SPNEGO

The article's lead section may need to be rewritten. Please help improve the lead and read the lead layout guide. (December 2010) (Learn how and when to remove this message)

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:

• Mozilla 1.7 beta^[1]
• Mozilla Firefox 0.9
• Konqueror 3.3.1^[2]
• Google Chrome 6.0.472 ^[3]

1. 19 February 1996 - Eric Baize and Denis Pinkas publish the Internet Draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
2. 17 October 1996 - The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
3. 25 March 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
4. 22 April 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
5. 16 May 1997 - Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
6. 22 July 1997 - More context flags are added (integrity and confidentiality).
7. 18 November 1998 - The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
8. 4 March 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.

• Final December 1998 - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
• October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.

• "Internet Drafts of RFC 2478". All (Current & Expired) Internet Drafts Collection - Drafts. Retrieved May 28, 2005.
• "HTTP-Based Cross-Platform Authentication via the Negotiate Protocol". Microsoft Developer Network (MSDN) library. Retrieved May 28, 2005.
• "using mod_auth_kerb and Windows 2000/2003 as KDC". Tutorial. Retrieved December 2, 2005.

• RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (obsoletes RFC 2478).
• RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
• Microsoft technical article on SPNEGO tokens
• SPNEGO support in Mozilla
• mod_auth_kerb Apache module supporting SPNEGO
• Earlier drafts of draft-brezak-spnego-http-05.txt, since -05 is no longer available.
• Microsoft article on authorization data present in Kerberos tickets (PAC)
• SPNEGO and SSO articles
• COMMERCIAL SPNEGO for Tomcat, JBoss, WebSphere...
• Security Site for Windows Integration Authentication with SSO
• Support for SPNEGO in Java GSS with Java 6.
• COMMERCIAL Plexcel - PHP Active Directory Integration
• WebSphere with a side of SPNEGO
• SPNEGO and credential delegation with Java
• Making use of SPNEGO in your J2EE and .NET Client Applications
• SPNEGO Http Servlet Filter - Free Open Source Library
• Waffle: native Java Tomcat authentication on Windows (NTLM or Kerberos)
• Tomcat authentication on Windows via SPNEGO (NTLM or Kerberos) using JNI