SPNEGO
SPNEGO is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:
- Mozilla 1.7 beta
- Mozilla Firefox 0.9
- Konqueror 3.3.1
- Google Chrome 6.0.472
History
- 19 February 1996 – Eric Baize and Denis Pinkas publish the Internet Draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
- 17 October 1996 – The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
- 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
- 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
- 16 May 1997 – Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
- 22 July 1997 – More context flags are added (integrity and confidentiality).
- 18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
- 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
- Final December 1998 – DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
- October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.
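The lead paragraphs describe SPNEGO as a pseudo-mechanism that carries a list of real mechanisms and lets the server pick one, and the history above mentions the OID 1.3.6.1.5.5.2, the optimistic piggybacked token, DER encoding and the MIC. The following Python is an added illustration written for this page, not code from the RFCs, from Microsoft or from any library: a minimal DER encoder and decoder, a NegTokenInit builder and parser, the acceptor's mechanism-selection rule, and the base64 framing used by the HTTP Negotiate header. The Kerberos and NTLMSSP OIDs are the registered values; `SAMPLE_MECH_TOKEN` is a constructed placeholder standing in for a real Kerberos token, and all function names are this example's own.

```python
import base64

# Mechanism OIDs (registered values; 1.3.6.1.5.5.2 is the SPNEGO OID the article cites)
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"       # Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft Kerberos variant
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP
SAMPLE_MECH_TOKEN = b"\x00KRB5-AP-REQ-PLACEHOLDER"  # constructed stand-in, not a real AP-REQ


# --- minimal DER (X.690) helpers -------------------------------------------
def der_len(n):  # short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):  # tag-length-value triple
    return bytes([tag]) + der_len(len(content)) + content

def _base128(n):  # OID sub-identifier: 7 bits per byte, high bit set on all but the last
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def der_oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER (first arc 0 or 1 only)
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(0x06, body)

def der_read(buf, pos):  # one TLV at buf[pos] -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_oid_decode(body):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _expect(tag, want, what):
    if tag != want:
        raise ValueError("expected " + what)


# --- SPNEGO NegTokenInit (RFC 4178 section 4.2) inside the RFC 2743 wrapper ---
def build_neg_token_init(mech_types, mech_token=None):
    # mech_types: initiator's list, most preferred first; mech_token: optimistic
    # initial token of that first mechanism, piggybacked to save a round trip.
    mech_list = der_tlv(0x30, b"".join(der_oid(o) for o in mech_types))  # MechTypeList
    fields = der_tlv(0xA0, mech_list)                                     # [0] mechTypes
    if mech_token is not None:
        fields += der_tlv(0xA2, der_tlv(0x04, mech_token))                # [2] mechToken
    negotiation_token = der_tlv(0xA0, der_tlv(0x30, fields))              # negTokenInit [0]
    return der_tlv(0x60, der_oid(SPNEGO_OID) + negotiation_token)         # [APPLICATION 0]

def parse_neg_token_init(token):  # -> {"mechTypes": [...], "mechToken": ..., "mechListMIC": ...}
    tag, body, _ = der_read(token, 0)
    _expect(tag, 0x60, "GSS-API [APPLICATION 0] initial context token")
    tag, oid_body, pos = der_read(body, 0)
    if tag != 0x06 or der_oid_decode(oid_body) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = der_read(body, pos)
    _expect(tag, 0xA0, "negTokenInit [0]")
    tag, seq, _ = der_read(choice, 0)
    _expect(tag, 0x30, "NegTokenInit SEQUENCE")
    result, pos = {"mechTypes": [], "mechToken": None, "mechListMIC": None}, 0
    while pos < len(seq):
        tag, field, pos = der_read(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = der_read(field, 0)
            p = 0
            while p < len(lst):
                _, oid_body, p = der_read(lst, p)
                result["mechTypes"].append(der_oid_decode(oid_body))
        elif tag == 0xA2:                     # [2] mechToken OCTET STRING
            _, result["mechToken"], _ = der_read(field, 0)
        elif tag == 0xA3:                     # [3] mechListMIC OCTET STRING
            _, result["mechListMIC"], _ = der_read(field, 0)
    return result                             # [1] reqFlags is not needed here

def select_mechanism(client_mechs, server_mechs, mech_token_present):
    # Acceptor rule: first entry of the initiator's list that the acceptor supports.
    # The piggybacked token is usable only when that entry is the initiator's first
    # (preferred) mechanism; otherwise it belongs to another mechanism and is dropped.
    for mech in client_mechs:
        if mech in server_mechs:
            return mech, (mech_token_present and mech == client_mechs[0])
    return None, False


# --- HTTP Negotiate framing (RFC 4559): base64 of the DER token ---------------
def to_negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def from_negotiate_header(value):
    scheme, _, data = value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    return base64.b64decode(data)
```

Calling `build_neg_token_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID], SAMPLE_MECH_TOKEN)` and wrapping the result with `to_negotiate_header` yields the kind of `Authorization: Negotiate ...` value a browser sends; `parse_neg_token_init(from_negotiate_header(...))` recovers the mechanism list, which is what a server, proxy or packet-inspection tool needs in order to see which mechanisms a client offered. The `mechListMIC` field that the parser exposes is the integrity check computed over `mechTypes` once a mechanism is established; it is the "Protected" part of the name, since without it a party in the middle could edit the list so that both sides settle on the weakest mechanism.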
External links
- RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (obsoletes RFC 2478).
- RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
- Microsoft technical article on SPNEGO tokens
- SPNEGO support in Mozilla
- mod_auth_kerb Apache module supporting SPNEGO
- Earlier drafts of draft-brezak-spnego-http-05.txt, since -05 is no longer available.
- Microsoft article on authorization data present in Kerberos tickets (PAC)
- SPNEGO and SSO articles
- COMMERCIAL SPNEGO for Tomcat, JBoss, WebSphere...
- Security Site for Windows Integration Authentication with SSO
- Support for SPNEGO in Java GSS with Java 6.
- COMMERCIAL Plexcel – PHP Active Directory Integration
- WebSphere with a side of SPNEGO
- SPNEGO and credential delegation with Java
- Making use of SPNEGO in your J2EE and .NET Client Applications
- SPNEGO Http Servlet Filter – Free Open Source Library
- Waffle: native Java Tomcat authentication on Windows (NTLM or Kerberos)
- Tomcat authentication on Windows via SPNEGO (NTLM or Kerberos) using JNI