SPNEGO

Last updated

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

Contents

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication . The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. The HTTP Negotiate extension was later implemented with similar support in:

History

Notes

  1. Mozilla bug 17578: I want Kerberos authentication and TGT forwarding
  2. "Konqueror has SPNEGO support". Apache and Kerberos tutorial. Archived from the original on 19 April 2005. Retrieved 30 May 2005.
  3. "Support for SPNEGO authentication". Google Chrome Enhancement Request. Archived from the original on 11 November 2012. Retrieved 20 November 2010.

References