Legacy Created, Obsoleted, and Destroyed Before Shipping

As far as I can tell there has never been a description of what the mysterious LegacyExtendedProtectionPolicy property is for that appeared on the HTTP and TCP transports and is now slowly in the process of disappearing. In the small number of places it appeared the property has been marked as obsolete.

Extended protection policy is an enhancement to integrated Windows authentication that is intended to mitigate certain types of forwarding attacks during the credential challenge process. Although it was determined that an extended protection policy was needed on existing operating systems as well, the new types used by the policy API could not be ported. Therefore, a simpler LegacyExtendedProtectionPolicy property was created to allow porting the functionality without porting the policy API. This turned out to not be entirely successful.

The legacy extended protection policy started to show up because it appeared together with fixes you might download for other issues. Once those fixes are updated to remove these traces, the legacy will disappear entirely.