Extended Protection

Extended protection is a mechanism to bind an outer secure channel such as SSL to inner channel authentication protocols such as Kerberos-APREQ and HTTP header authentication.

The concept of extended protection is defined in RFC2743.

Extended protection, when available, is configured automatically on the client but may require configuration on the server for non-default scenarios.

Supported Configurations

Extended protection is supported when using WS_HTTP_CHANNEL_BINDING with security bindings using Windows Integrated Authentication protocols such as WS_HTTP_HEADER_AUTH_SECURITY_BINDING and WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING. It is configured via the following security properties:

The following configurations involving extended protection are possible:



Supported Platforms

Extended protection is supported on platforms with support for it in the operating system. Windows 7 and Windows Server 2008 R2 provide built-in support. Other platforms may require an update.

If the server's operating system does not provide such support, any extended protection information sent by the client is ignored. As a result, clients using extended protection can communicate with such a server, but the security benefit is lost. On the client, WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING combined with WS_SSL_TRANSPORT_SECURITY_BINDING only supports extended protection on Vista and above.

NOTE: Extended protection being unavailable does not prevent any particular configuration from being used.


A default-configured server can communicate with SOAP clients regardless of whether they use extended protection or not. The one exception being Windows XP and Windows Server 2003 WWSAPI clients that have been updated to support extended protection and use both WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING and WS_SSL_TRANSPORT_SECURITY_BINDING. To support such clients WS_EXTENDED_PROTECTION_POLICY_NEVER must be specified by the server. Servers configured with WS_EXTENDED_PROTECTION_POLICY_ALWAYS will reject communication from clients that do not use extended protection. On the client, WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING combined with WS_SSL_TRANSPORT_SECURITY_BINDING will result in the message being sent using the HTTP chunked transfer encoding on Vista and above. This may cause interop issues with servers that do not support chunked transfer.

The following Enums/Constants are part of extended protection:

The following stuctures are part of extended protection: