SPNEGO

From Wikipedia, the free encyclopedia

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is a standard GSSAPI pseudo-mechanism for peers to determine which GSSAPI mechanisms are shared, select one and then establish a security context with it. SPNEGO is sometimes pronounced or spelt "spengo".

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Windows Integrated Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in Mozilla 1.7beta, Mozilla Firefox 0.9, and Konqueror 3.3.1.

[edit] History of the SPNEGO standard

1. 19 February 1996 - Eric Baize and Denis Pinkas publish the internet draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
2. 17 October 1996 - The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
3. 25 March 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
4. 22 April 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
5. 16 May 1997 - Context flags are added (delegation, mutual auth, etc.). Defences are provided against attacks on the new "preferred" mechanism.
6. 22 July 1997 - More context flags are added (integrity and confidentiality).
7. 18 November 1998 - The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
8. 4 March 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.

• Final December 1998 - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
• October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.

[edit] External links

• RFC 2478 The Simple and Protected GSS-API Negotiation Mechanism
• RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
• Microsoft technical article on SPNEGO tokens
• Vintela description of SPNEGO
• SPNEGO support in Mozilla
• Apache module for supporting SPNEGO
• mod_auth_kerb Apache module supporting SPNEGO
• Earlier drafts of draft-brezak-spnego-http-05.txt, since -05 is no longer available.
• Microsoft article on authorization data present in Kerberos tickets (PAC)
• PAC (Privilege Attribute Certificate) in a Java Web Server World
• [1] Security Site for Windows Integration Authentication with SSO
• Open source Java Spnego library by Taglab.

[edit] References

• Internet Drafts of RFC 2478. All (Current & Expired) Internet Drafts Collection - Drafts. Retrieved on May 28, 2005.
• Mozilla bug 17578: I want Kerberos authentication and TGT forwarding
• HTTP-Based Cross-Platform Authentication via the Negotiate Protocol. Microsoft Developer Network (MSDN) library. Retrieved on May 28, 2005.
• Konqueror has SPNEGO support. Apache and Kerberos tutorial. Retrieved on May 30, 2005.
• using mod_auth_kerb and Windows 2000/2003 as KDC. Tutorial. Retrieved on Dec 02, 2005.