This article describes the Extended Protection (EP) support in Minion Enterprise (ME).
EP (Extended Protection for Authentication) is a Windows security mechanism designed to prevent man-in-the-middle attacks on Windows authentication: it binds the NTLM or Kerberos handshake to the TLS channel it travels over (channel binding) or to the service name the client intended to reach (service binding), so that credentials relayed by an attacker in the middle are rejected by the server.
For more information about EP and SQL Server, see: https://msdn.microsoft.com/en-us/library/ff487261.aspx
ME has been tested with the channel binding form of EP and includes features that help you configure it for the conditions in your environment. Connection parameters are controlled in the dbo.ConnParameters table. Two of its columns, Encrypt and TrustServerCert, set the Encrypt and TrustServerCertificate connection options described in the MSDN article above. Two more columns, InstanceID and CollectionName, let you define different settings for different servers or collections. From this single table you can tune the connection requirements for your entire environment.

Note that TrustServerCert = 1 turns off validation of the server certificate. The connection is still encrypted, which protects against passive eavesdropping, but the client can no longer tell a genuine server from one impersonating it. Where possible, use Encrypt = 1 with TrustServerCert = 0 and a server certificate issued by a CA the collector trusts, whose subject or subject alternative name matches the name the collector connects to.
SPN configuration:
Depending on your implementation, it may be necessary to register an SPN for the SQL Server service account so that Kerberos authentication (and with it EP service binding) works, for example to enable collections through a proxy or to meet some other security requirement. This is not specific to ME and should be configured as it would be for any other application, in conjunction with your system and network admins.
Windows vs. SQL collections
ME collections break down into two types: Windows (WMI) collections and SQL Server collections. Requirements sometimes differ between the two collection types, but that is not the case here. We have seen no evidence that either type behaves differently in EP or mixed environments.
DNS vs. NETBIOS connections
We have tested against FQDNs, DNS aliases, and NETBIOS names and have had successful collections against all three, the one exception being encrypted SQL Server connections by NETBIOS name (see the matrix below). If a connection fails, the cause is probably environment-specific and outside the scope of ME.
Connection Testing Matrix:
The table below shows the testing we did in conjunction with a client using EP, to determine the scope of our EP support and configuration. The Encrypt and Trust values correspond to the Encrypt and TrustServerCert columns of dbo.ConnParameters. We tested one Windows-level collection (WMI) and one SQL-level collection (SQL Server) against an EP-enabled and a non-EP server. Y means the collection succeeded, N means it failed.
Name type / parameters    | EP: WMI | EP: SQL Server | Non-EP: WMI | Non-EP: SQL Server
--------------------------|---------|----------------|-------------|-------------------
FQDN                      |         |                |             |
Encrypt = 1 & Trust = 1   |    Y    |       Y        |      Y      |         Y
Encrypt = 1 & Trust = 0   |    Y    |       Y        |      Y      |         Y
Encrypt = 0 & Trust = 1   |    Y    |       Y        |      Y      |         Y
Encrypt = 0 & Trust = 0   |    Y    |       Y        |      Y      |         Y
NETBIOS                   |         |                |             |
Encrypt = 1 & Trust = 1   |    Y    |       N        |      Y      |         N
Encrypt = 1 & Trust = 0   |    Y    |       N        |      Y      |         N
Encrypt = 0 & Trust = 1   |    Y    |       Y        |      Y      |         Y
Encrypt = 0 & Trust = 0   |    Y    |       Y        |      Y      |         Y
DNS Alias                 |         |                |             |
Encrypt = 1 & Trust = 1   |    Y    |       Y        |      Y      |         Y
Encrypt = 1 & Trust = 0   |    Y    |       Y        |      Y      |         Y
Encrypt = 0 & Trust = 1   |    Y    |       Y        |      Y      |         Y

The only failures in this matrix are SQL Server connections by NETBIOS name with Encrypt = 1, and they occur in both the EP and the non-EP environment, so they are a property of encrypted SQL connections over NETBIOS names rather than of EP. WMI collections are unaffected. If you require Encrypt = 1, address your SQL Server instances by FQDN or DNS alias.
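The following Windows PowerShell script is an added example, not ME code and not part of the original article. It reproduces the matrix above against your own servers, driving the same two options that the Encrypt and TrustServerCert columns of dbo.ConnParameters control, and it also reports which authentication scheme (KERBEROS or NTLM) SQL Server actually negotiated, which tells you whether the SPN configuration discussed above is in effect. The three host names are placeholders for one FQDN, one NETBIOS name and one DNS alias of the same instance, and the script assumes the account running it has WMI rights and a Windows login on the target. It uses Get-WmiObject, so it targets Windows PowerShell 5.1 rather than PowerShell 7.

```powershell
# Added example (not Minion Enterprise code). Reproduces the EP connection
# testing matrix against your own servers. The host names are assumed
# placeholders: replace them with one FQDN, one NETBIOS name and one DNS alias
# for the same SQL Server instance. Assumes the running account has WMI rights
# and a Windows login on the target. Windows PowerShell 5.1 (Get-WmiObject).
Add-Type -AssemblyName System.Data

$targets = @(
    @{ Label = 'FQDN';      Host = 'sql01.corp.example.com' }
    @{ Label = 'NETBIOS';   Host = 'SQL01' }
    @{ Label = 'DNS Alias'; Host = 'sqlprod.corp.example.com' }
)

function Test-SqlConnection {
    param([string]$Server, [bool]$Encrypt, [bool]$TrustServerCert)
    # Encrypt and TrustServerCert map directly onto the two dbo.ConnParameters columns.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb.DataSource             = $Server
    $csb.IntegratedSecurity     = $true    # Windows auth (Kerberos/NTLM), the handshake EP protects
    $csb.Encrypt                = $Encrypt
    $csb.TrustServerCertificate = $TrustServerCert
    $csb.ConnectTimeout         = 5
    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
    try {
        $conn.Open()
        # Report what was actually negotiated rather than trusting Open() alone:
        # auth_scheme shows KERBEROS or NTLM, encrypt_option whether TLS is on.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme, encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        return "Y  (auth=$($reader['auth_scheme']), encrypted=$($reader['encrypt_option']))"
    }
    catch {
        return "N  ($($_.Exception.GetBaseException().Message))"
    }
    finally {
        $conn.Dispose()
    }
}

function Test-WmiConnection {
    param([string]$Server)
    # One WMI round trip, corresponding to the WMI column in the matrix.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Server -ErrorAction Stop
        return "Y  ($($os.Caption))"
    }
    catch {
        return "N  ($($_.Exception.Message))"
    }
}

foreach ($t in $targets) {
    Write-Output "== $($t.Label): $($t.Host)"
    Write-Output ("   WMI                        : " + (Test-WmiConnection -Server $t.Host))
    foreach ($encrypt in $true, $false) {
        foreach ($trust in $true, $false) {
            $label  = "Encrypt = $([int]$encrypt) & Trust = $([int]$trust)"
            $result = Test-SqlConnection -Server $t.Host -Encrypt $encrypt -TrustServerCert $trust
            Write-Output ("   $label SQL: " + $result)
        }
    }
}
```

Two things to read off the output. If Encrypt = 1 & Trust = 0 fails on the FQDN while Encrypt = 1 & Trust = 1 succeeds, the server certificate does not chain to a CA the collector trusts or its name does not match the name you connected with; fixing the certificate is preferable to leaving TrustServerCert = 1. If auth shows NTLM where you expected KERBEROS, the SPN for the SQL Server service account is missing or wrong for that name, and EP service binding is not in play for that connection.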