Simple and Protected GSSAPI Negotiation Mechanism

Overview#

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), aka GSS-SPNEGO and snggo is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.[1]

The Simple and Protected GSSAPI Negotiation Mechanism pseudo mechanism was documented RFC 2478 which was obsoleted and replaced by RFC 4178.

The Simple and Protected GSSAPI Negotiation Mechanism pseudo mechanism is identified by the Object Identifier iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).

Simple and Protected GSSAPI Negotiation Mechanism is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

The presence of the "GSS-SPNEGO" string value in the supportedSASLMechanisms attribute indicates that the LDAP Server Implementation, typically a Microsoft Active Directory Domain Controller, accepts the GSS-SPNEGO security mechanism for LDAP Bind Requests.

MUST NOT be used#

GSS-API mechanisms that negotiate other mechanisms MUST NOT be used with the GS2 Mechanism Family. Specifically, SPNEGO RFC 4178 MUST NOT be used as a GS2 Mechanism Family. To make this easier for SASL implementations, we assign a symbolic SASL Mechanism name to the SPNEGO GSS-API mechanism, "SPNEGO". SASL client implementations MUST NOT choose the SPNEGO mechanism under any circumstances.

Microsoft#

Simple and Protected GSSAPI Negotiation Mechanism's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Microsoft Active Directory.

!! More Information There might be more information for this subject on one of the following:

Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!