Protocols for MSSQLSERVER Properties (Advanced Tab)

Applies to: SQL Server - Windows only

Use the Advanced tab on the Protocols for MSSQLSERVER Properties dialog box to configure Extended Protection for Authentication for the SQL Server Database Engine. Extended Protection is a feature of the network components implemented by the operating system. Extended Protection is available in Windows 7 and Windows Server 2008 R2, and is included in service packs for older operating systems. SQL Server is more secure when connections are made using Extended Protection. Some benefits of Extended Protection require Force Encryption to be selected on the Flags tab.

Important

Windows does not enable Extended Protection by default. For information about how to enable Extended Protection, see the following:

For more information about how to configure other SQL Server services, see Manage the Database Engine Services. For a complete description of Extended Protection, see Connect to the Database Engine Using Extended Protection.

Options

Extended Protection

There are three possible values:

  • Off: Means Extended Protection is disabled. The instance of SQL Server accepts connections from any client regardless of whether the client is protected or not. Off is compatible with older and unpatched operating systems, but is less secure. Only use this setting when you know that the client operating systems don't support Extended Protection.

  • Allowed: Means Extended Protection is required for connections from operating systems that support Extended Protection. Connections from unprotected client applications that are running on protected client operating systems are rejected. Extended Protection is ignored for connections from unprotected operating systems. This setting is more secure than Off, but isn't the most secure setting. Use this setting in mixed environments, where some operating systems or applications support Extended Protection and some don't.

  • Required: Means that for a connection to be accepted, it must come from a protected application on a protected operating system. This setting is the most secure of the three options. However, clients on operating systems that don't support Extended Protection can't connect to SQL Server.

Accepted NTLM SPNs

An instance of SQL Server can be identified by more than one NTLM service principal name (SPN). You list the SPNs as a series of strings separated by semicolons. For example, the value MSSQLSvc/HostName1.Contoso.com;MSSQLSvc/HostName2.Contoso.com indicates that clients attempting to connect to SPNs named MSSQLSvc/HostName1.Contoso.com or MSSQLSvc/HostName2.Contoso.com are allowed. The variable has a maximum length of 2048 characters.
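
Before tightening the Extended Protection setting or pasting a value into Accepted NTLM SPNs, it helps to check which clients would be rejected and whether the SPN string is well formed. The following is an added example, not Microsoft code: it models the three settings as this page describes them and validates the semicolon-separated list against the 2048-character limit. The `Client` fields, function names and sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_SPN_VALUE_LEN = 2048  # maximum length stated on this page

@dataclass(frozen=True)
class Client:
    name: str            # constructed label for the sample inventory
    os_protected: bool   # client OS supports Extended Protection
    app_protected: bool  # client application uses Extended Protection

def accepts(setting: str, client: Client) -> bool:
    """Model of the Off / Allowed / Required descriptions on this page."""
    if setting == "Off":
        return True
    if setting == "Allowed":
        # Enforced on protected OSes, ignored for unprotected ones.
        return client.app_protected if client.os_protected else True
    if setting == "Required":
        return client.os_protected and client.app_protected
    raise ValueError(f"unknown setting: {setting!r}")

def rejected(setting: str, clients: list[Client]) -> list[str]:
    """Names of clients that would lose connectivity under `setting`."""
    return [c.name for c in clients if not accepts(setting, c)]

def parse_accepted_spns(value: str) -> list[str]:
    """Split and sanity-check an Accepted NTLM SPNs string."""
    if len(value) > MAX_SPN_VALUE_LEN:
        raise ValueError(f"value is {len(value)} chars, limit is {MAX_SPN_VALUE_LEN}")
    spns = []
    for entry in (part.strip() for part in value.split(";")):
        if not entry:
            continue  # tolerate a trailing semicolon (choice made in this sketch)
        service, slash, host = entry.partition("/")
        if not (service and slash and host) or any(ch.isspace() for ch in entry):
            raise ValueError(f"malformed SPN entry: {entry!r}")
        spns.append(entry)
    return spns

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Client("patched-os-current-driver", True, True),
    Client("patched-os-legacy-app", True, False),
    Client("unpatched-os", False, False),
]

if __name__ == "__main__":
    for setting in ("Off", "Allowed", "Required"):
        print(setting, "rejects:", rejected(setting, INVENTORY))
    print(parse_accepted_spns("MSSQLSvc/HostName1.Contoso.com;MSSQLSvc/HostName2.Contoso.com"))
```

Running the model against a real client inventory shows which hosts need patching or an updated application before the setting is moved from Allowed to Required.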

See also

Extended Protection for Authentication with Reporting Services