SPNEGO

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:

• Mozilla 1.7 beta^[1]
• Mozilla Firefox 0.9
• Konqueror 3.3.1^[2]
• Google Chrome 6.0.472 ^[3]

History

1. 19 February 1996 – Eric Baize and Denis Pinkas publish the Internet Draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
2. 17 October 1996 – The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
3. 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
4. 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
5. 16 May 1997 – Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
6. 22 July 1997 – More context flags are added (integrity and confidentiality).
7. 18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
8. 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.

• Final December 1998 – DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
• October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.

Notes

References

• "Internet Drafts of RFC 2478". All (Current & Expired) Internet Drafts Collection – Drafts. http://potaroo.net/ietf/idref/rfc2478/. Retrieved May 28, 2005. 
• "HTTP-Based Cross-Platform Authentication via the Negotiate Protocol". Microsoft Developer Network (MSDN) library. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp. Retrieved May 28, 2005. 
• "using mod_auth_kerb and Windows 2000/2003 as KDC". Tutorial. http://www.grolmsnet.de/kerbtut/. Retrieved December 2, 2005. 

External links

• RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (obsoletes RFC 2478).
• RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
• Microsoft technical article on SPNEGO tokens
• SPNEGO support in Mozilla
• mod_auth_kerb Apache module supporting SPNEGO
• Earlier drafts of draft-brezak-spnego-http-05.txt, since −05 is no longer available.
• Microsoft article on authorization data present in Kerberos tickets (PAC)
• SPNEGO and SSO articles
• COMMERCIAL SPNEGO for Tomcat, JBoss, WebSphere...
• Security Site for Windows Integration Authentication with SSO
• Support for SPNEGO in Java GSS with Java 6.
• COMMERCIAL Plexcel – PHP Active Directory Integration
• WebSphere with a side of SPNEGO
• SPNEGO and credential delegation with Java
• Making use of SPNEGO in your J2EE and .NET Client Applications
• SPNEGO Http Servlet Filter – Free Open Source Library
• Waffle: native Java Tomcat authentication on Windows (NTLM or Kerberos)
• Tomcat authentication on Windows via SPNEGO (NTLM or Kerberos) using JNI