SPNEGO

From Wikipedia, the free encyclopedia

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. It is sometimes pronounced or spelled "spengo".

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

SPNEGO is a standard GSSAPI pseudo-mechanism. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:

[edit] History of the SPNEGO standard

  1. 19 February 1996 - Eric Baize and Denis Pinkas publish the internet draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
  2. 17 October 1996 - The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
  3. 25 March 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
  4. 22 April 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
  5. 16 May 1997 - Context flags are added (delegation, mutual auth, etc.). Defences are provided against attacks on the new "preferred" mechanism.
  6. 22 July 1997 - More context flags are added (integrity and confidentiality).
  7. 18 November 1998 - The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
  8. 4 March 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
  • Final December 1998 - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
  • October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.

[edit] External links

[edit] References