Overview#
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism, aka GSS-SPNEGO and snggo) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real SASL Mechanisms.
SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
The presence of the "GSS-SPNEGO" string value in the supportedSASLMechanisms attribute indicates that the LDAP server, typically a Domain Controller, accepts the GSS-SPNEGO security mechanism for LDAP Bind Requests.
SPNEGO is implemented in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided Single Sign-On capability, later marketed as Integrated Windows Authentication. The Negotiate SSP sub-mechanisms included NTLM and Kerberos, both used in Microsoft Active Directory. NT LAN Manager Vulnerabilities describes some of the vulnerabilities of using NT LAN Manager (NTLM).
More Information#
There might be more information for this subject on one of the following:
- Bind Authentication Method
- Generic Security Service Application Program Interface
- Identity Broker
- LDAP Signing
- NT LAN Manager Vulnerabilities
- Negotiate SSP
- Security Support Provider Interface
- Simple and Protected GSSAPI Negotiation Mechanism
- Windows Integrated Authentication