This article describes a nonsecurity update which implements Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP).

When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server to which the client tries to connect and to the outer Transport Layer Security (TLS) channel over which the Integrated Windows authentication occurs.

To use the features that this update includes, update 968389 must be installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
968389 Extended Protection for Authentication

This article describes a non-security update which implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys).

When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server, the client tries to connect to and to the outer Transport Layer Security (TLS) channel over which the Integrated Windows Authentication authentication occurs.

To use the features that this update includes, you must have the update 968389 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
968389 Extended Protection for Authentication

Consider the following scenario:

• You have Windows Remote Management (WinRM) installed on a computer that is running Windows Server 2008 or Windows Vista.
• You have a user security token that is larger than 16 KB because of the domain configuration.
  Note: The size of the user security token grows together with the number of groups to which the user belongs.
• You start a WinRM operation from this computer. Or, you use another application that uses WinRM for communication, such as Microsoft System Center Virtual Machine Manager.

In this scenario, the operation fails and you receive following error code:

0×803380f7

Additionally, the following event is logged in the System log:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: Date & Time
Event ID: 6
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Computer Name
Description: The kerberos SSPI package generated an output token of size number bytes, which was too large to fit in the token buffer of size number bytes, provided by process id number. The output SSPI token being too large is probably the result of the user user name being a member of a large number of groups. It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

Description: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by changing the way that Windows HTTP Services handles errors and validates certificates, and by ensuring that Windows HTTP Services correctly use NTLM credential reflection protection mechanisms. Keep reading →

You have an application that is built on the Microsoft .NET Framework 2.0 and that is hosted on Internet Information Services (IIS) 7.0. The first time that you access a Microsoft ASP.NET page in the application, you receive an HTTP 400 error message. However, later requests succeed.

Details on how this feature could make your web traffic more efficient, but has potential risks. Keep reading →

An application attempts to listen for local loopback requests by calling HttpAddUrl for http://localhost[:port]. If the application does not have administrator privileges the call will fail with the following:

Access Denied

This problem occurs on Windows Vista if User Account Control (UAC) is enabled and the application is running under the Limited User Account.

This problem occurs when the local computer is running one of the following Microsoft Windows operating system:

• Windows Vista
• Windows Server 2003
• Windows XP

When you try to send messages to the HTTP address or to the multicast address of a Microsoft Message Queuing queue on a computer that is running a 64-bit version of Windows Vista, the attempt is unsuccessful. Additionally, you receive the following error message:

404 not found

When you try to configure Windows Mail to use an Web-based e-mail account on a computer that is running Windows Vista, you experience one of the following symptoms:

• When you try to add a Hotmail account or an MSN account to Windows Mail, you receive the following message:
  

  Information About HTTP E-mail

  Windows Mail no longer supports the HTTP servers used by Hotmail and other web-based e-mail providers. Click the Back button to set up a different e-mail account, or see other options for accessing your web-based e-mail.

• When you try to use a Windows Live e-mail account or a different Web-based e-mail account in Windows Mail, you cannot send or receive e-mail messages.