This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] ([SPNEGO]), aka GSS-SPNEGO and snego, is a [GSSAPI] "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.[1]
The [{$pagename}] pseudo mechanism was documented in [RFC 2478], which was obsoleted and replaced by [RFC 4178].
The [{$pagename}] pseudo mechanism is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego ([1.3.6.1.5.5.2]).
[{$pagename}] is used when a client application wants to authenticate to a remote server, but neither end is sure what [authentication protocols|Authentication Method] the other supports. The pseudo-mechanism uses a protocol to determine what common [GSSAPI] mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
The presence of the "GSS-SPNEGO" string value in the [supportedSASLMechanisms] attribute indicates that the [LDAP Server Implementation], typically a [Microsoft Active Directory] [Domain Controller], accepts the GSS-SPNEGO security mechanism for [LDAP] [Bind Requests].
!! MUST NOT be used
GSS-API mechanisms that negotiate other mechanisms MUST NOT be used with the [GS2 Mechanism Family]. Specifically, [SPNEGO] [RFC 4178] __MUST NOT be used__ as a [GS2 Mechanism Family]. To make this easier for [SASL] implementations, we assign a symbolic [SASL Mechanism] name to the [SPNEGO] GSS-API mechanism, "SPNEGO". [SASL] client implementations __MUST NOT__ choose the [SPNEGO] mechanism under any circumstances.
!! Microsoft
[{$pagename}]'s most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as [Integrated Windows Authentication]. The negotiable sub-mechanisms included [NTLM] and [Kerberos], both used in [Microsoft Active Directory].
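The negotiation described above can be inspected on the wire: the following added example (not part of the original page or of any Microsoft code) decodes the initial token of an HTTP "Negotiate" header and lists the sub-mechanisms the client offers, which is how a defender can tell Kerberos from NTLM fallback in captured traffic. The function names, the Kerberos and NTLM OID byte strings (well-known values not given on this page) and the sample token are assumptions of the example; the sample is constructed.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")  # DER content bytes of 1.3.6.1.5.5.2
MECH_NAMES = {  # DER content bytes of well-known sub-mechanism OIDs (assumed)
    bytes.fromhex("2a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLM",    # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample: NegTokenInit offering Kerberos then NTLM, no mechToken.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202"
    "060a2b06010401823702020a")).decode()

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def offered_mechs(header_value):
    """Sub-mechanisms offered by an HTTP 'Negotiate <base64>' initial token."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header value")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no SPNEGO wrapper
        return ["NTLM (raw, not SPNEGO-wrapped)"]
    tag, body, _ = read_tlv(tok, 0)  # GSS-API initial token: [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)  # thisMech OID comes first
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    # Descend: [0] negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF OID
    for want in (0xA0, 0x30, 0xA0, 0x30):
        tag, body, _ = read_tlv(body, pos)
        if tag != want:
            raise ValueError("unexpected NegTokenInit layout")
        pos = 0
    mechs = []
    while pos < len(body):  # mechTypes are listed in the client's preference order
        tag, oid, pos = read_tlv(body, pos)
        mechs.append(MECH_NAMES.get(oid, "unknown OID " + oid.hex()))
    return mechs
```

Calling `offered_mechs(SAMPLE)` returns the offered list in preference order; values that are not a Negotiate initial token raise `ValueError`.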
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [SPNEGO|Wikipedia:SPNEGO/|target='_blank'] - based on information obtained 2016-05-17