Configure Extended Protection in IIS 7.5

Applies To: Windows Server 2008 R2

Extended protection for IIS 7.5 in Windows Server® 2008 R2 enhances the existing Windows Authentication functionality in order to mitigate authentication relay or "man in the middle" attacks. The mitigation relies on security information that is conveyed through two mechanisms:

  • Channel-binding information that is specified through a Channel Binding Token (CBT), which is primarily used for SSL connections.

  • Service-binding information that is specified through a Service Principal Name (SPN), which is primarily used for connections that do not use SSL, or when a connection is established through a scenario that provides SSL offloading, such as a proxy server or a load-balancing server.

How to configure Extended Protection

You can configure extended protection by using AppCmd.exe, or by using the IIS Configuration Editor to specify settings for the extendedProtection element in the ApplicationHost.config file.

To learn more about extended protection and how to configure it, see Windows Extended Protection. For information about updating IIS 7.0 to use extended protection, see Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS) on Microsoft Support.

Configure extended protection with AppCmd.exe

The following examples demonstrate how to configure Windows authentication with extended protection for the Default Web Site, and add two Service Principal Name (SPN) entries to the collection of SPNs.

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"Allow" /extendedProtection.flags:"None" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /+"extendedProtection.[name='HTTP/']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /+"extendedProtection.[name='HTTP/']" /commit:apphost


You must set the value of the commit parameter to APPHOST when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
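The location sections that these AppCmd commands write can be audited offline to find sites where Windows authentication is enabled but extended protection is not enforced. The following Python script is an added example, not part of this article or of IIS; the ApplicationHost.config fragment and the site names and SPN in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ApplicationHost.config fragment (not a real server's file): two
# <location> sections in the form that AppCmd /commit:apphost produces.
SAMPLE_APPHOST = """<configuration>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None">
          <spn name="HTTP/intranet.example.test" />
        </extendedProtection>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"""


def audit_extended_protection(apphost_xml):
    """Map each <location> path that configures Windows authentication to
    (enabled, tokenChecking, [registered SPN names])."""
    result = {}
    for loc in ET.fromstring(apphost_xml).iter("location"):
        for wa in loc.iter("windowsAuthentication"):
            enabled = wa.get("enabled", "false").lower() == "true"
            ep = wa.find("extendedProtection")
            # When the element is absent IIS applies the schema default, "None",
            # which means no CBT or SPN checking at all.
            checking = ep.get("tokenChecking", "None") if ep is not None else "None"
            spns = [s.get("name") for s in ep.findall("spn")] if ep is not None else []
            result[loc.get("path")] = (enabled, checking, spns)
    return result


def weak_sites(apphost_xml):
    """Sites where Windows authentication is on but relay mitigation is not
    enforced: tokenChecking is "None" (off) or "Allow" (honoured only when the
    client sends binding information, so a relayed client is still accepted)."""
    report = audit_extended_protection(apphost_xml)
    return sorted(path for path, (on, checking, _) in report.items()
                  if on and checking != "Require")
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config to list the sites that still need tokenChecking set to Require.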

For more information about how to use AppCmd.exe, see Appcmd.exe (IIS 7).

See Also

Other Resources

Introduction to ApplicationHost.config