Overview #

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism aka GSS-SPNEGO and snggo) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real SASL Mechanisms.

SPNEGO pseudo mechanism is documented in RFC 2478 and RFC 4178.

SPNEGO SASL Mechanisms] is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

The presence of the "GSS-SPNEGO" string value in the supportedSASLMechanisms attribute indicates that the LDAP server, typically a Domain Controller, accepts the GSS-SPNEGO security mechanism for LDAP Bind Requests.

Microsoft Active Directory#

SPNEGO's most visible Implementation is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided Single Sign-On capability later marketed as Integrated Windows Authentication. The Negotiate SSP sub-mechanisms included NTLM and Kerberos, both used in Microsoft Active Directory.

NT LAN Manager Vulnerabilities#

NT LAN Manager Vulnerabilities shows some of the Vulnerabilities with using NT LAN Manager (NTLM)

More Information#

There might be more information for this subject on one of the following:

• Bind Authentication Method
• CredSSP
• GSS-SPNEGO
• Generic Security Service Application Program Interface
• Identity Broker
• Kerberos
• LDAP Signing
• NT LAN Manager Vulnerabilities
• Negotiate SSP
• SASL
• Security Support Provider Interface
• Simple and Protected GSSAPI Negotiation Mechanism
• Windows Integrated Authentication