HOME

TheInfoList



Click Here for Items Related To - SPNEGO
OR:
SPNEGO on:   [Wikipedia]   [Google]   [Amazon]

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a
GSSAPI The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services. The GSSAPI is an IETF standard that addresses the problem of many similar but inc ...
"pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner. SPNEGO's most visible use is in
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
's "HTTP Negotiate"
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
extension. It was first implemented in
Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft which was used in the Windows line of operating systems ( ...
5.01 and IIS 5.0 and provided
single sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-enterin ...
capability later marketed as ''
Integrated Windows Authentication Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included ...
''. The negotiable sub-mechanisms included
NTLM In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft L ...
and Kerberos, both used in
Active Directory Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralize ...
. The HTTP Negotiate extension was later implemented with similar support in: *
Mozilla Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products, thereby promoting exclusively free software and open standards, w ...
1.7 beta * Mozilla Firefox 0.9 *
Konqueror Konqueror is a free and open-source web browser and file manager that provides web access and file-viewer functionality for file systems (such as local files, files on a remote FTP server and files in a disk image). It forms a core part of t ...
3.3.1 *
Google Chrome Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS ...
6.0.472


History

* 19 February 1996 – Eric Baize and Denis Pinkas publish the
Internet Draft An Internet Draft (I-D) is a document published by the Internet Engineering Task Force (IETF) containing preliminary technical specifications, results of networking-related research, or other technical information. Often, Internet Drafts are int ...
''Simple GSS-API Negotiation Mechanism'' (draft-ietf-cat-snego-01.txt). * 17 October 1996 – The mechanism is assigned the
object identifier In computing, object identifiers or OIDs are an identifier mechanism standardized by the International Telecommunication Union (ITU) and ISO/IEC for naming any object, concept, or "thing" with a globally unambiguous persistent name. Syntax and le ...
''1.3.6.1.5.5.2'' and is abbreviated snego. * 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip. * 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego). * 16 May 1997 – Context flags are added ( delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism. * 22 July 1997 – More context flags are added (
integrity Integrity is the practice of being honest and showing a consistent and uncompromising adherence to strong moral and ethical principles and values. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions. Inte ...
and
confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...
). * 18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list. * 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional. * December 1998 (Final) – DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478. * October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.


Notes


References

* * *


External links

* ''The Simple and Protected GSS-API Negotiation Mechanism'' (obsoletes ). * ''SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows'' {{DEFAULTSORT:Spnego Cryptographic protocols Computer access control protocols