Kerberos vs. Extended Protection

  • Question

  • Hi everybody,

    I'm reading about the Extended Protection feature (https://msdn.microsoft.com/en-us/library/ff487261.aspx) and I have some trouble finding the differences between Kerberos and Service Binding. In both cases the client must send the signed SPN of the service it wants to connect to, to prevent an attacker from using the same request to connect to the legitimate server. So... what's the difference?


    Tuesday, November 10, 2015 9:30 AM


All replies

  • Hi,

    As far as I know, extended protection is an enhancement to the pre-authentication phase when using integrated Windows authentication. Service binding helps guard against mirror attacks, where the SPN is intercepted by "something" and passed to the target, i.e. SQL Server. As part of EP, SQL Server validates that the client that sent the SPN (from the SPN) is the client that's currently connected, which it won't be in a compromised situation. The connection is then refused. So, service/channel binding is an extension to the authentication process (NTLM/Kerberos), not a replacement.

    Thanks, Andrew

    Tuesday, November 10, 2015 11:29 AM
  • Extended Protection protects from so-called "authentication relay attacks", against which neither NTLM nor Kerberos alone protects.

    You find very good descriptions here:

    Connect to the Database Engine Using Extended Protection

    Extended Protection for Authentication

    Andreas Wolter (Blog | Twitter)
    MCSM: Microsoft Certified Solutions Master Data Platform, MCM, MVP
    www.SarpedonQualityLab.com | www.SQL-Server-Master-Class.com

    Monday, November 16, 2015 10:20 PM
  • Hi Andreas,

    From one of your links: do you know how this is done (only Service Binding, no encryption)? "Service binding addresses luring attacks by requiring a client to send a signed service principal name (SPN) of the SQL Server service that the client intends to connect to." How does the client sign it? Using which key? The service key?

    I've tested with Wireshark and the SPN is sent in clear text when configuring SQL Server Extended Protection to Required (no Encryption), so I have no idea what this setting actually does. Any idea?


    Thursday, November 26, 2015 8:25 AM
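
As an added example, not part of any post in this thread: in NTLMv2 (MS-NLMP) the SPN the client intends to reach is carried in cleartext as the MsvAvTargetName AV_PAIR inside the NtChallengeResponse, which is why a packet capture shows it. What makes it "signed" is that those same bytes sit under the NTProofStr, an HMAC-MD5 keyed with ResponseKeyNT, which is derived from the user's NT hash, not from any service key. A service that receives the response checks the proof and then compares the bound target name with its own SPN; a response produced for one SPN therefore fails at a different service, and a response whose cleartext SPN was rewritten fails the proof. The NT hash, challenges, timestamp and SPNs below are constructed placeholders, and the verifying service holds the key directly here, which stands in for the DC-assisted validation a domain member performs.

```python
import hmac
import hashlib
import struct

# AvId values from MS-NLMP section 2.2.2.1 (AV_PAIR)
MSV_AV_EOL = 0x0000
MSV_AV_TARGET_NAME = 0x0009  # SPN the client intends to authenticate to (service binding)


def encode_av_pairs(pairs):
    """Serialise a list of (AvId, value-bytes) into an AV_PAIR list, EOL-terminated."""
    out = b"".join(struct.pack("<HH", av_id, len(value)) + value for av_id, value in pairs)
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def decode_av_pairs(blob):
    """Parse an AV_PAIR list back into {AvId: value-bytes}, stopping at MsvAvEOL."""
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len]
        off += av_len


def ntowf_v2(nt_hash, user, domain):
    """ResponseKeyNT = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)) (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(response_key, server_challenge, client_challenge, timestamp, av_blob):
    """Client side: NtChallengeResponse = NTProofStr || temp, with the AV_PAIRs inside temp."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_blob + b"\x00" * 4)
    nt_proof = hmac.new(response_key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def verify_response(response_key, server_challenge, nt_challenge_response, my_spn):
    """Service side: check the proof over temp, then check that the bound SPN is ours."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(response_key, server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(expected, nt_proof):
        return "bad-proof"            # cleartext fields (SPN included) were altered in transit
    av = decode_av_pairs(temp[28:])   # 28-byte fixed prefix precedes the AV_PAIR list
    bound_spn = av.get(MSV_AV_TARGET_NAME, b"").decode("utf-16-le")
    if bound_spn != my_spn:
        return "spn-mismatch"         # valid response, but bound to some other service
    return "ok"


def demo():
    # Constructed values: in production the NT hash is MD4(UTF-16LE(password)) and the
    # challenges are random; fixed bytes keep the example deterministic and offline.
    nt_hash = bytes.fromhex("0123456789abcdef0123456789abcdef")
    key = ntowf_v2(nt_hash, "alice", "CORP")
    server_challenge = b"\x11" * 8
    client_challenge = b"\x22" * 8
    timestamp = 0x01D11B2E00000000  # constructed FILETIME
    intended_spn = "MSSQLSvc/sql01.corp.example:1433"
    other_spn = "MSSQLSvc/sql02.corp.example:1433"

    av = encode_av_pairs([(MSV_AV_TARGET_NAME, intended_spn.encode("utf-16-le"))])
    response = ntlmv2_response(key, server_challenge, client_challenge, timestamp, av)

    # Same response with the cleartext SPN rewritten to name the other service:
    # the proof no longer matches, because the SPN bytes are under the HMAC.
    rewritten = response.replace("sql01".encode("utf-16-le"), "sql02".encode("utf-16-le"))

    return {
        "legitimate": verify_response(key, server_challenge, response, intended_spn),
        "other_service": verify_response(key, server_challenge, response, other_spn),
        "rewritten_spn": verify_response(key, server_challenge, rewritten, other_spn),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Encryption is a separate knob: service binding only needs integrity of the SPN, which the NTProofStr already provides, so "Required" without encryption still binds the response to one service. Channel binding adds a second AV_PAIR (MsvAvChannelBindings) that ties the response to the outer TLS channel in the same way.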