Overview #From Wikipedia:SPNEGO, the free encyclopedia
The SPNEGO pseudo mechanism is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego (188.8.131.52.5.5.2).
SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
The presence of the "GSS-SPNEGO" string value in the supportedSASLMechanisms attribute indicates that the LDAP server, typically a Active Directory DC, accepts the GSS-SPNEGO security mechanism for LDAP bind requests.HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided Single Sign-On capability later marketed as Integrated Windows Authentication. The Negotiate SSP sub-mechanisms included NTLM and Kerberos, both used in Microsoft Active Directory.
The only time Windows-specific things get involved with SPNEGO is when you allow the use of NTLM: "A highly insecure authentication method enabled by default in Windows. More importantly, unless you expressly forbid it via GPOs you’re probably using NTLM all over the place in your company’s network."NT LAN Manager Vulnerabilities shows some of the Vulnerabilities with using NT LAN Manager (NTLM)