_SERVICE_IDENTITIES
The following configurations involving extended protection are possible:
Client
- WS_SSL_TRANSPORT_SECURITY_BINDING is used with WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING or WS_HTTP_HEADER_AUTH_SECURITY_BINDING. In this configuration the authentication binding is bound to the SSL connection via an extended protection token that is automatically extracted from the SSL connection.
- No SSL is used and WS_HTTP_HEADER_AUTH_SECURITY_BINDING is set. The authentication binding is bound via the Server Principal Name (SPN), which is automatically determined from the WS_ENDPOINT_ADDRESS.
Server
- WS_SSL_TRANSPORT_SECURITY_BINDING is used with WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING or WS_HTTP_HEADER_AUTH_SECURITY_BINDING. In this configuration the authentication binding is bound to the SSL connection via an extended protection token that is extracted from the SSL connection and validated automatically.
- No SSL is used and WS_HTTP_HEADER_AUTH_SECURITY_BINDING is set. The authentication binding is bound via the Server Principal Name (SPN), which must be provided via WS_SECURITY_PROPERTY_SERVICE_IDENTITIES. When a message is received, the SPN is extracted and validated for an exact match with the provided service names. Not providing SPNs is the equivalent of setting WS_EXTENDED_PROTECTION_POLICY_NEVER.
- No SSL is used, WS_EXTENDED_PROTECTION_SCENARIO_BOUND_SERVER is specified and WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING is used. In this configuration, WS_SECURITY_PROPERTY_SERVICE_IDENTITIES must not be set. No SPN check is performed beyond what is done as part of the Kerberos protocol.
- WS_EXTENDED_PROTECTION_SCENARIO_TERMINATED_SSL is specified and either WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING or WS_HTTP_HEADER_AUTH_SECURITY_BINDING is used. WS_SECURITY_PROPERTY_SERVICE_IDENTITIES must be set.
Supported Platforms
Extended protection is supported on platforms with support for it in the operating system. Windows 7 and Windows Server 2008 R2 provide built-in support. Other platforms may require an update.
If the server's operating system does not provide such support, any extended protection information sent by the client is ignored. As a result, clients using extended protection can communicate with such a server, but the security benefit is lost. On the client, WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING combined with WS_SSL_TRANSPORT_SECURITY_BINDING only supports extended protection on Vista and above.
NOTE: Extended protection being unavailable does not prevent any particular configuration from being used.
Interoperability
A default-configured server can communicate with SOAP clients regardless of whether they use extended protection or not. The one exception is Windows XP and Windows Server 2003 WWSAPI clients that have been updated to support extended protection and use both WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING and WS_SSL_TRANSPORT_SECURITY_BINDING. To support such clients, WS_EXTENDED_PROTECTION_POLICY_NEVER must be specified by the server. Servers configured with WS_EXTENDED_PROTECTION_POLICY_ALWAYS will reject communication from clients that do not use extended protection. On the client, WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING combined with WS_SSL_TRANSPORT_SECURITY_BINDING will result in the message being sent using the HTTP chunked transfer encoding on Vista and above. This may cause interoperability issues with servers that do not support chunked transfer.
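The server-side acceptance rules from the configuration list above and the policy behaviour described in this section, compressed into one decision function. This is an added illustrative model, not WWSAPI code: it assumes the default policy is WS_EXTENDED_PROTECTION_POLICY_WHEN_SUPPORTED, models the no-SSL branch only for HTTP header authentication (the Kerberos BOUND_SERVER case leaves SPN checking to Kerberos and is not modelled), and ServerConfig, Request, effective_policy and accept are constructed names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy names mirror WS_EXTENDED_PROTECTION_POLICY_*; everything else is constructed.
POLICY_NEVER, POLICY_WHEN_SUPPORTED, POLICY_ALWAYS = "NEVER", "WHEN_SUPPORTED", "ALWAYS"


@dataclass
class ServerConfig:
    ssl: bool                                  # WS_SSL_TRANSPORT_SECURITY_BINDING in use
    policy: str = POLICY_WHEN_SUPPORTED        # assumed default policy
    service_identities: Tuple[str, ...] = ()   # WS_SECURITY_PROPERTY_SERVICE_IDENTITIES (SPNs)
    server_cbt: bytes = b""                    # token the server extracts from its SSL connection
    os_supports_ep: bool = True                # False models a server OS without the update


@dataclass
class Request:
    cbt: Optional[bytes] = None   # extended protection token the client bound to, if any
    spn: Optional[str] = None     # SPN the client authenticated against (no-SSL case), if any


def effective_policy(cfg: ServerConfig) -> str:
    """Without SSL, configuring no SPNs is equivalent to WS_EXTENDED_PROTECTION_POLICY_NEVER."""
    if not cfg.ssl and not cfg.service_identities:
        return POLICY_NEVER
    return cfg.policy


def accept(cfg: ServerConfig, req: Request) -> bool:
    """True if the server accepts the authentication, False if it rejects it."""
    if not cfg.os_supports_ep or effective_policy(cfg) == POLICY_NEVER:
        return True                            # extended protection information is ignored
    client_uses_ep = req.cbt is not None if cfg.ssl else req.spn is not None
    if not client_uses_ep:
        # ALWAYS rejects clients without extended protection; the default policy
        # still talks to them, but the binding benefit is lost for that client.
        return effective_policy(cfg) != POLICY_ALWAYS
    if cfg.ssl:
        # The token must match the one extracted from this server's own SSL connection,
        # so a token bound to a different SSL channel fails validation.
        return req.cbt == cfg.server_cbt
    # No SSL: the SPN must match one of the configured service names exactly.
    return req.spn in cfg.service_identities
```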
The following Enums/Constants are part of extended protection:
The following structures are part of extended protection: