Stumbling on Extended Protection Policy
When generating a proxy I’m getting an error about the extendedProtectionPolicy element not being supported. Why didn’t I see this error before?
Extended protection policy is a change to how integrated Windows authentication works that is intended to enhance security. Extended protection is meant to mitigate certain credential-forwarding attacks during the authentication challenge, by binding the credential exchange to the channel it travels over. However, platform support for extended protection is being delivered in separate pieces, so support is still inconsistent across operating system and framework versions. You have most likely used a mix of different platforms to develop the client and server pieces of the application.
If you’re getting an error about the extended protection policy element on the client, check to see if your client application config file contains a line referencing extended protection, such as:
<extendedProtectionPolicy policyEnforcement="Never" />
You’ve probably picked this up on a machine that supports extended protection but are now on a machine that doesn’t support extended protection. Deleting the extended protection policy element and trying again to generate the proxy on the target machine should resolve the problem.
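For context, here is where that element sits in a generated client configuration. This is an added example, not from the original post; the endpoint name, address and contract are assumptions, and the element placement follows the WCF binding schema (the extendedProtectionPolicy element is a child of the transport element under the binding's security settings).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Binding name and endpoint details below are assumed for illustration. -->
        <binding name="BasicHttpBinding_IService">
          <security mode="Transport">
            <transport clientCredentialType="Windows">
              <!-- This is the element that trips up a machine without extended
                   protection support. Delete this one line and regenerate the
                   proxy on the target machine. On a machine that does support
                   it, prefer policyEnforcement="WhenSupported" over "Never",
                   since "Never" turns the mitigation off entirely. -->
              <extendedProtectionPolicy policyEnforcement="Never" />
            </transport>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://example.invalid/Service.svc"
                binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IService"
                contract="IService"
                name="BasicHttpBinding_IService" />
    </client>
  </system.serviceModel>
</configuration>
```

Only the extendedProtectionPolicy element needs to go; the surrounding transport security settings are still valid on the older machine. The policyEnforcement attribute accepts Never, WhenSupported and Always, so if you later move the client back to a platform that supports extended protection, re-adding the element with WhenSupported keeps the channel-binding check on where the server can honour it.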