<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([SPNEGO]), aka GSS-SPNEGO and snggo is a [GSSAPI] &quot;pseudo mechanism&quot; that is used to negotiate one of a number of possible real mechanisms.[1]

The [{$pagename}] pseudo mechanism was documented [RFC 2478] which was obsoleted and replaced by [RFC 4178].

The [{$pagename}] pseudo mechanism is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego ([1.3.6.1.5.5.2]).

[{$pagename}] is used when a client application wants to authenticate to a remote server, but neither end is sure what [authentication protocols|Authentication Method] the other supports. The pseudo-mechanism uses a protocol to determine what common [GSSAPI] mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

The presence of the &quot;GSS-SPNEGO&quot; string value in the [supportedSASLMechanisms] attribute indicates that the [LDAP Server Implementation], typically a [Microsoft Active Directory] [Domain Controller], accepts the GSS-SPNEGO security mechanism for [LDAP] [Bind Requests].

!! MUST NOT be used
GSS-API mechanisms that negotiate other mechanisms MUST NOT be used with the [GS2 Mechanism Family].  Specifically, [SPNEGO] [RFC 4178] __MUST NOT be used__ as a [GS2 Mechanism Family]. To make this easier for [SASL] implementations, we assign a symbolic [SASL Mechanism] name to the [SPNEGO] GSS-API mechanism, &quot;SPNEGO&quot;.  [SASL] client implementations __MUST NOT__ choose the [SPNEGO] mechanism under any circumstances.

!! Microsoft
[{$pagename}]'s most visible use is in Microsoft's &quot;HTTP Negotiate&quot; authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as [Integrated Windows Authentication]. The negotiable sub-mechanisms included [NTLM] and [Kerberos], both used in [Microsoft Active Directory].

 !! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [SPNEGO|Wikipedia:SPNEGO/|target='_blank'] - based on information obtained 2016-05-17- 
</pre>