Overview #
From Wikipedia:SPNEGO
, the free encyclopedia
SPNEGO or Simple and Protected GSSAPI Negotiation Mechanism, aka GSS-SPNEGO and snggo is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.
The SPNEGO pseudo mechanism is documented in RFC 2478 and RFC 4178.
The SPNEGO pseudo mechanism is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
The presence of the "GSS-SPNEGO" string value in the supportedSASLMechanisms attribute indicates that the LDAP server, typically a Active Directory DC, accepts the GSS-SPNEGO security mechanism for LDAP bind requests.
Microsoft Active Directory#
SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided Single Sign-On capability later marketed as Integrated Windows Authentication. The Negotiate SSP sub-mechanisms included NTLM and Kerberos, both used in Microsoft Active Directory.The only time Windows-specific things get involved with SPNEGO is when you allow the use of NTLM: "A highly insecure authentication method enabled by default in Windows. More importantly, unless you expressly forbid it via GPOs you’re probably using NTLM all over the place in your company’s network."
