Overview #
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism, also written GSS-SPNEGO or snego) is a GSSAPI "pseudo mechanism" used to negotiate one of a number of possible real GSSAPI mechanisms. The SPNEGO pseudo mechanism was first documented in RFC 2478, which has been obsoleted by RFC 4178.
SPNEGO is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The initiator sends its list of supported GSSAPI mechanisms in preference order (usually with an optimistic token for its first choice), the acceptor selects the first one it also supports, and all further security operations are dispatched to the selected mechanism. This can help organizations deploy new security mechanisms in a phased manner.
The presence of the "GSS-SPNEGO" string value in the supportedSASLMechanisms attribute of the rootDSE indicates that the LDAP server, typically a Domain Controller, accepts the GSS-SPNEGO SASL mechanism for LDAP Bind Requests.
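The negotiation described above, as an added worked example (this is not code from the page, from Microsoft, or from any GSSAPI library): a minimal DER codec builds the initiator's NegTokenInit from RFC 4178, parses it back, and applies the acceptor's selection rule. The OIDs are the real registered values; the mechToken bytes and the "acceptor supports" sets are constructed placeholders, and the optional mechListMIC is left out, which is what an optimistic first token normally does anyway.

```python
"""Build and parse a SPNEGO NegTokenInit (RFC 4178) with a minimal DER codec.

Added example; the sample token is constructed here and is not a real capture.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"             # iso.org.dod.internet.security.mechanism.snego
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft Kerberos (legacy variant)
KRB5_OID = "1.2.840.113554.1.2.2"        # Kerberos V5 (RFC 4121)
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"   # NTLMSSP


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OID body (without tag and length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the element); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:end], end


def build_neg_token_init(mech_types, mech_token: bytes = b"") -> bytes:
    """Initiator's first token: mechTypes in preference order plus an optimistic mechToken."""
    mech_list = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_types))
    fields = tlv(0xA0, mech_list)                     # [0] mechTypes
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))    # [2] mechToken OCTET STRING
    neg_token_init = tlv(0xA0, tlv(0x30, fields))     # negTokenInit [0] SEQUENCE
    # GSS-API InitialContextToken: [APPLICATION 0] { thisMech OID, innerContextToken }
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + neg_token_init)


def parse_neg_token_init(token: bytes) -> dict:
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    tag, seq, _ = read_tlv(choice)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    out = {"mechTypes": [], "mechToken": None}
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                               # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field)
            p = 0
            while p < len(lst):
                t, oid, p = read_tlv(lst, p)
                if t != 0x06:
                    raise ValueError("mechTypes entry is not an OID")
                out["mechTypes"].append(decode_oid(oid))
        elif tag == 0xA2:                             # [2] mechToken
            _, out["mechToken"], _ = read_tlv(field)
        # [1] reqFlags and [3] mechListMIC are not needed for this example
    return out


def select_mechanism(offered, acceptor_supports):
    """RFC 4178 rule: the acceptor takes the first mechanism in the initiator's list it supports."""
    for mech in offered:
        if mech in acceptor_supports:
            return mech
    return None


def negotiate_header(token: bytes) -> str:
    """HTTP Negotiate carries the same token base64-encoded in the Authorization header."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    token = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x01\x02")  # placeholder mechToken
    parsed = parse_neg_token_init(token)
    print("offered:", parsed["mechTypes"])
    print("acceptor with NTLM disabled picks:", select_mechanism(parsed["mechTypes"], {KRB5_OID}))
    print("acceptor with only NTLM picks:", select_mechanism(parsed["mechTypes"], {NTLMSSP_OID}))
    print(negotiate_header(token)[:40], "...")
```

The same token is what an LDAP client sends inside a SASL bind with mechanism GSS-SPNEGO and what a browser sends after an HTTP 401 with "WWW-Authenticate: Negotiate". The selection rule is also the downgrade surface: an acceptor that still lists NTLMSSP among its supported mechanisms will accept it whenever the initiator cannot offer Kerberos, which is why RFC 4178 adds the mechListMIC (checked once a mechanism with integrity protection is up) to detect tampering with the offered list.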
Microsoft Active Directory#
SPNEGO's most visible implementation is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided the Single Sign-On capability later marketed as Integrated Windows Authentication. The Negotiate SSP sub-mechanisms include NTLM and Kerberos, both used in Microsoft Active Directory. Because Negotiate falls back to NTLM whenever Kerberos cannot be used for the target (for example when no SPN is registered for it), an endpoint that accepts Negotiate is only as strong as the weakest sub-mechanism it still allows.
NT LAN Manager Vulnerabilities#
NT LAN Manager Vulnerabilities shows some of the vulnerabilities that come with using NT LAN Manager (NTLM).
More Information#
There might be more information for this subject on one of the following:
- Bind Authentication Method
- CredSSP
- GSS-SPNEGO
- Generic Security Service Application Program Interface
- Identity Broker
- Kerberos
- LDAP Signing
- NT LAN Manager Vulnerabilities
- Negotiate SSP
- SASL
- Security Support Provider Interface
- Simple and Protected GSSAPI Negotiation Mechanism
- Windows Integrated Authentication