Microsoft has just released a fix for the Extended Protection for Windows Authentication feature in IIS. The details about the issue are in security bulletin MS10-040.
Important things to note about the issue/fix:
- The fix is only applicable if you have Extended Protection installed.
Windows 7 and Windows Server 2008 R2 ship with this feature in the OS. All earlier platforms require KB 973917 to be installed to get it. So if, for example, you did not install KB 973917 on your Windows Server 2008 machine, you do not need this update.
- The issue occurs only if the Extended Protection tokenChecking setting is 'Allow' (partially hardened).
Your server configuration is NOT vulnerable if the Extended Protection feature is not in use, i.e. tokenChecking=None, or if your server is configured to the 'hardened' state, i.e. tokenChecking=Require. Your server is vulnerable only if it is configured to the partially hardened state, i.e. tokenChecking=Allow. In this state your server accepts Windows Authentication without a Channel Binding Token from clients that do not support one, which is exactly the accommodation the other two states do not make: Require rejects such requests and None never checks for a token at all.
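To find out which of the three states each site on a server is actually in, you can read the effective tokenChecking value out of applicationHost.config, remembering that a site inherits the server-wide setting unless its own <location> block overrides it and that the built-in default is None. The script below is an added example (not code from the original post or from Microsoft); the sample config it parses is constructed, and it only reads the one file it is given, so a per-site web.config that also sets the attribute is not taken into account.

```python
"""Audit an IIS applicationHost.config for the Extended Protection state
(tokenChecking = None / Allow / Require) that MS10-040 cares about.

Added example, not part of the original post. The sample config is
constructed; the element layout mirrors applicationHost.config (a
server-wide <system.webServer> plus <location path="..."> overrides).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the server default is partially hardened, one site is
# hardened, one explicitly turns the feature off, one inherits the default.
SAMPLE_APPHOST = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" flags="None" />
      </windowsAuthentication>
    </authentication></security>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Legacy Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Intranet Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

WINAUTH_PATH = "system.webServer/security/authentication/windowsAuthentication"

# How MS10-040 classifies each tokenChecking value.
STATE = {
    "None": "not in use (not affected)",
    "Allow": "partially hardened (AFFECTED: update required)",
    "Require": "hardened (not affected)",
}


def token_checking(scope):
    """Return the tokenChecking value set directly in this scope (the
    <configuration> root or one <location>), or None if the scope does not
    set one, which in IIS means the value is inherited from the parent."""
    win = scope.find(WINAUTH_PATH)
    if win is None:
        return None
    ep = win.find("extendedProtection")
    if ep is None:
        return None
    return ep.get("tokenChecking")  # missing attribute -> inherit


def audit(xml_text):
    """Map the server level and every <location path> to its effective
    tokenChecking value. Anything not configured falls back to the IIS
    default of "None"; locations fall back to the server-wide value."""
    root = ET.fromstring(xml_text)
    server = token_checking(root) or "None"
    result = {"<server>": server}
    for loc in root.findall("location"):
        path = loc.get("path", "") or "<server>"
        result[path] = token_checking(loc) or server
    return result


def affected_paths(xml_text):
    """Paths in the partially hardened state, i.e. the only ones the
    MS10-040 fix applies to."""
    return sorted(p for p, v in audit(xml_text).items() if v == "Allow")


if __name__ == "__main__":
    for path, value in audit(SAMPLE_APPHOST).items():
        print(f"{path:18s} tokenChecking={value:8s} {STATE.get(value, 'unknown')}")
    print("needs MS10-040:", affected_paths(SAMPLE_APPHOST))
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config by passing that file's contents to audit(). In the constructed sample, "Intranet Site" shows up as affected even though it never mentions Extended Protection, because it inherits the server-wide Allow; that inherited case is the one that is easy to miss when checking sites one at a time in the IIS Manager UI. To move a site to the hardened state, the documented appcmd invocation is `appcmd set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"Require" /commit:apphost`, with the caveat the post already gives: Require turns away clients that cannot send a Channel Binding Token, so install the update rather than relying on Require alone if such clients exist.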